This is not about the range feature :)
After my post about how to get into the switch with “not sure” credentials, let’s assume you fixed access and configured the devices with TACACS and SSH. Now it’s time to push the interface-level config for ISE NAC (as an example) to all user ports; server, wireless and trunk ports must be excluded.
With proper segmentation using VLANs, we should have user ports in USER_VLAN, server ports in SERVER_VLAN, etc. If there is a dedicated switch for users, that is great: we can just log in to each switch and use the range command – carefully with uplinks :) But what if there is a mix of ports?
I’ve created a script to apply the configuration to ports based on the VLAN. A description or anything else specific to the ports could be used to select them instead. I used the VLAN because it’s the most popular use case.
What we have
Switch (or list of switches if VLAN numbers are the same) with two VLANs:
- VLAN 10 – users/data
- VLAN 20 – servers
The Goal – Apply ISE port-level configuration to all ports in VLAN 10 (only for users)
The process of how it works:
GitHub repo is here
device.csv – the list of switches (also it could be run for just one switch)
local.py – just credentials to the switches in a separate file
config_intf_ise.txt – all commands that need to be pushed to the interface
connect_to_device.py – the same file with functions to ping and connect to the device.
ise-switch-int-apply-config.py – main script. It defines a class Device with methods to init and close the connection, collect_interfaces (get all interfaces with a specific VLAN) and apply_intf_config (apply commands from the file to the collected interfaces only)
device-result.json – stores the results
Of course, the script can be used for other cases where you need to apply a config to ports in bulk.
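The port selection step is where a mistake would push NAC config to a server port or an uplink, so here is an added sketch of it (not the code from the repo). It assumes the ports are read from Cisco IOS "show interfaces status" output; the sample output, the function names and the three interface commands standing in for config_intf_ise.txt are all constructed for illustration.

```python
# Constructed sample of Cisco IOS "show interfaces status" output (not from a real switch).
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   User desk 12       connected    10         a-full a-1000 10/100/1000BaseTX
Gi1/0/2                      notconnect   10           auto   auto 10/100/1000BaseTX
Gi1/0/3   SRV backup 10      connected    20         a-full a-1000 10/100/1000BaseTX
Gi1/0/4   AP floor 1         connected    trunk      a-full a-1000 10/100/1000BaseTX
Gi1/0/5   vlan 10 printer    disabled     10           auto   auto 10/100/1000BaseTX
Gi1/1/1   Uplink to core     connected    trunk        full    10G SFP-10GBase-SR
"""

# Stand-in for the contents of config_intf_ise.txt (assumed; the page does not list them).
INTF_CONFIG = ["authentication port-control auto", "mab", "dot1x pae authenticator"]


def collect_access_ports(status_output, vlan):
    """Return ports whose Vlan column is exactly `vlan`.

    The column is sliced by header offsets, so a "10" inside a port
    description never matches, and trunk/routed ports are skipped
    because their Vlan column is not a number.
    """
    lines = [ln for ln in status_output.splitlines() if ln.strip()]
    header_idx = next(i for i, ln in enumerate(lines) if ln.startswith("Port"))
    header = lines[header_idx]
    start, end = header.index("Vlan"), header.index("Duplex")
    return [ln.split()[0] for ln in lines[header_idx + 1:]
            if ln[start:end].strip() == str(vlan)]


def build_config(ports, intf_cmds, protected=()):
    """Build the command list; refuse to touch ports listed as protected (e.g. uplinks)."""
    blocked = sorted(set(ports) & set(protected))
    if blocked:
        raise ValueError(f"refusing to configure protected ports: {blocked}")
    cmds = []
    for port in ports:
        cmds.append(f"interface {port}")
        cmds.extend(intf_cmds)
    return cmds


if __name__ == "__main__":
    user_ports = collect_access_ports(SAMPLE_STATUS, 10)
    print("\n".join(build_config(user_ports, INTF_CONFIG, protected=["Gi1/1/1"])))
```

Printing the generated commands for review before they are sent works as a dry run; the server port Gi1/0/3 has "10" in its description and is still left out.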