L3 Switch script to shutdown a port based on IP reachability

Hello all,
I would like to know if, using EEM, I can shut down a Gigabit interface based on IP reachability of the remote neighbor via ping,
and "no shutdown" it when the IP reachability is re-established? I'm using IOS-XE.
I ask this because I have an L2 connection which is not directly end-to-end but has some network component (DWDM) in the middle for signal regeneration.
The provider of the DWDM circuit confirms that the signal is NOT end-to-end, so in case there is a failure in the circuit the interfaces of the L3 switches won't go down and the traffic is still routed on this path, since in the routing table the routes are still present even if the remote neighbor is not reachable.
Should I use the track with the event manager applet IOS commands?
Many thanks
Regards

I would recommend looking at feature based capabilities before implementing things with EEM... This way it would be easier to support etc...
The functionality you are asking for should be available on your platform (I assume you are on ASR1K as you are mentioning IOS-XE). You should look at BFD...
Here are a few references:
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/xe-3s/irb-bi-fwd-det.html
You mentioned static routes, so maybe this is also relevant:
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/xe-3s/irb-xe-3s-book_chapter_01000.html
Arie
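Added example, not from this thread or from the Cisco documents linked above: the BFD approach Arie points to, applied to a static route over the DWDM circuit. Interface names, addresses and timers are placeholders, and the remote L3 switch needs the mirror configuration, since a BFD session only comes up when both ends run it. Instead of shutting the interface, the static route is withdrawn while the neighbor stops answering BFD control packets, which removes the blackhole the question describes.

```cisco
! Local L3 switch, IOS-XE. Names, addresses and timers are placeholders (assumption).
interface GigabitEthernet0/0/1
 description DWDM circuit to remote L3 switch
 ip address 192.0.2.1 255.255.255.252
 ! Send and expect BFD control packets every 300 ms; declare the neighbor
 ! down after 3 missed packets (about 1 s), independent of link state.
 bfd interval 300 min_rx 300 multiplier 3
!
! Bind static routes that use this next hop to a BFD session. The session is
! created once a static route pointing at 192.0.2.2 via this interface exists.
ip route static bfd GigabitEthernet0/0/1 192.0.2.2
!
! The route stays out of the RIB while the BFD session is down and is
! reinstalled when the session comes back up, so no EEM "shut"/"no shut"
! applet is needed and traffic falls back to another route (if any) at once.
ip route 198.51.100.0 255.255.255.0 GigabitEthernet0/0/1 192.0.2.2
!
! If an IGP runs across the circuit instead of static routes, enable BFD for
! that protocol, e.g. for OSPF:
! router ospf 1
!  bfd all-interfaces
!
! Verify: "show bfd neighbors details" shows the session state, and
! "show ip route" no longer lists the static route while the session is down.
```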

Similar Messages

  • TCL script or applet to disable port based on reachability

    I am looking for a script or applet that will disable/enable an ethernet interface on a Cat 6500
    based on reachability to an external destination. Reachability should be verified either directly by sending ICMP packets, or based on IP SLA status.
    Thank you,
    Jarek

    ! This will ping every 5 seconds for reachability.
    ip sla 1
     icmp-echo 10.1.1.1
     timeout 1000
     threshold 1000
     frequency 5
    ip sla schedule 1 life forever start-time now
    ! Creates object tracking with the IP SLA operation from above
    ! (on IOS 15.x and later the keyword is "ip sla" instead of "rtr";
    ! "delay down 10 up 10" under the track would damp a flapping probe).
    track 1 rtr 1 reachability
    ! EEM will shut down the interface if it's unreachable.
    ! Note: if 10.1.1.1 is only reachable via fa0, the track never comes
    ! back up after the shut and the second applet will not fire.
    event manager applet interface-shut
     event track 1 state down
     action 0.0 cli command "enable"
     action 0.1 cli command "conf t"
     action 1.0 cli command "interface fa0"
     action 2.0 cli command "shut"
     action 3.0 syslog msg "interface-shut EEM shut down interface fa0"
    ! EEM will bring the interface up when it's reachable.
    event manager applet interface-noshut
     event track 1 state up
     action 0.0 cli command "enable"
     action 0.1 cli command "conf t"
     action 1.0 cli command "interface fa0"
     action 2.0 cli command "no shut"
     action 3.0 syslog msg "interface-noshut EEM brought up interface fa0"

  • Does the SLM224G switch support port-based VLAN's?

    I am looking for a simple solution to create two LANs. One for my own and one for my customers, who will be able to use desktop PCs with internet access. I have only one internet connection (DSL over ISDN) and will not be getting another just for my customers.
    My own network should not be accessible or visible to users who are using the customers-PC's. The other way around is allowed, but not really necessary. My setup requires me to hook up the switch to the (ISP) router, and that router just has one LAN port not able to do anything related to VLAN's.
    I read about port-based VLANs here, where it is stated that creating separate LANs is just putting ports into VLANs on the switch, nothing else needs to be done... However, they used a NetGear smart switch.
    I checked out Cisco's SLM224G as it is affordable, has 24 ports (instead of 8 for the NetGear) and should support VLAN's. I have read a lot about VLAN's, including:
    "- Port-based VLAN's means that you can reconfigure ports to be in different VLAN's. Port-based VLAN's do not confirm 802.1q VLAN support.
    - 802.1q VLAN's means that you can tag VLAN's with 802.1q headers to create a trunk between two devices that carries frames for multiple VLAN's. 802.1q VLAN's confirm that there is also Port-based VLAN support."
    I know from the spec sheets that the SLM224G supports 802.1q (tagged) trunking. So it should, given the text found above, also support port-based VLANs.
    My question is whether it indeed will support port-based VLANs?
    Am I able to use it directly behind my ISP's router and create two separate LANs?
    If so, one extra question: how do the PCs behind the switch (inside the two VLANs) get their IP addresses from the ISP router? Or will it service only one of the two LANs and should I install a DHCP server in the other LAN?
    Any information is very welcome!
    Thank you.

    Thanks for your response, Mr. Carr.
    I have read more about VLANs and their setup. I think the article about port-based VLANs was lacking some information about the router/firewall. Maybe it was set up to work with different VLANs from the start. Strangely, in the text it is said that nothing needs to be set up besides the (Netgear) VLAN-capable switch.
    So, from your response and other texts I learned I needed a VLAN-capable router. I have to say that I need to be able to manage a server on the LAN from the outside (internet). I already tried to set up a Cisco/Linksys WRT54G router behind the ISP's (ZyXel) single-LAN-ported router and that would not work at all (even when the Linksys was set in router mode). I lost the connection to the internet setting it up that way. I even tried to set up the Linksys in the DMZ of the ZyXel, with no luck. I was unable to set that up with working internet access from the LAN. So I was not too happy with the suggestion to set up a (second) VLAN-capable gigabit router behind the ISP's router....
    Eventually, I bridged the ZyXel to get rid of the double NAT/gateway mode of the two routers, as routing mode did not work on the Linksys. The Linksys is now getting the WAN IP from the ISP on its WAN port and I furthermore used DD-WRT's firmware to enable the built-in VLAN capabilities of the Linksys.
    Now I have set up the Linksys with two VLANs and I bought the SLM224G as an inexpensive manageable 24-port VLAN-capable switch to provide the number of ports I needed. I divided the SLM in two VLANs and used two wires from the Linksys to the SLM. So the SLM does support port-based VLANs by simply setting up two ranges of ports with different PVID settings. Trunking and 802.1q tagging isn't needed that way. I know I could have used two dumb switches to get two separate subnetted networks, but this way I get just enough ports in a single device where I have ample space to put it.
    Anyway, thanks for helping me understand the way VLAN-capable switches work.

  • IEEE 802.1x port-based authentication

    I want to configure IEEE 802.1x port-based authentication on Cisco switches, preferably the 2960 series. Which models support this feature? I have tried with some older switches but it doesn't work properly on every one.
    I have upgraded them without better results; there is namely an issue with TLS handshaking on some switches which causes authentication to fail.

    Hi Claudia,
    do you mean that the EAP-TLS authentication fails only on some 2960 switches and it works on other 2960s?
    What is the IOS version you're using there?
    What is the RADIUS server in use?
    What is the exact error message you see on the RADIUS side?
    Usually, the reason for the EAP-TLS handshake failure is to be troubleshot on the supplicant and AAA server; however, there may be something on the switch depending on the certificate size and MTU settings on the switch(es).
    What is the server cert size and the MTU configured on the switches?
    With the info you provided it's difficult to say what's the reason of this failure.
    I would suggest starting by looking into the above-mentioned topics; otherwise you would need to proceed with deeper debugging and sniffer traces, which may be better/easier to handle through a TAC case.
    I hope this helps.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • Vlan vs port based qos

    Hi,
    I have a question about vlan based qos. I am happy with qos configuration as applied to ports. However, vlan based qos confuses me somewhat.
    Is vlan based qos intended for situations where packets are to cross vlans? In that case, am I correct in assuming that vlan based qos has no effect on packet flows within that vlan? In that case the idea of vlan based qos would be to police/mark traffic leaving/joining that vlan?
    Or does vlan based qos extend queuing (priority queue etc.) down to ports that are members of a vlan configured with vlan based qos? I think not, but I'm not absolutely sure.
    I can't seem to get to the bottom of this on cco.
    Thanks, Steve

    Hi Steve,
    Packets do not have to cross VLANs for you to need VLAN-based QoS.
    VLAN-based QoS gives you an additional layer of queueing hierarchy. With port-based Qos, there is a set of software queues per physical port. As packets are scheduled from these queues, they are emitted from the port.
    With VLAN-based QoS, there is another layer. Each VLAN configured for VLAN-based QoS will have a set of queues associated with it, instead of having a set of queues for the physical port. This comes in useful for providers of Metro Ethernet service who offer multiple classes of service. Such ethernet services are usually sold with a fixed bandwidth per-VLAN. At egress switch ports, the provider will use vlan-based QoS to police/shape traffic in order to conform to the sold rate. Within this shaped rate, queueing will be used to ensure that the higher classes of service get preference.
    In answer to your question, vlan-based qos does have an effect on packet flows within that vlan.
    Hope that helps - pls rate the post if it does.
    Regards,
    Paresh.

  • How to do .1x port based network access authentication through ACS

    How to do .1x port based network access authentication through ACS.

    Hi,
    802.1x can authenticate hosts either through the username/password or via the MAC address of the clients (PCs, printers etc.). This process is called Agentless Network Access, which can be done through MAC Auth Bypass.
    In this process the 802.1x switchport would send the MAC address of the connected PC to the RADIUS server for authentication. If the RADIUS server has the MAC address in its database, the authentication would be successful and the PC would be granted network access.
    To check the configuration on the ACS 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/noagent.html
    To check the configuration on an ACS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/common_scenarios.html#wp1053005
    Regards,
    Kush

  • Port-Based Authentication on 877

    Hi
    I have applied the following commands to enable Port-Based Authentication, but when I run the command sh mac address-table it shows a static MAC on this port (xx 0000.xxxx.xxxx STATIC Gi1/0/3).
    authentication control-direction in
    authentication event fail retry 1 action authorize vlan xx
    authentication event no-response action authorize vlan xx
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication port-control auto
    authentication violation protect
    mab
    dot1x pae authenticator
    dot1x timeout quiet-period 10
    dot1x timeout tx-period 10
    dot1x timeout supp-timeout 10
    When I remove the command authentication port-control auto, the sh mac address-table command shows me a DYNAMIC MAC.
    Can anyone please explain to me why this is happening?
    Regards,

    Any input?

  • Port based routing?

    Hi,
    My Mac connects to Internet through ADSL router, and to a PPTP-VPN host through this connection.
    And I want to FORCE all my http/https connections (that use destination port 80, 443, and perhaps some more) to use the VPN, while keeping everything else going through the ADSL router directly.
    Is this possible?

    Did you find any solution?
    I'm trying to find a way to do this too.. on linux port based routing can be done with iptables. Mac OS X uses ipfw but:
    The fwd action does not change the contents of the packet at all.
    In particular, the destination address remains unmodified, so
    packets forwarded to another system will usually be rejected by
    that system unless there is a matching rule on that system to
    capture them.
    Then there is natd? I'm not sure if this can be used..
    And another one is /etc/pf.conf which has this openbsd guide but fails with "PF ERROR! No ALTQ support in kernel. ALTQ related functions disabled".

  • Port Based MPLS

    Dear Gurus,
    I'm trying to configure port based MPLS; however I find my 7206 doesn't support any encapsulation mpls, only l2tpv3. Is this IOS dependent?
    Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(9)T1, RELEASE SOFTWARE (fc2)
    R2(config-if)#xconnect 3.3.3.3 100 encapsulation ?
      l2tpv3  Use L2TPv3 encapsulation
    tia.

    Hello Jepoy,
    according to feature navigator it is supported on C7200 (port mode),
    but you need some specific feature sets
    like
    c7200-adventerprisek9-mz.124-24.T2.bin
    I have a pair of C7200 with advanced security and xconnect is not supported on them
    Hope to help
    Giuseppe

  • LogicX  FREE Channel Switcher script by AUDIOGROCERY

    LogicX  FREE Channel Switcher scripter preset by AUDIOGROCERY
    Audiogrocery is excited to announce the new A.G Midi Channel Switcher, which is royalty free. The A.G Midi Channel Switcher is a new ultimate midi processing script/preset designed for the LogicX scripter plugin. You can use this plugin preset to easily switch the incoming midi channel to any other channel, to be able to change the instrument patch, articulation etc. via Key Switches or Program Change messages. The A.G Channel Switcher is designed to be used with any multitimbral Software Instruments such as Spectrasonics Omnisphere, NI Kontakt, Steinberg Halion Sonic etc., or with multitimbral hardware midi devices via the Logic External Instrument software plugin.
    Key Features
    • Smooth channel/patch change. You can hold down a few notes and switch to another midi channel via Key Switch (KS) or Program Change (PC) without any interruption. After the switching, the new notes will be performed by the new patch while the old “held” notes will play the old patch until you release them. The method guarantees no hanging note events!
    • Non-note events "Pass Thru". The midi channel of all other midi events such as Control Change, Pitch Bend etc. is transformed into the new channel so you can control the new patch accordingly.
    • Midi Channel Key Switching. You can assign a custom Key Switching range using Min/Max Note assigners UI parameters. 
    • Midi Channel Program Change Switching.
    The A.G Midi Channel Switcher comes with Mac Installer for easy install and use in any LogicX project. The tool comes with a detailed User Guide documentation PDF included in the pack.
    PS. Audiogrocery is going to release a bunch of FREE Pro Environments & Scripter plugins for Logic, as well as NI Kontakt Extra scripts. Stay in tune…
    Regards,
    A.G

    Hi, for Oracle 10g you can use the Oracle Policy for custom alerts; then you can monitor the database from Oracle Database Control.
    Regards.

  • Script to select all layers based on condition?

    Do anyone have a script to select all layers based on either name or color label? Possibly using search but not necessarily?

    If you search this forum you will find scripts that will process all layers in a document. You can modify one of them to skip the layers you do not want to process and do nothing to them. The process uses recursion to process layers within layer groups.

  • Community profile lost after switching from facebook-connected to email-based account?

    Hi there, apparently I do not have access to my old facebook-connected profile here in the community after switching to a new, e-mail based account. Is there a way to merge my new account (alexanderklar) with my old one (klar)? Or maybe reactivate access to my old account via my e-mail-based credentials? Thank you and best regards, Alexander Klar

    Hey, looks like your account is now ready!
    Log in with "alexanderklar" and it will log you back into your old account automatically! :)

  • Run a script before shutdown with launchd

    Is there a way to run a shell script before shutdown with launchd? In 10.4, I have a shell script to remove user's folder when a user logs off.
    Lisa Perez

    The only way to do it that I know of is using a logout hook. See this link for details:
    http://www.bombich.com/mactips/loginhooks.html
    However, I'm not sure exactly at what point in the logout process the logout hook is executed so there might be a problem running a script that deletes the home directory of the user that's being logged out.

  • ERROR OWS-04045 during accessing multiple ports based web service

    I use WSA to publish a web service which has multiple ports.
    The ant build script:
    <oracle:assemble appName="${app.name}" ear="${app.name}.ear"
        targetNamespace="http://www.xxx.com" classpath="${domestic.class.path}"
        input="${web.home.path}/WEB-INF/classes" output="${archive.output.path}"
        style="rpc" mappingFileName="type-mapping.xml" appendToExistingDDs="true"
        serviceName="${app.name}">
      <oracle:porttype interfaceName="com.xxx.service.ICompanyDefinerWebService"
          className="com.xxx.CompanyWebServiceImpl">
        <oracle:port name="company" uri="company" />
      </oracle:porttype>
      <oracle:porttype interfaceName="com.xxx.IUserDefinerWebService"
          className="com.xxx.UserProfileWebServiceImpl">
        <oracle:port name="userprofile" uri="userprofile" />
      </oracle:porttype>
    </oracle:assemble>
    There is a class named UserDTO which extends another class AbstractDTO, which is located in another package. I used a type-mapping file to give them different namespaces.
    After deployment, I can use the url http://localhost:8888/xxx/userprofile to access the web service. OC4J provided a javascript based stub for testing.
    But I met some problems. When I use the web stub to access it , error occurs.
    ERROR OWS-04045 Malformed Request Message:Caught exception while handling request: unexpected element name: expected={http://www.xxx.com/framework/bean}operationRecord, actual={http://www.xxx.com/user/dto}operationRecord
    I switched the form to display in xml before invoking, and I found there are different and correct namespaces on these 2 elements (UserDTO and OperationLog). So I'm very puzzled why the server would respond with such a fault.
    In addition, if I use default style (just document-wrapped) to publish web service, almost all methods can not be accessed on web stub which is provided by oracle.
    Surely, the problem is caused by the multiple ports. The SOAP specification is 1.2 and the JDK is SUN 1.5.0-b6, OC4J is 10.1.3.3.
    I just want to know whether Oracle has some better practices or suggestions for publishing a web service which will have multiple ports.
    The other problem is we can not use abstract class(only support interface) when we want to use WSA to assemble a web service based EAR.

    Is it possible to use several "class L4VIPCLASS" inside the "policy-map multi-match VIPs" in order to have several VIPs to load-balance services for several serverfarms?
    Something like this:
    class-map match-all L4VIPCLASS-1
      2 match virtual-address 172.16.1.1 tcp eq www
    class-map match-all L4VIPCLASS-2
      2 match virtual-address 172.16.1.2 tcp eq www
    class-map match-all L4VIPCLASS-3
      2 match virtual-address 172.16.1.3 tcp eq 8081
    policy-map type loadbalance http first-match WEB_POLICY-1
      class class-default
        serverfarm-1
    policy-map type loadbalance http first-match WEB_POLICY-2
      class class-default
        serverfarm-2
    policy-map type loadbalance http first-match WEB_POLICY-3
      class class-default
        serverfarm-3
    policy-map multi-match VIPs
      class L4VIPCLASS-1
        loadbalance vip inservice
        loadbalance policy WEB_POLICY-1
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        nat dynamic 1 vlan 11
      class L4VIPCLASS-2
        loadbalance vip inservice
        loadbalance policy WEB_POLICY-2
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        nat dynamic 2 vlan 22
      class L4VIPCLASS-3
        loadbalance vip inservice
        loadbalance policy WEB_POLICY-3
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        nat dynamic 3 vlan 33
    interface vlan XX
      service-policy input VIPs
    Many thanks for your support.

  • N5K EEM script to shutdown interface if CDP neighbor drops

    Hi
    Total n00b on EEM here. Background - we have an inline transparent L2 firewall sitting between our Nexus core switch and our UCS. If the physical interfaces on one of the firewalls go down, our UCS virtual hosts can detect that and will automatically fail over to their other NIC and network connectivity is restored. However, if there's a software or process problem on the firewall we can lose connectivity to half of the UCS because all the links are physically staying up but the server traffic is getting blackholed.
    If the L2 firewall stops passing traffic we will lose the CDP neighbor entry for the UCS on the N5K. If that happens I want to shut down the port channel interface that connects the Nexus to the firewall, triggering the virtual hosts to fail over to their second NIC.
    Basically
    1) Check for presence of CDP neighbor on e1/17
    2) If there is an entry there, do nothing
    3) If there is no entry there, issue the following CLI commands: "conf t, interface port-channel 17, shutdown"
    I would like the switch to execute the script once per minute all day every day.
    NEXUS-SW1# sh cdp ne int e1/17
    Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater,
                      V - VoIP-Phone, D - Remotely-Managed-Device,
                      s - Supports-STP-Dispute
    Device-ID             Local Intrfce Hldtme Capability  Platform      Port ID
    UCS-FABRIC-A(SSI171402MC)
                        Eth1/17        173    S I s     UCS-FI-6248UP Eth1/17
    NEXUS-SW1#
    Could anyone give me a hand on a script to do this please? Looks like there is EEM neighbor discovery stuff in IOS but not NX-OS on the 5K, so I think this script will have to use the CLI to detect failure. Thanks

    I'm running the latest 6.0(2)N2(1) NX-OS on the 5548 with the Layer 3 daughtercard and LAN Enterprise Services license. There is some EEM stuff in the CLI but it appears basic compared to what is in IOS.
    NEXUS-SW1(config-applet)# event ?
      cli             Create a cli event specification
      counter         Create a counter event
      fanabsent       Create fanabsent event specification
      fanbad          Create fanbad event specification
      oir             Create Online-Insertion-Removal event specification
      policy-default  Use the event in the system policy being overridden
      snmp            Create a 'snmp' event specification.
      storm-control   Create a storm control event specification
      syslog          Create a syslog event specification
      sysmgr          System manager related events
      temperature     Create temperature event specification
      track           Create a 'track' event specification
    NEXUXS-SW1(config-applet)# event cli ?
      match  Enter cli regex to be used for matching
      tag    Event tag identifier
    I was hoping I could use the "event cli match" or something like that to detect the loss of the cdp neighbor. And then shut down the interface if it is not there.
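Added example, not from this thread: since the N5K event list above offers "track" but no CDP or timer event, one workable trigger is an IP SLA ICMP probe whose only path runs through the inline firewall, tracked as a reachability object. This assumes IP SLA is available on this NX-OS release (check with "feature sla sender" on the box) and that 192.0.2.10, Vlan10 and the object numbers are placeholders; it swaps the poster's CDP check for a reachability check and implements only the shutdown step they listed.

```cisco
! Nexus 5500, NX-OS. Addresses, interface names and object numbers are placeholders (assumption).
feature sla sender
!
! Probe a host that is only reachable through the inline L2 firewall, so a
! firewall that stops forwarding while its links stay up makes the probe fail.
ip sla 17
  icmp-echo 192.0.2.10 source-interface Vlan10
  frequency 60
  timeout 2000
ip sla schedule 17 life forever start-time now
!
! Reachability tracking: the object goes down after consecutive probe failures.
track 17 ip sla 17 reachability
!
! Shut the firewall-facing port-channel when the probe path is dead; that takes
! the links toward UCS down and lets the virtual hosts fail over to the other NIC.
event manager applet FW-BLACKHOLE-SHUT
  event track 17 state down
  action 1.0 cli conf t
  action 2.0 cli interface port-channel 17
  action 3.0 cli shutdown
  action 4.0 syslog priority critical msg Po17 shut by EEM, probe through firewall failed
!
! No "state up" applet on purpose: once Po17 is shut the probe may succeed over
! the other fabric, and an automatic "no shutdown" would flap the link. Restore
! with "no shutdown" after the firewall is confirmed healthy.
! Verify with "show track 17" and "show ip sla statistics 17".
```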
