cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4883
Views
5
Helpful
42
Replies
Highlighted
Beginner

EEM and TcL Script to Disable Inactive Ports

I've browsed around to the other  support strings to make sure I didn't miss anything, but I can't seem to  get this to work.  I have the latest sl_suspend_ports.tcl and  tm_suspend_ports.tcl created by Joseph Clarke from strings that verified they worked as planned.   Here are the commands I issued to register the scripts -

Directory of flash:/policies/

    9  -rwx        3101   May 3 2013 07:58:03 +00:00  sl_suspend_ports.tcl

   10  -rwx        4669   May 3 2013 07:58:44 +00:00  tm_suspend_ports.tcl

conf t

event manager directory user policy flash:/policies

event manager policy sl_suspend_ports.tcl

event manager environment suspend_ports_days 1

event manager environment suspend_ports_config flash:/susp_ports.dat

event manager policy tm_suspend_ports.tcl

#show run | inc event manager environment

event manager environment suspend_ports_days 1

event manager environment suspend_ports_config flash:/susp_ports.dat

It doesn't appear to work though.  Essentially, we have a  need to make sure all computers are always on and all ports not active  for >24 hours to be shutdown and moved to a designated vlan (I added  the 'lappend' statement to the script to specify the additional command of assigning the vlan)

I'm running 12.2(55)SE7 on Catalyst 3560s and 3750s

Is there a way to manually run the script?  Did I miss anything in the configuration?

Thanks for your help!

Chris

42 REPLIES 42
Highlighted
Hall of Fame Cisco Employee

You should see some debugging provided you enabled "terminal monitor".  However, with command authorization, you will need to configure:

event manager session cli username USER

Where USER is a user authorized to run the "show ip int brief" command.

View solution in original post

Highlighted

Doh!  Yeah, terminal monitor....  And that is the problem -

2>enable

002093: May 14 04:16:51.592: %HA_EM-6-LOG: tm_suspend_ports.tcl : DEBUG(cli_lib) : OUT : SPOD-N-2-S-tcf-IGX-s2#

SPOD-N-2-S-tcf-IGX-s2#

002094: May 14 04:16:51.592: %HA_EM-6-LOG: tm_suspend_ports.tcl : DEBUG(cli_lib) : IN  : SPOD-N-2-S-tcf-IGX-s2#config t

002095: May 14 04:16:51.911: %HA_EM-6-LOG: tm_suspend_ports.tcl : DEBUG(cli_lib) : OUT : Command authorization failed.

002096: May 14 04:16:51.911: %HA_EM-6-LOG: tm_suspend_ports.tcl : DEBUG(cli_lib) : OUT :

002097: May 14 04:16:51.911: %HA_EM-6-LOG: tm_suspend_ports.tcl : DEBUG(cli_lib) : OUT : SPOD-N-2-S-tcf-IGX-s2#

002098: May 14 04:16:51.911: %HA_EM-6-LOG: tm_suspend_ports.tcl : DEBUG(cli_lib) : IN  : SPOD-N-2-S-tcf-IGX-s2#end

002099: May 14 04:16:52.331: %HA_EM-6-LOG: tm_suspend_ports.tcl : DEBUG(cli_lib) : OUT : Command authorization failed.

I tried entering the command you suggested with a local account that has priv 15 access, but the output was the same when I manually ran the script. 

Highlighted
Hall of Fame Cisco Employee

You can't use a local account.  You need to use an account that is authorized by AAA.  For example, use your own username.

View solution in original post

Highlighted

That worked!  Now to see if it works with the scheduled tm overnight when I'm not here.  I'll report back in the morning (my time).   Thanks again for all the help!

susp_ports.dat contents -

FastEthernet0/8 1368505930 FastEthernet0/4 1368505930 FastEthernet0/10 1368505930 FastEthernet0/9 1368505930 FastEthernet0/5 1368505930 FastEthernet0/6 1368505930 FastEthernet0/2 1368505930 FastEthernet0/7 1368505930 FastEthernet0/3 1368505930

Highlighted

SUCCESS!  AWESOME!

I added one more line to the lappend statements to add a description with the time stamp, here's what happened -

Port      Name               Status       Vlan       Duplex  Speed Type

Fa0/2     Disable by Inactiv disabled     666          auto   auto 10/100BaseTX

Fa0/3     Disable by Inactiv disabled     666          auto   auto 10/100BaseTX

Fa0/4     Disable by Inactiv disabled     666          auto   auto 10/100BaseTX

Fa0/5     Disable by Inactiv disabled     666          auto   auto 10/100BaseTX

Fa0/6     Disable by Inactiv disabled     666          auto   auto 10/100BaseTX

Fa0/7     Disable by Inactiv disabled     666          auto   auto 10/100BaseTX

Fa0/8     Disable by Inactiv disabled     666          auto   auto 10/100BaseTX

Fa0/9     Disable by Inactiv disabled     666          auto   auto 10/100BaseTX

Fa0/10    Disable by Inactiv disabled     666          auto   auto 10/100BaseTX

#sh run int fa0/2

Building configuration...

