Joe Clarke
Cisco Employee

This year at CiscoLive! in Orlando, we had four potential management networks on which our access switches (3750-X and 3560CG) could be deployed.  To aid with the provisioning of switches on these networks, I used Cisco Prime LMS to deploy the following applet.  This example applet kicks off at reboot and then attempts to ping one of two default gateways after enabling their respective interfaces.  When the applet finds the right gateway, it will reconfigure itself for that network.  This applet worked 100% of the time for us, and made deployment of new switches much easier.  Enjoy!

event manager applet bootstrap authorization bypass
 event timer cron cron-entry "@reboot" maxrun 200
 action 001  cli command "enable"
 action 002  cli command "config t"
 action 003  cli command "int vlan1111"
 action 004  cli command "shut"
 action 005  cli command "int vlan111"
 action 006  cli command "no shut"
 action 0061 cli command "int vlan 551"
 action 0062 cli command "shut"
 action 007  cli command "end"
 action 008  wait 60
 action 009  cli command "ping 10.11.0.1"
 action 010  regexp "!" "$_cli_result"
 action 011  if $_regexp_result eq "1"
 action 012   cli command "config t"
 action 013   cli command "ntp server 63.231.220.15 source Vlan111"
 action 014   cli command "snmp-server trap-source Vlan111"
 action 015   cli command "aaa group server tacacs+ ACS"
 action 016   cli command "ip tacacs source-interface Vlan111"
 action 017   cli command "no energywise domain"
 action 018   cli command "energywise domain OCCC security shared-secret 0 XXXX protocol udp port 43440 interface Vlan111"
 action 020   cli command "energywise management security shared-secret 0 XXXX"
 action 021   cli command "energywise allow query save"
 action 022   cli command "energywise endpoint security none"
 action 023   cli command "ip telnet source-interface Vlan111"
 action 024   cli command "ip ftp source-interface Vlan111"
 action 025   cli command "ip ssh source-interface Vlan111"
 action 026   cli command "logging source-interface Vlan111"
 action 027   cli command "ip default-gateway 10.11.0.1"
 action 028   syslog msg "Bootstrapping complete from Vlan1111 to Vlan111"
 action 030   cli command "end"
 action 031  else
 action 032   cli command "config t"
 action 033   cli command "int vlan111"
 action 034   cli command "shut"
 action 035   cli command "int vlan551"
 action 036   cli command "no shut"
 action 037   cli command "end"
 action 0371  wait 60
 action 038   cli command "ping 10.50.51.1"
 action 039   regexp "!" "$_cli_result"
 action 040   if $_regexp_result eq "1"
 action 041    cli command "config t"
 action 042    cli command "ntp server 63.231.220.15 source Vlan551"
 action 043    cli command "snmp-server trap-source Vlan551"
 action 044    cli command "aaa group server tacacs+ ACS"
 action 045    cli command "ip tacacs source-interface Vlan551"
 action 046    cli command "no energywise domain"
 action 047    cli command "energywise domain OCCC security shared-secret 0 XXXX protocol udp port 43440 interface Vlan551"
 action 049    cli command "energywise management security shared-secret 0 XXXX"
 action 050    cli command "energywise allow query save"
 action 051    cli command "energywise endpoint security none"
 action 052    cli command "ip telnet source-interface Vlan551"
 action 053    cli command "ip ftp source-interface Vlan551"
 action 054    cli command "ip ssh source-interface Vlan551"
 action 055    cli command "logging source-interface Vlan551"
 action 056    cli command "ip default-gateway 10.50.51.1"
 action 057    syslog msg "Bootstrapping complete from Vlan1111 to Vlan551"
 action 059    cli command "end"
 action 061   else
 action 062    cli command "config t"
 action 063    cli command "int vlan111"
 action 064    cli command "shut"
 action 065    cli command "int vlan1111"
 ! The posted applet selected Vlan1111 here without issuing a command; the "no shut" below is an assumed
 ! fix so the bootstrap SVI comes back up and the switch stays reachable when neither gateway answers.
 action 0651   cli command "no shut"
 action 066    cli command "int vlan551"
 action 067    cli command "shut"
 action 068    cli command "end"
 action 069    syslog msg "Failed to ping prod gateways; terminating bootstrap"
 action 070   end
 action 071  end

Comments
Bill CARTER
Level 5

Were VLAN 111 and VLAN 551 configured for DHCP?

Joe Clarke
Cisco Employee

No.  I had statically configured each VLAN SVI for an IP address from our IPAM solution.  Next year I will go with DHCP and PnP I think.

Jeremy Impson
Level 1

How hard would it be to read the configuration fragments for network 1 vs network 2 from files on flash. The tricky part would be setting which production gateway to ping for which fragment. Maybe put the whole thing in a while loop, then have a file name convention like this?

00-10.11.0.1.confg
01-10.50.51.1.confg

The leading number enforces a default search order, and the file endings let the while loop do (the equivalent of) 'open *.confg'. I *think* each fragment can have the appropriate shut/no shut commands in it.

I'm very new to EEM applets and haven't enough experience to know how difficult it would be to actually implement this.

Joe Clarke
Cisco Employee

You could do this.  You'd do something like:

cli command "more 00-10.11.0.1.config"
regexp "pattern" $_cli_result
if $_regexp_result eq 1
 ...
end

Of course, that's a rough outline of the approach.  This could be done in a loop so you didn't have as much code static in the config.  However, this was not desirable in my case as I didn't want to maintain a list of files on flash, and I couldn't assume any base network connectivity.
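The loop-based variant discussed above, written as an added example rather than Joe's applet or Jeremy's file-based version: the candidate networks are a single "vlan:gateway" list (the VLAN numbers and gateways are the ones from the thread), every candidate SVI is shut first, then each is brought up and its gateway pinged in list order until one answers. The applet name, the list format and the `maxrun` value are assumptions.

```ios
event manager applet bootstrap-loop authorization bypass
 event timer cron cron-entry "@reboot" maxrun 300
 ! candidate networks as "vlan:gateway" pairs, probed in this order (values from the thread)
 action 010 set nets "111:10.11.0.1,551:10.50.51.1"
 action 020 set found "none"
 action 030 cli command "enable"
 ! pass 1: shut every candidate SVI so only one network is live during each probe
 action 040 foreach net "$nets" ","
 action 041  regexp "^([0-9]+):" "$net" match vlan
 action 042  cli command "config t"
 action 043  cli command "interface vlan$vlan"
 action 044  cli command "shutdown"
 action 045  cli command "end"
 action 049 end
 ! pass 2: bring up one SVI at a time and ping its gateway; stop at the first that answers
 action 050 foreach net "$nets" ","
 action 051  regexp "^([0-9]+):(.+)$" "$net" match vlan gw
 action 052  cli command "config t"
 action 053  cli command "interface vlan$vlan"
 action 054  cli command "no shutdown"
 action 055  cli command "end"
 action 056  wait 30
 action 057  cli command "ping $gw"
 action 058  regexp "!" "$_cli_result"
 action 059  if $_regexp_result eq "1"
 action 060   set found "$vlan"
 action 061   cli command "config t"
 action 062   cli command "ip default-gateway $gw"
 action 063   cli command "ip tacacs source-interface Vlan$vlan"
 action 064   cli command "logging source-interface Vlan$vlan"
 action 065   cli command "end"
 action 066   syslog msg "Bootstrap: gateway $gw reachable via Vlan$vlan"
 action 067   break
 action 068  end
 ! this candidate did not answer: shut it again before trying the next one
 action 069  cli command "config t"
 action 070  cli command "interface vlan$vlan"
 action 071  cli command "shutdown"
 action 072  cli command "end"
 action 079 end
 action 080 if $found eq "none"
 action 081  syslog msg "Bootstrap: no candidate gateway reachable; all candidate SVIs left down"
 action 082 end
```

The per-network settings (NTP, SNMP, EnergyWise and the other source-interface commands from the original applet) would go in the block after action 060 in the same way, using `$vlan` in place of the hard-coded SVI name.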

ipankonin
Community Member

I'm interested in seeing something that captures the native vlan of the remote switch on one of the uplinks (via cdp, for example) and reconfigures its port based on that.  Similar to what you've got here, but different...

Joe Clarke
Cisco Employee

You could do that.  Use the neighbor discovery event detector to detect the new CDP neighbor.  Then run the "show cdp nei det" command to get the detailed CDP neighbor information that contains the native VLAN value.  Parse the output and reconfigure your port based on that.  Here are some unlabeled actions that should work:

cli command "enable"
cli command "show cdp nei $_nd_local_intf_name detail | inc Native VLAN:"
regexp "Native VLAN: ([0-9]+)" "$_cli_result" match nvlan
if $_regexp_result eq "1"
 cli command "config t"
 cli command "int $_nd_local_intf_name"
 cli command "switchport access vlan $nvlan"
 cli command "end"
end

ipankonin
Community Member

Thanks.  I was working on it yesterday, and I think I've got all the bugs ironed out.

This is a PnP solution for "temporary" or "conference room" switches, with voice vlan enabled (in case we need a temporary increase in phone density).  The idea is to use the same config throughout the corporation, so I'm not having to constantly redo my work when we want to send these to a new site with different vlan info.  The biggest one was un-configuring the previous data vlan so that it can be managed via DDNS on the new vlan.  Before I took care of this, the DHCP address would get assigned to the old vlan before it got flipped, and I couldn't manage it.  The switch will function on vlan 1 if there is no CDP event.

There are two scripts here.  The second one reverts to the default config on a link-down event.

!--------------------------------------------------------
! DEFAULT INTERFACE CONFIGURATION
!--------------------------------------------------------
!
!------------------------
! DEFAULT UPLINK CONFIG
!------------------------
!
interface g0/1
 description UPLINK
 switchport
 switchport access vlan 1
 switchport mode access
 no switchport voice vlan
 spanning-tree bpdufilter enable
 load-interval 30
 logging event link-status
!
!------------------------
! DEFAULT MANAGEMENT INTERFACE
!------------------------
!
interface VLAN1
 description MANAGEMENT
 ip address dhcp
 no ip redirects
 no shutdown
!
!------------------------
! DEFAULT USER EDGE CONFIG
!------------------------
!
interface range f0/1-8
 switchport
 switchport access vlan 1
 switchport mode access
 no switchport voice vlan
 no logging event link-status
!
!--------------------------------------------------------
! EEM SCRIPTS
!--------------------------------------------------------
!
!------------------------
! VLAN CONFIG SCRIPT
!------------------------
!
event manager applet SetVlanInfo
 event neighbor-discovery interface GigabitEthernet0/1 cdp add
 action 0100 syslog msg "CDP Neighbor detected on interface G0/1.  Executing Vlan Auto-config Script."
 action 0200 cli command "enable"
 action 0300 cli command "configure terminal"
 action 0400 cli command "do show ip interface brief | include ^Vlan.*DHCP"
 action 0500 regexp "Vlan[0-9]+" $_cli_result OLDDATAVLAN
 action 0600 if $_regexp_result eq 1
 action 0700  regexp "[0-9]+" $OLDDATAVLAN OLDDATAVLAN
 action 0900  cli command "interface vlan $OLDDATAVLAN"
 action 1000  cli command "no ip address dhcp"
 action 1100  cli command "no interface vlan $OLDDATAVLAN"
 action 1150  cli command "no vlan $OLDDATAVLAN"
 action 1200 end
 action 1300 cli command "interface range GigabitEthernet0/1, FastEthernet0/1-8"
 action 1400 cli command "do show cdp neighbor GigabitEthernet0/1 detail | include ^Native"
 action 1500 regexp "[0-9]+" $_cli_result DATAVLAN
 action 1600 if $_regexp_result eq 1
 action 1700  cli command "switchport access vlan $DATAVLAN"
 action 1800 end
 action 1900 cli command "do show cdp neighbor GigabitEthernet0/1 detail | include VoIP"
 action 2000 regexp "VoIP.*[0-9]+" $_cli_result VOICEVLAN
 action 2100 if $_regexp_result eq 1
 action 2150  regexp "[0-9]+" $VOICEVLAN VOICEVLAN
 action 2200  cli command "switchport voice vlan $VOICEVLAN"
 action 2250 else
 action 2260  cli command "no switchport voice vlan"
 action 2300 end
 action 2400 cli command "interface vlan $DATAVLAN"
 action 2500 cli command "description Management - Added by Script"
 action 2600 cli command "ip address dhcp"
 action 2700 cli command "no ip redirects"
 action 2800 cli command "exit"
!
!------------------------
! VLAN REMOVAL SCRIPT
!------------------------
!
event manager applet RemoveVlanInfo
 event syslog pattern "Line protocol on Interface GigabitEthernet0/1, changed state to down"
 action 0100 syslog msg "Interface GigabitEthernet0/1 changed state to down.  Executing Vlan Auto-removal Script."
 action 0200 cli command "enable"
 action 0300 cli command "configure terminal"
 action 0400 cli command "do show ip interface brief | include ^Vlan.*DHCP"
 action 0500 regexp "Vlan[0-9]+" $_cli_result OLDDATAVLAN
 action 0600 if $_regexp_result eq 1
 action 0700  regexp "[0-9]+" $OLDDATAVLAN OLDDATAVLAN
 action 0900  cli command "interface vlan $OLDDATAVLAN"
 action 1000  cli command "no ip address dhcp"
 action 1100  cli command "no interface vlan $OLDDATAVLAN"
 action 1150  cli command "no vlan $OLDDATAVLAN"
 action 1200 end
 action 1300 cli command "interface range GigabitEthernet0/1, FastEthernet0/1-8"
 action 1700 cli command "switchport access vlan 1"
 action 1900 cli command "do show running-config interface GigabitEthernet0/1 | include voice vlan"
 action 2000 regexp "voice.*[0-9]+" $_cli_result VOICEVLAN
 action 2100 if $_regexp_result eq 1
 action 2150  regexp "[0-9]+" $VOICEVLAN VOICEVLAN
 action 2260  cli command "no switchport voice vlan"
 action 2270  cli command "no vlan $VOICEVLAN"
 action 2300 end
 action 2400 cli command "interface vlan 1"
 action 2500 cli command "description Default Management Vlan Interface"
 action 2600 cli command "ip address dhcp"
 action 2700 cli command "no ip redirects"
 action 2800 cli command "exit"
!