Wipe switch/router config after certain date/time

jujj
Level 1

I am looking for some help with EEM Scripting and/or kron policies. I am trying to delete the configuration of switches/routers after a certain date & time. If the switch is offline, it should delete on boot-up ONLY after that certain date. I tried using a KRON policy, but I cannot get it to delete the configurations correctly.

 

kron occurrence RIP at 0:01 Nov 1 recurring
   policy-list WRITE-ERASE
!
kron policy-list WRITE-ERASE
   cli delete flash:vlan.dat
   cli write erase
   cli reload

 

This policy will work IF the switch is online. However, if the switch is NOT online when this date passes, it will not execute. I need it to execute if the device is offline when the date passes, and is turned back on.

These devices are remote and may exist in high-secure environments where we cannot let the configurations of the switches exist on devices that are not supposed to be on our network after a certain date.

The device may be powered off & on before the date that I want the switch to wipe on. Some customers have a requirement to join the network until X date - after that date, we want the configuration to be wiped. If the device is not powered up when that date hits, it should wipe when it is booted.

 

Thank you for any help!

Accepted Solution

Dan Frey
Cisco Employee

This will require multiple events to be correlated in an EEM policy. The events will need to be a crontab setting, which is also defined as an epoch time in an event manager environment variable, and an event to run at reboot.

 

event manager environment epoch 1653054540
event manager applet RIP
 event tag 1 timer cron cron-entry "49 1 20 5 *"
 event tag 2 timer cron cron-entry "@reboot"
 trigger
  correlate event 1 or event 2
 action 010 cli command "enable"
 action 020 wait 1
 action 030 if $_event_pub_sec ge "$epoch"
 action 040  cli command "write erase \015 \015"
 action 050  cli command "delete flash:vlan.dat \015 \015"
 action 060  reload
 action 070 end

 


Hello,

 

With 'offline' and 'online', do you mean the switch being physically powered off/on?

jujj
Level 1

@Georg Pauwen yes you are correct. To clarify, the policy I posted above will only work if the switch is powered on. If the switch is not powered on, the policy will never trigger. I will require it to trigger no matter what; if it is powered off when the date passes, then it should automatically wipe AFTER the determined date. I am unsure if I can do this with a kron policies, or how to do it with EEM scripting.

(When I click reply on your comment, the page just refreshes and I cannot reply directly on my work computer)

Leo Laohoo
Hall of Fame

@jujj wrote:

I need it to execute if the device is offline when the date passes, and is turned back on.


This is not EEM. Keep it simple: use the config register.

So what you are saying is: if the switch powers up, someone drops a config. When the switch bounces, it erases the config. So why not have a config register of 0x2101?

jujj
Level 1

@Leo Laohoo The device may be powered off & on before the date that I want the switch to wipe on. Some customers have a requirement to join the network until X date - after that date, we want the configuration to be wiped. If the device is not powered up when that date hits, it should wipe when it is booted.

marce1000
VIP

 

 - The customer should be aware that these are not common requirements at all; doing this to a device in production may disturb the network and in the worst case lead to spanning-tree issues or even a loop (?). Wiping a config is an ICT-management task and should be positioned as such, meaning controlled or executed by an authorized person 'at all times', preferably on an offline device.

 M.





@Dan Frey thank you so much for the response. I was just able to get my lab back up and running at work to test this out. I am testing on a 3850. I did some research on EEM policies and cron (both of which I knew little) and believe I understand most, but please correct me if I am wrong.

- Your command block sets $epoch to 1653054540 - what does this number mean? I believe action 030 references $_event_pub_sec to be greater than $epoch, but I don't understand the significance of this number.

- event tag 1 timer cron cron-entry "49 1 20 5 *" sets event 1 timer to the 49th minute, 1st hour, 20th day, 5th month, any year

- event tag 2 - When does this trigger?

- action 040 & 050, \015 does not take so I had to add another cli command to confirm write erase, then /force in delete flash:vlan.dat.

 

 

However, if I set event tag 1 timer cron cron-entry to, say, "48 06 10 5 *", - at 06:48 on May 10, it triggers. However, it does enable, and that is it. I cannot transfer the logs over due to air gap & security reqs, however these are the debug output:

 

RIP: DEBUG(cli_lib) CTL : cli_open called.
RIP: DEBUG(cli_lib) OUT : Switch>
RIP: DEBUG(cli_lib) IN : Switch>enable
eem_no_scan flag set, skipping scan of command_string=enable
RIP: DEBUG(cli_lib) OUT : Switch#
RIP: DEBUG(cli_lib) CTL : cli_close called.
EEM callback policyt RIP has ended with normal exit status of 0x0

 

event manager environment epoch 1653054540
event manager applet RIP
 event tag 1 timer cron cron-entry "48 06 10 5 *"
 event tag 2 timer cron cron-entry "@reboot"
 trigger
  correlate event 1 or event 2
 action 010 cli command "enable"
 action 020 wait 1
 action 030 if $_event_pub_sec ge "$epoch"
 action 040  cli command "write erase"
 action 050  cli command "confirm"
 action 060  cli command "delete /force flash:vlan.dat"
 action 070  reload
 action 080 end

Thank you for the assistance and I am glad I can begin to work with EEM policies correctly. 

Hello,

 

the 'epoch' number is the number of seconds that have elapsed since January 1, 1970. You can use the site below to convert any current, past or future time to epoch format. So Dan's script sets an epoch (a specific date and time) and then compares the current time and date to that epoch number; if it is greater, the script will run...

 

https://www.epochconverter.com/

+5 for @Georg Pauwen, as I agree with Georg's comment. To add some additional context: the epoch value in the example I provided is May 10, 2022 at 1:49:00, which is exactly the same time as the cron (minus the year). Cron does not have a field for the year, but that's OK because the epoch does take the year into account. Tag 1 triggers the script to run at this time, which is needed for when the router is powered on. If this time passes by and the system is not powered on, the cron will not run when the device is powered back on, and that is what tag 2 is to address. Tag 2 will trigger the script to run after every reboot. Whichever tag triggers the script to run, it will always be checked whether the current epoch time ($_event_pub_sec) is greater than the time defined in the event manager environment epoch variable. If $_event_pub_sec is greater, then the if code block runs; otherwise no action is taken. If you wanted the script to run next year at May 10 2023 1:49:00, then tag 1 would remain the same and the epoch variable would need to be updated for that time.
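The two things that can silently break the applet above are the epoch and the cron entry naming different instants, and the device clock not being what you assume when action 030 runs. Both are easy to check off-box. The script below is an added example for this thread, not code from the posts or from Cisco: it derives the `event manager environment epoch` value and the cron entry from one cut-off instant expressed at the UTC offset the device clock is configured with (the value `clock timezone` sets, modelled here as a fixed offset), renders the applet text in the form the original poster reported working, and checks whether an existing cron/epoch pair actually names the same minute. One concrete result of that check: 1653054540 is 13:49:00 UTC on 20 May 2022, so it coincides with `49 1 20 5 *` only on a device whose clock reads 01:49 at that instant (a UTC-12 offset); on a UTC-clocked device the cron event would fire twelve hours before the epoch is reached and the `ge` test would fail. Generating both values from one datetime removes that class of mistake. The `wipe_fires` function is the bare action 030 comparison; it makes the other caveat obvious: a device that boots with an unset clock (no battery-backed clock, no NTP) publishes an early `_event_pub_sec` and will not wipe, while a clock set ahead wipes early.

```python
"""Generate and sanity-check the two-event EEM wipe applet from one cut-off instant.

Added example for this thread, not code from the original posts or from Cisco.
The applet text mirrors the version the original poster reported working;
the offset-aware epoch/cron generation and the consistency check are the addition.
"""
from datetime import datetime, timedelta, timezone


def _tz(utc_offset_hours):
    # The device compares $_event_pub_sec (seconds since 1970-01-01 UTC) against
    # $epoch, but the cron fields are matched against its local wall clock.
    # Model that clock as a fixed UTC offset (what 'clock timezone' configures;
    # adjust it yourself if 'clock summer-time' is in effect on the cut-off date).
    return timezone(timedelta(hours=utc_offset_hours))


def cutoff_epoch(year, month, day, hour, minute, utc_offset_hours=0):
    """Epoch seconds of the cut-off wall-clock time at the device's offset."""
    dt = datetime(year, month, day, hour, minute, tzinfo=_tz(utc_offset_hours))
    return int(dt.timestamp())


def cron_entry(month, day, hour, minute):
    """EEM cron-entry field order: minute hour day-of-month month day-of-week."""
    return f"{minute} {hour} {day} {month} *"


def cron_matches_epoch(cron, epoch, utc_offset_hours=0):
    """True when the cron fields name the same wall-clock minute as the epoch
    on a device clock at the given offset, i.e. the two events cannot disagree."""
    dt = datetime.fromtimestamp(epoch, _tz(utc_offset_hours))
    minute, hour, day, month, _dow = cron.split()
    return (int(minute), int(hour), int(day), int(month)) == (
        dt.minute, dt.hour, dt.day, dt.month,
    )


def wipe_fires(event_pub_sec, epoch):
    """Action 030 in the applet: whichever event published (cron or @reboot),
    wipe only if the device's current epoch time is at or past the cut-off.
    An unset clock (no RTC, no NTP) reports an early time and therefore never wipes."""
    return event_pub_sec >= epoch


def eem_applet(year, month, day, hour, minute, utc_offset_hours=0, name="RIP"):
    """Render the applet with epoch and cron derived from the same instant."""
    epoch = cutoff_epoch(year, month, day, hour, minute, utc_offset_hours)
    cron = cron_entry(month, day, hour, minute)
    lines = [
        f"event manager environment epoch {epoch}",
        f"event manager applet {name}",
        f' event tag 1 timer cron cron-entry "{cron}"',
        ' event tag 2 timer cron cron-entry "@reboot"',
        " trigger",
        "  correlate event 1 or event 2",
        ' action 010 cli command "enable"',
        " action 020 wait 1",
        ' action 030 if $_event_pub_sec ge "$epoch"',
        ' action 040  cli command "write erase"',
        ' action 050  cli command "confirm"',
        ' action 060  cli command "delete /force flash:vlan.dat"',
        " action 070  reload",
        " action 080 end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Cut-off: 20 May 2022 01:49 on a device whose clock is set to UTC.
    print(eem_applet(2022, 5, 20, 1, 49))
```

Paste the printed block into the device, then confirm with `show clock` that the device clock really is at the offset you passed in; if the site uses `clock summer-time`, pass the offset that will be in effect on the cut-off date, not the standard-time one.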

 

Amazing explanation from both of you - I read up on it last night and began to understand. This was a huge requirement of my team and will be extremely useful.

 

I tested the script in several ways and it works perfectly. I appreciate you so much!
