Disable Ports on Network Equipment with SNMP Support
Question
How can I disable ports on network equipment with SNMP support?
Answer
This article explains how the ports can be disabled on network equipment with SNMP support. You can use this example to create your own scripts and manage ports where a Baremetal server is connected. If you are using SNMP for equipment management, make sure that you fully understand your vendor's explanations (and recommendations) of how to use its services and features.
Please note that running bad scripts may affect the whole network infrastructure and cause downtime for the hosts. Run custom scripts at your own risk and responsibility.
Script Example
#!/bin/bash
#Find, disable, enable port using SNMP at Cisco switch
#Reference documentation http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00801c9199.shtml
#Example: cd <directory> ./snmp_cisco.sh 192.168.128.13 00:10:5A:F6:CF:37 e
#Where:
#- 1st parameter is switch IP address
#- 2nd is MAC-address of NIC
#- 3rd is operation (e - enable port when the description is found at a port, d - disable port when the MAC is found, f - find MAC address in switch address table)
#Variables descriptions
switch_ip=$1;
mac=$(echo "$2" | sed 's/://g');
#SNMP community string with write access; replace with the one configured on your switch
community="ppublic";
operation=$3;
#We have created 3 procedures below
#For Cisco 3550
3550_get_port(){
    #Check for vlans and find MAC at port
    for i in `snmpwalk -On -v2c -c $community@1 $switch_ip .1.3.6.1.4.1.9.9.46.1.3.1.1.2 | sed 's/.1.3.6.1.4.1.9.9.46.1.3.1.1.2.1.//g' | awk '{print $1}'`; do
        find_mac=`snmpwalk -On -v2c -c $community@$i $switch_ip .1.3.6.1.2.1.17.4.3.1.1 | sed s/' '//g | grep -i "$mac" | sed 's/^.*Hex-STRING\://g'| awk '{print $1}'`;
        if [[ $find_mac != "" ]]; then
            point1=$(snmpwalk -On -v2c -c $community@$i $switch_ip .1.3.6.1.2.1.17.4.3.1.1 | sed s/' '//g | grep -i "$mac" | sed 's/.1.3.6.1.2.1.17.4.3.1.1.//g' | sed 's/=.*//g' );
            port_numb=`snmpwalk -v2c -c $community@$i $switch_ip .1.3.6.1.2.1.17.4.3.1.2 | grep -i "$point1" | sed 's/^.*INTEGER\: //g'`;
            echo "MAC $mac was found in VLAN $i at port number #"$port_numb;
        fi
    done;
}
disable_port(){
    3550_get_port;
    #Do not send any snmpset if the MAC was not found
    if [[ $port_numb == "" ]]; then
        echo "MAC $mac was not found. Exiting ...";
        exit 1;
    fi
    echo "Going to disable port #"$port_numb;
    #Before disable we write description to port
    snmpset -v2c -c $community $switch_ip .1.3.6.1.2.1.31.1.1.1.18.$port_numb s "$mac";
    #Disable port by MAC
    snmpset -v2c -c $community $switch_ip .1.3.6.1.2.1.2.2.1.7.$port_numb i 2;
    #Save running config of Cisco switch to startup
    save_3550_cfg;
}
enable_port(){
    echo "Going to enable port by MAC";
    #Find MAC by port description
    port_to_enable=`snmpwalk -v2c -On -c $community $switch_ip .1.3.6.1.2.1.31.1.1.1.18 | grep -i "$mac" | sed 's/.1.3.6.1.2.1.31.1.1.1.18.//g' | awk '{print $1}'`;
    #If port was not found
    if [[ $port_to_enable == "" ]]; then
        echo "MAC wasn't found by port description. Exiting ...";
        3550_get_port;
        port_to_enable=$port_numb;
        echo "$port_to_enable";
        exit;
    fi;
    #Enable port
    snmpset -v2c -c $community $switch_ip .1.3.6.1.2.1.2.2.1.7.$port_to_enable i 1;
    #Save running config of Cisco switch to startup
    save_3550_cfg;
}
save_3550_cfg(){
    echo "Saving Cisco 3550 switch configuration";
    snmpset -t60 -v2c -c $community $switch_ip 1.3.6.1.4.1.9.2.1.54.0 i 1
}
main(){
    if [[ $operation == "f" ]]; then
        echo "Find port operation";
        3550_get_port;
    elif [[ $operation == "d" ]]; then
        echo "Disable port operation";
        disable_port;
    elif [[ $operation == "e" ]]; then
        echo "Enable port operation";
        enable_port;
    else
        echo "Wrong arguments given";
    fi;
}
main;
Examples
Find a port:
$ ./snmp_cisco.sh 192.168.128.13 00:10:5A:F6:CF:37 f
Find the port operation:
MAC 00105AF6CF37 was found in VLAN 1 at port number #4
Disable the port:
$ ./snmp_cisco.sh 192.168.128.13 00:10:5A:F6:CF:37 d
Disable the port operation:
MAC 00105AF6CF37 was found in VLAN 1 at port number #4
Going to disable port #4
IF-MIB::ifAlias.4 = STRING: 00105AF6CF37
IF-MIB::ifAdminStatus.4 = INTEGER: down(2)
Saving the Cisco 3550 switch configuration:
SNMPv2-SMI::enterprises.9.2.1.54.0 = INTEGER: 1
The way it appears in the Cisco console:
switch#sh int desc
Interface  Status      Protocol  Description
Vl1        up          up
Vl100      up          up        cloudboot
Fa0/1      up          up        uplink-office
Fa0/2      up          up
Fa0/3      down        down      dell5x series
Fa0/4      admin down  down      00105AF6CF37
In this example, you can see that port 4 has a description which is the MAC of the blocked device, 00105AF6CF37, with the admin down port status.
Enable the port:
Since you know the disabled MAC address, you can find the description at the switch and enable that port:
$ ./snmp_cisco.sh 192.168.128.13 00:10:5A:F6:CF:37 e
Enable the port operation:
Going to enable port by MAC
IF-MIB::ifAdminStatus.4 = INTEGER: up(1)
Saving Cisco 3550 switch configuration
SNMPv2-SMI::enterprises.9.2.1.54.0 = INTEGER: 1
The way it now appears at the Cisco switch side:
switch#sh int desc
Interface  Status      Protocol  Description
Vl1        up          up
Vl100      up          up        cloudboot
Fa0/1      up          up        uplink-office
Fa0/2      up          up
Fa0/3      down        down      dell5x series
Fa0/4      up          up        00105AF6CF37
In this example, you can see that the port Fa0/4 is now up and has the MAC 00105AF6CF37 as its description.
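The script above writes to ifAlias and ifAdminStatus using the number it reads from .1.3.6.1.2.1.17.4.3.1.2 (dot1dTpFdbPort), which is a bridge port number; BRIDGE-MIB's dot1dBasePortIfIndex (.1.3.6.1.2.1.17.1.4.1.2) maps it to the ifIndex those objects are indexed by, and the two are not guaranteed to match. The following is an added example, not part of the original article's script, that validates the MAC, looks it up by exact OID instead of by substring, and resolves the ifIndex before anything is set. The walk() stub, its sample values and all function names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the article's script. walk() returns CONSTRUCTED sample data
# shaped like `snmpwalk -On` output; on a real switch replace its body with:
#   snmpwalk -On -v2c -c "$community@$vlan" "$switch_ip" "$1"
walk() {
    case "$1" in
    .1.3.6.1.2.1.17.4.3.1.2)   # dot1dTpFdbPort: MAC (decimal index) -> bridge port
        echo '.1.3.6.1.2.1.17.4.3.1.2.0.16.90.246.207.55 = INTEGER: 4'
        echo '.1.3.6.1.2.1.17.4.3.1.2.0.208.211.106.71.251 = INTEGER: 13' ;;
    .1.3.6.1.2.1.17.1.4.1.2)   # dot1dBasePortIfIndex: bridge port -> ifIndex
        echo '.1.3.6.1.2.1.17.1.4.1.2.4 = INTEGER: 10004'
        echo '.1.3.6.1.2.1.17.1.4.1.2.13 = INTEGER: 10013' ;;
    esac
}

# Accept only six colon-separated hex octets; print the decimal FDB index.
mac_to_fdb_index() {
    h='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$1" in
    $h:$h:$h:$h:$h:$h) ;;
    *) return 1 ;;
    esac
    fdb_idx=""
    for octet in $(printf '%s' "$1" | tr ':' ' '); do
        fdb_idx="${fdb_idx:+$fdb_idx.}$(printf '%d' "0x$octet")"
    done
    printf '%s\n' "$fdb_idx"
}

# Read walk output on stdin; print the value of exactly one OID, fail if absent.
value_of() {
    awk -v oid="$1" '$1 == oid { print $NF; found = 1 } END { exit !found }'
}

# MAC -> bridge port -> ifIndex. Prints the ifIndex or returns non-zero.
resolve_ifindex() {
    idx=$(mac_to_fdb_index "$1") || { echo "invalid MAC: $1" >&2; return 2; }
    br_port=$(walk .1.3.6.1.2.1.17.4.3.1.2 | value_of ".1.3.6.1.2.1.17.4.3.1.2.$idx") ||
        { echo "MAC not in forwarding table" >&2; return 1; }
    walk .1.3.6.1.2.1.17.1.4.1.2 | value_of ".1.3.6.1.2.1.17.1.4.1.2.$br_port"
}

resolve_ifindex 00:10:5A:F6:CF:37   # prints 10004 for the sample data
```

A non-zero return from resolve_ifindex is the signal to stop before any snmpset is sent.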