Вот скрипт, позволяющий управлять всеми (почти) возможностями port security.
#!/usr/bin/perl
#sets up port security modes on 3com SSII switches
#v.1.0.7 added --reset option
#v.1.0.6 can delete secure MACs
#v.1.0.5 can add secure MACs
#v.1.0.4 not needs MIB, uses numeric OIDs
#v.1.0.3 changed displayed names (PortMode -> securePortMode)
#v.1.0.2 can show stored MACs
#v.1.0.1 can set ifAdminStatus
#v.1.0.0 can set securePortMode, secureIntrusionAction, secureNumberAddresses only
#(c) Denis Nelubin, 2005
#(c) OmskTeleCom, Ltd., 2005
use SNMP;
use Getopt::Long;
#parameters names
@portmode_is = ('', 'noRestrictions', 'continuousLearning', 'autoLearn', 'secure');
%portmode_si = ('noRestrictions'=>1, 'continuousLearning'=>2, 'autoLearn'=>3, 'secure'=>4);
@ntkmode_is = ('', 'notAvailable', 'disabled', 'needToKnowOnly',
'needToKnowWithBroadcastsAllowed', 'needToKnowWithMulticastsAllowed',
'permanentNeedToKnowOnly', 'permanentNeedToKnowWithBroadcastsAllowed',
'permanentNeedToKnowWithMulticastsAllowed');
%ntkmode_si = ('notAvailable'=>1, 'disabled'=>2, 'needToKnowOnly'=>3,
'needToKnowWithBroadcastsAllowed'=>4, 'needToKnowWithMulticastsAllowed'=>5,
'permanentNeedToKnowOnly'=>6, 'permanentNeedToKnowWithBroadcastsAllowed'=>7,
'permanentNeedToKnowWithMulticastsAllowed'=>8);
@intact_is = ('', 'notAvailable', 'noAction', 'disablePort', 'disablePortTemporarily');
%intact_si = ('notAvailable'=>1, 'noAction'=>2, 'disablePort'=>3, 'disablePortTemporarily'=>4);
@admst_is = ('', 'enabled', 'disabled', 'testing');
GetOptions('u|unit|slot:i'=>\$unit,
'n|num-addr:i'=>\$numaddr,
'm|mode:s'=>\$portmode,
'a|action:s'=>\$intact,
'set:i'=>\$autoset,
'v|verbose'=>\$verbose,
'c|community:s'=>\$community,
't|timeout:i'=>\$timeout,
'r|retries:i'=>\$retries,
'e|enable'=>\$enable,
'd|disable'=>\$disable,
'add-mac:s'=>\@addmac,
'del-mac:s'=>\@delmac,
'reset'=>\$autoreset) or usage();
usage() if($#ARGV<1);
$host = $ARGV[0];
$port = $ARGV[1];
#convert port to unit and port
if($port<100)
{
$unit = 1 unless($unit);
}
else
{
$unit = int($port/100);
$port = $port%100;
}
usage() if(!$unit or !$port);
#default values
$community = 'private' unless($community);
$timeout = 3000000 unless($timeout);
$retries = 3 unless($retries);
$adminstatus = 2 if(defined $disable);
$adminstatus = 1 if(defined $enable);
if(defined $autoset)
{
$portmode = 3 unless(defined $portmode);
$numaddr = ($autoset?$autoset:1) unless(defined $numaddr);
$intact = 4 unless(defined $intact);
$adminstatus = 1 unless(defined $adminstatus);
}
if(defined $autoreset)
{
$portmode = 1 unless(defined $portmode);
$numaddr = 0 unless(defined $numaddr);
$intact = 2 unless(defined $intact);
$adminstatus = 1 unless(defined $adminstatis);
}
#convert from strings to numbers
$portmode = $portmode_si{$portmode} unless($portmode=~/^\d/);
$intact = $intact_si{$intact} unless($intact=~/^\d/);
if($verbose)
{
print "host:\t$host\n" if(defined $host);
print "unit:\t$unit\n" if(defined $unit);
print "port:\t$port\n" if(defined $port);
print "community:\t$community\n" if(defined $community);
print "timeout:\t$timeout\n" if(defined $timeout);
print "retries:\t$retries\n" if(defined $retries);
print "mode:\t$portmode ($portmode_is[$portmode])\n" if(defined $portmode);
print "action:\t$intact ($intact_is[$intact])\n" if(defined $intact);
print "num-addr:\t$numaddr\n" if(defined $numaddr);
print "adminstatus:\t$adminstatus ($admst_is[$adminstatus])\n" if(defined $adminstatus);
foreach $mac (@addmac)
{
print "add-mac:\t$mac\n";
}
foreach $mac (@delmac)
{
print "del-mac:\t$mac\n";
}
}
#SNMP::addMibDirs('/usr/share/snmp/mibs');#!!!!!!?????
