Script to Add port security based on VLAN number

Pete89
Level 2

We have a bunch of c3650s all running 03.06.04.E IOS-XE.

We also have a lot of 3560s all running on 15.0(2)SE9

We would like to add port security on interfaces in certain VLANs but not all VLANs. So, if the interface has

switchport access vlan 31, 41 or 51

we would want to add this:

switchport port-security maximum 15
switchport port-security aging type inactivity
switchport port-security aging time 5
switchport port-security

to the interface.

Brand new to tcl. Looking for the script that would later be used by SolarWinds to execute it.

Any help would be very appreciated!!!

P.

10 Replies

Dan Frey
Cisco Employee

This should do what you requested.  Paste this in starting in enable mode.

!=======
tclsh
set ports [exec sh int status | exclude trunk]
foreach line [split $ports "\n"] {
  if [regexp {^([A-Za-z0-9]+\/[0-9\/]+)\s+.*( 31 | 41 | 51 )} $line match port vlan] {
    puts "$port in vlan $vlan added to port security"
    ios_config "interface $port" "switchport port-security maximum 15"
    ios_config "interface $port" "switchport port-security aging type inactivity"
    ios_config "interface $port" "switchport port-security aging time 5"
    ios_config "interface $port" "switchport port-security"
  }
}
!========

Wow!

This is almost working the way we want it. The only problem is when the trunk interface is not up but configured, security gets added.

We are close!

Can you share the output of "show int status | exclude trunk" when trunk interface is not up but configured?    

Here you go:

Gi0/2     THIS WORKED        notconnect   3            auto   auto 10/100/1000BaseTX
Gi0/3     THIS WORKED        notconnect   3            auto   auto 10/100/1000BaseTX
Gi0/4     THIS WORKED        notconnect   3            auto   auto 10/100/1000BaseTX
Gi0/5     THIS WORKED        notconnect   50           auto   auto 10/100/1000BaseTX
Gi0/6     THIS WORKED        notconnect   50           auto   auto 10/100/1000BaseTX
Gi0/7     THIS WORKED        notconnect   50           auto   auto 10/100/1000BaseTX
Gi0/8     THIS WORKED        notconnect   50           auto   auto 10/100/1000BaseTX
Gi0/10    TRUNK              notconnect   1            auto   auto Not Present

OK, the trunk link shows up in vlan 1 when it's not up. Need to update the show command to exclude this link.

set ports [exec sh int status | exclude trunk|TRUNK|Not Present]

all else remains the same.  

We tweaked it a little more because ports with no config at all were getting port security added to them:

tclsh
set ports [exec sh int status | ex ( notconnect +1 )|trunk ]
foreach line [split $ports "\n"] {
  if [regexp {^([A-Za-z0-9]+\/[0-9\/]+)\s+.*( 3 | 4 | 5 | 6 | 7 | 11 | 50 )} $line match port vlan] {
    puts "$port in vlan $vlan added to port security"
    ios_config "interface $port" "switchport port-security maximum 15" "switchport port-security aging type inactivity" "switchport port-security aging time 5" "interface $port" "switchport port-security"
  }
}
tclquit

Daniel, thanks so much. You got us on the right track. THANK YOU !!
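An added example, not code from the thread, from Cisco or from SolarWinds: an offline Python model of the selection logic the Tcl script performs on the switch, so the VLAN and trunk filtering can be tested against captured "show interfaces status" text before any configuration is pushed. The sample output, port names and VLANs below are constructed, laid out like the lines quoted in this thread. It parses by the header's column offsets instead of a line-wide regex, which handles the two cases the thread ran into (a down trunk or unconfigured port sitting in VLAN 1, and ports showing "trunk") and also avoids a pitfall of the `.*( 3 | 4 ... )` regex: a port description such as "Room 50 desk" would match " 50 " even though the port is in another VLAN. The `exec` and `ios_config` calls stay in Tcl on the switch; this only produces the config text a push tool would apply.

```python
import re

# Constructed sample of "show interfaces status" output, formatted like the
# lines quoted in the thread. Every port, description and VLAN is made up.
SAMPLE_SHOW_INT_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   Gartner            connected    3            a-full a-1000 10/100/1000BaseTX
Gi1/0/2   AP                 connected    50           a-full a-1000 10/100/1000BaseTX
Gi1/0/3                      notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/4   Printer            notconnect   11           auto   auto 10/100/1000BaseTX
Gi1/0/5   Uplink             connected    trunk        a-full a-1000 10/100/1000BaseTX
Gi1/0/6   TRUNK              notconnect   1            auto   auto Not Present
Gi1/0/7   Room 50 desk       connected    99           a-full a-100 10/100/1000BaseTX
Gi1/0/8   Lab                connected    7            a-full a-1000 10/100/1000BaseTX
Te1/1/1                      notconnect   1            auto   auto Not Present
"""

# VLANs that should receive port security (the set used in the tweaked script).
TARGET_VLANS = {"3", "4", "5", "6", "7", "11", "50"}

# Per-interface commands the thread applies.
PORT_SECURITY_CMDS = [
    "switchport port-security maximum 15",
    "switchport port-security aging type inactivity",
    "switchport port-security aging time 5",
    "switchport port-security",
]


def parse_show_int_status(text):
    """Split show-int-status output into dicts using the header's column offsets.

    Only the Name column may contain spaces, so the header tells us where Name
    starts and ends; everything to the right of it is whitespace separated.
    """
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0]
    name_start = header.index("Name")
    status_start = header.index("Status")
    rows = []
    for line in lines[1:]:
        rest = line[status_start:].split()
        if len(rest) < 2:
            continue  # truncated or malformed line: ignore rather than guess
        rows.append({
            "port": line[:name_start].strip(),
            "name": line[name_start:status_start].strip(),
            "status": rest[0],
            "vlan": rest[1],
        })
    return rows


def select_ports(rows, target_vlans=TARGET_VLANS):
    """Return (port, vlan) pairs for access ports whose VLAN is targeted.

    Skips trunks (Vlan column reads "trunk") and ports that are down and still
    in the default VLAN 1, which is how both an unconfigured port and a down
    trunk appeared in the thread's output.
    """
    selected = []
    for r in rows:
        if r["vlan"].lower() in ("trunk", "routed"):
            continue
        if r["status"] == "notconnect" and r["vlan"] == "1":
            continue
        if r["vlan"] in target_vlans:
            selected.append((r["port"], r["vlan"]))
    return selected


def render_config(selected, cmds=PORT_SECURITY_CMDS):
    """Emit the IOS configuration block a push tool would apply."""
    out = []
    for port, _vlan in selected:
        out.append(f"interface {port}")
        out.extend(f" {c}" for c in cmds)
    return "\n".join(out)


# The thread's regex transcribed to Python for comparison. Because ".*" spans
# the Name column, a description containing " 50 " matches as if it were the
# VLAN column.
NAIVE_RE = re.compile(r"^([A-Za-z0-9]+/[0-9/]+)\s+.*( 3 | 4 | 5 | 6 | 7 | 11 | 50 )")


def naive_select(text):
    """Ports the line-wide regex would pick, false positives included."""
    hits = []
    for line in text.splitlines():
        m = NAIVE_RE.match(line)
        if m:
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    rows = parse_show_int_status(SAMPLE_SHOW_INT_STATUS)
    chosen = select_ports(rows)
    print("column-aware:", chosen)
    print("naive regex: ", naive_select(SAMPLE_SHOW_INT_STATUS))
    print(render_config(chosen))
```

Running it shows the column-aware parser selecting Gi1/0/1, Gi1/0/2, Gi1/0/4 and Gi1/0/8 only, while the transcribed regex also picks Gi1/0/7 because of its description. Feeding the output of `show interfaces status` from a switch into `parse_show_int_status` is a cheap way to review exactly which interfaces a run would touch before letting an automated job apply the commands.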

We ain't out of the woods yet. When I dump the above script on a switch it does not come out of the tcl shell:

It just stays like so:

switch01(tcl)#

It's as though it does not see the tclquit command. I have tried exit and still can't get it back to this:

switch01#

This has to be something simple.

Is there an error message displayed?   tclquit or exit should work.

Daniel,

Here is the output:

CPAV-GRZ.83#tclsh             
CPAV-GRZ.83(tcl)#set ports [exec sh int status | ex ( notconnect +1 )|trunk ]

Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1     Gartner            notconnect   3            auto   auto 10/100/1000BaseTX
Gi0/2     Gartner            notconnect   3            auto   auto 10/100/1000BaseTX
Gi0/3     Gartner            notconnect   3            auto   auto 10/100/1000BaseTX
Gi0/4     Gartner            notconnect   3            auto   auto 10/100/1000BaseTX
Gi0/5     Gartner            notconnect   3            auto   auto 10/100/1000BaseTX
Gi0/6     Gartner            notconnect   3            auto   auto 10/100/1000BaseTX
Gi0/7     Gartner            notconnect   3            auto   auto 10/100/1000BaseTX
Gi0/8     AP                 notconnect   50           auto   auto 10/100/1000BaseTX

CPAV-GRZ.83(tcl)#foreach line [split $ports "\n"] {
+>  if [regexp {^([A-Za-z0-9]+\/[0-9\/]+)\s+.*( 3 | 4 | 5 | 6 | 7 | 11 | 50 )} $line match port vlan] {       
+>  puts "$port in vlan $vlan added to port security"
+>$g "interface $port" "Switchport port-security maximum 15" "Switchport port-security aging type inactivity" "Switchport port-security aging time 5" "interface $port" "Switch port-security"   
+>
+>}
+>
+>}
Gi0/1 in vlan  3  added to port security
Gi0/2 in vlan  3  added to port security
Gi0/3 in vlan  3  added to port security
Gi0/4 in vlan  3  added to port security
Gi0/5 in vlan  3  added to port security
Gi0/6 in vlan  3  added to port security
Gi0/7 in vlan  3  added to port security
Gi0/8 in vlan  50  added to port security

CPAV-GRZ.83(tcl)#

That is a copy/paste from the same version of the script above.

Thanks!

Hello,

Really stuck on this one. The above script will not leave the tcl shell, which makes using it with SolarWinds a deal breaker because it just times out.

Like I said before, it is like the switch doesn't even see the tclquit command.

Any help on this is much appreciated.
