[c-nsp] Switchport trunk allowed issues
Phil Mayers
p.mayers at imperial.ac.uk
Wed Apr 17 08:41:08 EDT 2013
On 17/04/13 12:08, amir agha wrote:
> Hi
> I am writing an EEM using the Cisco IOS CLI. Can anyone offer a valuable suggestion about how to materialize it? Following is the topic.
> Using following command on switch i.e
>
> switchport trunk allowed vlan <add/remove/all/except/none> <range>
>
> However, if one forgets to include the <add/remove/all/except/none> keyword, the command defaults to replace:
>
> switchport trunk allowed vlan <range>
>
> the VLANs that have already been placed on the trunk are deleted, which results in downtime.
>
> I would like to disable the use of: "switchport trunk allowed vlan <range>",
>
> and replace it with a custom EEM command like:
>
> 1. switchport trunk allowed vlan none.
> 2. switchport trunk allowed vlan add <add> <range>
> 3. switchport trunk allowed vlan add <remove> <range>
> This would correct a dangerous IOS syntax.
I don't know the specific answer to your question, except that I think
it *is* possible to intercept CLI commands with EEM and stop them - no
idea how though.
An easy alternative is:
alias interface tagvlan switchport trunk allowed vlan add
alias interface detagvlan switchport trunk allowed vlan remove
...then train your staff to do:
int Gi9/1
tagvlan 100
detagvlan 101
Or use TACACS to block the dangerous pattern.
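For reference, here is the kind of EEM applet the original question is after: one that refuses the bare replace form while letting the add/remove/all/except/none keyword forms through. This is an added example, not something from the thread or from Phil's reply. It assumes an IOS release with applet-style EEM that supports "event cli ... sync yes", the built-in $_cli_msg variable and the "puts" action (12.4(22)T / 15.x), and it assumes the pattern is matched against the command text as typed, which is why the regex tolerates abbreviations such as "sw tr al vl 10".

```cisco
! Added example (not from the thread): refuse "switchport trunk allowed vlan <range>"
! but allow "switchport trunk allowed vlan add|remove|all|except|none ...".
! Assumptions: applet EEM with "event cli ... sync yes", $_cli_msg, and the
! "puts" action; the pattern is assumed to see the command as typed.
event manager applet BLOCK-TRUNK-VLAN-REPLACE
 ! Keyword forms have a letter after "vlan", the replace form has a digit,
 ! so requiring [0-9] there matches only the dangerous form. The [a-z]*
 ! pieces let abbreviated spellings of each word match as well.
 event cli pattern "^ *sw[a-z]* +tr[a-z]* +al[a-z]* +vl[a-z]* +[0-9]" sync yes
 ! Leave an audit trail of who tried what (the attempted command is in $_cli_msg).
 action 1.0 syslog msg "Blocked trunk VLAN replace: $_cli_msg"
 ! Tell the operator what to type instead.
 action 2.0 puts "Refused: use 'switchport trunk allowed vlan add|remove <range>' instead"
 ! With sync yes, exit status 0 makes EEM drop the command; 1 would let it run.
 action 3.0 set _exit_status "0"
```

Test it on a lab box before rolling it out, since a mistake in the regex either lets the replace form through or starts blocking legitimate keyword forms, and pair it with the TACACS command authorization mentioned above rather than relying on the applet alone, because anyone with the rights to edit EEM can remove it.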