Jurgens L

 

I was involved with a network migration that made me look at using the power of EEM. Below is a solution for anyone who may find themselves in a similar situation.

 

The Challenge

I was tasked with upgrading the legacy access layer of a network, which still consisted of unmanaged switches (a flat network), to a Cisco solution consisting of 3850s (core/distribution layer) and 2960Xs for the access layer, with dedicated subnets for each specific service operating on the network.

The challenge was the access layer, as there were multiple devices such as printers, access control and other devices on the network with static IPs. We therefore needed to determine which ports they were connected to so that we could migrate them to the new structured VLANs designed for each service. Since the devices were connected to unmanaged switches, there was no way to verify this at the switch port level, and it was not practical to physically trace the cable from each end device to its switch port. There was also a very large number of end devices, so trying to track them once they were on the Cisco access layer would have taken a large amount of effort and time.

The other problem was that we did not have Cisco ISE, so we could not use its MAB functionality to dynamically assign VLANs to ports based on the end device's MAC address.

 

The Solution 

Using EEM (Embedded Event Manager), we would create a script that applies a description to each switch port so that we could identify the type of device connected to it. To get the correct MAC addresses, we asked the system admins who support the end devices to provide a list of the devices with their static IPs.

Since the Cisco core was already active and we had an SVI in the same subnet as the legacy network, we could pull the IPs and associated MAC addresses from the ARP table.

This gave us clarity on what the OUI addresses were for the end devices. In this solution we had to break the devices up into the following classes:

  • Printers
  • Access Control
  • Miscellaneous

In our situation, we did the port configuration in two steps. The first step was to replace the unmanaged switches with Cisco 2960Xs and identify the ports by applying a description. The second step was to change the switch port VLAN configuration once the system admins confirmed they had changed the end device's IP address.
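
Added example (not part of the original post): one way to turn the ARP table and the admins' static-IP lists into the per-class prefix patterns used by the applets, and to flag any 4-hex-digit prefix that shows up in more than one class. The ARP output, the IP lists and all function names are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample of `show ip arp` output; every address is made up.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.0.21             12   246e.9612.0a01  ARPA   Vlan10
Internet  10.10.0.22              3   3ca8.2a77.1b02  ARPA   Vlan10
Internet  10.10.0.40              0   001f.5511.9c03  ARPA   Vlan10
Internet  10.10.0.41              7   246e.96aa.0d04  ARPA   Vlan10
Internet  10.10.0.90              1   Incomplete      ARPA
"""

# Constructed stand-in for the static-IP lists supplied by the system admins.
STATIC_IPS = {
    "PRINTERS": ["10.10.0.21", "10.10.0.22"],
    "ACCESS_CONTROL": ["10.10.0.40", "10.10.0.41", "10.10.0.90"],
}

ARP_ROW = re.compile(
    r"^Internet\s+(\d+(?:\.\d+){3})\s+\S+\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s", re.I | re.M)

def parse_arp(text):
    """Map IP -> MAC; the header row and Incomplete entries do not match."""
    return {ip: mac.lower() for ip, mac in ARP_ROW.findall(text)}

def classify(arp, static_ips):
    """Return (prefixes per class, listed IPs absent from ARP, ambiguous prefixes)."""
    prefixes, owners, missing = defaultdict(set), defaultdict(set), []
    for cls, ips in static_ips.items():
        for ip in ips:
            if ip in arp:
                prefixes[cls].add(arp[ip][:4])   # same 4-hex-digit prefix the applets use
                owners[arp[ip][:4]].add(cls)
            else:
                missing.append(ip)
    ambiguous = {p: sorted(c) for p, c in owners.items() if len(c) > 1}
    return dict(prefixes), missing, ambiguous

def applet_pattern(prefixes):
    """Anchored alternation for the applet's `action ... regexp` line."""
    return "^(" + "|".join(sorted(prefixes)) + r")\."

def report(arp_text=SAMPLE_ARP, static_ips=STATIC_IPS):
    prefixes, missing, ambiguous = classify(parse_arp(arp_text), static_ips)
    patterns = {cls: applet_pattern(p - set(ambiguous)) for cls, p in prefixes.items()}
    return patterns, missing, ambiguous

if __name__ == "__main__":
    print(report())
```

Prefixes claimed by more than one class are left out of the generated patterns and returned separately, since a 4-hex-digit prefix is shorter than a full OUI and those ports need a longer match or a manual check. Listed IPs with no usable ARP entry are returned as well so they can be followed up with the system admins.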

 

The Scripts

! Label access ports whose newly learned MAC starts with a known printer prefix.
! The pattern is anchored (^) and the dot escaped so that only the first four
! hex digits of the address are compared, not any later part of it.
event manager applet PRINTERS
event mat interface regexp GigabitEthernet.* type add
action 001 cli command "enable"
action 002 cli command "show int $_mat_intf_name switchport | inc Operational Mode:"
action 003 string match "*access*" "$_cli_result"
action 004 if $_string_result eq "1"
action 005 regexp "^(246e|3ca8|308d|480f|48ba|54e1|5820|6cc2|441e|d46e|7854|84c9|9457|98e7)\." $_mat_mac_address
action 006 if $_regexp_result eq 1
action 007 cli command "enable"
action 008 cli command "config t"
action 009 cli command "interface $_mat_intf_name"
action 010 cli command "description PRINTER"
action 011 cli command "end"
! One "end" per "if": 012 closes the regexp check, 013 the access-mode check.
action 012 end
action 013 end

! Label access ports whose newly learned MAC starts with a miscellaneous-device prefix.
! The empty alternative at the end of the original list ("50eb.|") matched every
! MAC address and has been removed.
event manager applet MISCELLANEOUS
event mat interface regexp GigabitEthernet.* type add
action 001 cli command "enable"
action 002 cli command "show int $_mat_intf_name switchport | inc Operational Mode:"
action 003 string match "*access*" "$_cli_result"
action 004 if $_string_result eq "1"
action 005 regexp "^(00e0|0050|0090|40a8|4437|6c4b|0001|e46f|f09f|fc99|50eb)\." $_mat_mac_address
action 006 if $_regexp_result eq 1
action 007 cli command "enable"
action 008 cli command "config t"
action 009 cli command "interface $_mat_intf_name"
action 010 cli command "description MISC"
action 011 cli command "end"
! One "end" per "if": 012 closes the regexp check, 013 the access-mode check.
action 012 end
action 013 end

! Label access ports whose newly learned MAC starts with an access-control prefix.
event manager applet ACCESS_CONTROL
event mat interface regexp GigabitEthernet.* type add
action 001 cli command "enable"
action 002 cli command "show int $_mat_intf_name switchport | inc Operational Mode:"
action 003 string match "*access*" "$_cli_result"
action 004 if $_string_result eq "1"
action 005 regexp "^(001f|0024)\." $_mat_mac_address
action 006 if $_regexp_result eq 1
action 007 cli command "enable"
action 008 cli command "config t"
action 009 cli command "interface $_mat_intf_name"
action 010 cli command "description ACCESS_CONTROL"
action 011 cli command "end"
! One "end" per "if": 012 closes the regexp check, 013 the access-mode check.
action 012 end
action 013 end

 

Conclusion

Once all the ports were identified, we knew which ports still needed to stay on the legacy VLAN, while the remainder could be configured as per the new design. This made it easy to coordinate with the support teams onsite when they were migrating the end devices to the new IP subnets. We could also modify the scripts to automatically apply the VLAN configuration should a new device connect to the switch or if someone moves the cable to a different port.

There are of course other solutions out there such as SmartPort and ISE. However, if you don't have these options at your disposal, EEM is an extremely powerful tool that can give you the same results.
