Execute a script when a rule is used

Gaspard_W
New Contributor
Hello,

I'm working with NAC and so netlogin.

We have a need to have a switch plugged into another one without having to disable netlogin, but it looks like it's impossible.

We tried numerous setups, and the only one that is working is to link the second switch with a trunk port.
As every port on the network has netlogin enabled by default, I would like to know if there is a way to disable it and make the edge port a trunk port with all the VLANs on it.

I was wondering, is it possible to call a script and execute it when a specific rule / policy is used?
This script would basically disable netlogin on that port and put all the VLANs on it, basically changing it from an end-user type port to a trunk type port.
I know we can do that by hand, through OneView, and it works fine, but it's not very efficient in our setup.

Thanks
Gaspard


I will look at it. The setup involves having a phone vlan, and two or three other vlans.

Gaspard_W
New Contributor
Hello everyone,

So my usecase currently is :

2 switches, I'll call them 1 and 2
the switch 1 has netlogin enabled on every port (not the trunk port)

We want to be able to connect switch 2 (netlogin enabled on every port also, except the trunk port) to switch 1, so it would be on a netlogin-enabled port (mac-based-vlan).

The problem is that netlogin allows the switch 2 MAC address but it doesn't let it netlog the devices connected to it (every device connected on switch 2); that's normal because it's MAC based.

The thing now is that we want to be able to have script run maybe, that would disable netlogin on the switch 1 on that specific port, and add all the VLANs that are needed to make the port a trunk port.
This script could be reverted also when the switch is unplugged from the port on the switch 1.

André_Herkenrat
Extreme Employee
Depending on the use case you could use a combination of EDP and LLDP: LLDP, as Kevin said, to trigger a UPM event, which removes .1x from the port and searches the downlink VLANs via EDP.
Can you be a bit more precise about the usecase ?

Kevin_Kim
Extreme Employee
If LLDP runs on the links between switches, you could use a device-detect and device-undetect profile/script where you can do whatever you want.

- device-detect profile is used to configure a port for the device that has just connected.

# configure upm event device-detect profile ports

- device-undetect profile is used to return the port to a default configuration after a device disconnects.

# configure upm event device-undetect profile ports

Device triggers respond to the discovery protocols IEEE 802.1ab LLDP. A device-detect trigger occurs when an LLDP packet reaches a port that is assigned to a device-detect profile. A device-undetect trigger occurs when periodically transmitted LLDP packets are not received anymore. LLDP age-out occurs when a device has disconnected or an age-out time has been reached. LLDP must be enabled on ports that are configured for device-detect or device-undetect profiles.
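
Putting the two profiles together as an added example (this is not configuration from the thread or from Extreme's documentation): a device-detect profile that turns the edge port into a tagged trunk when the LLDP neighbour is the expected downstream switch, and a device-undetect profile that puts netlogin back when the LLDP neighbour ages out. The profile names (uplink-detect, uplink-undetect), the VLAN names (Data, Voice, Mgmt), the port (1:24) and the peer switch MAC (00:04:96:aa:bb:cc) are assumptions for illustration; $EVENT.USER_PORT and $EVENT.DEVICE_MAC are the event variables UPM supplies to a device-detect/undetect profile. Profile bodies are entered interactively after `create upm profile` and terminated with a line containing only `.`.

```text
# Added example, not from the original post. Names, VLANs, port and MAC are assumed.

# 1. Profile run when an LLDP frame arrives on a bound port.
create upm profile uplink-detect
# Only convert the port if the LLDP neighbour's MAC is the switch we expect.
# NOTE: a chassis MAC is trivially spoofable; this is a sanity check, not authentication.
if ($EVENT.DEVICE_MAC == "00:04:96:aa:bb:cc") then
    disable netlogin ports $EVENT.USER_PORT mac
    configure vlan Data add ports $EVENT.USER_PORT tagged
    configure vlan Voice add ports $EVENT.USER_PORT tagged
    configure vlan Mgmt add ports $EVENT.USER_PORT tagged
    create log message "UPM: port $EVENT.USER_PORT converted to trunk for $EVENT.DEVICE_MAC"
else
    create log message "UPM: unexpected LLDP neighbour $EVENT.DEVICE_MAC on $EVENT.USER_PORT, port left unchanged"
endif
.

# 2. Profile run when LLDP from the neighbour ages out (switch unplugged).
create upm profile uplink-undetect
configure vlan Data delete ports $EVENT.USER_PORT
configure vlan Voice delete ports $EVENT.USER_PORT
configure vlan Mgmt delete ports $EVENT.USER_PORT
enable netlogin ports $EVENT.USER_PORT mac
create log message "UPM: port $EVENT.USER_PORT reverted to netlogin edge port"
.

# 3. LLDP must run on the port, then bind both profiles to it.
enable lldp ports 1:24
configure upm event device-detect profile uplink-detect ports 1:24
configure upm event device-undetect profile uplink-undetect ports 1:24
```

Two cautions before using something like this in production. First, LLDP is unauthenticated: any host that can send an LLDP frame with a chosen chassis MAC can fire the device-detect profile, so the MAC comparison only filters accidents, not an attacker; the real control is binding the profiles only to the specific ports where a downstream switch is expected, never to every netlogin port. Second, while the port is a trunk, nothing behind switch 2 is authenticated by switch 1, so switch 2 must run its own netlogin on its edge ports (as the original poster describes) and its trunk-facing port should be the only one carrying the full VLAN set. Check the result after a plug/unplug cycle with `show netlogin port <port>` and `show vlan ports <port>`.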

Frank_Thomas
Extreme Employee
Another way to skin a cat,
Within Policy Rules



There are actions for either System Log or Trap when the rule is hit. You can read about policy rule hit accounting for a bit more detail.

Anyways, from that event, you can use alarm manager to launch a script from the netsight server which could be ssh/telnet to your device and make the config changes.