[c-nsp] switchport trunk allowed vlan

Arie Vayner (avayner) avayner at cisco.com
Mon Nov 1 09:24:02 EDT 2010


Tim,


BTW, in SXI we have enough EEM support to block the command.

See the following script:

event manager applet BLOCK-ALLOWED-VLAN-RANGE
 event cli pattern "switchport trunk allowed vlan\s+[0-9]" skip yes sync no
 action 1.0 syslog msg "switchport trunk allowed vlan <RANGE> is not allowed"

Router(config)#do show run int gig1/22
!
interface GigabitEthernet1/22
 switchport
 switchport trunk allowed vlan 100-102
 shutdown
end

Router(config)#int gig1/22
Router(config-if)# switchport trunk allowed vlan 110
Router(config-if)#
Router(config-if)# do show run int gig1/22
!
interface GigabitEthernet1/22
 switchport
 switchport trunk allowed vlan 100-102
 shutdown
end

Router(config-if)#
08:10:06: %HA_EM-6-LOG: BLOCK-ALLOWED-VLAN-RANGE: switchport trunk allowed vlan <RANGE> is not allowed


In later EEM versions we can do really cool stuff, like adding new commands, string parsing, etc., but unfortunately, it's not in SXI yet...

Arie
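A small harness (added here as an example; it is not part of the thread or of Cisco's EEM) for checking which typed CLI lines the applet's "event cli pattern" regex would catch. It assumes EEM applies the pattern as an unanchored regex search over the command line, and the sample lines and the broader pattern are constructed for the example.

```python
import re

# The regex exactly as it appears in the applet above.
APPLET_PATTERN = r"switchport trunk allowed vlan\s+[0-9]"

# A broader pattern (constructed here, not from the thread) that also
# covers the add/remove/except/all/none keyword forms of the command,
# which the applet's pattern does not match because no digit follows "vlan".
BROAD_PATTERN = r"switchport trunk allowed vlan\s+(add|remove|except|all|none|[0-9])"

# Constructed sample lines, as an operator might type them in config-if mode.
SAMPLE_LINES = [
    "switchport trunk allowed vlan 110",
    "switchport trunk allowed vlan 100-102",
    "switchport trunk allowed vlan   1,5,10",
    "switchport trunk allowed vlan add 110",
    "switchport trunk allowed vlan remove 100",
    "switchport trunk allowed vlan all",
    "switchport trunk allowed vlan none",
    "switchport trunk native vlan 5",
    "no switchport trunk allowed vlan",
]

# Any line that supplies an argument to "switchport trunk allowed vlan" changes
# the allowed list; used to find lines a blocking pattern should have caught.
_MUTATING = re.compile(r"switchport trunk allowed vlan\s+\S")


def classify(lines, pattern):
    """Map each line to True if the applet (skip yes) would block it, else False."""
    rx = re.compile(pattern)
    return {line: bool(rx.search(line)) for line in lines}


def uncovered(lines, pattern):
    """Lines that modify the allowed-VLAN list but slip past `pattern`."""
    rx = re.compile(pattern)
    return [l for l in lines if _MUTATING.search(l) and not rx.search(l)]


if __name__ == "__main__":
    for line, blocked in classify(SAMPLE_LINES, APPLET_PATTERN).items():
        print(f"{'BLOCKED' if blocked else 'allowed':8} {line}")
    print("missed by applet pattern:", uncovered(SAMPLE_LINES, APPLET_PATTERN))
    print("missed by broad pattern: ", uncovered(SAMPLE_LINES, BROAD_PATTERN))
```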


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tim Durack
Sent: Monday, November 01, 2010 14:16
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] switchport trunk allowed vlan

On Mon, Nov 1, 2010 at 7:58 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 31/10/10 15:39, Keegan Holley wrote:
>>
>> If you are simply trying to disable a command have you thought about doing
>> so in tacacs?  It sounds like it would be simpler and it also has the
>> benefit of being centralized so you won't need to configure it on each
>> individual router.
>
> It also has the disadvantage of being centralised, so each router has to be
> configured to talk to a central point-of-failure.
>
> :o)
>
> +1 for wanting to disable this w/o TACACS

Exactly. In my book, "simple" = less operational dependencies. (Plus
configuration management system carries the burden of making these
changes anyway.)

-- 
Tim:>

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
