Selectively Update Edge Port Configs

Terry Slattery
Principal Architect

This past week I had to update selected edge ports on a set of Cisco Catalyst 4507 and 4510 switches.  Two things forced me to take the time to use NetMRI’s Configuration Command Scripting (CCS) language to automate the process.  The first was an inconsistent deployment and the second was an IOS bug.  Using a script greatly reduced the opportunity for me to make a mistake that would ultimately be very difficult to find.  Each switch contained at least four 48-port 10/100/1000 blades (WS-X4648-RJ45V+E).

I started out with one set of switches and scanned the configuration to verify the range of edge ports on each blade.  The ‘interface range‘ command made it easy to add the appropriate interface configuration to the large ranges of edge ports.  That worked well for a few devices.  Then I ran into problems.

The use of some of the ports varied from system to system.  For example, each switch hosted four or five Wireless APs.  Each set of four APs was connected to a known set of ports, but AP1 was not consistently connected to the same port on different switches.  And where there were five APs, the fifth unit was connected to a random port on the switch.  There were similar configurations for other ports, where a server or some other device was connected.  So I had to be careful about selecting the port ranges to which my updated configuration commands should be applied.  I started by carefully examining the current configurations to find edge ports that could be manually configured.  This severely impacted my productivity and I started thinking about building a script.

The second problem was that in some of the 4500s, I ran into an IOS bug that affects systems that have redundant Supervisors.  Syslog shows the following error:

%SYS-3-TIMERNEG: Cannot start timer  (0xXXXXXXXX) with negative  offset (-YYYYYYYYYY).
-Process=  "",  ipl= 2

A traceback follows the message (see  I tried a variety of ranges and some would work, but it was random and I was wasting time.  Two problems, each of which required that I carefully examine the device configurations was enough to get me to take the time to write the script.  It was a short script.  It had to identify edge ports and add my configuration commands to each one.  Fortunately, all the edge ports were easily identified by two statements:

 switchport mode access
 switchport voice vlan XX

The script started by executing ‘show run‘.  For each interface, it then extracts the configuration for just that interface, using ‘show run interface XX‘.  It parses the output to make sure that it is an edge port and if it is, it will add the desired commands.  When it has finished configuring all ports, it saves the configuration.  This approach takes a while to run and I had to change the NetMRI script timer to give it enough time to run for all the interfaces that might be on 8 blades of 48 ports each in a 4510.  What I liked about it was that I didn’t have to spend a lot of time executing commands.  It could handle randomly assigned ports, as long as there was a standard configuration for the edge ports.  If there had been a couple of configuration styles for edge ports, I’d have built more sections into the script to match each one.

Marty Adkins and I discussed the approach and he came up with a more elegant mechanism.  He would have had the first command do

show run | i ^interface|switchport mode access|switchport voice vlan

This would group the necessary lines together, making it easy to match the combination of three lines that were needed.  I wouldn’t have needed to use ‘show run interface XX‘ with his approach, allowing the script to run much faster and more efficiently.

I now have a neat script that will allow me to make future edge port configuration changes with little effort, and I like that.



Re-posted with Permission 

NetCraftsmen would like to acknowledge Infoblox for their permission to re-post this article which originally appeared in the Applied Infrastructure blog under


Leave a Reply


Nick Kelly

Cybersecurity Engineer, Cisco

Nick has over 20 years of experience in Security Operations and Security Sales. He is an avid student of cybersecurity and regularly engages with the Infosec community at events like BSides, RVASec, Derbycon and more. The son of an FBI forensics director, Nick holds a B.S. in Criminal Justice and is one of Cisco’s Fire Jumper Elite members. When he’s not working, he writes cyberpunk and punches aliens on his Playstation.


Virgilio “BONG” dela Cruz Jr.

CCDP, CCNA V, CCNP, Cisco IPS Express Security for AM/EE
Field Solutions Architect, Tech Data

Virgilio “Bong” has sixteen years of professional experience in IT industry from academe, technical and customer support, pre-sales, post sales, project management, training and enablement. He has worked in Cisco Technical Assistance Center (TAC) as a member of the WAN and LAN Switching team. Bong now works for Tech Data as the Field Solutions Architect with a focus on Cisco Security and holds a few Cisco certifications including Fire Jumper Elite.


John Cavanaugh

CCIE #1066, CCDE #20070002, CCAr
Chief Technology Officer, Practice Lead Security Services, NetCraftsmen

John is our CTO and the practice lead for a talented team of consultants focused on designing and delivering scalable and secure infrastructure solutions to customers across multiple industry verticals and technologies. Previously he has held several positions including Executive Director/Chief Architect for Global Network Services at JPMorgan Chase. In that capacity, he led a team managing network architecture and services.  Prior to his role at JPMorgan Chase, John was a Distinguished Engineer at Cisco working across a number of verticals including Higher Education, Finance, Retail, Government, and Health Care.

He is an expert in working with groups to identify business needs, and align technology strategies to enable business strategies, building in agility and scalability to allow for future changes. John is experienced in the architecture and design of highly available, secure, network infrastructure and data centers, and has worked on projects worldwide. He has worked in both the business and regulatory environments for the design and deployment of complex IT infrastructures.