05-05-2013 06:04 AM
I've browsed around to the other support strings to make sure I didn't miss anything, but I can't seem to get this to work. I have the latest sl_suspend_ports.tcl and tm_suspend_ports.tcl created by Joseph Clarke from strings that verified they worked as planned. Here are the commands I issued to register the scripts -
Directory of flash:/policies/
9 -rwx 3101 May 3 2013 07:58:03 +00:00 sl_suspend_ports.tcl
10 -rwx 4669 May 3 2013 07:58:44 +00:00 tm_suspend_ports.tcl
conf t
event manager directory user policy flash:/policies
event manager policy sl_suspend_ports.tcl
event manager environment suspend_ports_days 1
event manager environment suspend_ports_config flash:/susp_ports.dat
event manager policy tm_suspend_ports.tcl
#show run | inc event manager environment
event manager environment suspend_ports_days 1
event manager environment suspend_ports_config flash:/susp_ports.dat
It doesn't appear to work though. Essentially, we need to make sure all computers are always on, and any port not active for >24 hours is to be shut down and moved to a designated VLAN (I added the 'lappend' statement to the script to specify the additional command of assigning the VLAN).
I'm running 12.2(55)SE7 on Catalyst 3560s and 3750s
Is there a way to manually run the script? Did I miss anything in the configuration?
Thanks for your help!
Chris
05-07-2013 02:28 PM
You didn't get the latest tm_suspend_ports.tcl script. The proper version is a timer policy, not a none policy. Try this version.
05-13-2013 08:53 PM
You should see some debugging provided you enabled "terminal monitor". However, with command authorization, you will need to configure:
event manager session cli username USER
Where USER is a user authorized to run the "show ip int brief" command.
05-13-2013 09:24 PM
You can't use a local account. You need to use an account that is authorized by AAA. For example, use your own username.
05-05-2013 09:20 PM
Exactly what versions of the scripts are you using? How long have they been registered? What are the contents of susp_ports.dat? The logic requires the timer script to see a down port for at least two days initially before it will be shutdown.
05-05-2013 09:37 PM
I attached the versions I'm running to the original discussion. It hasn't created the susp_ports.dat file though. The variable is set, but over the 30 switches I deployed it to, none have a susp_ports.dat created on the flash. Do I have to manually create this file?
Added the scripts to the 30 switches across my network on 2MAY, and this morning (6MAY), still no disabled ports or creation of susp_ports.dat
Thanks for the help!
05-06-2013 09:07 PM
Sorry, the attachments hadn't come through at the time. The susp_ports.dat is only created when the tm_suspend_ports.tcl script runs. That script runs at midnight. If the file isn't created after one day check the logging buffer to see if there are any errors. Even if no ports qualify, the file should still be created.
05-06-2013 11:28 PM
Nothing in the syslogs showing any errors. Actually, no action at all around midnight. I can manually run the policy and it successfully creates the susp_ports.dat, so I'm wondering if somehow EEM has to be scheduled to run these policies?
#event manager run tm_suspend_ports.tcl
#dir flash:
Directory of flash:/
2 drwx 128 May 3 2013 07:58:44 +00:00 policies
3 -rwx 12750343 Apr 5 2013 07:45:08 +00:00 c3560-ipservicesk9-mz.122-55.SE7.bin
4 -rwx 47 Dec 20 2012 11:12:50 +00:00 dhcp-snooping.txt
5 -rwx 2216 May 2 2013 02:53:16 +00:00 vlan.dat
6 -rwx 5718 May 6 2013 23:00:04 +00:00 private-config.text
7 -rwx 2072 May 6 2013 23:00:04 +00:00 multiple-fs
8 -rwx 0 May 7 2013 06:24:29 +00:00 susp_ports.dat
11 -rwx 38996 May 6 2013 23:00:03 +00:00 config.text
But then from this text, it appears they are registered -
#show event manager policy registered
No. Class Type Event Type Trap Time Registered Secu Name
1 script user syslog Off Fri May 3 10:20:26 2013 2048 sl_suspend_ports.tcl
pattern {LINEPROTO-5-UPDOWN}
nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary
2 script user none Off Fri May 3 10:48:47 2013 2048 tm_suspend_ports.tcl
policyname {tm_suspend_ports.tcl} sync {yes}
nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary
05-08-2013 03:18 AM
Alright, updated the file on the flash and re-registered -
#show even manager policy registered
No. Class Type Event Type Trap Time Registered Secu Name
1 script user syslog Off Fri May 3 10:20:26 2013 2048 sl_suspend_ports.tcl
pattern {LINEPROTO-5-UPDOWN}
nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary
2 script user timer cron Off Wed May 8 09:46:52 2013 2048 tm_suspend_ports.tcl
cron entry {0 0 * * *}
nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary
One thing, I changed the following line so that I can put the additional command in. I'm not sure if I could have just appended it to the concat line starting at line 140 -
Version you replied with -
foreach port [array name suspend_ports] {
set cli [concat $cli [list "interface $port" "shut"]]
action_syslog msg "Shutting down port $port since it was last used on [clock format $suspend_ports($port)]"
}
My change -
foreach port [array name suspend_ports] {
lappend cli "interface $port"
lappend cli "shut"
lappend cli "switchport access vlan 668"
action_syslog msg "Shutting down port $port since it was last used on [clock format $suspend_ports($port)]"
}
Or should I make line 141 -
set cli [concat $cli [list "interface $port" "shut" "switchport access vlan 668"]]
05-08-2013 11:48 PM
The latter example would fit, but provided "cli" is an empty string your change would work, too.
05-09-2013 12:02 AM
Thanks for all the help, going to monitor for a day or so to see if it works. No errors overnight in the creation of the susp_ports.dat files. I've got a few ports I brought up with a host and unplugged to generate the lineproto5-updown messages. Hopefully a day from now they'll be disabled and moved to vlan 668!
05-10-2013 03:39 AM
It appears to have recreated the susp_ports.dat file again at midnight. Does this happen every night? I looked at the .dat and it is blank, as it was yesterday. The sl_suspend_ports.tcl is what should be writing to this file, correct?
So here I have the policies registered -
#sh event manager policy registered
No. Class Type Event Type Trap Time Registered Secu Name
1 script user syslog Off Mon Mar 1 00:02:24 1993 2048 sl_suspend_ports.tcl
pattern {LINEPROTO-5-UPDOWN}
nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary
2 script user timer cron Off Mon Mar 1 00:02:24 1993 2048 tm_suspend_ports.tcl
cron entry {0 0 * * *}
nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary
And here I bring a port up and take it down -
000188: May 10 10:24:00.246: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/6, changed state to up
000189: May 10 10:24:11.445: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/6, changed state to down
The way I'm understanding the sl_suspend_ports.tcl is that it continuously listens for syslog events looking for the pattern "LINEPROTO-5-UPDOWN", at which time a down state would be recorded to 'susp_ports.dat', but after the above logged items, the susp_ports.dat file is still blank.
I'm very appreciative of all the assistance you're providing. I really hope to make this work so that it can help some of our larger bases out as well.
05-10-2013 03:27 PM
Yes, it does recreate the dat file every night. It should contain those ports that are admin up/oper down and a timestamp. If that's not working, post the output of "show ip interface brief | include Ethernet" in a text file attachment. The syslog policy only serves to remove the port from the list if it comes up.
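To make the behaviour described in the replies concrete (the timer policy snapshots admin up/oper down ports into the dat file with a timestamp every night, and only shuts a port once it has stayed down for the configured number of days), here is an added example in plain Tcl. It is not the tm_suspend_ports.tcl from this thread, and it is not a drop-in EEM policy: it runs under a normal tclsh, whereas EEM on 12.2(55)SE embeds Tcl 8.3.4 and gets its show output through cli_exec rather than from a string. The "show ip interface brief" text, the dat-file format (one "port seconds" line per entry), the file path, the VLAN 668 command and the "at least days * 86400 seconds" comparison are all constructed or assumed here. The build_cli proc also shows the concat form that the later post asks about, which gives the same list as three lappend calls as long as the variable already holds a proper list.

```tcl
# Added example, not the thread's tm_suspend_ports.tcl. Plain Tcl for tclsh;
# EEM on 12.2(55)SE embeds Tcl 8.3.4, so this models the logic only.

# Constructed stand-in for "show ip interface brief | include Ethernet"
# (a real policy gets this from cli_exec).
set show_output {
FastEthernet0/1        unassigned      YES unset  up                    up
FastEthernet0/2        unassigned      YES unset  down                  down
FastEthernet0/3        unassigned      YES unset  down                  down
FastEthernet0/11       unassigned      YES unset  administratively down down
GigabitEthernet0/1     unassigned      YES unset  administratively down down
}

# Ports that are admin up but oper down: status column is "down",
# not "administratively down".
proc find_admin_up_oper_down {output} {
    set result {}
    foreach line [split $output "\n"] {
        set line [string trim $line]
        if {$line == ""} continue
        if {[regexp {^(\S*Ethernet\S+)\s+\S+\s+\S+\s+\S+\s+(.+?)\s+(\S+)$} \
                $line -> port status proto]} {
            if {$status == "down" && $proto == "down"} {
                lappend result $port
            }
        }
    }
    return $result
}

# Assumed dat-file format: one "port seconds-since-epoch" line per entry.
# The file is written even when nothing is tracked, as the reply says.
proc load_db {dbName path} {
    upvar 1 $dbName db
    array unset db
    array set db {}
    if {![file exists $path]} return
    set fh [open $path r]
    foreach line [split [string trim [read $fh]] "\n"] {
        if {[llength $line] == 2} {
            set db([lindex $line 0]) [lindex $line 1]
        }
    }
    close $fh
}

proc save_db {dbName path} {
    upvar 1 $dbName db
    set fh [open $path w]
    foreach port [lsort [array names db]] {
        puts $fh "$port $db($port)"
    }
    close $fh
}

# Keep the "first seen down" time for ports still down, add new down ports
# with the current time, drop ports that are no longer down.
proc update_suspend_db {dbName down_ports now} {
    upvar 1 $dbName db
    array set new {}
    foreach port $down_ports {
        if {[info exists db($port)]} {
            set new($port) $db($port)
        } else {
            set new($port) $now
        }
    }
    array unset db
    array set db [array get new]
}

# Assumed threshold: down for at least $days full days.
proc ports_to_suspend {dbName now days} {
    upvar 1 $dbName db
    set result {}
    set limit [expr {$days * 86400}]
    foreach port [lsort [array names db]] {
        if {$now - $db($port) >= $limit} {
            lappend result $port
        }
    }
    return $result
}

# Build the config command list. The concat form below equals three
# lappend calls provided $cli already holds a proper list.
proc build_cli {ports vlan} {
    set cli [list "configure terminal"]
    foreach port $ports {
        set cli [concat $cli [list "interface $port" "shutdown" "switchport access vlan $vlan"]]
    }
    lappend cli "end"
    return $cli
}

# Demonstration: two midnight runs one day apart, suspend_ports_days = 1.
set days 1
set datfile [file join [pwd] "susp_ports.dat"]   ;# stands in for flash:/susp_ports.dat
file delete -force $datfile
set day1 1368057600                              ;# 2013-05-09 00:00:00 UTC
set day2 [expr {$day1 + 86400}]
foreach now [list $day1 $day2] {
    load_db db $datfile
    update_suspend_db db [find_admin_up_oper_down $show_output] $now
    save_db db $datfile
    set victims [ports_to_suspend db $now $days]
    puts "[clock format $now -gmt 1]: tracked {[lsort [array names db]]} suspend {$victims}"
    if {[llength $victims]} {
        puts [join [build_cli $victims 668] "\n"]
    }
}
file delete -force $datfile
```

On the first run FastEthernet0/2 and 0/3 are recorded but nothing is suspended; on the second run, one day later, both pass the threshold and the shutdown plus VLAN commands are emitted. The administratively down ports never enter the file, which matches the reply's "admin up/oper down" rule and explains why a switch whose idle ports are already admin down produces an empty dat file.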
05-12-2013 08:13 PM
05-13-2013 01:20 PM
Using your output, I ran my script, and it produces a proper susp_ports.dat file. The only thing I can think of is that the script isn't getting the right CLI output because maybe you have command authorization enabled. Turn on "debug event manager tcl cli" then register the original version of the script you had (with the none ED). Run it manually and post the output.
05-13-2013 08:15 PM
I deleted the existing susp_ports.dat, then copied the old tm to the policies folder. Nothing showed with the debug. (I turned on 'logging monitor debugging' before.)
dir flash:
Directory of flash:/
2 drwx 128 May 14 2013 02:56:15 +00:00 policies
3 -rwx 12750343 Apr 5 2013 07:45:08 +00:00 c3560-ipservicesk9-mz.122-55.SE7.bin
4 -rwx 47 Dec 20 2012 11:12:50 +00:00 dhcp-snooping.txt
5 -rwx 2156 May 9 2013 12:20:31 +00:00 vlan.dat
6 -rwx 5718 May 13 2013 23:00:03 +00:00 private-config.text
10 -rwx 2072 May 13 2013 23:00:03 +00:00 multiple-fs
11 -rwx 39231 May 13 2013 23:00:03 +00:00 config.text
32514048 bytes total (19701760 bytes free)
#show event manager policy registered
No. Class Type Event Type Trap Time Registered Secu Name
1 script user syslog Off Fri May 3 10:20:26 2013 2048 sl_suspend_ports.tcl
pattern {LINEPROTO-5-UPDOWN}
nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary
2 script user none Off Tue May 14 02:59:54 2013 2048 tm_suspend_ports.tcl
policyname {tm_suspend_ports.tcl} sync {yes}
nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary
#debug event manager tcl cli
Debug EEM Tcl CLI library debugging is on
SPOD-N-2-S-tcf-IGX-s2#event manager run tm_suspend_ports.tcl
SPOD-N-2-S-tcf-IGX-s2#dir flash:
Directory of flash:/
2 drwx 128 May 14 2013 02:56:15 +00:00 policies
3 -rwx 12750343 Apr 5 2013 07:45:08 +00:00 c3560-ipservicesk9-mz.122-55.SE7.bin
4 -rwx 47 Dec 20 2012 11:12:50 +00:00 dhcp-snooping.txt
5 -rwx 2156 May 9 2013 12:20:31 +00:00 vlan.dat
6 -rwx 5718 May 13 2013 23:00:03 +00:00 private-config.text
8 -rwx 0 May 14 2013 03:07:16 +00:00 susp_ports.dat
10 -rwx 2072 May 13 2013 23:00:03 +00:00 multiple-fs
11 -rwx 39231 May 13 2013 23:00:03 +00:00 config.text
32514048 bytes total (19701760 bytes free)
#
Still an empty susp_ports.dat, even with the interface status as follows -
#show ip int br | i Ethernet
FastEthernet0/1 unassigned YES unset up up
FastEthernet0/2 unassigned YES unset down down
FastEthernet0/3 unassigned YES unset down down
FastEthernet0/4 unassigned YES unset down down
FastEthernet0/5 unassigned YES unset down down
FastEthernet0/6 unassigned YES unset down down
FastEthernet0/7 unassigned YES unset down down
FastEthernet0/8 unassigned YES unset down down
FastEthernet0/9 unassigned YES unset down down
FastEthernet0/10 unassigned YES unset down down
FastEthernet0/11 unassigned YES unset administratively down down
FastEthernet0/12 unassigned YES unset administratively down down
FastEthernet0/13 unassigned YES unset administratively down down
FastEthernet0/14 unassigned YES unset administratively down down
FastEthernet0/15 unassigned YES unset administratively down down
FastEthernet0/16 unassigned YES unset administratively down down
FastEthernet0/17 unassigned YES unset administratively down down
FastEthernet0/18 unassigned YES unset administratively down down
FastEthernet0/19 unassigned YES unset administratively down down
FastEthernet0/20 unassigned YES unset administratively down down
FastEthernet0/21 unassigned YES unset administratively down down
FastEthernet0/22 unassigned YES unset administratively down down
FastEthernet0/23 unassigned YES unset up up
FastEthernet0/24 unassigned YES unset administratively down down
GigabitEthernet0/1 unassigned YES unset administratively down down
GigabitEthernet0/2 unassigned YES unset administratively down down
05-13-2013 08:20 PM
As for the command authorization, I believe that could be it.
#show run | i aaa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CON local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common