Current configuration : 408 bytes

!

interface FastEthernet0/2

description Disable by Inactivity Script last used on Tue May 14 04:32:10 ZULU 2013

switchport access vlan 666

shutdown

end

So to recap for any future folks that stumble upon this thread and want to use this method. 

1. Create a TACACS service account or use a TACACS/RADIUS account that has a high enough privilege to edit the config.

2. Create a "policies" directory on flash and copy the attached scripts to it.

3. Register the scripts using the following commands -

#conf t

(config)#event manager directory user policy flash:/policies

(config)#event manager policy sl_suspend_ports.tcl

(config)#event manager environment suspend_ports_days 1    "<--Or the number of days inactive you choose"

(config)#event manager environment suspend_ports_config flash:/susp_ports.dat

(config)#event manager policy tm_suspend_ports.tcl

(config)#event manager session cli username "svc.eemscript"  "<---The account you created to run in step 1"

The output of "show event manager policy registered" should then show the following -

#show event manager policy registered

No.  Class     Type    Event Type          Trap  Time Registered           Secu  Name

1    script    user    syslog              Off   Fri May 3 10:20:26 2013   2048  sl_suspend_ports.tcl

pattern {LINEPROTO-5-UPDOWN}

nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary

2    script    user    timer cron          Off   Tue May 14 05:25:42 2013  2048  tm_suspend_ports.tcl

cron entry {0 0 * * *}

nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary

NOTE: On lines 140-145 of the tm_suspend_ports.tcl file, you can edit the commands you want the script to execute to your liking.  I have it adding a description as seen in the above output and moving to an isolated non-routable VLAN of my network.

Thanks Joe Clarke for the awesome script and assistance in getting it running!

Highlighted

Joe.

I have implemented your script and it has worked wonders.  I do have a questions to ask.  I am wanting to have an exclusion included in one of the scripts to exclude ports in a VLAN.  The ports in the VLAN can never get disabled due to different times, days, weeks, users use the equipment.  It varies when the users use them but due to critical circumstances, it is required for the script to skip them.  If you could please provide some assistance in making this happen.

Highlighted
Hall of Fame Cisco Employee

The the tm_suspend_ports.tcl policy, you can add the following code in the loop that goes through the suspend_ports array:

set output [run_cli [list "show int $port switchport | inc Access Mode VLAN"]]

if { ! [regexp {Access Mode VLAN: NUM} $output] } {

   set cli [concat $cli [list "interface $port" "shut"]]
    action_syslog msg "Shutting down port $port since it was last used on [clock format $suspend_ports($port)]"

}

Here, NUM is your special VLAN number.

Highlighted

Thank you for the code.  I will test it to see how it performs.  Once again you have saved the day!!

Highlighted

Joe,

The script worked.  One more question.  If I wanted more than one VLAN to be exempted how would the code look like.  Also, when I looked at the .dat file it still showed the port with the VLAN in it.  It never goes away.  I think we might have to update the sl_suspend_ports.tcl as well.  Thanks.

Highlighted
Hall of Fame Cisco Employee

Depending on the VLAN pattern, you could do VLAN1|VLAN2... as part of the regular expression itself.  Or, you could simply extend the if conditional with && to match multiple patterns.

Highlighted

I tried what you said but it gives me errors.  This is what I have:

if { ! [regexp {Access Mode VLAN: NUM} $output] } && if { ! [regexp {Access Mode VLAN: NUM} $output] } {

   set cli [concat $cli [list "interface $port" "shut"]]
    action_syslog msg "Shutting down port $port since it was last used on [clock format $suspend_ports($port)]"

}

I am missing something very simple

Highlighted
Hall of Fame Cisco Employee

You can't string together statements like this.  Conditionals belong within a single if statement:

if { ! [regexp {Access Mode VLAN: NUM} $output] && ! [regexp {Access Mode VLAN: NUM} $output] } {

Highlighted

The script works with both VLANs being excluded.  I was noticing though that the .dat file that gets created still shows the ports of the VLANs being exlcuded.  Is there a way to get those off?

Highlighted
Hall of Fame Cisco Employee

You could, but it would be a bit more complex as you need to add code to the loop that goes through each line of the "show ip int brief" output to determine the port's VLAN, then filter it out of the ports array.  It shouldn't cause a problem by leaving them in there, though.

Highlighted

Joe,

I am having some issues when trying to the script you provided to work. When running the script, I am being prompted: 

invalid command name "::cisco::eem::event_register_syslog"
while executing
"::cisco::eem::event_register_syslog pattern "LINEPROTO-5-UPDOWN" maxrun 600"
(file "flash:/policies/suspend_ports/sl_suspend_ports.tcl" line 1)

And for the other script is the same thing:

invalid command name "::cisco::eem::event_register_timer"
while executing
"::cisco::eem::event_register_timer cron cron_entry "0 0 * * *" queue_priority normal maxrun 600"
(file "flash:/policies/suspend_ports/tm_suspend_ports.tcl" line 1)


Any insight on what I might be doing wrong or missing?

Content for Community-Ad