TCL Scripting to change the command 'clear crypto session'

jroussy
Level 1

Hi everyone,

I've been asked to create a TCL script to block the command 'clear crypto session' if the user didn't add the 'remote xx.xx.xx.xx', to prevent someone from clearing all the sessions by mistake.

And to be quite frank, I do not really know where to begin. I tried to find TCL scripts similar to that, but I didn't find any. And I've never used TCL before...

Thanks


Joe Clarke
Cisco Employee

You don't necessarily need Tcl for this.  An applet like this would work:

event manager applet no-clear-crypto
 event cli pattern "^clear crypto session\s*$" sync yes
 action 1.0 puts "The 'clear crypto session' cannot be run without an argument."
 action 2.0 exit 0

This applet requires EEM 3.0, but a similar one could be made for earlier versions.

Thanks for the quick answer,

I will test this today, if I can, and let you know if it worked!

Thanks again!

It's not working... I upgraded the IOS to have 12.4 and not 12.3, but it doesn't take the commands action xxx puts and action xxx exit. Right now I have IOS Version 12.4(15)T13.

You'll need to upgrade to 12.4(22)T or higher:

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_overview_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1070259

"EEM 3.0 is supported in Cisco IOS Release 12.4(22)T, 12.2(33)SRE, and later releases."

Yeah... That's what I found.

Thanks, I will try 124-25c.

Still not working... And I have the latest IOS: System image file is "flash:c2600-adventerprisek9-mz.124-25c.bin", but it seems this is not supported on 2651XM...

(config-applet)#action 100 ?
  cli               Execute a CLI command
  cns-event         Send a CNS event
  counter           Modify a counter value
  force-switchover  Force a software switchover
  info              Obtain system specific information
  mail              Send an e-mail
  policy            Run a pre-registered policy
  publish-event     Publish an application specific event
  reload            Reload system
  snmp-trap         Send an SNMP trap
  syslog            Log a syslog message

Joe Clarke
Cisco Employee

In order to get EEM 3.0 support, you need 12.4(22)T (the 'T' is important).  You still have mainline, so you only have EEM 2.1.  If you need to run mainline, that's not a problem, I can cook you up a Tcl script to do what you need.  If you're okay with another upgrade, move to 12.4(22)T or 15.0, and the applet will work for you.

That's where I have a problem... I don't find IOS 12.4(22)T for 2651XM...

Ah, a 2651.  That platform can only run up to 12.4(15)T which only gives you EEM 2.3.  There are improvements there, but not enough functionality for the applet policy.  I'll convert the policy to Tcl, and upload the file.

Here you go.  Copy this file to a directory on the device's local flash (e.g. flash:/policies), then do:

Router(config)#event manager directory user policy flash:/policies

Router(config)#event manager policy cl_no_clear_crypto.tcl

Then test away.
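
For readers without the attachment, here is an added example of a Tcl policy for this guard. It is not the cl_no_clear_crypto.tcl file from the post above, and it is stricter than the applet: following the original request, it lets the command through only when it carries 'remote' plus an IPv4 address. The regular expressions and syslog text are assumptions; the exit convention (0 suppresses the command, as in the applet's 'exit 0') is what decides whether IOS runs it.

```tcl
::cisco::eem::event_register_cli sync yes pattern "^clear crypto session"

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# Added example, not the policy attached to the thread.
# With "sync yes" the CLI waits for this policy to finish:
#   exit 0 -> the command is NOT executed
#   exit 1 -> the command is executed as typed

# For a CLI event, event_reqinfo returns the command in "msg".
# The pattern is matched against the fully expanded command, so an
# abbreviated form still triggers this policy.
array set arr_einfo [event_reqinfo]

# Fail closed: if the event details cannot be read, block the command
# rather than risk clearing every session.
if {![info exists arr_einfo(msg)]} {
    action_syslog priority warning msg "clear crypto session blocked: could not read CLI event details"
    exit 0
}

set cmd [string trim $arr_einfo(msg)]

# Allow only the form that names a single peer (assumed requirement from
# the original question: 'remote xx.xx.xx.xx').
set allowed {^clear crypto session remote [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+}
if {[regexp $allowed $cmd]} {
    exit 1
}

# Anything else (bare command or other arguments) is refused and logged
# so the attempt shows up in the device log.
action_syslog priority warning msg "Blocked '$cmd': use 'clear crypto session remote <ip-address>'"
exit 0
```

The pattern avoids `\s` and brackets on the registration line because that line is written inside Tcl double quotes; the stricter matching is done in the braced Tcl regular expression instead.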

Hi Joe!

I did it, it seems to work! I will do one final test maybe this afternoon and be back to give feedback!

Thanks again for your help!!

Perfect!!

Thank you very much!!

Do you have some web page to give me so I can learn to do this kind of script?

Thanks again!!

There is the main documentation page at http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_overview_ps10592_TSD_Products_Configuration_Guide_Chapter.html .  Then there is the CiscoBeyond site which offers a nice repository of Cisco and user-contributed scripts at http://www.cisco.com/go/ciscobeyond .  There is also a partner, Progrizon, which offers a free policy building tool to help get you started with applet and Tcl scripting.

Thanks a lot!
