Access Port Only MAT Events

Cory Anderson
Level 1

Hello all,

I want to create an applet or EEM script that puts hosts in the proper VLAN based on their MAC address/OUI.  I've read through "https://supportforums.cisco.com/document/100791/automatically-set-port-descriptions" and "https://supportforums.cisco.com/discussion/11385521/eem-32-mac-address-prefix-switch-port-config-examples" which are extremely helpful.

The big questions are:

1: How would I exclude trunk interfaces from the EEM event?

2: Is it possible to read the MAC addresses/OUIs and corresponding VLAN IDs from a CSV table rather than configuring each of them as an environment variable?

aaaa.aa*,20

bbbb.bb*,30

Example, on port G0/1 - G0/20 (access ports)

MAC address aaaa.aa* = VLAN 20

MAC address bbbb.bb* = VLAN 30

event manager environment oui_20 aaaa.aa

event manager environment oui_30 bbbb.bb

!
! Each applet needs its own name: a second "event manager applet detect-mac"
! replaces the first one, and two actions with the same label (001) replace
! each other as well, so the labels below are unique and sequential.
event manager applet detect-mac-20
event mat mac-address "^$oui_20"
action 001 syslog msg "detect-mac-20 running"
action 002 cli command "enable"
action 003 cli command "config t"
action 004 cli command "interface $_mat_intf_name"
action 005 if $_mat_notification eq "add"
action 006 cli command "switchport access vlan 20"
action 007 end
action 008 cli command "end"

!

event manager applet detect-mac-30
event mat mac-address "^$oui_30"
action 001 syslog msg "detect-mac-30 running"
action 002 cli command "enable"
action 003 cli command "config t"
action 004 cli command "interface $_mat_intf_name"
action 005 if $_mat_notification eq "add"
action 006 cli command "switchport access vlan 30"
action 007 end
action 008 cli command "end"

8 Replies

Joe Clarke
Cisco Employee

1. You'll need to add code to parse the output of "show int switchport" to see if the port is a trunk.

! Applet actions (labels added so this drops straight into an applet):
! read the operational mode and leave the applet when the port is a trunk.
action 010 cli command "show int $_mat_intf_name switchport | inc Operational Mode:"

action 011 regexp "trunk" "$_cli_result"

action 012 if $_regexp_result eq "1"

action 013  exit

action 014 end

2. No, this is not possible on the event spec line.  You could build a regexp for all OUIs, and then extract a matching VLAN from a file.  You could read the file, and then extract the VLAN portion if the OUI matches the OUI portion.
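The approach described in this answer (one event for all OUIs, trunks filtered by operational mode, and the OUI-to-VLAN mapping read from a file instead of environment variables) as an added EEM Tcl policy. This is example code, not something from the thread or from Cisco. It assumes a constructed file flash:/oui_vlan.csv with lines in the poster's format (`aaaa.aa*,20`), that the event_reqinfo keys `intf_name` and `mac_address` mirror the applet variables `$_mat_intf_name` and `$_mat_mac_address`, and that the MAC is delivered in dotted `aaaa.aaaa.aaaa` form. It is written against the Tcl 8.3 subset available in IOS, so it avoids `lassign` and the `eq` operator.

```tcl
::cisco::eem::event_register_mat mac_address {^.*$} type add maxrun 60

# Added example policy (not from the original thread). On every new MAC it
# looks the OUI up in a CSV on flash and moves the port to the mapped VLAN,
# but only when the port is operationally an access port.
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# Assumed location and format of the mapping file: "aaaa.aa*,20" per line.
set csv_path "flash:/oui_vlan.csv"

array set einfo [event_reqinfo]
set intf $einfo(intf_name)
set mac  [string tolower $einfo(mac_address)]

# Load the OUI -> VLAN table. Blank lines and lines starting with '#' are
# skipped, a trailing '*' on the OUI is tolerated, and the VLAN must be a
# sane id so a malformed file cannot push unexpected configuration.
proc load_oui_table {path} {
    set table {}
    if {[catch {open $path r} fd]} {
        return $table
    }
    while {[gets $fd line] >= 0} {
        set line [string trim $line]
        if {[string length $line] == 0 || [string index $line 0] == "#"} { continue }
        set parts [split $line ","]
        if {[llength $parts] != 2} { continue }
        set oui  [string tolower [string trimright [string trim [lindex $parts 0]] "*"]]
        set vlan [string trim [lindex $parts 1]]
        if {![string is integer -strict $vlan] || $vlan < 1 || $vlan > 4094} { continue }
        lappend table [list $oui $vlan]
    }
    close $fd
    return $table
}

# Return the VLAN whose OUI is a prefix of the MAC, or "" when nothing matches.
proc lookup_vlan {table mac} {
    foreach entry $table {
        set oui  [lindex $entry 0]
        set vlan [lindex $entry 1]
        if {[string first $oui $mac] == 0} { return $vlan }
    }
    return ""
}

set vlan [lookup_vlan [load_oui_table $csv_path] $mac]

if {[string length $vlan] == 0} {
    # Unknown OUI: change nothing, just leave a trace for the operator.
    action_syslog priority info msg "detect-mac: $mac on $intf has no OUI mapping"
} else {
    if {[catch {cli_open} result]} { error $result $errorInfo }
    array set cli $result
    if {[catch {cli_exec $cli(fd) "enable"} result]} { error $result $errorInfo }

    # Exclude trunks by operational mode, which also catches negotiated trunks.
    set cmd "show interface $intf switchport | include Operational Mode:"
    if {[catch {cli_exec $cli(fd) $cmd} result]} { error $result $errorInfo }

    if {[regexp -nocase {trunk} $result]} {
        action_syslog priority info msg "detect-mac: $intf is an operational trunk, skipping"
    } else {
        foreach cmd [list "configure terminal" "interface $intf" \
                          "switchport access vlan $vlan" "end"] {
            if {[catch {cli_exec $cli(fd) $cmd} result]} { error $result $errorInfo }
        }
        action_syslog priority info msg "detect-mac: moved $intf to VLAN $vlan for $mac"
    }
    catch {cli_close $cli(fd) $cli(tty_id)}
}
```

Register it the usual way (copy to the policy directory, `event manager policy <name>`), and note that it still runs a `show interface switchport` for every learned MAC, which is the resource cost discussed further down the thread; an unknown OUI only logs, so an unexpected device never silently lands in a mapped VLAN.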

Thanks Joe,

I just want to make sure that I understand this correctly.  If I use the MAT event and parse the interface every time a new MAC was learned, would that use a lot of processing resources on the switch, depending on the amount of MAC addresses learned on the trunk?  Would that put the switch at risk of running out of resources and crashing?

It could, yes.  But there's no other way to reliably filter trunk ports.  You could design an interface regexp to match ports that you know to only be access, but that would require you to know operational state up front for each switch.

As another means to protect processing resources, is it possible to only run this event on an interface that changed state to up within a certain time period?  

Example:  If an interface changed state to up within the last 90 seconds, monitor MAT events?  If it's been up longer than 90 seconds, do not?

No, the event detector does not support this.  While you could react to an interface coming up and install a mat policy, I feel the timing would make this too difficult.

What you could do is have a "scheduler" policy that periodically runs and checks all interface operational states.  If they are access it installs a policy for that interface.  If it turns to trunk, it removes the policy.  The downside of this is that you will have one policy for every access port.

I am doing something very similar with an EEM script.  I would say you want to filter out trunk ports based on Administrative Mode vs Operational.  Unless the port is manually configured as a trunk I treat it as an access port.

event manager applet detect-mac

 !!!
 !! Detect MAC addresses
 !!!
 event mat mac-address "^.*$" type add
 action 1.00 if $_mat_notification eq "add"

 !!!
 !! Excluding trunk interfaces (by administrative mode).
 !!!
 action 1.01 cli command "enable"
 action 1.02 cli command "show int $_mat_intf_name switchport | inc Administrative Mode:"
 action 1.03 string match "*trunk*" "$_cli_result"
 action 1.04 syslog msg "Interface: $_mat_intf_name Result: $_cli_result"
 action 2.00 if $_string_result eq "0"
 !! Access-port handling (for example the VLAN assignment) belongs in this branch.
 action 2.99 end
 action 3.00 end

That may be fine for certain use cases, but in general I think it's risky to use administrative state.  While a port configured for trunking will be a trunk, you may miss trunks that negotiate.  And if your desire is either to match all or skip all trunk ports, administrative state alone may not be telling you the whole story.


That said, build solutions that do what you need them to do and test them thoroughly.

In my environment we would consider a negotiated trunk a security risk.  They should not exist.  If you need a trunk then configure it as such.  You're right, it might not matter in some networks.
