Using EEM and CDP for AP port description and configuration

Jurgens L · ‎02-08-2019

I've looked around on the Cisco support forums for EEM scripts that can help me automatically configure switch ports for Cisco Access Points by utilizing CDP neighbours and found various forums where this is discussed however I didn't see a complete end to end illustration of how the script will look like as a whole. By going through the forums, I've built up a script to do exactly that, a big shout out should go to @Joe Clarke for his contributions in the forums with EEM!

In this illustration, I've deployed this EEM script on a Cisco 2960X switch, also ensure you are running the latest IOS software that will support all the EEM features.

I've required the EEM script to do the following automated tasks:

Assign descriptions to Access Points and trunk links to neighbouring switches.
Configure switch ports to the correct VLAN when Access Point connects to it.
Undo access point configuration and reconfigure the port for normal end clients if the port is down for more than 2 minutes.

The last mentioned task is just in case someone moves the AP's network cable several times across the switch, which will result in multiple ports still stuck on the VLAN configuration for the AP and therefore providing end client the incorrect VLAN.

EEM Script for CDP Port Configuration

event manager applet auto-update-port-description authorization bypass
description "Auto-update port-description based on CDP neighbor info"
event neighbor-discovery interface regexp .*GigabitEthernet[1-9]/[0-9]/[0-9]+$ cdp add
action 0.0 comment "Event line regexp: Deside which interface to auto-update description on"
action 1.0 comment "Verify CDP neighbor to be Switch or Router"
action 1.1 regexp "(Switch|Router|AIR)" "$_nd_cdp_capabilities_string"
action 1.2 if $_regexp_result eq "1"
action 2.0 comment "Trim domain name"
action 2.1 regexp "^([^\.]+)" "$_nd_cdp_entry_name" match host
action 3.0 comment "Convert long interface name to short"
action 3.1 string first "Ethernet" "$_nd_port_id"
action 3.2 if $_string_result eq "7"
action 3.21 string replace "$_nd_port_id" 0 14 "Gi"
action 3.3 elseif $_string_result eq 10
action 3.31 string replace "$_nd_port_id" 0 17 "Te"
action 3.4 elseif $_string_result eq 4
action 3.41 string replace "$_nd_port_id" 0 11 "Fa"
action 3.5 end
action 3.6 set int "$_string_result"
action 4.0 comment "Check old description if any, and do no change if same host:int"
action 4.1 cli command "enable"
action 4.11 cli command "config t"
action 4.2 cli command "do show interface $_nd_local_intf_name | incl Description:"
action 4.21 set olddesc "<none>"
action 4.22 set olddesc_sub1 "<none>"
action 4.23 regexp "Description: ([a-zA-Z0-9:/\-]*)([a-zA-Z0-9:/\-\ ]*)" "$_cli_result" olddesc olddesc_sub1
action 4.24 if $olddesc_sub1 eq "$host:$int"
action 4.25 syslog msg "EEM script did NOT change desciption on $_nd_local_intf_name, since remote host and interface is unchanged"
action 4.26 exit 10
action 4.27 end
action 4.3 cli command "interface $_nd_local_intf_name"
action 4.4 cli command "description LINK TO: $host:$int"
action 4.5 cli command "do write"
action 4.6 syslog msg "EEM script updated description on $_nd_local_intf_name from $olddesc to Description: $host:$int and saved config"
action 5.0 end
action 6.0 exit

EEM Script for configuring AP switch port

event manager applet detect-AP-add-adress authorization bypass
event neighbor-discovery interface regexp Ethernet.* cdp add
action 1.0 regexp "(AIR-)" "$_nd_cdp_platform"
action 2.0 if $_regexp_result eq "1"
action 3.0 cli command "enable"
action 4.0 cli command "config t"
action 5.0 cli command "default interface $_nd_local_intf_name"
action 5.1 cli command "int $_nd_local_intf_name"
action 5.2 cli command "switch access vlan 255"
action 5.3 cli command "switchport mode access"
action 5.5 cli command "load-interval 30"
action 5.6 cli command "spanning-tree portfast"
action 5.7 cli command "spanning-tree link-type shared"
action 6.0 cli command "end"
action 6.1 cli command "write"
action 6.2 syslog msg "EEM script configured AP port and saved config"
action 7.0 end

EEM Script to undo AP configuration if the port is down for two minutes

event manager applet undo-AP-port-config authorization bypass
event syslog pattern "LINEPROTO-5-UPDOWN.* changed state to down"
trigger occurs 1 delay 120
action 1.0 regexp "Interface ([^,]+)" "$_syslog_msg" match intf
action 2.0 cli command "enable"
action 3.0 cli command "show int $intf | inc Description:"
action 5.0 regexp "-AP" "$_cli_result"
action 6.0 if $_regexp_result eq "1"
action 7.0 continue
action 9.0 cli command "config t"
action 10.0 cli command "default interface $intf"
action 11.0 cli command "interface $intf"
action 12.0 cli command "switchport mode access"
action 13.0 cli command "switchport access vlan 10"
action 14.0 cli command "switchport voice vlan 253"
action 15.0 cli command "switchport port-security maximum 3"
action 16.0 cli command "switchport port-security aging time 2"
action 17.0 cli command "switchport port-security aging type inactivity"
action 18.0 cli command "switchport port-security"
action 19.0 cli command "spanning-tree portfast edge"
action 20.0 cli command "spanning-tree bpduguard enable"
action 21.0 cli command "switchport nonegotiate"
action 22.0 cli command "spanning-tree portfast"
action 23.0 cli command "end"
action 24.0 cli command "wr"
action 25.0 cli command "exit"
action 26.0 syslog msg "EEM script undo AP port config and saved config"
action 27.0 end

I'm definitely not an expert in EEM, and if there are more efficient ways to script the above functions, feel free to share what can be done to improve this.