Execute a script when a rule is used
06-01-2016 01:06 PM
Hello,
I'm working with NAC, and so with netlogin.
We need to plug a switch into another one without having to disable netlogin, but it looks like that's impossible.
We tried numerous setups, and the only one that works is to link the second switch with a trunk port.
As every port on the network has netlogin enabled by default, I would like to know if there is a way to disable it and make the edge port a trunk port with all the VLANs on it.
I was wondering: is it possible to call a script and execute it when a specific rule / policy is used?
This script would basically disable netlogin on that port and put all the VLANs on it, changing it from an end-user type port to a trunk type port.
I know we can do that by hand through OneView and it works fine, but it's not very efficient in our setup.
Thanks
Gaspard
38 REPLIES
06-02-2016 05:34 AM
I will look at it. The setup involves having a phone vlan, and two or three other vlans.
06-02-2016 05:17 AM
Hello everyone,
So my use case currently is:
2 switches, I'll call them 1 and 2.
Switch 1 has netlogin enabled on every port (not the trunk port).
We want to be able to connect switch 2 (netlogin enabled on every port also, not the trunk port) to switch 1, so it would be on a netlogin-enabled port (mac-based-vlan).
The problem is that netlogin allows the switch 2 MAC address but doesn't let it netlogin the devices connected to it (every device connected to switch 2); that's normal because it's MAC-based.
What we want now is to be able to have a script run, maybe, that would disable netlogin on switch 1 on that specific port and add all the VLANs needed to make the port a trunk port.
This script could also be reverted when the switch is unplugged from the port on switch 1.
06-02-2016 03:03 AM
Depending on the use case you could use a combination of EDP and LLDP: LLDP, as Kevin said, to trigger a UPM event, which removes .1x from the port and searches the downlink VLANs via EDP.
Can you be a bit more precise about the use case?
06-02-2016 01:40 AM
If LLDP runs on the links between switches, you could use a device-detect and a device-undetect profile/script, where you can do whatever you want.
- The device-detect profile is used to configure a port for the device that has just connected.
# configure upm event device-detect profile <profile_name> ports <port_list>
- The device-undetect profile is used to return the port to a default configuration after a device disconnects.
# configure upm event device-undetect profile <profile_name> ports <port_list>
Device triggers respond to the discovery protocol IEEE 802.1AB (LLDP). A device-detect trigger occurs when an LLDP packet reaches a port that is assigned to a device-detect profile. A device-undetect trigger occurs when the periodically transmitted LLDP packets are no longer received. LLDP age-out occurs when a device has disconnected or an age-out time has been reached. LLDP must be enabled on ports that are configured for device-detect or device-undetect profiles.
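Putting the device-detect / device-undetect mechanism from the reply above together for the case in this thread (switch 2 plugged into a netlogin port on switch 1), as an added example that is not from the reply, from Extreme's documentation or from OneView. It assumes switch 1 runs EXOS with UPM, that the port switch 2 plugs into is 1:24, that the VLANs to carry are named data, voice and mgmt, that edge ports use MAC-based netlogin, that EXOS scripting accepts `if (...) then ... endif`, and that UPM exposes the LLDP neighbour's MAC as `$EVENT.DEVICE_MAC` and the triggering port as `$EVENT.USER_PORT`; the MAC 00:04:96:00:00:01 is a constructed placeholder for switch 2. Because the device-detect trigger fires on any LLDP frame, the profile checks which neighbour appeared before converting the port; without that check, any host that sends LLDP into an edge port would get netlogin removed and a tagged trunk carrying every VLAN.

```text
# Added example for this thread, not Extreme's own code. Port, VLAN names,
# profile names and the neighbour MAC are placeholders (assumptions).

# Device-detect / device-undetect only fire where LLDP is running.
enable lldp ports 1:24

# Profile run when an LLDP neighbour appears on the port.
# Only convert the port when the neighbour is the known downstream switch
# (assumed variable $EVENT.DEVICE_MAC, constructed MAC for switch 2);
# otherwise leave the port as a normal netlogin edge port.
create upm profile uplink-detect
if ($EVENT.DEVICE_MAC == "00:04:96:00:00:01") then
    disable netlogin ports $EVENT.USER_PORT mac
    configure vlan data add ports $EVENT.USER_PORT tagged
    configure vlan voice add ports $EVENT.USER_PORT tagged
    configure vlan mgmt add ports $EVENT.USER_PORT tagged
endif
.

# Profile run when the LLDP neighbour ages out (switch 2 unplugged or down):
# strip the tagged VLANs and put the port back under netlogin.
create upm profile uplink-undetect
configure vlan data delete ports $EVENT.USER_PORT
configure vlan voice delete ports $EVENT.USER_PORT
configure vlan mgmt delete ports $EVENT.USER_PORT
enable netlogin ports $EVENT.USER_PORT mac
.

# Bind both profiles to the port(s) where a downstream switch may appear.
configure upm event device-detect profile uplink-detect ports 1:24
configure upm event device-undetect profile uplink-undetect ports 1:24
```

After plugging switch 2 in, `show upm history` shows whether the detect profile ran and `show vlan` / `show netlogin` confirm the port state; after unplugging, the undetect profile should only run once the LLDP neighbour has aged out, so the port stays converted for the age-out interval. The MAC check narrows the trigger but does not authenticate it: LLDP is unauthenticated and a MAC is trivially spoofed, so this should be combined with a second source of truth (the EDP lookup suggested in a later reply, or a fixed set of ports that are allowed to become trunks) rather than bound to every edge port.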
06-01-2016 07:03 PM
Another way to skin a cat:
Within Policy Rules, there are actions for either System Log or Trap when the rule is hit. You can read about policy rule hit accounting for a bit more detail.
Anyway, from that event, you can use Alarm Manager to launch a script from the NetSight server, which could ssh/telnet to your device and make the config changes.
