Notes on Networking

A blog to share my study notes on Cisco networking and more

TCL Script for DHCP Snooping Configuration

Apr 29

The first script is used to configure 61 Cisco Catalyst 2960S access switches for DHCP Snooping in a way that each switch writes its DHCP Snooping database to the FTP server under its own hostname, so that the databases of different switches do not overwrite each other.

###   Global Configuration to enable DHCP Snooping
ios_config "ip ftp username xxxxxx"
ios_config "ip ftp password xxxxxx"
ios_config "ip dhcp snooping"
ios_config "ip dhcp snooping vlan 10,20,30,40,50,60,200,210,250,300"
ios_config "no ip dhcp snooping information option"

###   Global Configuration for building DHCP
###   Snooping database in the local flash
###   and then copying it to the FTP server
###   since switches cannot make the database
###   on the FTP server initially
set HOSTNAME [info hostname]
ios_config "ip dhcp snooping database flash:/$HOSTNAME.txt"
exec copy flash:/$HOSTNAME.txt ftp://172.31.1.7/dhcpdb/$HOSTNAME.txt
ios_config "ip dhcp snooping database ftp://172.31.1.7/dhcpdb/$HOSTNAME.txt"
exec delete flash:/$HOSTNAME.txt

###   Determining if the switch is a 24 port
###   switch or a 48 port switch
set LAST_INT [lindex [exec show interfaces summary | include GigabitEthernet1/0/48] 1]
if {$LAST_INT == "GigabitEthernet1/0/48"} {set PORT 48} else {set PORT 24}

###   Interface level configuration on the
###   access ports to enable DHCP Snooping
for {set N 1} {$N <= $PORT} {incr N} {
    ios_config "interface gigabitEthernet 1/0/$N" "ip dhcp snooping limit rate 25" "end"
}

###   Interface level configuration on the trunk
###   ports to enable DHCP Snooping
if {$PORT == 48} {
    ios_config "interface gigabitEthernet 1/0/49" "ip dhcp snooping trust" "end"
    ios_config "interface gigabitEthernet 1/0/50" "ip dhcp snooping trust" "end"
} else {
    ios_config "interface gigabitEthernet 1/0/25" "ip dhcp snooping trust" "end"
    ios_config "interface gigabitEthernet 1/0/26" "ip dhcp snooping trust" "end"
}
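After the first script has run on all 61 switches, it is worth checking offline that the result matches the intended trust model: only the two uplinks trusted, every access port rate-limited. The Python audit below is an added example, not part of the original post; it parses the per-interface table of `show ip dhcp snooping` collected from each switch and mirrors the script's 24/48-port rule. The sample output is constructed, and the column layout is assumed to match what the 2960S prints.

```python
import re

# Constructed sample of "show ip dhcp snooping" output (not from a real switch), trimmed to
# the per-interface table. Gi1/0/7 is deliberately trusted and Gi1/0/2 unlimited to show findings.
SAMPLE = """\
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/0/1       no         no              25
GigabitEthernet1/0/2       no         no              unlimited
GigabitEthernet1/0/7       yes        yes             unlimited
GigabitEthernet1/0/49      yes        yes             unlimited
GigabitEthernet1/0/50      yes        yes             unlimited
"""

# One table row: interface, trusted flag, allow-option flag, rate limit (number or "unlimited")
ROW = re.compile(r"^(GigabitEthernet1/0/(\d+))\s+(yes|no)\s+(yes|no)\s+(\S+)$")

def port_number(intf):
    return int(intf.rsplit("/", 1)[1])

def parse_snooping_table(text):
    """Return {interface: (trusted, rate_limit)} from the per-port table; other lines are skipped."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ports[m.group(1)] = (m.group(3) == "yes", m.group(5))
    return ports

def expected_uplinks(ports):
    """Mirror the script's rule: a port above 26 means a 48-port model; uplinks follow the last access port."""
    base = 48 if any(port_number(i) > 26 for i in ports) else 24
    return {f"GigabitEthernet1/0/{base + 1}", f"GigabitEthernet1/0/{base + 2}"}

def audit(text):
    """Findings: access ports that are trusted or unlimited, and uplinks left untrusted."""
    ports = parse_snooping_table(text)
    uplinks = expected_uplinks(ports)
    findings = []
    for intf, (trusted, rate) in sorted(ports.items(), key=lambda kv: port_number(kv[0])):
        if intf in uplinks and not trusted:
            findings.append(f"{intf}: uplink untrusted, server DHCP offers will be dropped")
        elif intf not in uplinks and trusted:
            findings.append(f"{intf}: access port trusted, a rogue DHCP server here is not filtered")
        if intf not in uplinks and rate == "unlimited":
            findings.append(f"{intf}: access port has no DHCP rate limit")
    return findings
```

Feed the function the saved output of each switch to get a per-switch list of deviations from the script's intent.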

The second script is used to change the ports’ access VLAN from VLAN 10 to VLAN 300 on the ports connected to special devices, in this case a bio access control system. The script uses the connected device’s MAC address to determine the right port.

###   The MAC addresses of the devices that are
###   intended to move from VLAN 10 to 300
###   begin with 0017.fc. We extract a table out
###   of the MAC address table of the switch
###   where the MACs begin with 0017.fc.
set TABLE [exec show mac address-table | include 0017.fc]
set RECORDS [split $TABLE "\n"]

###   Now we have the list of interfaces whose
###   VLAN membership should be changed.
###   Ooh! Take care! This list also includes
###   trunk ports. So make sure to change the VLAN
###   membership only if the port is an access port
###   belonging to VLAN 10, the CONDITION!
###   Each record reads "<vlan> <mac> <type> <port>",
###   so the port is the fourth field (index 3).
foreach RECORD $RECORDS {
    if {$RECORD != ""} {
        set INT [lindex $RECORD 3]
        ###   The matching line is "switchport access vlan 10", so an exact
        ###   search for "10" returns index 3 (and does not match vlan 100).
        set CONDITION [lsearch -exact [exec show running-config interface $INT | include access vlan 10] 10]
        if {$CONDITION == 3} {
            ios_config "interface $INT" "switchport access vlan 300" "shutdown" "no shutdown" "end"
        }
    }
}

Make sure to save the script on an FTP server and then download and run it from the server. Pasting the script into an SSH/Telnet terminal, or running it through a configuration management server such as SolarWinds NCM, may have unexpected results depending on the Tcl interpreter compiled into your switch/router.
