Can you disable the reload command?

Someone has recently asked an interesting question - can you disable the reload command? Although I would strongly discourage you from doing that (after all, every router I've ever worked on since a venerable MGS running IOS 10.0 had to be reloaded every now and then), here's what you can do:

  • define an alias for the reload command that does something else. For example, alias exec reload show ip interface brief. While this would remind a careless operator, it would still not prevent someone using an abbreviation like relo to reload the device.
  • Use TACACS+ command accounting and disable the reload command on the TACACS+ server. The benefit of this approach is that you can do it on user-by-user basis ... but of course you need TACACS+ server, RADIUS will not do.
  • Disable the reload command with the Embedded Event Manager applet.
The applet to disable the reload command would be similar to this one:
event manager applet NoReload
 event cli pattern "reload" sync no skip yes
 action 1.0 syslog priority errors msg "Cannot reload this router"
Note: this article is part of You've asked for it series.

Posted by Ivan Pepelnjak on Sunday, March 11, 2007

Labels: ,

0 comments:

Subscribe to: Post Comments (Atom)
Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.