04-28-2010 08:29 AM
Hi everyone,
I've been asked to create a TCL script to block the command 'clear crypto session' if the user didn't add 'remote xx.xx.xx.xx', to prevent someone from clearing all the sessions by mistake.
And to be quite frank, I do not really know where to begin. I tried to find TCL scripts similar to that, but I did not find any. And I've never used TCL before...
Thanks
Labels: Network Management
Accepted Solutions

04-29-2010 03:43 PM
Here you go. Copy this file to a directory on the device's local flash (e.g. flash:/policies), then do:
Router(config)#event manager directory user policy flash:/policies
Router(config)#event manager policy cl_no_clear_crypto.tcl
Then test away.


04-28-2010 12:56 PM
You don't necessarily need Tcl for this. An applet like this would work:
event manager applet no-clear-crypto
 event cli pattern "^clear crypto session\s*$" sync yes
 action 1.0 puts "The 'clear crypto session' cannot be run without an argument."
 action 2.0 exit 0
This applet requires EEM 3.0, but a similar one could be made for earlier versions.
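
The following is an added example, not part of the original posts: it shows which command lines the applet's pattern intercepts and how that compares with the requirement in the question (only allow the command when `remote <address>` is given). It assumes Python's `re` treats this pattern the way EEM does and that EEM matches the fully expanded command; `has_remote_peer` and the sample lines are hypothetical and constructed.

```python
import ipaddress
import re

# Pattern copied from the applet in the post above.
APPLET_PATTERN = re.compile(r"^clear crypto session\s*$")

def applet_blocks(cmd: str) -> bool:
    """True if the applet's pattern matches, i.e. the command is intercepted."""
    return APPLET_PATTERN.search(cmd) is not None

def has_remote_peer(cmd: str) -> bool:
    """Stricter check (hypothetical helper): command carries 'remote <IPv4>'."""
    tokens = cmd.split()
    if tokens[:3] != ["clear", "crypto", "session"]:
        return False
    # Walk consecutive (keyword, value) pairs after the command itself.
    for keyword, value in zip(tokens[3:], tokens[4:]):
        if keyword == "remote":
            try:
                ipaddress.IPv4Address(value)
                return True
            except ValueError:
                return False
    return False

def audit(commands):
    """Return (command, blocked_by_applet, has_remote_peer) for each line."""
    return [(c, applet_blocks(c), has_remote_peer(c)) for c in commands]

# Constructed sample input, not captured from a device.
SAMPLES = [
    "clear crypto session",
    "clear crypto session   ",
    "clear crypto session remote 192.0.2.10",
    "clear crypto session remote",
    "clear crypto session local 192.0.2.1",
    "clear crypto sa",
]

if __name__ == "__main__":
    for cmd, blocked, ok in audit(SAMPLES):
        print(f"{cmd!r:45} applet blocks={blocked!s:5} has remote peer={ok}")
```

The pattern stops only the bare command (with or without trailing whitespace); any form with an argument, including one without `remote`, is not intercepted by it.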
04-29-2010 07:53 AM
Thanks for the quick answer,
I will test this today, if I can, and let you know if it worked!
Thanks again!
04-29-2010 10:43 AM
It's not working... I upgraded the IOS to have 12.4 and not 12.3, but it doesn't take the commands 'action xxx puts' and 'action xxx exit'. Right now I have IOS Version 12.4(15)T13.
04-29-2010 10:55 AM
You'll need to upgrade to 12.4(22)T or higher:
"EEM 3.0 is supported in Cisco IOS Release 12.4(22)T, 12.2(33)SRE, and later releases."
04-29-2010 11:01 AM
Yeah... That's what I found.
Thanks, I will try 124-25c.
04-29-2010 11:30 AM
Still not working... And I have the latest IOS: System image file is "flash:c2600-adventerprisek9-mz.124-25c.bin", but it seems this is not supported on the 2651XM...
(config-applet)#action 100 ?
  cli               Execute a CLI command
  cns-event         Send a CNS event
  counter           Modify a counter value
  force-switchover  Force a software switchover
  info              Obtain system specific information
  mail              Send an e-mail
  policy            Run a pre-registered policy
  publish-event     Publish an application specific event
  reload            Reload system
  snmp-trap         Send an SNMP trap
  syslog            Log a syslog message

04-29-2010 11:37 AM
In order to get EEM 3.0 support, you need 12.4(22)T (the 'T' is important). You still have mainline, so you only have EEM 2.1. If you need to run mainline, that's not a problem, I can cook you up a Tcl script to do what you need. If you're okay with another upgrade, move to 12.4(22)T or 15.0, and the applet will work for you.
04-29-2010 11:57 AM
That's where I have a problem... I don't find IOS 12.4(22)T for the 2651XM...

04-29-2010 12:50 PM
Ah, a 2651. That platform can only run up to 12.4(15)T which only gives you EEM 2.3. There are improvements there, but not enough functionality for the applet policy. I'll convert the policy to Tcl, and upload the file.

04-30-2010 08:10 AM
Hi Joe!
I did it, it seems to work! I will do one final test maybe this afternoon and be back to give feedback!
Thanks again for your help!!
05-03-2010 05:45 AM
Perfect!!
Thank you very much!!
Do you have some web page to give me so I can learn to do this kind of script?
Thanks again!!

05-03-2010 08:24 AM
There is the main documentation page at http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_overview_ps10592_TSD_Products_Configuration_Guide_Chapter.html . Then there is the CiscoBeyond site which offers a nice repository of Cisco and user-contributed scripts at http://www.cisco.com/go/ciscobeyond . There is also a partner, Progrizon, which offers a free policy building tool to help get you started with applet and Tcl scripting.
05-03-2010 09:31 AM
Thanks a lot!
