Set Disabled port to up when rewriting running-config

[herr-mhet]

I am implementing port-security as a legacy security feature on our campus switches. During testing, I noticed that I cannot re-Up a Disabled port when supplying the new running-config. This makes sense as the switches are parsing the supplied config and commit the diffs. If a port was disabled it is still administratively Up, so why should the switch change anything. It would be best for our operations, though, if we could somehow re-Up the port if we deploy a new running-config. Right now, we'd have to manually access the switch via Web or SSH to re-enable the port.

Is there a flag or value I can set in my JSON running-config that tells the switch to reset the violation state of the port?

[tchiapuziowong]

hi @herr-mhet a few questions to help me better understand the issue:

• what switch platform/firmware are you using?
• when copying a new config to the running, what method are you using originally? CLI or REST API based? I'm assuming using the Ansible collection?
• In the new config are you explicitly defining the interface as "no shutdown" to enable the interface and the switch is not recognizing it? Is that what I'm understanding?

[herr-mhet]

Hi, thanks for getting back at me.

• I am using a 6405 Chassis switch with different types of modules. The switch is running the AOSXC firmware version 10.09.1000.
• I am using the REST API using this ansible collection and the aoscx_upload_config method.
• Here is an excerpt from my generated JSON file:

    "Interface": {
        "1%2F3%2F7": {
            "description": "Client",
            "name": "1/3/7",
            "poe_interface": {
                "PoE_Interface1": {
                    "config": {
                        "admin_disable": "false",
                        "pre_standard_detect": "false"
                    }
                }
            },
            "user_config": {
                "admin": "up"
            }
        }
    },
    "Port": {
        "1%2F3%2F7": {
            "interfaces": [
                "1%2F3%2F7"
            ],
            "admin": "up",
            "name": "1/3/7",
            "routing": false,
            "port_access_security_violation": {
                "action": "shutdown"
            },
            "port_security": {
                "client_limit": "1",
                "enable": "true"
            },
            "port_security_static_client_mac_addr": [
                "00:00:00:00:00:00"
            ],
            "vlan_mode": "native-untagged",
            "vlan_tag": "1",
            "vlan_trunks": [
                "10",
                "20",
                "30"
            ]
        }
    }

However, in the live context the only information that actually changed is the MAC-address in the port_security_static_client_mac_addr field. Note that I always generate the complete running config and push that unto the switch.

So what happened was:

• Send the above configuration to the switch
• Plug in a client with the MAC AA:AA:AA:AA:AA:AA
• Port goes into disabled state
• Generate new JSON config with the MAC AA:AA:AA:AA:AA:AA in the port_security_static_client_mac_addr field
• Send that config to the switch
• Port stays disabled

I want to know if it is possible (through a flag or otherwise) to change the last step so that the disabled state is lifted after the new config has been send to the switch.

[alagoutte]

Hi,

Do you have try to disable and re-enable the port/interface ? and why do you use JSON config ? you can configure port_security directly with API call (See https://github.com/aruba/aoscx-ansible-collection/blob/master/plugins/modules/aoscx_l2_interface.py#L98)

[herr-mhet]

Do you have try to disable and re-enable the port/interface ?

Yes, I have to manually disable and re-enable the port (either through the CLI or the Web-Interface) after applying the new running-config with the changed MAC address for the security-disabled state to be reset and the port becoming enabled again.

and why do you use JSON config ? you can configure port_security directly with API call (See https://github.com/aruba/aoscx-ansible-collection/blob/master/plugins/modules/aoscx_l2_interface.py#L98)

We are using the entire JSON running-config as a QA feature in our NetOps-CI. We are creating a diff from the newly generated JSON and the former generated (and working) JSON to verify and document that only the parts we wanted to change in our deployment has changed.

Unless there are good security or performance reasons against uploading entire running-configs to our switches, we would like to continue doing it this way.

[herr-mhet]

Is there an update to this issue? Would it help if I'd create a TAC for this problem?

[tchiapuziowong]

hi @herr-mhet - circling back to this - did you create a TAC case? can you manually enable the interface after connecting the device with the MAC AA:AA:AA:AA:AA:AA?

[herr-mhet]

No I did not open a TAC case for this. To your other question: I am able to manually enable the interface disabled port by first manually disabling the port and then manually enabling it again.