
EEM Script on Uplink Port

Joy3
Level 1

Hello,

Running the EEM script below, to overwrite the VLANs on the uplink port does not work remotely. Is there any error that someone can point to? Thanks

event manager applet VLAN_ALLOWED authorization bypass
 event none
 action 3.0 cli command "enable"
 action 4.0 cli command "conf t"
 action 5.0 cli command "interface  gi1/1/1"
 action 6.0 cli command "switchport trunk allowed vlan 200-203"
 action 6.1 cli command "exit"

debug event manager action cli
event manager run VLAN_ALLOWED

This is the uplink's current config:

interface GigabitEthernet1/1/1
description UPLINK
switchport trunk allowed vlan 110,120,130,140-143,200-203
switchport mode trunk
snmp trap mac-notification change added
service-policy output WAN-EDGE
ip dhcp snooping trust

 

16 Replies

liviu.gheorghe
Spotlight

Hello @Joy3 ,

I'm not sure what the problem is. I tested your setup in my lab environment, I just changed the interface number, and it works. See below for outputs:

Trying 1.1.1.100 ... Open


User Access Verification

Password:
sw2>en
Password:
sw2#
sw2#term mon
sw2#
sw2#sho line
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
0 CTY - - - - - 0 0 0/0 -
1 AUX 9600/9600 - - - - - 0 0 0/0 -
* 2 VTY - - - - - 3 0 0/0 -
3 VTY - - - - - 0 0 0/0 -
4 VTY - - - - - 0 0 0/0 -
5 VTY - - - - - 0 0 0/0 -
6 VTY - - - - - 0 0 0/0 -

sw2#sho run int g1/1
Building configuration...

Current configuration : 221 bytes
!
interface GigabitEthernet1/1
description UPLINK
switchport trunk allowed vlan 110,120,130,140-143,200-203
switchport trunk encapsulation dot1q
switchport mode trunk
no negotiation auto
ip dhcp snooping trust
end

sw2#term mon
sw2#sho deb
Embedded Event Manager:
Debug EEM action cli debugging is on
sw2#
sw2#event manager run VLAN_ALLOWED
sw2#
*Feb 22 18:34:37.846: %HA_EM-6-LOG: VLAN_ALLOWED : DEBUG(cli_lib) : : CTL : cli_open called.
*Feb 22 18:34:37.847: %HA_EM-6-LOG: VLAN_ALLOWED : DEBUG(cli_lib) : : OUT : sw2>
*Feb 22 18:34:37.847: %HA_EM-6-LOG: VLAN_ALLOWED : DEBUG(cli_lib) : : IN : sw2>enable
*Feb 22 18:34:37.857: %HA_EM-6-LOG: VLAN_ALLOWED : DEBUG(cli_lib) : : OUT : sw2#
*Feb 22 18:34:37.857: %HA_EM-6-LOG: VLAN_ALLOWED : DEBUG(cli_lib) : : IN : sw2#conf t
*Feb 22 18:34:37.867: %HA_EM-6-LOG: VLAN_ALLOWED : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line. End with CNTL/Z.
*Feb 22 18:34:37.867: %HA_EM-6-LOG: VLAN_ALLOWED : DEBUG(cli_lib) : : OUT : sw2(config)#
*Feb 22 18:34:37.868: %HA_EM-6-LOG: VLAN_ALLOWED : DEBUG(cli_lib) : : IN : sw2(config)#interface gi1/1
*Feb 22 18:34:37.878: %HA_EM-6-LOG: VLAN_ALLOWED : DEBUG(cli_lib) : : OUT : sw2(config-if)#
*Feb 22 18:34:37.878: %HA_EM-6-LOG: VLAN_ALLOWED : DEBUG(cli_lib) : : IN : sw2(config-if)#switchport trunk allowed vlan 200-203
*Feb 22 18:34:37.988: %HA_EM-6-LOG: VLAN_ALLOWED : DEBUG(cli_lib) : : OUT : sw2(config-if)#
*Feb 22 18:34:37.988: %HA_EM-6-LOG: VLAN_ALLOWED : DEBUG(cli_lib) : : IN : sw2(config-if)#exit
*Feb 22 18:34:37.998: %HA_EM-6-LOG: VLAN_ALLOWED : DEBUG(cli_lib) : : OUT : sw2(config)#
*Feb 22 18:34:37.998: %HA_EM-6-LOG: VLAN_ALLOWED : DEBUG(cli_lib) : : CTL : cli_close called.
*Feb 22 18:34:38.001:
*Feb 22 18:34:38.001: tty is now going through its death sequence
sw2#
sw2#sho run int g1/1
Building configuration...

Current configuration : 201 bytes
!
interface GigabitEthernet1/1
description UPLINK
switchport trunk allowed vlan 200-203
switchport trunk encapsulation dot1q
switchport mode trunk
no negotiation auto
ip dhcp snooping trust
end

sw2#

Regards, LG
*** Please Rate All Helpful Responses ***

What do you get from debug event?

Can you share the debug?

MHM

balaji.bandi
Hall of Fame

Running the EEM script below, to overwrite the VLANs on the uplink port does not work remotely. Is there any error that someone can point to? Thanks

When do you want to run this EEM script? Any time, on boot, or at a certain time?

Always use "end" at the end of the EEM script:

action 7.0 cli command "end"

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Joy3
Level 1
Level 1

@liviu.gheorghe Thanks for that demo, but what is interesting is that when I run the script on a data port, it works but as soon as I run it on the uplink port, I lose connection immediately. It is a C3850 switch.

@MHM Cisco World I get no debug message because as soon as I run the script, I lose connection immediately.

@balaji.bandi Do you mean in place of exit or an additional command?

This is not an EEM issue; the trunk must allow some VLANs, including VLAN 1 and the native VLAN (if you specify a different VLAN for native than VLAN 1), and also the mgmt VLAN.

You lost the connection because you allow only a few VLANs that do not include the above.

MHM

"end" is suggested.

As you mentioned, if you run this on the uplink port you lose the connection.

Check which VLAN you have your connection on, since you have

110,120,130,140-143,200-203

When you run the script you are only going to have:

200-203 (this may be the issue)

What is the outcome you are looking for:

110,120,130,140-143,200-203

to

200-203

BB

***** Rate All Helpful Responses *****


Joy3
Level 1
Level 1

@balaji.bandi The uplink is the connection to our ISP and the transfer network is vlan 200-203. The rest of the vlans are not required in this port. I will probably have to go to the location to change this, since everyone agrees there is no error in the EEM script.

What is the mgmt VLAN for the SW?
MHM

Are you connecting to the switch on those VLAN IP addresses?

We need to know how you are connecting and what those VLAN IP addresses are on that device.

Another option: you can write the config, then use reload

reload [text | in [hh:]mm [text] | at hh:mm [month day | day month] [text] | cancel]

and change the config. If that works, OK; if it does not work, the device reloads at the mentioned time, so the old configuration will be restored as it is.

 

 

BB

***** Rate All Helpful Responses *****


Joy3
Level 1
Level 1

@MHM Cisco World Mgmt vlan is 130

@balaji.bandi The switch is connected to the provider edge router with the 'transfer network' in the vlan 200-203. The other vlans are for data, voice, access points etc. And yes, I have been using the reload command since I am not on location.

If the management VLAN is 130 and you are removing it from the trunk, how is that going to work? We are still not clear which VLAN is which.

If you are connecting on MGMT VLAN 130 and you are removing it, what option do you have for connecting back to the device?

 

BB

***** Rate All Helpful Responses *****


The mgmt VLAN is 130 and it is not included in the VLANs allowed on the trunk, so of course you lose access to the SW.

Joy3
Level 1

@MHM Cisco World and @balaji.bandi Why would we need the MGMT vlan on a port connecting to the ISP's provider edge router? At least from the rest of the switches that are working (the one I am asking about, is also working just that I would like to maintain the standard), this interface GigabitEthernet1/1 is configured for point-to-point connection to the provider's edge router (vlan 200-203 have subnet 255.255.255.252). 

We are making assumptions based on the information that has been given. If you need more help, you need to provide show run (full config, removing password information) so we understand; at this point we have only one-sided information.

 

BB

***** Rate All Helpful Responses *****
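
An offline pre-change check for the situation discussed in this thread, added here as an example and not posted by any participant: it replays the applet's "switchport trunk allowed vlan" command on top of the uplink's current list and reports which VLANs would be dropped and whether a required one is among them. It assumes the management session (VLAN 130, per the thread) reaches the switch over this trunk; the function names are hypothetical.

```python
import re

# Inputs copied from the thread; numeric lists only (all/none/except are not handled).
UPLINK_CONFIG = """\
interface GigabitEthernet1/1/1
 description UPLINK
 switchport trunk allowed vlan 110,120,130,140-143,200-203
 switchport mode trunk
"""
APPLET = """\
event manager applet VLAN_ALLOWED authorization bypass
 action 5.0 cli command "interface  gi1/1/1"
 action 6.0 cli command "switchport trunk allowed vlan 200-203"
"""
ALLOWED = re.compile(r"switchport trunk allowed vlan (add |remove )?([\d,\-]+)")


def expand(vlan_list):
    """Turn '140-143,200' into {140, 141, 142, 143, 200}."""
    vlans = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def apply_allowed(text, start=frozenset()):
    """Replay every 'allowed vlan' statement in text on top of the start set."""
    vlans = set(start)
    for mode, vlan_list in ALLOWED.findall(text):
        if mode == "add ":
            vlans |= expand(vlan_list)
        elif mode == "remove ":
            vlans -= expand(vlan_list)
        else:  # the plain form overwrites the whole list
            vlans = expand(vlan_list)
    return vlans


def precheck(config, applet, required):
    """Return (VLANs the applet would drop, required VLANs that would be lost)."""
    before = apply_allowed(config)
    after = apply_allowed(applet, before)
    return before - after, set(required) - after


if __name__ == "__main__":
    dropped, lost = precheck(UPLINK_CONFIG, APPLET, required={130})
    print("dropped:", sorted(dropped), "| required VLANs lost:", sorted(lost))
```

A non-empty second set is the signal to stop before running the applet remotely, or to schedule the reload rollback described earlier in the thread first.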
