[c-nsp] Switchport trunk allowed issues
Hi,

I am writing an EEM using the Cisco IOS CLI; can anyone offer valuable suggestions about how to materialize it? Following is the topic.

Using the following command on a switch, i.e.:

  switchport trunk allowed vlan add/remove/all/except/none <range>

However, if one forgets to include the add/remove/all/except/none keyword, the command defaults to replace:

  switchport trunk allowed vlan <range>

The VLANs that had already been placed on the trunk are deleted, and the result is downtime.

I would like to disable the use of:

  switchport trunk allowed vlan <range>

and replace it with a custom EEM command like:

1. switchport trunk allowed vlan none
2. switchport trunk allowed vlan add add range
3. switchport trunk allowed vlan add remove range

This would correct a dangerous IOS syntax.

Looking forward,
Ami
Norway

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Switchport trunk allowed issues
On 17/04/13 12:08, amir agha wrote:
> Hi,
>
> I am writing an EEM using the Cisco IOS CLI; can anyone offer valuable suggestions about how to materialize it? Following is the topic.
>
> Using the following command on a switch, i.e.:
>
>   switchport trunk allowed vlan add/remove/all/except/none <range>
>
> However, if one forgets to include the add/remove/all/except/none keyword, the command defaults to replace:
>
>   switchport trunk allowed vlan <range>
>
> The VLANs that had already been placed on the trunk are deleted, and the result is downtime.
>
> I would like to disable the use of:
>
>   switchport trunk allowed vlan <range>
>
> and replace it with a custom EEM command like:
>
> 1. switchport trunk allowed vlan none
> 2. switchport trunk allowed vlan add add range
> 3. switchport trunk allowed vlan add remove range
>
> This would correct a dangerous IOS syntax.

I don't know the specific answer to your question, except that I think it *is* possible to intercept CLI commands with EEM and stop them - no idea how, though.

An easy alternative is:

  alias interface tagvlan switchport trunk allowed vlan add
  alias interface detagvlan switchport trunk allowed vlan remove

...then train your staff to do:

  int Gi9/1
   tagvlan 100
   detagvlan 101

Or use TACACS to block the dangerous pattern.
Re: [c-nsp] Switchport trunk allowed issues
On 17 April 2013 14:08, amir agha monito...@yahoo.com wrote:

Hi Ami,

> However, if one forgets to include the add/remove/all/except/none keyword, the command defaults to replace:
>
>   switchport trunk allowed vlan <range>
>
> The VLANs that had already been placed on the trunk are deleted, and the result is downtime.

Many have solved the same problem in TACACS:

  permit trunk allowed vlan add.*
  permit trunk allowed vlan remove.*
  permit trunk allowed vlan all.*
  permit trunk allowed vlan none.*
  permit trunk allowed vlan except.*
  deny trunk allowed vlan .*

--
  ++ytti
Re: [c-nsp] Switchport trunk allowed issues
Something like this should do the trick:

  event manager applet ALLOWED-VLAN
   event cli pattern "switchport trunk allowed vlan +[0-9]+.*" mode interface sync yes enter
   action 001 puts "ERROR: switchport trunk allowed vlan <range> is not allowed. Use add/remove"
   action 002 set _exit_status 0

The regex on the cli pattern catches only "switchport trunk allowed vlan" with numbers directly after the vlan keyword (skipping 1+ spaces). If you try the add/remove/none options, the regexp would not match.

I didn't test it too much, so please do before deploying in production.

Arie

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of amir agha
Sent: Wednesday, April 17, 2013 04:08
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Switchport trunk allowed issues
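To see what the TACACS rule set posted by ytti and the EEM cli pattern posted by Arie would actually match, here is an added Python example; it is not code from any poster in this thread nor from Cisco. It assumes that IOS-style command regexes are unanchored searches, that the first matching TACACS rule wins, and that a command matching no rule is permitted (an assumption for the example; a real authorization policy normally ends in an explicit deny). The sample commands are constructed for the example.

```python
import re

# Ordered TACACS-style command authorization rules from the thread.
# First match wins; patterns are unanchored, like IOS command regexes.
TACACS_RULES = [
    ("permit", r"trunk allowed vlan add.*"),
    ("permit", r"trunk allowed vlan remove.*"),
    ("permit", r"trunk allowed vlan all.*"),
    ("permit", r"trunk allowed vlan none.*"),
    ("permit", r"trunk allowed vlan except.*"),
    ("deny",   r"trunk allowed vlan .*"),
]

# The EEM applet's cli pattern: one or more spaces after "vlan", then digits.
EEM_PATTERN = re.compile(r"switchport trunk allowed vlan +[0-9]+.*")


def tacacs_decision(command, rules=TACACS_RULES, default="permit"):
    """Return 'permit' or 'deny' for a command under first-match-wins rules.

    A command matching no rule falls through to `default`; that default is an
    assumption of this example, not something the thread specifies."""
    for action, pattern in rules:
        if re.search(pattern, command):
            return action
    return default


def eem_blocks(command):
    """True if the EEM applet's pattern matches, i.e. the command would be
    intercepted and skipped (_exit_status 0)."""
    return EEM_PATTERN.search(command) is not None


# Constructed sample commands: the dangerous replace form, its safe variants,
# and an unrelated trunk command that must keep working.
SAMPLE_COMMANDS = [
    "switchport trunk allowed vlan 100",
    "switchport trunk allowed vlan 100,200-210",
    "switchport trunk allowed vlan add 100",
    "switchport trunk allowed vlan remove 101",
    "switchport trunk allowed vlan all",
    "switchport trunk allowed vlan none",
    "switchport trunk allowed vlan except 1",
    "switchport trunk native vlan 99",
]


def evaluate(commands=SAMPLE_COMMANDS):
    """Map each command to the verdict of both enforcement points."""
    return {c: {"tacacs": tacacs_decision(c), "eem_blocks": eem_blocks(c)}
            for c in commands}


def disagreements(commands=SAMPLE_COMMANDS):
    """Commands where TACACS and the EEM applet disagree; worth checking
    before layering both, so an operator is never blocked by one and not
    the other."""
    return [c for c, r in evaluate(commands).items()
            if (r["tacacs"] == "deny") != r["eem_blocks"]]


if __name__ == "__main__":
    for cmd, verdict in evaluate().items():
        print(f"{cmd!r}: tacacs={verdict['tacacs']} eem_blocks={verdict['eem_blocks']}")
    print("disagreements:", disagreements())
```

On the constructed samples both mechanisms deny exactly the two bare-range commands and pass everything else, so they can be layered without one silently blocking what the other allows; run `disagreements()` again whenever either rule set is changed.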