Script to Add port security based on VLAN number

Pete89 · ‎09-29-2016

We have a bunch of c3650s all running 03.06.04.E IOS-XE.

We also have a lot of 3560s all running on 15.0(2)SE9

We would like to add port security on interfaces in certain VLANs but not all VLANs. So, if the interface has

switchport access vlan 31, 41 or 51

we would want to add this:

Switchport port-security maximum 15
Switchport port-security aging type inactivity
Switchport port-security aging time 5
Switch port-security

to the interface.

Brand new to tcl. Looking for the script that would later be used by SolarWinds to execute it.

Any help would be very appreciated!!!

P.

Dan Frey · ‎09-30-2016

This should do what you requested. Paste this in starting in enable mode.

!=======

tclsh

set ports [exec sh int status | exclude trunk]

foreach line [split $ports "\n"] {

if [regexp {^([A-Za-z0-9]+\/[0-9\/]+)\s+.*( 31 | 41 | 51 )} $line match port vlan] {

puts "$port in vlan $vlan added to port security"

ios_config "interface $port" "switchport port-security maximum 15"

ios_config "interface $port" "switchport port-security aging type inactivity"

ios_config "interface $port" "switchport port-security aging time 5"

ios_config "interface $port" "switchport port-security"

}

!========

Pete89 · ‎09-30-2016

Wow!

This is almost working the way we want it. The only problem is when the trunk interface is not up but configured, security gets added.

We are close!

Dan Frey · ‎09-30-2016

Can you share the output of "show int status | exclude trunk" when trunk interface is not up but configured?

Pete89 · ‎09-30-2016

Here you go:

Gi0/2 THIS WORKED notconnect 3 auto auto 10/100/1000BaseTX

Gi0/3 THIS WORKED notconnect 3 auto auto 10/100/1000BaseTX

Gi0/4 THIS WORKED notconnect 3 auto auto 10/100/1000BaseTX

Gi0/5 THIS WORKED notconnect 50 auto auto 10/100/1000BaseTX

Gi0/6 THIS WORKED notconnect 50 auto auto 10/100/1000BaseTX

Gi0/7 THIS WORKED notconnect 50 auto auto 10/100/1000BaseTX

Gi0/8 THIS WORKED notconnect 50 auto auto 10/100/1000BaseTX

Gi0/10 TRUNK notconnect 1 auto auto Not Present

Dan Frey · ‎09-30-2016

OK, the trunk link shows up in vlan 1 when its not up. Need to update the show command to exclude this link.

set ports [exec sh int status | exclude trunk|TRUNK|Not Present]

all else remains the same.

Pete89 · ‎09-30-2016

We tweaked it a little more because ports with no config at all were getting port security added to them:

tclsh
set ports [exec sh int status | ex ( notconnect +1 )|trunk ]
foreach line [split $ports "\n"] {
if [regexp {^([A-Za-z0-9]+\/[0-9\/]+)\s+.*( 3 | 4 | 5 | 6 | 7 | 11 | 50 )} $line match port vlan] {
puts "$port in vlan $vlan added to port security"
ios_config "interface $port" "Switchport port-security maximum 15" "Switchport port-security aging type inactivity" "Switchport port-security aging time 5" "interface $port" "Switch port-security"

}

}

tclquit

Daniel, thanks so much. You got us on the right track. THANK YOU !!

Pete89 · ‎09-30-2016

We aint out of the woods yet. When I dump the above script on a switch it does not come out of the tcl shell:

It just stays like so:

switch01(tcl)#

It's as though it does not see the tclquit command. I have tried exit and still cant get it back to this:

switch01#

This has to be something simple.

Dan Frey · ‎10-03-2016

Is there an error message displayed? tclquit or exit should work.

Pete89 · ‎10-03-2016

Daniel,

Here is the output:

CPAV-GRZ.83#tclsh
CPAV-GRZ.83(tcl)#set ports [exec sh int status | ex ( notconnect +1 )|trunk ]

Port      Name               Status       Vlan       Duplex Speed Type
Gi0/1     Gartner            notconnect   3            auto   auto 10/100/1000BaseTX
Gi0/2     Gartner            notconnect   3            auto   auto 10/100/1000BaseTX
Gi0/3     Gartner            notconnect   3            auto   auto 10/100/1000BaseTX
Gi0/4     Gartner            notconnect   3            auto   auto 10/100/1000BaseTX
Gi0/5     Gartner            notconnect   3            auto   auto 10/100/1000BaseTX
Gi0/6     Gartner            notconnect   3            auto   auto 10/100/1000BaseTX
Gi0/7     Gartner            notconnect   3            auto   auto 10/100/1000BaseTX
Gi0/8     AP                 notconnect   50           auto   auto 10/100/1000BaseTX

CPAV-GRZ.83(tcl)#foreach line [split $ports "\n"] {
+> if [regexp {^([A-Za-z0-9]+\/[0-9\/]+)\s+.*( 3 | 4 | 5 | 6 | 7 | 11 | 50 )} $line match port vlan] {
+> puts "$port in vlan $vlan added to port security"
+>$g "interface $port" "Switchport port-security maximum 15" "Switchport port-security aging type inactivity" "Switchport port-security aging time 5" "interface $port" "Switch port-security"
+>
+>}
+>
+>}
Gi0/1 in vlan 3 added to port security
Gi0/2 in vlan 3 added to port security
Gi0/3 in vlan 3 added to port security
Gi0/4 in vlan 3 added to port security
Gi0/5 in vlan 3 added to port security
Gi0/6 in vlan 3 added to port security
Gi0/7 in vlan 3 added to port security
Gi0/8 in vlan 50 added to port security

CPAV-GRZ.83(tcl)#

That is a copy/paste from the same version of the script above.

Thanks!

Pete89 · ‎10-06-2016

Hello,

Really stuck on this one. The above script will not leave the tclshell which makes using it with Solarwinds a deal breaker because it just times out.

Like I said before it is like the switch doesnt even see the tclquit command

Any help on this is much appreciated.