Question


How can I disable ports on network equipment with SNMP support?

Answer


This article explains how the ports can be disabled on network equipment with SNMP support. You can use this example to create your own scripts and manage ports where a Baremetal server is connected. If you are using SNMP for equipment management, make sure that you fully understand your vendor's explanations (and recommendations) of how to use its services and features.

Please note that running faulty scripts may affect the whole network infrastructure and cause downtime for the hosts. Run custom scripts at your own risk and responsibility.

Script Example

#!/bin/bash 
#Find,disable,enable port using SNMP at Cisco switch 
#Reference documentation http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00801c9199.shtml 
#Example: cd <directory> && ./snmp_cisco.sh 192.168.128.13 00:10:5A:F6:CF:37 e
#Where:
#- 1st parameter is the switch IP address
#- 2nd is the MAC address of the NIC
#- 3rd is the operation (e - enable the port whose description holds the MAC, d - disable the port where the MAC is found, f - find the MAC address in the switch address table)
#Variables descriptions 
switch_ip=$1; 
mac=$(echo $2 | sed 's/://g'); 
community="ppublic"; 
operation=$3; 
#We have created 3 procedures below
#For Cisco 3550
3550_get_port(){
#Check for vlans and find MAC at port (queries the switch given as 1st parameter)
for i in `snmpwalk -On -v2c -c $community@1 $switch_ip .1.3.6.1.4.1.9.9.46.1.3.1.1.2 | sed 's/.1.3.6.1.4.1.9.9.46.1.3.1.1.2.1.//g' | awk '{print $1}'`; do
     find_mac=`snmpwalk -On -v2c -c $community@$i $switch_ip .1.3.6.1.2.1.17.4.3.1.1 | sed s/' '//g | grep -i $mac | sed 's/^.*Hex-STRING\://g'| awk '{print $1}'`;
     if [[ $find_mac != "" ]]; then
          point1=$(snmpwalk -On -v2c -c $community@$i $switch_ip .1.3.6.1.2.1.17.4.3.1.1 | sed s/' '//g | grep -i $mac | sed 's/.1.3.6.1.2.1.17.4.3.1.1.//g' | sed 's/=.*//g' );
          port_numb=`snmpwalk -v2c -c $community@$i $switch_ip .1.3.6.1.2.1.17.4.3.1.2 | grep -i $point1 | sed 's/^.*INTEGER\: //g'`;
          echo "MAC $mac was found in VLAN $i at port number #"$port_numb;
     fi 
done; 
}
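disable_port(){
        3550_get_port;
        #Stop if the MAC was not found: an empty port number must never reach snmpset
        if [[ -z $port_numb ]]; then
           echo "MAC $mac was not found. Exiting ...";
           exit 1;
        fi;
        echo "Going to disable port #"$port_numb;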
        #Before disable we write description to port 
        snmpset -v2c -c $community $switch_ip .1.3.6.1.2.1.31.1.1.1.18.$port_numb s "$mac"; 
        #Disable port by MAC 
        snmpset -v2c -c $community $switch_ip .1.3.6.1.2.1.2.2.1.7.$port_numb i 2; 
        #Save running config of Cisco switch to startup 
        save_3550_cfg;
}
enable_port(){ 
        echo "Going to enable port by MAC"; 
        #Find MAC by port description 
        port_to_enable=`snmpwalk -v2c -On -c $community $switch_ip .1.3.6.1.2.1.31.1.1.1.18 | grep -i $mac | sed 's/.1.3.6.1.2.1.31.1.1.1.18.//g' | awk '{print $1}'`; 
        #If port was not found 
        if [[ $port_to_enable == "" ]]; then 
           echo "MAC wasn't found by port description. Exiting ..."; 
           3550_get_port; 
           port_to_enable=$port_numb;
           echo "$port_to_enable";
           exit 1;
   fi;
   #Enable port
   snmpset -v2c -c $community $switch_ip .1.3.6.1.2.1.2.2.1.7.$port_to_enable i 1;
   #Save running config of Cisco switch to startup 
   save_3550_cfg; 
}
save_3550_cfg(){ 
   echo "Saving Cisco 3550 switch configuration"; 
    snmpset -t60 -v2c -c $community $switch_ip 1.3.6.1.4.1.9.2.1.54.0 i 1 
}
main(){ 
     if [[ $operation == "f" ]]; then 
           echo "Find port operation"; 
           3550_get_port; 
    elif [[ $operation == "d" ]]; then 
           echo "Disable port operation"; 
           disable_port; 
    elif [[ $operation == "e" ]]; then 
           echo "Enable port operation"; 
           enable_port; 
   else 
          echo "Wrong arguments given"; 
  fi; 
} 
main;
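
The script above passes the bridge port number from .1.3.6.1.2.1.17.4.3.1.2 straight to snmpset as the interface index and selects table rows with grep. The following is an added example, not part of the original script: it resolves a MAC to an ifIndex from captured snmpwalk -On text using exact OID matching and the BRIDGE-MIB dot1dBasePortIfIndex table. The function names and sample walk data are constructed for illustration.

```sh
#!/bin/sh
# Added example: offline MAC -> bridge port -> ifIndex resolution over captured
# `snmpwalk -On` text. Sample data below is constructed, not from a real switch.
FDB_PORT=.1.3.6.1.2.1.17.4.3.1.2            # dot1dTpFdbPort (value = bridge port)
BASE_PORT_IFINDEX=.1.3.6.1.2.1.17.1.4.1.2   # dot1dBasePortIfIndex (value = ifIndex)

# Constructed sample output (hypothetical values).
SAMPLE_FDB='.1.3.6.1.2.1.17.4.3.1.2.0.16.90.246.207.55 = INTEGER: 4
.1.3.6.1.2.1.17.4.3.1.2.0.16.90.246.207.5 = INTEGER: 0
.1.3.6.1.2.1.17.4.3.1.2.0.208.211.106.71.251 = INTEGER: 14'
SAMPLE_BASEPORT='.1.3.6.1.2.1.17.1.4.1.2.4 = INTEGER: 10004
.1.3.6.1.2.1.17.1.4.1.2.14 = INTEGER: 10014'

# Validate a colon-separated MAC and print it as the dotted-decimal table index.
mac_to_fdb_index() {
    h='[0-9A-Fa-f]'
    case $1 in $h$h:$h$h:$h$h:$h$h:$h$h:$h$h) ;; *) return 1 ;; esac
    # Unquoted on purpose: the check above allows only hex digits and colons.
    printf '%d.%d.%d.%d.%d.%d\n' $(printf '%s\n' "$1" | sed 's/:/ 0x/g; s/^/0x/')
}

# Print the INTEGER value of exactly one OID from walk text on stdin.
# Whole-field comparison, so index ...207.5 never matches ...207.55.
oid_value() {
    awk -v oid="$1" '$1 == oid && $3 == "INTEGER:" { print $4; hit = 1 }
                     END { exit !hit }'
}

# MAC + captured walks -> ifIndex on stdout. Non-zero status: do not run snmpset.
resolve_ifindex() {
    idx=$(mac_to_fdb_index "$1") || { echo "invalid MAC" >&2; return 2; }
    bport=$(printf '%s\n' "$2" | oid_value "$FDB_PORT.$idx") ||
        { echo "MAC not in forwarding table" >&2; return 1; }
    # Bridge port 0: the switch knows the address but has not learned its port.
    [ "$bport" -gt 0 ] || { echo "no port learned for MAC" >&2; return 1; }
    printf '%s\n' "$3" | oid_value "$BASE_PORT_IFINDEX.$bport" ||
        { echo "bridge port $bport has no ifIndex" >&2; return 1; }
}

# Demo on the constructed sample data.
resolve_ifindex 00:10:5A:F6:CF:37 "$SAMPLE_FDB" "$SAMPLE_BASEPORT"
```

On a live switch the two inputs would be the snmpwalk -On output for those two OIDs, collected per VLAN community as 3550_get_port does.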


Examples

  1. Find a port:

    $ ./snmp_cisco.sh 192.168.128.13 00:10:5A:F6:CF:37 f

    Find the port operation:

    MAC 00105AF6CF37 was found in VLAN 1 at port number #4
  2. Disable the port:

    $ ./snmp_cisco.sh 192.168.128.13 00:10:5A:F6:CF:37 d

    Disable the port operation:

    MAC 00105AF6CF37 was found in VLAN 1 at port number #4

    Going to disable port #4

    IF-MIB::ifAlias.4 = STRING: 00105AF6CF37
    IF-MIB::ifAdminStatus.4 = INTEGER: down(2)

    Saving the Cisco 3550 switch configuration:

    SNMPv2-SMI::enterprises.9.2.1.54.0 = INTEGER: 1

    The way it appears in the Cisco console:

    switch#sh int desc
    Interface                Status            Protocol Description 
    Vl1                      up                up       
    Vl100                    up                up       cloudboot 
    Fa0/1                    up                up       uplink-office 
    Fa0/2                    up                up 
    Fa0/3                    down              down     dell5x series 
    Fa0/4                    admin down        down     00105AF6CF37

    In this example, you can see that port 4 is in the admin down state and that its description is the MAC address of the blocked device, 00105AF6CF37.

  3. Enable the port:
    Since you know the disabled MAC address, you can find the description at the switch and enable that port:

    $ ./snmp_cisco.sh 192.168.128.13 00:10:5A:F6:CF:37 e

    Enable the port operation:

    Going to enable port by MAC
    IF-MIB::ifAdminStatus.4 = INTEGER: up(1)
    Saving Cisco 3550 switch configuration
    SNMPv2-SMI::enterprises.9.2.1.54.0 = INTEGER: 1

    The way it now appears at the Cisco switch side:

    switch#sh int desc
    Interface                      Status            Protocol Description 
    Vl1                            up                up       
    Vl100                          up                up       cloudboot 
    Fa0/1                          up                up       uplink-office 
    Fa0/2                          up                up 
    Fa0/3                          down              down     dell5x series 
    Fa0/4                          up                up       00105AF6CF37

    In this example, you can see that the port Fa0/4 is now up and has the MAC address 00105AF6CF37 as its description.