#SNMP::loadModules('A3COM0021-PORT-SECURITY');
$sess = SNMP::Session->new( DestHost=>$host,
Community=>$community,
Timeout=>$timeout,
Retries=>$retries);
die("SNMP session: ".$sess->{ErrorStr}."\n") if($sess->{ErrorNum});
#set values
@vars;
#push(@vars,['secureNumberAddresses',"$unit.$port",$numaddr]) if(defined $numaddr);
push(@vars,['.1.3.6.1.4.1.43.10.22.1.1.6',"$unit.$port",$numaddr,'INTEGER']) if(defined $numaddr);
#push(@vars,['securePortMode',"$unit.$port",$portmode]) if(defined $portmode);
push(@vars,['.1.3.6.1.4.1.43.10.22.1.1.3',"$unit.$port",$portmode,'INTEGER']) if(defined $portmode);
#push(@vars,['secureIntrusionAction',"$unit.$port",$intact]) if(defined $intact);
push(@vars,['.1.3.6.1.4.1.43.10.22.1.1.5',"$unit.$port",$intact,'INTEGER']) if(defined $intact);
#push(@vars,['ifAdminStatus',$unit*100+$port,$adminstatus]) if(defined $adminstatus);
push(@vars,['.1.3.6.1.2.1.2.2.1.7',$unit*100+$port,$adminstatus,'INTEGER']) if(defined $adminstatus);
foreach $mac (@addmac)
{
#push(@vars,['secureAddrRowStatus',"$unit.$port".oidmac($mac),4]); #4: createAndGo
push(@vars,['.1.3.6.1.4.1.43.10.22.2.1.4',"$unit.$port".oidmac($mac),4,'INTEGER']);
}
foreach $mac (@delmac)
{
#push(@vars,['secureAddrRowStatus',"$unit.$port".oidmac($mac),6]); #6: destroy
push(@vars,['.1.3.6.1.4.1.43.10.22.2.1.4',"$unit.$port".oidmac($mac),6,'INTEGER']);
}
if($#vars>=0)
{
$sess->set(\@vars);
die("SNMP set: ".$sess->{ErrorStr}."\n") if($sess->{ErrorNum});
}
#get values
($secslot, $secport, $portmode, $ntkmode, $intact, $numaddr, $numaddrstor, $adminstatus)
= $sess->get([
# ['secureSlotIndex',"$unit.$port"],
['.1.3.6.1.4.1.43.10.22.1.1.1',"$unit.$port"],
# ['securePortIndex',"$unit.$port"],
['.1.3.6.1.4.1.43.10.22.1.1.2',"$unit.$port"],
# ['securePortMode',"$unit.$port"],
['.1.3.6.1.4.1.43.10.22.1.1.3',"$unit.$port"],
# ['secureNeedToKnowMode',"$unit.$port"],
['.1.3.6.1.4.1.43.10.22.1.1.4',"$unit.$port"],
# ['secureIntrusionAction',"$unit.$port"],
['.1.3.6.1.4.1.43.10.22.1.1.5',"$unit.$port"],
# ['secureNumberAddresses',"$unit.$port"],
['.1.3.6.1.4.1.43.10.22.1.1.6',"$unit.$port"],
# ['secureNumberAddressesStored',"$unit.$port"],
['.1.3.6.1.4.1.43.10.22.1.1.7',"$unit.$port"],
# ['ifAdminStatus',$unit*100+$port]
['.1.3.6.1.2.1.2.2.1.7',$unit*100+$port]
]);
die("SNMP get: ".$sess->{ErrorStr}."\n") if($sess->{ErrorNum});
print "secureSlotIndex\t$secslot\n";
print "securePortIndex\t$secport\n";
print "securePortMode\t$portmode ($portmode_is[$portmode])\n";
#print "secureNeedToKnowMode\t$ntkmode ($ntkmode_is[$ntkmode])\n";
print "secureIntrusionAction\t$intact ($intact_is[$intact])\n";
print "secureNumberAddresses\t$numaddr\n";
print "secureNumberAddressesStored\t$numaddrstor\n";
print "ifAdminStatus\t$adminstatus ($admst_is[$adminstatus])\n";
#get macs
#$vars = new SNMP::Varbind(['secureAddrMAC',"$unit.$port"]);
$vars = new SNMP::Varbind(['.1.3.6.1.4.1.43.10.22.2.1.3',"$unit.$port"]);
for($i=0; $i<$numaddrstor; $i++)
{
$mac = $sess->getnext($vars);
die("SNMP getnext: ".$sess->{ErrorStr}."\n") if($sess->{ErrorNum});
$mac = strmac($mac);
print "secureAddrMAC\t$mac\n" unless($sess->{ErrorStr});
}
exit 0;
sub usage
{
print "Usage:\n";
print "$0 <opts> host port\n";
print "-u|--unit|--slot <num> - Unit or slot number (default 1)\n";
print "-m|--mode (1-4".join('|',@portmode_is).") - Port security mode\n";
print "-a|--action (1-4".join('|',@intact_is).") - Action on intrusion\n";
print "-n|--num-addr <num> - Number of secure macs to store\n";
print "-e|--enable - Enable port\n";
print "-d|--disable - Disable port\n";
print "--set [<num>] - Equal to '-e -m autoLearn -a disablePortTemporarily -n <num>' (default num=1)\n";
print "--reset - Equal to '-e -m noRestrictions -a noAction -n 0'\n";
print "--add-mac <mac> - Adds new secured MAC (--num-addr must be set to hold enough macs)\n";
print "--del-mac <mac> - Deletes secured MAC (--mode $portmode_is[3] deletes all macs)\n";
print "-c|--community <str> - Community string (default 'private')\n";
print "-t|--timeout <num> - SNMP timeout in microsecs (default 3000000)\n";
print "-r|--retries <num> - number of SNMP retries (default 3)\n";
print "-v|--verbose - show parsed input parameters\n";
exit 0;
}
sub strmac
{
my $mac = shift;
$mac = unpack('H*',$mac);
$mac =~ s/(.{2})/$1:/g;
$mac =~ s/:$//;
return $mac;
}
sub oidmac
{ #taken from http://forum.nag.ru/viewtopic.php?p=78192
my $mac = shift;
my @a_mac = split(/:|-/, $mac);
my $oid = '';
foreach my $t (@a_mac)
{
$oid .= '.'.hex($t);
}
return $oid;
}