how to make UPM script changes permanent


I have a script that uses a port-up log trigger to look at the FDB and see if the MAC is in a list, then delete the port from the DATA VLAN and add it to one of several different VLANs (based on the MAC).

I do not have the PORT DOWN trigger putting things back, as we found 3rd-party APs in DHCP mode would get an IP in the wrong VLAN and would reboot, thus creating a loop.

So instead: the port comes UP, we read the FDB, and if the FDB matches an Aruba OUI we move the port to the WIFI VLAN... The AP reboots, link goes down, the port stays in the WIFI VLAN; the AP comes up and everything is GOOD...

The problem is that if the switch reboots, the port belongs to NO VLAN (in the original config it was in the DATA VLAN). The FDB will never learn if there is NO VLAN, so the port never gets moved to the WIFI VLAN. (Actually the voice VLAN is tagged on these ports, but the AP does not talk to that VLAN, so the FDB problem still exists.)


So I'm wondering if anyone else can tell me how to make a UPM script permanent, and if not, why does part of the script (the deleting of the port from the DATA VLAN) stay and not the adding of the port to the WIFI VLAN?

What I would like is that on a reboot the ports go back to their default state (in the DATA VLAN).

Then the scripts would work fine to move things back to the proper VLAN...

A close second would be if the config just stayed in the state it was in (like if I could save the config in the script), so the ports would stay in the WIFI VLAN and after a power outage things would come back online (if you move items you would need to reconfigure the switch, but I am OK with that).


Thanks for your help.


Script bits:


create upm profile MAC-Detect
if (!$match($EVENT.LOG_PARAM_0,1:52)) then
create log entry "!!!!UPLINK_PORT_STATUS_CHANGE_NO_UPM_ACTION_TAKEN!!!!!!!!"
return 0
endif
set var MAC1 6c:f3:7f:
set var MAC2 d8:c7:c8:
set var MAC3 ac:a3:1e:
set var MAC4 00:40:8c:
set var MAC5 ac:cc:8e:
set var MAC6 00:20:4a:
set var MAC7 18:64:72:
set var VLAN1 Wifi
set var VLAN2 security
set var myWaitVar $TCL(after [expr 1000 * 6])
set var CLI.OUT " "
show fdb ports $EVENT.LOG_PARAM_0
set var list1 $TCL(split ${CLI.OUT} "\n")
set var list2 $TCL(lindex $(list1) 2)
set var list3 $TCL(string replace $(list2) 9 65 {})
create log entry ($list3)_mac_entry
if (!$match($list3, $MAC1)) then
configure vlan data del port $EVENT.LOG_PARAM_0
configure vlan $VLAN1 add port $EVENT.LOG_PARAM_0
create log entry "Aruba_device_connected_on_port_($EVENT.LOG_PARAM_0)"
return 0
endif
if (!$match($list3, $MAC2)) then
configure vlan data del port $EVENT.LOG_PARAM_0
configure vlan $VLAN1 add port $EVENT.LOG_PARAM_0
create log entry "Aruba_device_connected_on_port_($EVENT.LOG_PARAM_0)"
return 0
endif
if (!$match($list3, $MAC3)) then
configure vlan data del port $EVENT.LOG_PARAM_0
configure vlan $VLAN1 add port $EVENT.LOG_PARAM_0
create log entry "Aruba_device_connected_on_port_($EVENT.LOG_PARAM_0)"
return 0
endif
if (!$match($list3, $MAC4)) then
configure vlan data del port $EVENT.LOG_PARAM_0
configure vlan $VLAN2 add port $EVENT.LOG_PARAM_0
create log entry "AXIS_device_connected_on_port_($EVENT.LOG_PARAM_0)"
return 0
endif
if (!$match($list3, $MAC5)) then
configure vlan data del port $EVENT.LOG_PARAM_0
configure vlan $VLAN2 add port $EVENT.LOG_PARAM_0
create log entry "AXIS_device_connected_on_port_($EVENT.LOG_PARAM_0)"
return 0
endif
if (!$match($list3, $MAC6)) then
configure vlan data del port $EVENT.LOG_PARAM_0
configure vlan $VLAN2 add port $EVENT.LOG_PARAM_0
create log entry "Security_device_connected_on_port_($EVENT.LOG_PARAM_0)"
return 0
endif
if (!$match($list3, $MAC7)) then
configure vlan data del port $EVENT.LOG_PARAM_0
configure vlan $VLAN1 add port $EVENT.LOG_PARAM_0
create log entry "Aruba_device_connected_on_port_($EVENT.LOG_PARAM_0)"
return 0
endif
create log entry " MAC_DETECT_FAILED_DEVICE_UNKNOWN_STAYS_IN_DATA_VLAN"
return 1
.
#Period used to end block-mode

create log filter Log_PortUp
configure log filter Log_PortUp add events vlan.msgs.portLinkStateUp
create log target upm MAC-detect
configure log target upm MAC-detect filter Log_PortUp severity Info only
configure log target upm MAC-detect match Any

David Rahn

Posted 3 years ago

Dorian Perry, Employee

Hi David,

I believe the command you are looking for is "enable cli scripting permanent". Add the command at the beginning of the UPM Script. Also add a "save" at the end of the UPM Script to save the configuration.

David Rahn


Thank you... trying it now.

Any idea why some items are permanent and others are not (config vlan data del port x vs config vlan wifi add port x)?


Daniel Flouret, Employee

Is there a reason why you are not using mac-based network login?

David Rahn

My ignorance... can I use MAC login and mask the MAC and only look at the OUI?

Daniel Flouret, Employee

Easily...
configure netlogin add mac-list aa:bb:cc:00:00:00 24 password ports 1-3
would strip the last bytes and send aabbcc000000 with a password of "password" to RADIUS or the local database whenever a MAC starting with aa:bb:cc appears on ports 1 to 3. The number after the MAC (24) is a mask and is the number of bits to pass (ffffff000000).

If you want to simply get the OUI of any mac, use
configure netlogin add mac-list ff:ff:ff:00:00:00 24 password ports 1-3

Daniel Flouret, Employee

David,

This is what I think you should do.

Let's assume you have two groups of APs with MAC addresses starting with 00:01:aa:00:00:00 and 00:01:bb:00:00:00, and that you want to connect the first group to VLAN red and the second group to VLAN blue. Any other device should connect to VLAN white.

The configuration to do that would be:
#
# Module vlan configuration.
#
configure vlan default delete ports 1-7
create vlan "blue"
create vlan "nl"
create vlan "red"
create vlan "white"
configure vlan Mgmt ipaddress 172.16.56.11 255.255.255.0

#
# Module netLogin configuration.
#
configure netlogin vlan nl
enable netlogin mac
enable netlogin ports 1-7 mac
configure netlogin ports 1-7 mode mac-based-vlans
configure netlogin mac authentication database-order local
configure netlogin add mac-list 00:01:aa:00:00:00 24 extreme ports 1-7
configure netlogin add mac-list 00:01:bb:00:00:00 24 extreme ports 1-7
configure netlogin add mac-list 00:00:00:00:00:00 4 extreme ports 1-7

#
# Module aaa configuration.
#
create netlogin local-user "0001AA000000" extreme vlan-vsa untagged red
create netlogin local-user "0001BB000000" extreme vlan-vsa untagged blue
create netlogin local-user "000000000000" extreme vlan-vsa untagged white
The secret here is the mac-list.

The first entry will look for MAC addresses starting with 00:01:aa in ports 1 to 7. When it sees one, it will mask the remaining 24 bits, sending a request for user 0001AA000000 with password extreme.
The second entry will do the same for MAC addresses starting with 00:01:bb.
The third entry will take any MAC address starting with 0 in ports 1 to 7 and will mask the remaining 44 bits, sending a request for user 000000000000 with password extreme. This is the same as saying "all the rest"...

Then we only need to create local entries for those three "users" and assign the vlan to which each one of them should be redirected:
0001AA000000 --> vlan red
0001BB000000 --> vlan blue
000000000000 --> vlan white

Hope this helps you solve your problem.

David Rahn

The third entry will take any MAC address starting with 0 in ports 1 to 7 and will mask the remaining 44 bits, sending a request for user 000000000000 with password extreme. This is the same as saying "all the rest"...
This seems to be what I want; however, not all MACs start with 0, so do I need to create 16 fail-safe entries?

Daniel Flouret, Employee

You are right. My mistake.

You could try
configure netlogin add mac-list 00:00:00:00:00:00 1 extreme ports 1-7
configure netlogin add mac-list 80:00:00:00:00:00 1 extreme ports 1-7
These would catch all MACs with their first bit = 0 or first bit = 1, and you would have to add only those two entries (000000000000 and 800000000000).

Haven't tried it though. I'll leave it to you as homework... Hahahaha

David Rahn

Nice...

I did add all the MACs starting with 0-f and that did seem to work...

This is great and much smoother than the UPM profile and log triggers etc.
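To check the mac-list masking discussed in Daniel's answers and David's 16-entry variant without a switch, here is an added model of how a "MAC MASKBITS" entry selects a client MAC and which username it sends. This is example code written for this thread, not Extreme's implementation; it assumes the first matching entry wins and that the username is the masked MAC as 12 upper-case hex digits (the thread shows both cases, so confirm on the switch).

```python
# Added example (not from the thread or from Extreme's code): a model of how a
# netlogin mac-list entry "MAC MASKBITS" selects client MACs and which username
# it sends, so the mask-1 and mask-4 catch-all variants can be checked offline.
# Assumptions: first matching entry wins, and the username is the masked MAC as
# 12 upper-case hex digits (the thread shows both cases; check on the switch).

def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' into a 48-bit integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)

def prefix_mask(bits: int) -> int:
    """48-bit mask passing the first `bits` bits, e.g. 24 -> 0xffffff000000."""
    if not 0 <= bits <= 48:
        raise ValueError("mask must be 0..48 bits")
    return ((1 << bits) - 1) << (48 - bits)

def matches(entry_mac: str, bits: int, client_mac: str) -> bool:
    """True when the client MAC agrees with the entry on its first `bits` bits."""
    m = prefix_mask(bits)
    return mac_to_int(entry_mac) & m == mac_to_int(client_mac) & m

def masked_username(bits: int, client_mac: str) -> str:
    """Username sent for authentication: the masked client MAC (assumed upper-case)."""
    return f"{mac_to_int(client_mac) & prefix_mask(bits):012X}"

def lookup(mac_list, client_mac):
    """(username, vlan) for the first mac-list entry matching client_mac, else None."""
    for entry_mac, bits, vlan in mac_list:
        if matches(entry_mac, bits, client_mac):
            return masked_username(bits, client_mac), vlan
    return None

# Constructed tables: (entry MAC, mask bits, VLAN the matching local-user maps to).
AP_GROUPS = [("00:01:aa:00:00:00", 24, "red"), ("00:01:bb:00:00:00", 24, "blue")]
# The first catch-all (mask 4) only matches MACs whose first hex digit is 0.
ONE_NIBBLE = AP_GROUPS + [("00:00:00:00:00:00", 4, "white")]
# Corrected catch-all: two mask-1 entries cover first bit 0 and first bit 1.
TWO_BITS = AP_GROUPS + [("00:00:00:00:00:00", 1, "white"), ("80:00:00:00:00:00", 1, "white")]
# David's variant: sixteen mask-4 entries, one per leading hex digit 0-f.
SIXTEEN_NIBBLES = AP_GROUPS + [(f"{d:x}0:00:00:00:00:00", 4, "white") for d in range(16)]

def uncovered(mac_list, client_macs):
    """Client MACs no entry matches, i.e. devices netlogin would not authenticate."""
    return [mac for mac in client_macs if lookup(mac_list, mac) is None]
```

Running `uncovered()` over a sample of MACs from the thread shows the single mask-4 entry leaving Aruba (6c:f3:7f) and Axis (ac:a3:1e) devices unmatched while both the two mask-1 entries and the sixteen mask-4 entries cover every MAC. Keep in mind that an OUI match identifies only the address prefix a device presents, so the VLAN placement is only as trustworthy as that MAC.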