Question
How can I disable ports on network equipment with SNMP support?
Answer
NOTE: Running badly written scripts may affect the whole network infrastructure and cause downtime for the hosts! Run custom scripts at your own risk and responsibility.
Script Example
####################################START SCRIPT ###################################
#!/bin/bash
# Find, disable or enable a port on a Cisco switch using SNMP.
# Reference documentation:
# http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00801c9199.shtml
#
# Example:
#   cd <directory>
#   ./snmp_cisco.sh 192.168.128.13 00:10:5A:F6:CF:37 e
# Where:
# - 1st parameter is the switch IP address
# - 2nd is the MAC address of the NIC
# - 3rd is the operation (e - enable the port when the description is found on a port,
#   d - disable the port when the MAC is found, f - find the MAC address in the switch address table)

# Variable descriptions
switch_ip=$1
mac=$(echo "$2" | sed 's/://g')
# SNMP community; the snmpset calls below need write access
community="ppublic"
operation=$3

# We have created 3 procedures below

# For Cisco 3550
3550_get_port(){
    # Check each VLAN and find the MAC at a port
    for i in `snmpwalk -On -v2c -c "$community@1" "$switch_ip" .1.3.6.1.4.1.9.9.46.1.3.1.1.2 | sed 's/.1.3.6.1.4.1.9.9.46.1.3.1.1.2.1.//g' | awk '{print $1}'`; do
        find_mac=`snmpwalk -On -v2c -c "$community@$i" "$switch_ip" .1.3.6.1.2.1.17.4.3.1.1 | sed s/' '//g | grep -i "$mac" | sed 's/^.*Hex-STRING\://g' | awk '{print $1}'`
        if [[ $find_mac != "" ]]; then
            # Index of the MAC in the forwarding table (the OID suffix)
            point1=$(snmpwalk -On -v2c -c "$community@$i" "$switch_ip" .1.3.6.1.2.1.17.4.3.1.1 | sed s/' '//g | grep -i "$mac" | sed 's/.1.3.6.1.2.1.17.4.3.1.1.//g' | sed 's/=.*//g')
            # Port number that the index points to
            port_numb=`snmpwalk -v2c -c "$community@$i" "$switch_ip" .1.3.6.1.2.1.17.4.3.1.2 | grep -i "$point1" | sed 's/^.*INTEGER\: //g'`
            echo "MAC $mac was found in VLAN $i at port number #"$port_numb
        fi
    done
}

disable_port(){
    3550_get_port
    # Stop if the MAC was not found, so snmpset is never run with an empty port index
    if [[ -z $port_numb ]]; then
        echo "MAC $mac was not found. Exiting ..."
        exit 1
    fi
    echo "Going to disable port #"$port_numb
    # Before disabling, write the MAC to the port description
    snmpset -v2c -c "$community" "$switch_ip" .1.3.6.1.2.1.31.1.1.1.18.$port_numb s "$mac"
    # Disable the port by MAC
    snmpset -v2c -c "$community" "$switch_ip" .1.3.6.1.2.1.2.2.1.7.$port_numb i 2
    # Save the running config of the Cisco switch to startup
    save_3550_cfg
}

enable_port(){
    echo "Going to enable port by MAC"
    # Find the port by the MAC in its description
    port_to_enable=`snmpwalk -v2c -On -c "$community" "$switch_ip" .1.3.6.1.2.1.31.1.1.1.18 | grep -i "$mac" | sed 's/.1.3.6.1.2.1.31.1.1.1.18.//g' | awk '{print $1}'`
    # If the port was not found
    if [[ $port_to_enable == "" ]]; then
        echo "MAC wasn't found by port description. Exiting ..."
        3550_get_port
        port_to_enable=$port_numb
        echo "$port_to_enable"
        exit
    fi
    # Enable the port
    snmpset -v2c -c "$community" "$switch_ip" .1.3.6.1.2.1.2.2.1.7.$port_to_enable i 1
    # Save the running config of the Cisco switch to startup
    save_3550_cfg
}

save_3550_cfg(){
    echo "Saving Cisco 3550 switch configuration"
    snmpset -t60 -v2c -c "$community" "$switch_ip" 1.3.6.1.4.1.9.2.1.54.0 i 1
}

main(){
    if [[ $operation == "f" ]]; then
        echo "Find port operation"
        3550_get_port
    elif [[ $operation == "d" ]]; then
        echo "Disable port operation"
        disable_port
    elif [[ $operation == "e" ]]; then
        echo "Enable port operation"
        enable_port
    else
        echo "Wrong arguments given"
    fi
}

main
####################################END SCRIPT ###################################
Use Examples
- Find port
$ ./snmp_cisco.sh 192.168.128.13 00:10:5A:F6:CF:37 f
Find port operation
MAC 00105AF6CF37 was found in VLAN 1 at port number #4
- Disable port
$ ./snmp_cisco.sh 192.168.128.13 00:10:5A:F6:CF:37 d
Disable port operation
MAC 00105AF6CF37 was found in VLAN 1 at port number #4
Going to disable port #4
IF-MIB::ifAlias.4 = STRING: 00105AF6CF37
IF-MIB::ifAdminStatus.4 = INTEGER: down(2)
Saving Cisco 3550 switch configuration
SNMPv2-SMI::enterprises.9.2.1.54.0 = INTEGER: 1
How it looks from the Cisco console side:
switch#sh int desc
Interface   Status       Protocol   Description
Vl1         up           up
Vl100       up           up         cloudboot
Fa0/1       up           up         uplink-office
Fa0/2       up           up
Fa0/3       down         down       dell5x series
Fa0/4       admin down   down       00105AF6CF37
In this example, you can see that port 4 has a description that is the MAC of the blocked device (00105AF6CF37) and the port status "admin down".
- Enable port
Since you know the disabled MAC address, you can find the description on the switch and enable that port:
$ ./snmp_cisco.sh 192.168.128.13 00:10:5A:F6:CF:37 e
Enable port operation
Going to enable port by MAC
IF-MIB::ifAdminStatus.4 = INTEGER: up(1)
Saving Cisco 3550 switch configuration
SNMPv2-SMI::enterprises.9.2.1.54.0 = INTEGER: 1
How it now looks on the Cisco switch side:
switch#sh int desc
Interface   Status       Protocol   Description
Vl1         up           up
Vl100       up           up         cloudboot
Fa0/1       up           up         uplink-office
Fa0/2       up           up
Fa0/3       down         down       dell5x series
Fa0/4       up           up         00105AF6CF37
In this example, you can see that port Fa0/4 is now up and has the MAC 00105AF6CF37 as its description.
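The MAC lookup in 3550_get_port, as an added example that is not part of the original script: the forwarding table is indexed by the MAC itself, so the port OID can be computed and matched exactly instead of grepping the walk output. The function names, the sample walk output and the rule that protects ports whose description starts with "uplink" are assumptions.

```bash
#!/bin/bash
# Added example: helper names and the "uplink" rule are assumptions.

# Accept 00:10:5A:F6:CF:37, 00-10-5a-f6-cf-37 or 0010.5af6.cf37; print 12 hex digits.
normalize_mac() {
    local hex
    hex=$(printf '%s' "$1" | tr -d ':.-' | tr 'a-f' 'A-F')
    case $hex in *[!0-9A-F]*) return 1 ;; esac
    [ "${#hex}" -eq 12 ] || return 1
    printf '%s\n' "$hex"
}

# dot1dTpFdbTable is indexed by the MAC itself, so the OID suffix is the
# six octets written in decimal (00105AF6CF37 -> 0.16.90.246.207.55).
mac_to_fdb_index() {
    local hex
    hex=$(normalize_mac "$1") || return 1
    # Word splitting is intended here: sed emits six 0xNN arguments.
    printf '%d.%d.%d.%d.%d.%d\n' $(printf '%s' "$hex" | sed 's/../0x& /g')
}

# Read `snmpwalk -On` output for .1.3.6.1.2.1.17.4.3.1.2 on stdin and print
# the bridge port for one MAC. The whole OID must match, so a shorter index
# can never match a longer one the way an unanchored grep can.
fdb_port_for_mac() {
    local idx
    idx=$(mac_to_fdb_index "$1") || return 1
    awk -v oid=".1.3.6.1.2.1.17.4.3.1.2.$idx" \
        '$1 == oid && $NF ~ /^[0-9]+$/ { print $NF; found = 1 }
         END { exit !found }'
}

# Gate for the snmpset calls: the port must be a positive integer and its
# current description must not mark it as an uplink.
port_is_safe_to_disable() {
    case $1 in ''|*[!0-9]*|0*) return 1 ;; esac
    case $2 in uplink*) return 1 ;; esac
    return 0
}

# Constructed sample of `snmpwalk -On` output; the two indexes differ only
# in the last octet (55 vs 5).
SAMPLE_FDB_WALK='.1.3.6.1.2.1.17.4.3.1.2.0.16.90.246.207.55 = INTEGER: 4
.1.3.6.1.2.1.17.4.3.1.2.0.16.90.246.207.5 = INTEGER: 1'
```

Feed fdb_port_for_mac the output of the script's snmpwalk of .1.3.6.1.2.1.17.4.3.1.2 for each VLAN, and call port_is_safe_to_disable before either snmpset in disable_port. The returned value is a bridge port number; on switches where it differs from the interface index, map it through dot1dBasePortIfIndex (.1.3.6.1.2.1.17.1.4.1.2) first.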