Make your devices more foolproof with EEM

One possible application of Cisco Embedded Event Manager (EEM) applets is protecting your network from failures caused by human error. This can be done by blocking certain CLI patterns before the command is executed.

One case I ran into was a campus LAN with large layer-2 domains. It was not uncommon for a technician who wanted to add a new VLAN to a trunk to type switchport trunk allowed vlan <VLAN#>, which replaces the whole allowed list with that single VLAN and disrupts communication for all the other VLANs across that trunk.

I came up with this applet:

event manager applet no_allow_vlan
 ! Match any CLI line containing this regex; "sync no skip yes" drops the command instead of running it
 event cli pattern "switchport trunk allowed vlan [1-9]" sync no skip yes
 ! Leave a trace in syslog so the dropped command can be found later
 action 1.0 syslog priority warnings msg "*** ATTEMPT TO RUN SWITCHPORT ALLOW VLAN WITHOUT ADD ***"

It blocks switchport trunk allowed vlan <VLAN#> while still allowing switchport trunk allowed vlan add <VLAN#> and switchport trunk allowed vlan remove <VLAN#>, because in those forms the word after "vlan" does not start with a digit. Note that the pattern also lets switchport trunk allowed vlan all, none and except <VLAN#> through; none and except replace the allowed list just as a bare VLAN number does, so extend the regex if you want those caught as well. With sync no skip yes the command is dropped rather than rejected with an error, so the syslog message is the trace to look for when a VLAN silently fails to appear on a trunk.
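Before deploying a pattern like this it is worth checking exactly which command forms it catches and which it lets through. The script below is an added example, not part of the original post or a Cisco tool: it uses Python's re module as a stand-in for the IOS regex engine (an assumption; verify on your platform, including how abbreviated input such as "sw tr al vl 10" is matched), applies the page's pattern to a constructed list of commands, and also tries an extended pattern (my own, not from the page) that additionally catches the list-replacing none and except forms while still allowing add, remove and all.

```python
import re

# The pattern exactly as used in the applet on this page.
ORIGINAL_PATTERN = r"switchport trunk allowed vlan [1-9]"

# Extended pattern (assumption, not from the page): also catch "none" and
# "except ...", which replace the allowed list, while "add", "remove" and
# "all" still fall through. Plain (a|b) grouping is used on purpose because
# that is the alternation syntax IOS regexes support.
EXTENDED_PATTERN = r"switchport trunk allowed vlan ([1-9]|none|except)"


def is_blocked(command: str, pattern: str = ORIGINAL_PATTERN) -> bool:
    """True if the EEM 'event cli pattern' regex would match this CLI line.

    'event cli pattern' is an unanchored substring match, so re.search is
    used rather than re.fullmatch. Python's re engine stands in for the IOS
    regex engine here (assumption; confirm on the device).
    """
    return re.search(pattern, command.strip()) is not None


def classify(commands, pattern: str = ORIGINAL_PATTERN) -> dict:
    """Map each command to whether the applet would skip it."""
    return {cmd: is_blocked(cmd, pattern) for cmd in commands}


def unblocked_list_replacers(commands, pattern: str = ORIGINAL_PATTERN) -> list:
    """Commands that replace the allowed-VLAN list yet are NOT caught by the pattern.

    A command replaces the list when the word after "vlan" is a VLAN number,
    "none" or "except"; "add", "remove" and "all" do not wipe existing VLANs.
    """
    replacer = re.compile(r"switchport trunk allowed vlan ([0-9]|none|except)")
    return [
        cmd for cmd in commands
        if replacer.search(cmd.strip()) and not is_blocked(cmd, pattern)
    ]


# Constructed sample of what a technician might type (not from the page).
SAMPLE_COMMANDS = [
    "switchport trunk allowed vlan 10",
    "switchport trunk allowed vlan 10,20,30",
    "switchport trunk allowed vlan add 10",
    "switchport trunk allowed vlan remove 10",
    "switchport trunk allowed vlan all",
    "switchport trunk allowed vlan none",
    "switchport trunk allowed vlan except 10",
]

if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL_PATTERN), ("extended", EXTENDED_PATTERN)):
        print(f"--- {name} pattern: {pat}")
        for cmd, blocked in classify(SAMPLE_COMMANDS, pat).items():
            print(f"{'BLOCKED' if blocked else 'allowed':8} {cmd}")
        print("list-replacing commands that slip through:",
              unblocked_list_replacers(SAMPLE_COMMANDS, pat))
```

Running it shows that the original pattern lets none and except 10 through even though both wipe the existing allowed list, while the extended pattern catches them and still allows add, remove and all. Whatever pattern you settle on, test it on a lab switch first: the regex is matched by the device, not by Python.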