|
tearl42
6 posts
|
Greetings to all, I have come to the realization that I can't do it all. I know, I know it's a sad day for me too. So I'm looking for a way that I can appoint someone to do port changes (Desc, VLAN, M/A/Cs, etc) without giving them access to the bare IOS. Has anyone written or seen something that can do this? Thanks, Tom |
|
ciscocrank
28 posts
|
Do you mean add a user to the device with limited capability? |
|
bogon
1 post
|
The easiest way (if it's a single device) is to: set up a privilege level (from 2 to 14, inclusive), define the commands available at that level, and create a username/password for that user at the privilege level you set up. The example in this link pertains to an issue with doing just this, but should help you get to where you're going: Cisco. If it's for a large number of devices, then you're probably going to want to look at implementing something like TACACS+. Good luck! |
|
tearl42
6 posts
|
No, not exactly. Here is what I mean... All of my ports are shut down unless they are in use, but it's part of our daily lives that users or departments move around our building. Because we have the policy that everything stays shut down until used, when our desktop tech goes and moves a machine it actually takes 2 people to do ... One to physically move it and one to logically move it. I want to make that process WAY shorter than it's taking right now. I would like a system where I can have someone activate and de-activate ports (Moves, Adds, Changes (MACs)) without giving them access to the actual IOS. It's almost an end user tracking system with a provisioning tie-in. Hope that explains it better... Tom |
|
joshobrien77
2 posts
|
ACS Server with per-user Auth and Access rights set will get you what you're looking for. It will also log all changes for audit and housekeeping purposes. |
|
tearl42
6 posts
|
True, but I'll still have to train people in how to log in, what commands, blah, blah... I really want this to be idiot proof as much as possible (Yes, I know the ol' saying). Tom |
|
joshlowe
94 posts
|
Do the ports need to be shut down? You could configure 802.1x port-based authentication so that if someone plugs into an unused port, they have no access until they provide a valid username/password. That way, if you move a machine that already has 802.1x username/password configured on it, it will start working on that port immediately. The only training required for the IT guys is to click the "authentication" tab of the interface properties and put in the username and password for new machines. |
|
tearl42
6 posts
|
Actually, that's a great idea. We're already working towards that... My company is typically behind in adopting technology by a longshot so we're looking for something in the meantime. Tom |
|
Phil
4 posts
|
We did a simple web application for this kind of task some years ago. It contained a backend part (PERL), which connects to the switch(es) and reads the config (interface status). The frontend (PHP) displays this info on a website and allows changes (e.g. open/close ports). These changes are pushed to the devices through the backend scripts. If you have some coding people, this would be one possible way. :) |
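Added example, not part of the original thread and not Phil's application: a Python sketch of the validation step a backend like the one described above needs before it pushes anything to a switch, so that a helpdesk form can only ever produce enable/disable, VLAN and description changes on delegated access ports, with an audit line for each change. The port pattern, VLAN list, description character set and all function names are assumptions made for illustration.

```python
import re

# Assumed policy: only access ports 1-48 are delegated (uplinks are excluded
# by the pattern), and only these VLANs may be assigned by the helpdesk.
ALLOWED_PORT = re.compile(r"(?:Fa|Gi)[0-9]/[0-9]/(?:[1-9]|[1-3][0-9]|4[0-8])")
ALLOWED_VLANS = {10, 20, 30}
# No newlines, '?' or control characters: a description must not be able to
# smuggle a second command into the configuration session.
SAFE_DESC = re.compile(r"[A-Za-z0-9 _.,#/-]{1,60}")


class RequestRejected(ValueError):
    """Raised when a request falls outside the delegated policy."""


def render_port_change(port, action, vlan=None, description=None):
    """Return the IOS config lines for one validated port request."""
    if not isinstance(port, str) or not ALLOWED_PORT.fullmatch(port):
        raise RequestRejected(f"port not delegated: {port!r}")
    if action not in ("enable", "disable"):
        raise RequestRejected(f"unknown action: {action!r}")
    lines = [f"interface {port}"]
    if description is not None:
        if not isinstance(description, str) or not SAFE_DESC.fullmatch(description):
            raise RequestRejected("description contains disallowed characters")
        lines.append(f" description {description}")
    if vlan is not None:
        if isinstance(vlan, bool) or not isinstance(vlan, int) or vlan not in ALLOWED_VLANS:
            raise RequestRejected(f"VLAN not delegated: {vlan!r}")
        lines.append(f" switchport access vlan {vlan}")
    lines.append(" no shutdown" if action == "enable" else " shutdown")
    return lines


def audit_record(user, port, action, lines):
    """One-line record of the change, to log or e-mail to the network admin."""
    cmds = "; ".join(line.strip() for line in lines)
    return f"user={user} port={port} action={action} cmds={cmds}"
```

The switch credentials stay with the backend; the person using the form never gets a CLI session, and every accepted request leaves a record of who changed what.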
|
Sevan
23 posts
|
Haven't actually played with this myself so don't know if it'll do everything you require but it should at least help you to get started with pulling data out of your switches. http://sourceforge.net/projects/switchmap/ |
|
ntwrk80
2 posts
|
Try Netdisco www.netdisco.org. I use it to allow my helpdesk staff to change VLANs and up/down status of ports. It e-mails me of all changes so I still know what is going on. It also allows them to search for where a computer is plugged in by IP or MAC. Someone else mentioned switchmap, it's a great program too, but doesn't have the change functions, much cleaner interface than netdisco though. |
|
Sevan
23 posts
|
What about VMPS? http://www.freenac.net/ |
|
Fryguy
2 posts
|
You could always create a macro on the switch and have them apply that. That macro would have all the necessary commands with a minimal amount of typing. |