TCL Scripting to change the command 'clear crypto session'

Answered Question

Hi everyone,

I've been asked to create a TCL script to block the command 'clear crypto session' if the user didn't add the 'remote xx.xx.xx.xx', to prevent someone from clearing all the sessions by mistake.

And to be quite frank, I do not really know where to begin. I tried to find TCL scripts similar to that, but I did not find any. And I've never used TCL before...

Thanks

Joe Clarke Wed, 04/28/2010 - 12:56
User Badges: Cisco Employee, Hall of Fame, Founding Member

You don't need Tcl for this necessarily.  An applet like this would work:


event manager applet no-clear-crypto
 event cli pattern "^clear crypto session\s*$" sync yes
 action 1.0 puts "The 'clear crypto session' cannot be run without an argument."
 action 2.0 exit 0


This applet requires EEM 3.0, but a similar one could be made for earlier versions.

Still not working... And I have the latest IOS: System image file is "flash:c2600-adventerprisek9-mz.124-25c.bin", but it seems this is not supported on 2651Xm...


(config-applet)#action 100 ?
  cli               Execute a CLI command
  cns-event         Send a CNS event
  counter           Modify a counter value
  force-switchover  Force a software switchover
  info              Obtain system specific information
  mail              Send an e-mail
  policy            Run a pre-registered policy
  publish-event     Publish an application specific event
  reload            Reload system
  snmp-trap         Send an SNMP trap
  syslog            Log a syslog message

Joe Clarke Thu, 04/29/2010 - 11:37

In order to get EEM 3.0 support, you need 12.4(22)T (the 'T' is important).  You still have mainline, so you only have EEM 2.1.  If you need to run mainline, that's not a problem, I can cook you up a Tcl script to do what you need.  If you're okay with another upgrade, move to 12.4(22)T or 15.0, and the applet will work for you.

Joe Clarke Thu, 04/29/2010 - 12:50

Ah, a 2651.  That platform can only run up to 12.4(15)T which only gives you EEM 2.3.  There are improvements there, but not enough functionality for the applet policy.  I'll convert the policy to Tcl, and upload the file.

Correct Answer
Joe Clarke Thu, 04/29/2010 - 15:43

Here you go.  Copy this file to a directory on the device's local flash (e.g. flash:/policies), then do:


Router(config)#event manager directory user policy flash:/policies
Router(config)#event manager policy cl_no_clear_crypto.tcl


Then test away.

Correct Answer
Joe Clarke Mon, 05/03/2010 - 08:24

There is the main documentation page at http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_overview_ps10592_TSD_Products_Configuration_Guide_Chapter.html .  Then there is the CiscoBeyond site which offers a nice repository of Cisco and user-contributed scripts at http://www.cisco.com/go/ciscobeyond .  There is also a partner, Progrizon, which offers a free policy building tool to help get you started with applet and Tcl scripting.
