Cisco gurus: Port block scripting?

schnell

Let's say I have a group of interfaces on a Cisco 3560. Let's say it is interfaces fa0/13-fa0/24. Is there any way to write a script so that I can shut or noshut all these interfaces at once?

Basically I want to be able to easily turn the ports on and off all at once as they are only used a couple of times a week but when they are used they are all used at once. When they are not in use I do not want to be dishing out our internal network to anyone who may wander into the area.
 
interface range command?

Or are you wanting to do this programmatically?
 
As cyr0n said, the interface range command is the simplest if you don't mind logging in to do it every time; you could take it a step further and make an alias for it as well. A better option, if your IOS supports it and these ports are used around the same time: you could make a time-based EEM applet for it.
 
There are a few good methods.

I use macros on the Cisco side, then ciscoCMD to run them across multiple switches

something like
define interface-range macro1 fa0/13 - 24

then with ciscoCMD you can feed it a text file of switches like
acc-sw1
acc-sw2
acc-sw3

and a list of commands like
en
conf t
interface range macro macro1
shut
end
wr mem

It will go through your switches one at a time and apply the commands you specify.

Remember you can only use 5 interface or interface range commands so...
interface range Fa1/0/1 - 3, Fa1/0/5, Fa1/0/7, Fa1/0/10, Fa1/0/15 is valid, but...
interface range Fa1/0/1, Fa1/0/3, Fa1/0/5, Fa1/0/7, Fa1/0/9, Fa1/0/11, Fa1/0/13 is not because it has more than 5 interface or groups of interfaces called out.

CiscoCMD: http://sourceforge.net/projects/cosi-nms/files/ciscocmd/

More info about interface range macros:
http://www.techexams.net/forums/ccnp/65314-cisco-macro-not-executing-interface-range.html
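
Added example (not part of the original posts or of ciscoCMD): a Python helper that builds a commands file like the one above from a port list, collapsing contiguous ports into ranges and splitting at the five-group limit the post describes. The function names are hypothetical, and it assumes the session is already in enable mode (as with `-e`), so `en` is omitted.

```python
import re
from itertools import groupby

MAX_GROUPS = 5  # per "interface range" command, as stated in the post above

_PORT = re.compile(r"^([A-Za-z]+)((?:\d+/)*)(\d+)$")

def parse(name):
    """Split 'Fa1/0/13' into (prefix 'Fa1/0/', port number 13)."""
    m = _PORT.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised interface name: {name!r}")
    return m.group(1) + m.group(2), int(m.group(3))

def collapse(names):
    """Merge contiguous ports on the same module into 'fa0/13 - 24' groups."""
    ports = sorted(set(parse(n) for n in names))
    groups = []
    for prefix, items in groupby(ports, key=lambda p: p[0]):
        nums = [n for _, n in items]
        start = prev = nums[0]
        for n in nums[1:] + [None]:          # None flushes the last run
            if n is not None and n == prev + 1:
                prev = n
                continue
            groups.append(f"{prefix}{start}" if start == prev
                          else f"{prefix}{start} - {prev}")
            start = prev = n
    return groups

def command_file(names, action="shutdown"):
    """Lines for a commands file, at most MAX_GROUPS groups per range command."""
    if action not in ("shutdown", "no shutdown"):
        raise ValueError("action must be 'shutdown' or 'no shutdown'")
    groups = collapse(names)
    lines = ["conf t"]
    for i in range(0, len(groups), MAX_GROUPS):
        lines.append("interface range " + ", ".join(groups[i:i + MAX_GROUPS]))
        lines.append(action)
    return lines + ["end", "wr mem"]

if __name__ == "__main__":
    # Constructed input: the seven scattered ports from the post's invalid example.
    scattered = [f"Fa1/0/{n}" for n in (1, 3, 5, 7, 9, 11, 13)]
    print("\n".join(command_file(scattered, "shutdown")))
```

Write the returned lines to the file passed with `-r`; generating a second file with `action="no shutdown"` gives the matching enable script.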
 
Time based applet sounds interesting but the problem is they are used around the same time of day when they are used, but they are not necessarily used on the same day of the week every time.
 
Forgot to mention you can schedule ciscoCMD to run with a cronjob pretty easily. We did this to enable port mirroring and start a packet capture when troubleshooting an issue that happened around the same time every day.

the syntax I typically use looks like this
./ciscocmd -r commands.txt -T hosts.txt -e -u username -p password -s enable_password --ssh

-r = file of commands to run
-T = file of hosts (targets)
-e = enable
-u = username
-p = password
-s = enable secret password
--ssh = use ssh instead of telnet

There are lots of other flags in the man page as well.
 
What about some kind of MAC address filtering using time-of-day parameters? Just thinking out loud.
 
How about a local kron occurrence

Code:
!
kron occurrence ShutIntRange at 21:00 recurring
 policy-list ShutIntRange
!
kron occurrence NoShutIntRange at 8:00 recurring
 policy-list NoShutIntRange
!
kron policy-list NoShutIntRange
 cli conf t
 cli int range f0/0/0 -1 
 cli no shut
!
kron policy-list ShutIntRange
 cli conf t
 cli int range f0/0/0 -1 
 cli shut
!
 
As other people have said, just use the range command and then it's a very short change to get them all up/down.

There was a while when I frequently had to make rather large changes to several devices at once (our version of guest access on/off on some Cisco Aironet APs running IOS), and found the easiest way to do it was using RANCID (which anyone using network switches should check out, it's SO very good), along with the included clogin -- it's been a while since I've used it for mass config change operations. It wasn't too hard to figure out, though.

But setting that up to have it turn 12 ports on/off would be non-worthwhile.
 