on 06-30-2013 04:14 PM
This year at CiscoLive! in Orlando, we had four potential management networks on which our access switches (3750-X and 3560CG) could be deployed. To aid with the provisioning of switches on these networks, I used Cisco Prime LMS to deploy the following applet. This example applet kicks off at reboot and then attempts to ping one of two default gateways after enabling their respective interfaces. When the applet finds the right gateway, it will reconfigure itself for that network. This applet worked 100% of the time for us, and made deployment of new switches much easier. Enjoy!
event manager applet bootstrap authorization bypass
event timer cron cron-entry "@reboot" maxrun 200
action 001 cli command "enable"
action 002 cli command "config t"
action 003 cli command "int vlan1111"
action 004 cli command "shut"
action 005 cli command "int vlan111"
action 006 cli command "no shut"
action 0061 cli command "int vlan 551"
action 0062 cli command "shut"
action 007 cli command "end"
action 008 wait 60
action 009 cli command "ping 10.11.0.1"
action 010 regexp "!" "$_cli_result"
action 011 if $_regexp_result eq "1"
action 012 cli command "config t"
action 013 cli command "ntp server 63.231.220.15 source Vlan111"
action 014 cli command "snmp-server trap-source Vlan111"
action 015 cli command "aaa group server tacacs+ ACS"
action 016 cli command "ip tacacs source-interface Vlan111"
action 017 cli command "no energywise domain"
action 018 cli command "energywise domain OCCC security shared-secret 0 XXXX protocol udp port 43440 interface Vlan111"
action 020 cli command "energywise management security shared-secret 0 XXXX"
action 021 cli command "energywise allow query save"
action 022 cli command "energywise endpoint security none"
action 023 cli command "ip telnet source-interface Vlan111"
action 024 cli command "ip ftp source-interface Vlan111"
action 025 cli command "ip ssh source-interface Vlan111"
action 026 cli command "logging source-interface Vlan111"
action 027 cli command "ip default-gateway 10.11.0.1"
action 028 syslog msg "Bootstrapping complete from Vlan1111 to Vlan111"
action 030 cli command "end"
action 031 else
action 032 cli command "config t"
action 033 cli command "int vlan111"
action 034 cli command "shut"
action 0341 cli command "int vlan111"
action 0342 cli command "shut"
action 035 cli command "int vlan551"
action 036 cli command "no shut"
action 037 cli command "end"
action 0371 wait 60
action 038 cli command "ping 10.50.51.1"
action 039 regexp "!" "$_cli_result"
action 040 if $_regexp_result eq "1"
action 041 cli command "config t"
action 042 cli command "ntp server 63.231.220.15 source Vlan551"
action 043 cli command "snmp-server trap-source Vlan551"
action 044 cli command "aaa group server tacacs+ ACS"
action 045 cli command "ip tacacs source-interface Vlan551"
action 046 cli command "no energywise domain"
action 047 cli command "energywise domain OCCC security shared-secret 0 XXXX protocol udp port 43440 interface Vlan551"
action 049 cli command "energywise management security shared-secret 0 XXXX"
action 050 cli command "energywise allow query save"
action 051 cli command "energywise endpoint security none"
action 052 cli command "ip telnet source-interface Vlan551"
action 053 cli command "ip ftp source-interface Vlan551"
action 054 cli command "ip ssh source-interface Vlan551"
action 055 cli command "logging source-interface Vlan551"
action 056 cli command "ip default-gateway 10.50.51.1"
action 057 syslog msg "Bootstrapping complete from Vlan1111 to Vlan551"
action 059 cli command "end"
action 061 else
action 062 cli command "config t"
action 063 cli command "int vlan111"
action 064 cli command "shut"
action 065 cli command "int vlan1111"
! re-enable the bootstrap SVI so the switch stays reachable when neither production gateway answers
action 0651 cli command "no shut"
action 066 cli command "int vlan551"
action 067 cli command "shut"
action 068 cli command "end"
action 069 syslog msg "Failed to ping prod gateways; terminating bootstrap"
action 070 end
action 071 end
Were VLAN 111 and VLAN 551 configured for DHCP?
No. I had statically configured each VLAN SVI for an IP address from our IPAM solution. Next year I will go with DHCP and PnP I think.
How hard would it be to read the configuration fragments for network 1 vs network 2 from files on flash? The tricky part would be setting which production gateway to ping for which fragment. Maybe put the whole thing in a while loop, then have a file name convention like this?
00-10.11.0.1.confg
01-10.50.51.1.confg
The leading number enforces a default search order, and the file ending lets the while loop do (the equivalent of) 'open *.confg'. I *think* each fragment can have the appropriate shut/no shut commands in it.
I'm very new to EEM applets and haven't enough experience to know how difficult it would be to actually implement this.
You could do this. You'd do something like:
cli command "more 00-10.11.0.1.confg"
regexp "pattern" $_cli_result
if $_regexp_result eq 1
...
end
Of course, that's a rough outline of the approach. This could be done in a loop so you didn't have as much code static in the config. However, this was not desirable in my case as I didn't want to maintain a list of files on flash, and I couldn't assume any base network connectivity.
I'm interested in seeing something that captures the native vlan of the remote switch on one of the uplinks (via cdp, for example) and reconfigures its port based on that. Similar to what you've got here, but different...
You could do that. Use the neighbor discovery event detector to detect the new CDP neighbor. Then run the "show cdp nei det" command to get the detailed CDP neighbor information that contains the native VLAN value. Parse the output and reconfigure your port based on that. Here are some unlabeled actions that should work:
cli command "show cdp nei $_nd_local_intf_name detail | inc Native VLAN:"
regexp "Native VLAN: ([0-9]+)" $_cli_result match nvlan
cli command "config t"
cli command "int $_nd_local_intf_name"
cli command "switchport access vlan $nvlan"
cli command "end"
Thanks. I was working on it yesterday, and I think I've got all the bugs ironed out.
This is a PnP solution for "temporary" or "conference room" switches, with voice vlan enabled (in case we need a temporary increase in phone density). The idea is to use the same config throughout the corporation, so I'm not having to constantly redo my work when we want to send these to a new site with different vlan info. The biggest one was un-configuring the previous data vlan so that it can be managed via DDNS on the new vlan. Before I took care of this, the DHCP address would get assigned to the old vlan before it got flipped, and I couldn't manage it. The switch will function on vlan 1 if there is no CDP event.
There are two scripts here. The second one reverts to the default config on a link-down event.
!--------------------------------------------------------
! DEFAULT INTERFACE CONFIGURATION
!--------------------------------------------------------
!
!------------------------
! DEFAULT UPLINK CONFIG
!------------------------
!
interface g0/1
description UPLINK
switchport
switchport access vlan 1
switchport mode access
no switchport voice vlan
spanning-tree bpdufilter enable
load-interval 30
logging event link-status
!
!------------------------
! DEFAULT MANAGEMENT INTERFACE
!------------------------
!
interface VLAN1
description MANAGEMENT
ip address dhcp
no ip redirects
no shutdown
!
!------------------------
! DEFAULT USER EDGE CONFIG
!------------------------
!
interface range f0/1-8
switchport
switchport access vlan 1
switchport mode access
no switchport voice vlan
no logging event link-status
!
!--------------------------------------------------------
! EEM SCRIPTS
!--------------------------------------------------------
!
!------------------------
! VLAN CONFIG SCRIPT
!------------------------
!
event manager applet SetVlanInfo
event neighbor-discovery interface GigabitEthernet0/1 cdp add
action 0100 syslog msg "CDP Neighbor detected on interface G0/1. Executing Vlan Auto-config Script."
action 0200 cli command "enable"
action 0300 cli command "configure terminal"
action 0400 cli command "do show ip interface brief | include ^Vlan.*DHCP"
action 0500 regexp "Vlan[0-9]+" $_cli_result OLDDATAVLAN
action 0600 if $_regexp_result eq 1
action 0700 regexp "[0-9]+" $OLDDATAVLAN OLDDATAVLAN
action 0900 cli command "interface vlan $OLDDATAVLAN"
action 1000 cli command "no ip address dhcp"
action 1100 cli command "no interface vlan $OLDDATAVLAN"
action 1150 cli command "no vlan $OLDDATAVLAN"
action 1200 end
action 1300 cli command "interface range GigabitEthernet0/1, FastEthernet0/1-8"
action 1400 cli command "do show cdp neighbor GigabitEthernet0/1 detail | include ^Native"
action 1500 regexp "[0-9]+" $_cli_result DATAVLAN
action 1600 if $_regexp_result eq 1
action 1700 cli command "switchport access vlan $DATAVLAN"
action 1800 end
action 1900 cli command "do show cdp neighbor GigabitEthernet0/1 detail | include VoIP"
action 2000 regexp "VoIP.*[0-9]+" $_cli_result VOICEVLAN
action 2100 if $_regexp_result eq 1
action 2150 regexp "[0-9]+" $VOICEVLAN VOICEVLAN
action 2200 cli command "switchport voice vlan $VOICEVLAN"
action 2250 else
action 2260 cli command "no switchport voice vlan"
action 2300 end
action 2400 cli command "interface vlan $DATAVLAN"
action 2500 cli command "description Management - Added by Script"
action 2600 cli command "ip address dhcp"
action 2700 cli command "no ip redirects"
action 2800 cli command "exit"
!
!------------------------
! VLAN REMOVAL SCRIPT
!------------------------
!
event manager applet RemoveVlanInfo
event syslog pattern "Line protocol on Interface GigabitEthernet0/1, changed state to down"
action 0100 syslog msg "Interface GigabitEthernet0/1 changed state to down. Executing Vlan Auto-removal Script."
action 0200 cli command "enable"
action 0300 cli command "configure terminal"
action 0400 cli command "do show ip interface brief | include ^Vlan.*DHCP"
action 0500 regexp "Vlan[0-9]+" $_cli_result OLDDATAVLAN
action 0600 if $_regexp_result eq 1
action 0700 regexp "[0-9]+" $OLDDATAVLAN OLDDATAVLAN
action 0900 cli command "interface vlan $OLDDATAVLAN"
action 1000 cli command "no ip address dhcp"
action 1100 cli command "no interface vlan $OLDDATAVLAN"
action 1150 cli command "no vlan $OLDDATAVLAN"
action 1200 end
action 1300 cli command "interface range GigabitEthernet0/1, FastEthernet0/1-8"
action 1700 cli command "switchport access vlan 1"
action 1900 cli command "do show running-config interface GigabitEthernet0/1 | include voice vlan"
action 2000 regexp "voice.*[0-9]+" $_cli_result VOICEVLAN
action 2100 if $_regexp_result eq 1
action 2150 regexp "[0-9]+" $VOICEVLAN VOICEVLAN
action 2260 cli command "no switchport voice vlan"
action 2270 cli command "no vlan $VOICEVLAN"
action 2300 end
action 2400 cli command "interface vlan 1"
action 2500 cli command "description Default Management Vlan Interface"
action 2600 cli command "ip address dhcp"
action 2700 cli command "no ip redirects"
action 2800 cli command "exit"
!
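To check offline what the regexp chains in SetVlanInfo actually capture before loading the applet on a switch, here is an added Python model of its parsing and decision steps (example code written for this thread, not code from the post above). The show-command output is constructed sample text, not captured from a real switch, and the early return when CDP carries no Native VLAN line is an added guard that the applet itself does not have.

```python
import re

# Constructed sample output in the shape of the applet's two "do show" commands;
# not captured from a real switch.
SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES unset  administratively down down
Vlan20                 10.20.0.15      YES DHCP   up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
"""
CDP_DETAIL = """\
Device ID: core-sw01
Interface: GigabitEthernet0/1,  Port ID (outgoing port): GigabitEthernet1/0/7
Native VLAN: 30
Duplex: full
VoIP VLAN Reply: 130
"""

def find_old_data_vlan(ip_int_brief):
    """Actions 0400-0700: number of the SVI currently holding a DHCP address, or None."""
    m = re.search(r"^Vlan([0-9]+).*DHCP", ip_int_brief, re.M)
    return m.group(1) if m else None

def find_cdp_vlans(cdp_detail):
    """Actions 1400-2150: (native VLAN, VoIP VLAN) from CDP detail; None where absent."""
    native = re.search(r"^Native VLAN: ([0-9]+)", cdp_detail, re.M)
    voice = re.search(r"^VoIP.*?([0-9]+)", cdp_detail, re.M)
    return (native.group(1) if native else None,
            voice.group(1) if voice else None)

def build_config(ip_int_brief, cdp_detail):
    """Config lines SetVlanInfo would push; [] when CDP carried no Native VLAN line.
    The empty result is an added guard: the applet itself would reach action 2400
    with $DATAVLAN unset."""
    old = find_old_data_vlan(ip_int_brief)
    data, voice = find_cdp_vlans(cdp_detail)
    if data is None:
        return []
    cmds = []
    if old is not None:  # actions 0900-1150: tear down the previous DHCP SVI
        cmds += [f"interface vlan {old}", "no ip address dhcp",
                 f"no interface vlan {old}", f"no vlan {old}"]
    cmds += ["interface range GigabitEthernet0/1, FastEthernet0/1-8",
             f"switchport access vlan {data}",
             f"switchport voice vlan {voice}" if voice else "no switchport voice vlan",
             f"interface vlan {data}", "description Management - Added by Script",
             "ip address dhcp", "no ip redirects"]
    return cmds
```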