Automation with Cisco NCM Command Scripts

NetCraftsmen®

For this example, let’s assume we’re trying to figure out a way to allow the Network Operations Center (NOC) to shut down interfaces on access switches, but not on distribution or core switches. Additionally, the NOC should not be able to shut down the uplink ports located on fastethernet 0/23 and fastethernet 0/24.

NCM provides an easy way to get started with the script. This is done by creating a SSH session to the switch and executing the commands that would be executed in the command script. Then, the commands can be viewed and automatically converted to an Expect or Perl script. From there, the script can be customized to provide the logic to accomplish the task above. Let’s walk through how each step is done.

1. Click on “Devices > Inventory”.

2. In the resulting screen, click on the SSH button next to the device you would like to connect to.

3. In the Java SSH window that appears, type in an example of the commands that would be used to shut down an interface and exit.

4. Navigate back to the device by, once again, going to “Devices > Inventory”. Click on the device name.

5. In the resulting screen, click on “View > Telnet/SSH Sessions”.

6. Click on “View Commands Only” to view the commands that you just entered.

7. Click on “Convert to Expect Script” to automatically create a script from the commands entered.

8. At this point, an Expect script is created with the code needed to execute the commands entered previously.

9. There are a few places that need customization. First, the interface used in the script, fastethernet0/9, should be a variable that the NOC can define at execution time. This can be done by replacing fastethernet0/9 with an NCM variable that the NOC will be prompted to enter when they execute the script. To do this, replace fastethernet0/9 with $interface$. A string with $ at the beginning and end signifies an NCM variable.

send "interface fa0/9 " becomes send "interface $interface$ "

10. When this is added, the “Pull Variables” button can be clicked to create the prompt that the NOC will see when they execute the script.

11. This brings up another screen that requires information to be entered for the prompt.

12. That’s the basics of the script. The only thing left to do is add the restrictions for the script. First, the NOC should only be able to change access layer switches. The naming convention for the switches states that access switches start with “A”. We can use this as a check to make sure an access switch is being used. Below is the corresponding Expect code snippet.

# string match uses glob patterns, not regular expressions, so "A*" means
# "starts with A" (a leading "^" would be matched as a literal character).
if {![string match "A*" $enable_prompt]} {
    puts "This is not an access layer switch"
    exit 1
}

This snippet checks to see if the pre-defined $enable_prompt variable starts with an A. If so, it is an access layer switch. If not, an error message is displayed and the script is exited with error status.

13. The second check was to make sure fastethernet0/23 or fastethernet0/24 are not used. This is accomplished with the snippet below.

# Uplink ports the NOC may not shut down (fastethernet0/23 and 0/24)
set protected_int {"0/23" "0/24"}
# NCM substitutes $interface$ with the interface the NOC entered at the prompt
set int $interface$

foreach i $protected_int {
    # glob match on the trailing slot/port, e.g. fastethernet0/23
    if {[string match "*$i" $int]} {
        puts "Shutdown of uplink ports is not permitted"
        exit 1
    }
}

In this portion, the uplink interfaces are put into a list named “protected_int”. The interface that the NOC chooses is stored in the $interface$ variable and copied into int. A foreach loop checks whether the chosen interface ends with one of the uplink port numbers. If so, an error message is printed and the script exits with error status.
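The two restrictions from steps 12 and 13 combined into a single guard, as an added example that is not from the original post or from NCM itself. It assumes NCM’s pre-defined $enable_prompt and the $interface$ prompt variable from step 9, the port numbers are constructed, and it goes beyond the snippets above by normalising the interface name, comparing slot/port exactly (a trailing wildcard such as "*0/23" would also match fastethernet10/23 on a stacked switch) and refusing anything that is not a plain interface name before it can reach a send command.

```tcl
#!/usr/bin/expect -f
# Added example, not from the original post. Assumes NCM supplies
# $enable_prompt and substitutes $interface$ before execution.

# Normalise "FastEthernet 0/23", "fastethernet0/23" or "Fa0/23" to "fa0/23"
# so interfaces can be compared exactly instead of by trailing wildcard.
proc normalise_int {name} {
    set n [string tolower [string map {" " ""} $name]]
    regsub {^fastethernet} $n fa n
    regsub {^gigabitethernet} $n gi n
    return $n
}

# Only a plain "<type><slot>/<port>" name may ever reach the send command;
# anything else (extra words, control characters) is refused.
proc is_valid_int {name} {
    return [regexp {^(fa|gi)[0-9]+/[0-9]+$} [normalise_int $name]]
}

# Access switches are named with a leading "A". string match uses glob
# patterns, so "A*" is the correct form; "^" would be a literal character.
proc is_access_switch {prompt} {
    return [string match {A*} $prompt]
}

# Exact comparison against the protected uplinks after normalisation.
proc is_protected {name protected} {
    set n [normalise_int $name]
    foreach p $protected {
        if {$n eq [normalise_int $p]} { return 1 }
    }
    return 0
}

# Uplinks the NOC may never shut down (constructed for this example).
set protected_int {fa0/23 fa0/24}
set int $interface$

if {![is_access_switch $enable_prompt]} {
    puts "This is not an access layer switch"
    exit 1
}
if {![is_valid_int $int]} {
    puts "'$int' is not a valid interface name"
    exit 1
}
if {[is_protected $int $protected_int]} {
    puts "Shutdown of uplink ports is not permitted"
    exit 1
}
# The rest of the NCM-generated script (send "interface $int\r" ...) follows.
```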

14. When the script is created, the Expect command “log_user 1” is set. This means that whatever is sent in the script is also sent to the script output. In order to stop this from happening, set “log_user 0”. With this set, only the “puts” output is displayed. In general, this is what you will want to see.

15. To run the script, click “Devices > Device Tools > Command Scripts”

16. Select “Run” on the script to execute.

17. Select the devices to run the script on, the interface to shutdown, and click “Save Task” to execute the script

That’s all there is to creating a command script in NCM. I would highly recommend purchasing the “Exploring Expect” book written by Don Libes and published by O’Reilly. Additionally, I would recommend downloading ActiveTCL from Activestate.com. Expect is actually an extension of TCL. After installing TCL, you can load the Expect extension by entering “teacup install Expect” from a CMD prompt.
