Controlling config-if statement for given interfaces

Hi,

Using IOS 15.0(2)SG on a cat 4506E with SUP6-LE,

I want to control how the interfaces are configured.

So I wrote the following:

event manager environment mapping interface TenGigabitEthernet4/6
!
! Applet 1: remember the last "interface ..." line typed by rewriting the
! "mapping" environment variable. Asynchronous, and the command itself is
! not skipped.
event manager applet Track-Int-Config
 event cli pattern "^in(.*)" sync no skip no
 action 1.0 syslog msg "A-1.0 $_cli_msg"
 action 1.2 set my_cli "$_cli_msg"
 action 1.3 cli command "ena"
 action 1.4 cli command "config t"
 action 1.5 cli command "event manager environment mapping $_cli_msg"
 action 3.0 syslog msg "A-1.2 $my_cli, A-1.3 $_cli_msg"
!
! Applet 2: intercept "switchport ... vlan ..." (skipped, handled
! asynchronously) and re-apply it from the applet's own CLI session unless
! $mapping names Te1/1. "string last" returns the index of the last match
! or -1; "interface " is 10 characters, so a result of 10 means the variable
! holds "interface TenGigabitEthernet1/1".
event manager applet Block-Mapping
 event cli pattern "^sw(.*)vl(.*)" sync no skip yes
 action 0.1 syslog msg "mapping = $mapping"
 action 0.3 string last "TenGigabitEthernet1/1" "$mapping"
 action 1.0 if $_string_result eq 10
 action 1.1  syslog msg "A-1.0 matched Te 1/1, $_string_result"
 action 2.0 else
 action 2.1  syslog msg "A-2.0 did not match Te 1/1, $_string_result, $_cli_msg"
 action 2.2  cli command "ena"
 action 2.3  cli command "conf t"
 action 2.4  cli command "$mapping"
 action 2.6  syslog msg "A-2.0 did not match Te 1/1, $_string_result, $_cli_msg"
 action 2.8  cli command "$_cli_msg"
 action 9.9 end
!
end

First applet stores the interface to be configured in the configuration.

It uses the environment variable « mapping » stored in the configuration.

Second applet detects the statement that should not be used on Te 1/1, i.e. "switchport vlan mapping".

If the interface configured is Te 1/1, the statement is not taken into account.

Otherwise, the statement is configured (using the first available vty).

It works, however, I am not very happy with this implementation:

1- We need a vty available to have the wanted result
2- Only one can change the configuration at a given time
3- The action « puts » issues a log message instead of a message to the operator

I wanted to use an application variable, OK, I can set it, but I am not able to read it.

Then I wanted to use a “stub object”, but this one is not supported on my Catalyst.

So, if you have a better idea, thanks …

10 REPLIES
Cisco Employee

You could use contexts to save your interface (context save and context retrieve), but there are caveats.  First, every time you retrieve a context it is destroyed, so you need to save it again.  Second, just like with the event manager environment workaround, you are limited to one interface at a time since your version of EEM does not pass the VTY name to the policy.  This makes it very hard to trace whether a command appears under one interface or another if multiple people are configuring two different interfaces at once.

When it comes to puts, this will print to the controlling terminal if the policy is synchronous.  So, a puts in your second applet would display a message to the operator.  It would generate a syslog in your first applet.
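The one-interface-at-a-time caveat above is easy to see once the applet logic is modelled and run over an interleaved session. The following Python is an added illustration, not code from the thread or from Cisco: it reproduces the decision the two applets make (the `string last` index test, and the sync-yes behaviour where the typed command is always suppressed and either dropped or replayed under the remembered interface) and runs it over a constructed transcript of two operators on two VTYs. The per-session variant assumes a session identifier that the EEM release in the thread does not hand to the policy; it is there only to show what that information would change. The transcript, the guard classes and their names are all made up for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed transcript (not from the thread): two operators on two VTYs,
# interleaved. Commands are written fully expanded, which is what EEM
# delivers in $_cli_msg.
TRANSCRIPT: List[Tuple[str, str]] = [
    ("vty1", "interface TenGigabitEthernet1/1"),
    ("vty0", "interface TenGigabitEthernet4/6"),
    ("vty1", "switchport vlan mapping 224 dot1q-tunnel 224"),  # should be dropped
    ("vty0", "switchport vlan mapping 223 dot1q-tunnel 223"),  # should be replayed on Te4/6
]

INTERFACE_RE = re.compile(r"^interface (.*)")              # Track-Int-Config pattern
MAPPING_RE = re.compile(r"^switchport vlan mapping (.*)")   # Block-Mapping pattern
PROTECTED = "TenGigabitEthernet1/1"

# (session, verdict, interface context the verdict was taken under)
Decision = Tuple[str, str, Optional[str]]


def string_last(needle: str, haystack: str) -> int:
    """EEM 'string last' semantics: index of the last occurrence, -1 if absent."""
    return haystack.rfind(needle)


def is_protected(if_config: str) -> bool:
    """The applet's test: $_string_result eq 10 ('interface ' is 10 characters).
    Note this is a prefix match: 'interface TenGigabitEthernet1/10' also gives 10."""
    return string_last(PROTECTED, if_config) == len("interface ")


def is_protected_exact(if_config: str) -> bool:
    """Tighter check: the captured interface name must equal the protected one."""
    m = INTERFACE_RE.match(if_config)
    return bool(m) and m.group(1).strip() == PROTECTED


def block_mapping(cmd: str, if_config: Optional[str]) -> str:
    """Block-Mapping logic. 'run': command not intercepted. 'drop': the typed
    command is suppressed (exit 0) and nothing replaces it. 'reapply': the typed
    command is suppressed and replayed under if_config from the applet's own
    CLI session. With no interface context at all this model drops (fails
    closed); that choice is the model's, the thread does not show that case."""
    if not MAPPING_RE.match(cmd):
        return "run"
    if if_config is None or is_protected(if_config):
        return "drop"
    return "reapply"


class GlobalContextGuard:
    """Models the posted applets: one switch-wide if_config (environment
    variable or saved context) written by whichever session last typed
    'interface ...'."""

    def __init__(self) -> None:
        self.if_config: Optional[str] = None

    def handle(self, session: str, cmd: str) -> Decision:
        if INTERFACE_RE.match(cmd):
            self.if_config = cmd
            return (session, "run", cmd)
        return (session, block_mapping(cmd, self.if_config), self.if_config)


class PerSessionGuard:
    """Same logic keyed by session. Hypothetical: it needs a session identifier
    the EEM release in the thread does not provide to the policy."""

    def __init__(self) -> None:
        self.if_config: Dict[str, str] = {}

    def handle(self, session: str, cmd: str) -> Decision:
        if INTERFACE_RE.match(cmd):
            self.if_config[session] = cmd
            return (session, "run", cmd)
        ctx = self.if_config.get(session)
        return (session, block_mapping(cmd, ctx), ctx)


def run_transcript(guard, transcript: List[Tuple[str, str]]) -> List[Decision]:
    return [guard.handle(session, cmd) for session, cmd in transcript]


if __name__ == "__main__":
    for name, guard in (("global context", GlobalContextGuard()),
                        ("per-session context", PerSessionGuard())):
        print(f"--- {name}")
        for session, verdict, ctx in run_transcript(guard, TRANSCRIPT):
            print(f"{session}: {verdict:8s} under {ctx}")
```

With one switch-wide `if_config`, the mapping typed on vty1 (whose last interface line was Te1/1) is not dropped at all: the guard saw vty0's `interface TenGigabitEthernet4/6` more recently, so it replays vty1's command under Te4/6. The guard both misses the forbidden case and configures an interface that operator never opened, which is the attribution problem described above. The per-session variant gets both verdicts right. The model also shows that the index-10 test is a prefix match, which `is_protected_exact` avoids.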

Community Member

Thank you, Joseph.

So using "context" is a little bit more complex to manage,

just there is  no change to the configuration.

On the other hand, it is not so bad to have an indication about the last interface configured.

This can help to track odd configuration activities.

I will discuss the point with other people.

I will check the "puts" for the second applet, since I need to send a message when the statement is not taken into account.

Cisco Employee

No configuration change and no used VTY.  Sorry, I misread the second applet.  Both are async, so puts won't work for either.  If you make the second synchronous, then puts will print to the current VTY.

Community Member

so, the second applet should be:

! Synchronous now, so "puts" reaches the operator's terminal.
! "puts" takes the string directly (there is no "msg" keyword).
event manager applet Block-Mapping
 event cli pattern "^sw(.*)vl(.*)" sync yes skip yes
 action 0.3 string last "TenGigabitEthernet1/1" "$mapping"
 action 1.0 if $_string_result eq 10
 action 1.1  puts "dropped forbidden statement  $mapping $_string_result"
 action 2.0 else
 action 2.2  cli command "ena"
 action 2.3  cli command "conf t"
 action 2.4  cli command "$mapping"
 action 2.8  cli command "$_cli_msg"
 action 9.9 end

then, I need anyway to configure the skipped statement. I think this configuration needs an available vty.

Cisco Employee

Yes, you will always need a VTY line for the solution.  You just wouldn't need one for the first applet if you used a context.   Your config is close.  Do:

event cli pattern "^sw(.*)vl(.*)" sync yes

Then at the end of your applet, do:

action 9.91 exit 0

Community Member

Puts works fine.

I did not implement the context management.

However, making the applet synchronous produces a blank line.

Could I avoid the blank line?

=======================

Switch(config-if)#int t4/6
Switch(config-if)#switchport vlan mapping 223 dot1q-tunnel 223

Switch(config-if)#end
Switch#

FYI, the applets now look like this:

==========================

event manager environment config_if interface TenGigabitEthernet4/6
!
! Synchronous guard: the typed command is held until the applet finishes.
! "exit 0" tells EEM not to run it, so the allowed case is replayed by the
! applet itself under $config_if and the forbidden case is simply dropped,
! with "puts" telling the operator.
event manager applet Block-Mapping
 event cli pattern "^sw(.*)vl(.*)" sync yes
 action 0.1  syslog msg "config_if = $config_if"
 action 0.3  string last "TenGigabitEthernet1/1" "$config_if"
 action 1.0  if $_string_result eq 10
 action 1.1   syslog msg "A-1.0 matched Te 1/1, $_string_result"
 action 1.8   puts "forbidden  $_cli_msg on $config_if"
 action 2.0  else
 action 2.2   cli command "ena"
 action 2.3   cli command "conf t"
 action 2.4   cli command "$config_if"
 action 2.8   cli command "$_cli_msg"
 action 3.0   syslog msg "A-2.0 did not match Te 1/1, $_string_result, $_cli_msg"
 action 9.9  end
 action 9.91 exit 0
!
! Asynchronous tracker: records the last "interface ..." line in the
! environment variable, i.e. a running-config change on every interface command.
event manager applet Track-Int-Config
 event cli pattern "^in(.*)" sync no skip no
 action 1.3 cli command "ena"
 action 1.4 cli command "config t"
 action 1.5 cli command "event manager environment config_if $_cli_msg"
 action 3.0 syslog msg "A-1.5 used $_cli_msg"
!
end

Cisco Employee

There's no way to control that.  It shouldn't cause any negative results, though.

Community Member

Ok, Joseph, I managed to use context, because the implementation using the environment variable was very slow.

Applet Track-Int-Config is now working very fast.

I am not very happy with applet Block-Mapping; it takes 8 seconds to execute the following:

action 4.5   cli command "ena"
action 5.0   cli command "conf t"
action 5.1   cli command "quit"
action 5.5   cli command "$if_config"
action 6.0   cli command "$_cli_msg"

Is it possible to speed up this process?

The applets now look like this:

====================================

! All applet CLI sessions run as this user, so AAA command authorization
! is evaluated for every "cli command" below.
event manager session cli username "eem"
!
! Tracker: keep the last "interface ..." line in a saved context instead of
! an environment variable, so nothing is written to the configuration.
! A retrieved context is destroyed, so it is retrieved and saved again on
! every run; handle-error ignore covers the very first run, when no context
! exists yet.
event manager applet Track-Int-Config
 event cli pattern "^interface (.*)" sync no skip no
 action 0.0 handle-error type ignore
 action 1.0 context retrieve key dummy variable "if_config"
 action 2.0 set if_config "$_cli_msg"
 action 3.0 context save key dummy variable "if_config"
!
! Guard: retrieve the interface and save it straight back (retrieve destroys
! it), then drop the command on Te1/1 or replay it on the saved interface.
event manager applet Block-Mapping
 event cli pattern "^switchport vlan mapping (.*)" sync yes
 action 1.0  context retrieve key dummy variable "if_config"
 action 1.5  context save key dummy variable "if_config"
 action 2.0  string last "TenGigabitEthernet1/1" "$if_config"
 action 2.5  if $_string_result eq 10
 action 3.0   syslog msg "Rejected $_cli_msg on $if_config"
 action 3.5   puts "forbidden  $_cli_msg on $if_config"
 action 4.0  else
 action 4.5   cli command "ena"
 action 5.0   cli command "conf t"
 action 5.1   cli command "quit"
 action 5.5   cli command "$if_config"
 action 6.0   cli command "$_cli_msg"
 action 6.5   puts "configured $_cli_msg on $if_config"
 action 7.0   syslog msg "Configured  $_cli_msg on $if_config"
 action 7.5   cli command "end"
 action 9.9  end
 action 9.99 exit 0
!
end

Cisco Employee

Are you using AAA command authz?  You might try configuring "event manager applet Track-Int-Config auth by" as that will bypass authz, and should speed things up.

Community Member

Bingo, Joseph!!

In fact, the TACACS server in my lab was not reachable during my last test session.

With the TACACS server up and running, it takes about an additional 100 ms to configure a vlan mapping, which is acceptable.

I keep in mind "event manager applet Track-Int-Config auth by" just in case we have too long a response time on the real network.
