I have a rule to implement DOT1X on all ports configured for a specific VLAN; it was a week-long odyssey through multiple forums just to figure out how to do that correctly.
Now, for my next challenge, my network has different models of switches and I don't want to maintain two sets of rules and policies for each type. For our Cisco 3850s, in addition to the DOT1X commands all switches get, they will also need to get a "device-tracking attach-policy..." line.
I have the script to determine the model figured out (I think), but it's using a Config Change Template. How do I use that config change template to change only the blocks (interfaces) found to match the violation parameters while still adding in that extra line for the 3850s?
Below is a dumbed-down version of the script I'm trying to run and a picture of how I'm trying to apply it. If run, it would just do those commands under CLI in the global once and not for the multiple interfaces in violation.
script ConfigureDot1XInterface(NCM.EntityPhysical @ContextNode)
{
    // For each port in violation line would go here if I knew the proper syntax
    CLI
    {
        authentication host-mode single-host
        !.... more DOT1X config lines
    }
    if (@ContextNode.Model contains '3850')
    {
        CLI
        {
            device-tracking attach-policy SOME_POLICY
        }
    }
}

Special side quirk for the googlers: the ".$" after vlan 99 is there so that it only matches 'vlan 99', and does not match vlan 990 or 991, etc.
It needs to include the "." when running the script against actual cached configurations, but will not work with the "." when copy/pasting configs in to test. For those, the "." needs to be removed. The "." is necessary (since a recent upgrade) for actual configurations. Makes my head hurt.
Testing against "select a config to view violation results":
^interface (Fast|Gigabit)Ethernet.*\s+.*\s+switchport access vlan 99.$
Testing against "Paste a config block to test against":
^interface (Fast|Gigabit)Ethernet.*\s+.*\s+switchport access vlan 99$
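
The per-interface logic the post asks about, as an added Python example for checking a config offline; it is not part of the original post and is not NCM config change template syntax. It assumes a violation means a VLAN 99 access port missing the DOT1X line, the sample config and model strings are constructed, and it parses line by line so CRLF and LF input give the same result.

```python
import re

# Constructed sample config, not taken from the post.
LINES = [
    "interface GigabitEthernet1/0/1", " description user port",
    " switchport access vlan 99", " switchport mode access", "!",
    "interface GigabitEthernet1/0/2", " description lab",
    " switchport access vlan 990", "!",
    "interface GigabitEthernet1/0/3", " description already configured",
    " switchport access vlan 99", " authentication host-mode single-host", "!",
]
CRLF_CONFIG = "\r\n".join(LINES) + "\r\n"  # assumption: stored configs use CRLF
LF_CONFIG = "\n".join(LINES) + "\n"        # assumption: pasted text uses LF

IFACE = re.compile(r"^interface ((?:Fast|Gigabit)Ethernet\S+)$")
VLAN99 = re.compile(r"^switchport access vlan 99$")  # 990/991 do not match
DOT1X = ["authentication host-mode single-host"]     # the post elides the rest
EXTRA_3850 = "device-tracking attach-policy SOME_POLICY"

def interface_blocks(config):
    """Map interface name -> stripped body lines; splitlines() drops \\r\\n and \\n."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = IFACE.match(raw.rstrip())
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or any other top-level line closes the block
    return blocks

def violations(config):
    """VLAN 99 access ports that lack any of the DOT1X lines (assumed rule)."""
    return [name for name, body in interface_blocks(config).items()
            if any(VLAN99.match(line) for line in body)
            and any(cmd not in body for cmd in DOT1X)]

def remediation(config, model):
    """Commands for each violating interface, plus the 3850-only line."""
    out = []
    for name in violations(config):
        out.append(f"interface {name}")
        out += [f" {cmd}" for cmd in DOT1X]
        if "3850" in model:
            out.append(f" {EXTRA_3850}")
    return out
```
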