Creating macros on Cisco

Creating macros saves you from long sessions of typing identical commands.

You should be connected as a privileged user, in enable mode. The following command lists all the macros present on the equipment.

#sh parser macro brief
default global : cisco-global
default interface: cisco-desktop
default interface: cisco-phone 
default interface: cisco-switch
default interface: cisco-router
default interface: cisco-wireless
customizable : Make_Range_UNUSED
customizable : Make_UNUSED
customizable : make_Firewall_Links

The 'default' ones are predefined by Cisco; the 'customizable' ones are user-defined. These ones were written to administer the equipment. To list the content of a macro:

#sh parser macro name Make_UNUSED
Macro name : Make_UNUSED
Macro type : customizable
 # macro to configure port unused
 # To check the action done : macro global trace Make_UNUSED $INT g3/0/1
 default int $INT
 int $INT
  description --- UNUSED ---
  switchport access vlan 111
  switchport mode access
  switchport nonegotiate
  shutdown
  no cdp enable
  no lldp receive
  no lldp transmit
  spanning-tree portfast
  spanning-tree bpduguard enable
 end

Same macro but for securing a port range:

#sh parser macro name Make_Range_UNUSED
Macro name : Make_Range_UNUSED
Macro type : customizable
# macro to configure a range of ports unused
# To make the action done  : macro global trace Make_Range_UNUSED $RANGE Gi1/0/4-12
default int range $RANGE
int range $RANGE
  description --- UNUSED ---
  switchport access vlan 111
  switchport mode access
  switchport nonegotiate
  shutdown
  no cdp enable
  no lldp receive
  no lldp transmit
  spanning-tree portfast
  spanning-tree bpduguard enable
 end

For the example, we have a 48-port Cisco 2960 with a range of ports we want to secure.

Gi1/0/17                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/18                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/19                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/20                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/21                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/22                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/23                     notconnect   1            auto   auto 10/100/1000BaseTX

Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/24                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/25                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/26                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/27                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/28                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/29                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/30                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/31                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/32                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/33                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/34                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/35                     notconnect   1            auto   auto 10/100/1000BaseTX

Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/36                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/37                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/38                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/39                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/40                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/41                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/42                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/43                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/44                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/45                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/46                     notconnect   1            auto   auto 10/100/1000BaseTX

We have several possibilities:

  • Secure port by port using the commands written in the macro 'Make_UNUSED': approx. 330 commands
  • Secure the whole range of ports (here they are all consecutive) using the same commands as above: approx. 11 commands
  • Use the macro 'Make_UNUSED': easier, but we have to call the macro for each port: approx. 60 commands
  • Use the macro 'Make_Range_UNUSED': 1 command

So let's use the macro 'Make_Range_UNUSED':

(config)#macro global trace Make_Range_UNUSED $RANGE Gi1/0/17-46
Applying command... 'default int range Gi1/0/17-46'
% Cannot enable CDP on this interface, since CDP is not running
% Cannot enable CDP on this interface, since CDP is not running
% Cannot enable CDP on this interface, since CDP is not running
                      ../..
% Cannot enable CDP on this interface, since CDP is not running
% Cannot enable CDP on this interface, since CDP is not running
% Cannot enable CDP on this interface, since CDP is not running
% Cannot enable CDP on this interface, since CDP is not running
% Cannot enable CDP on this interface, since CDP is not running
Applying command... 'int range Gi1/0/17-46'
Applying command... '  description --- UNUSED ---'
Applying command... '  switchport access vlan 111'
Applying command... '  switchport mode access'
Applying command... '  switchport nonegotiate'
Applying command... '  shutdown'
Applying command... '  no cdp enable'
Applying command... '  no lldp receive'
Applying command... '  no lldp transmit'
Applying command... '  spanning-tree portfast'
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast will be configured in 30 interfaces due to the range command
 but will only have effect when the interfaces are in a non-trunking mode.
Applying command... '  spanning-tree bpduguard enable'
Applying command... ' end'

Let's check:

Gi1/0/17  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/18  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/19  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/20  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/21  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/22  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/23  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX

Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/24  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/25  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/26  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/27  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/28  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/29  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/30  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/31  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/32  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/33  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/34  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/35  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX

Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/36  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/37  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/38  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/39  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/40  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/41  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/42  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/43  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/44  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/45  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/46  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX

And let's check the configuration of one port:

#sh run inter Gi1/0/17
Building configuration...

Current configuration : 259 bytes
!
interface GigabitEthernet1/0/17
 description --- UNUSED ---
 switchport access vlan 111
 switchport mode access
 switchport nonegotiate
 shutdown
 no cdp enable
 no lldp transmit
 no lldp receive
 spanning-tree portfast
 spanning-tree bpduguard enable
end
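
To find which ports still need the macro, and to confirm afterwards that none were missed, the interface status listing shown above can be parsed offline. The following Python script is an added example, not part of the original post: it reads status rows in the format shown above, skips the header line that the pager repeats, and prints the macro call for each run of consecutive ports that has no link and is not yet shut down in VLAN 111. The function names and the sample listing are constructed for illustration; the macro names and VLAN number are the ones used on this page.

```python
import re

# One data row of the status listing. The Name column may be empty or contain spaces.
ROW = re.compile(
    r"^(?P<prefix>[A-Za-z]+(?:\d+/)*)(?P<num>\d+)\s+(?P<name>.*?)\s*"
    r"(?P<status>connected|notconnect|disabled|err-disabled|inactive)\s+(?P<vlan>\S+)"
)

def unparked(status_text, unused_vlan="111"):
    """Return (prefix, number) for down ports not yet shut in the unused VLAN."""
    ports = []
    for line in status_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # blank lines and the header the pager repeats on each screen
        parked = m["status"] == "disabled" and m["vlan"] == unused_vlan
        if m["status"] in ("notconnect", "disabled") and not parked:
            ports.append((m["prefix"], int(m["num"])))
    return ports

def macro_commands(ports):
    """Collapse consecutive ports into runs and emit one macro call per run."""
    runs = []
    for prefix, num in sorted(set(ports)):
        if runs and runs[-1][0] == prefix and runs[-1][2] == num - 1:
            runs[-1][2] = num  # extend the current run
        else:
            runs.append([prefix, num, num])
    cmds = []
    for prefix, first, last in runs:
        if first == last:
            cmds.append(f"macro global trace Make_UNUSED $INT {prefix}{first}")
        else:
            cmds.append(f"macro global trace Make_Range_UNUSED $RANGE {prefix}{first}-{last}")
    return cmds

# Constructed sample: two connected ports, one port already parked, four candidates.
SAMPLE = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/15  uplink srv         connected    20         a-full a-1000 10/100/1000BaseTX
Gi1/0/16  --- UNUSED ---     disabled     111          auto   auto 10/100/1000BaseTX
Gi1/0/17                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/18                     notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/19                     notconnect   1            auto   auto 10/100/1000BaseTX

Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/20  printer            connected    30         a-full  a-100 10/100/1000BaseTX
Gi1/0/21                     notconnect   1            auto   auto 10/100/1000BaseTX
"""

if __name__ == "__main__":
    print("\n".join(macro_commands(unparked(SAMPLE))))
```

Review the proposed list before pasting it: 'notconnect' only means no link at that moment, and both macros start with a 'default int' that erases whatever configuration the port had.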