Disable "reload" using EEM

Although it is not recommended, the reload command can be disabled on the router. Possible ways are:

    • Using AAA command accounting/authorization on the TACACS+ server on a per-user basis
    • Using an alias to map reload to something harmless, such as alias exec reload show ip route. However, the abbreviated form reloa bypasses this alias and still reloads the router.
    • Using EEM

Here, a short EEM script is used to disable the reload command.

EEM configuration

event manager applet NO_RELOAD
 event cli pattern "reload" sync no skip yes occurs 1
 action 1.0 syslog msg "$_cli_msg command attempted, but not executed"
!

The event cli pattern command specifies the event criteria for an EEM policy that is triggered by matching a CLI command; the pattern is a regular expression matched against the command line entered.

The sync keyword specifies whether the policy runs synchronously, that is, before the matched CLI command is allowed to execute.

The skip keyword indicates whether the matched command is skipped (skip yes) or still executed (skip no).

The occurs keyword indicates how many matches are required before the EEM event is triggered.

TIP

The action <label> set _exit_status <value> statement sets the EEM applet variable _exit_status. If _exit_status is set to 0, the matched command is not executed; if it is set to 1, the command is executed.

This can be used if skip is set to no.
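The synchronous variant that the TIP describes, written out as an added example rather than the applet from the original post. It assumes the applet name NO_RELOAD_SYNC and uses sync yes, the form under which _exit_status is evaluated; the pattern is anchored with ^ so only command lines that begin with reload are matched.

```cisco
! Added example: block reload by running the policy before the command (sync yes)
! and refusing it via _exit_status, instead of sync no skip yes.
event manager applet NO_RELOAD_SYNC
 ! Anchored regex: match command lines starting with "reload", e.g. "reload", "reload in 5"
 event cli pattern "^reload" sync yes
 ! Log the attempted command ($_cli_msg is the CLI event detector's built-in variable)
 action 1.0 syslog priority warnings msg "$_cli_msg command attempted, blocked by EEM"
 ! 0 = do not execute the matched command, 1 = let it run
 action 2.0 set _exit_status 0
!
```

Because the policy runs synchronously, the command waits for the applet to finish and is then dropped; the %HA_EM-6-LOG line in the router log is what a defender should watch for.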

Test run:

When the administrator attempts a reload, the EEM event triggers but the applet skips the command.

Output

Router# reload
Router#
*Mar 1 00:29:06.171: %HA_EM-6-LOG: NO_RELOAD: reload command attempted, but not executed