Doh!  Yeah, terminal monitor....  And that is the problem -

2>enable

002093: May 14 04:16:51.592: %HA_EM-6-LOG: tm_suspend_ports.tcl : DEBUG(cli_lib) : OUT : SPOD-N-2-S-tcf-IGX-s2#

SPOD-N-2-S-tcf-IGX-s2#

002094: May 14 04:16:51.592: %HA_EM-6-LOG: tm_suspend_ports.tcl : DEBUG(cli_lib) : IN  : SPOD-N-2-S-tcf-IGX-s2#config t

002095: May 14 04:16:51.911: %HA_EM-6-LOG: tm_suspend_ports.tcl : DEBUG(cli_lib) : OUT : Command authorization failed.

002096: May 14 04:16:51.911: %HA_EM-6-LOG: tm_suspend_ports.tcl : DEBUG(cli_lib) : OUT :

002097: May 14 04:16:51.911: %HA_EM-6-LOG: tm_suspend_ports.tcl : DEBUG(cli_lib) : OUT : SPOD-N-2-S-tcf-IGX-s2#

002098: May 14 04:16:51.911: %HA_EM-6-LOG: tm_suspend_ports.tcl : DEBUG(cli_lib) : IN  : SPOD-N-2-S-tcf-IGX-s2#end

002099: May 14 04:16:52.331: %HA_EM-6-LOG: tm_suspend_ports.tcl : DEBUG(cli_lib) : OUT : Command authorization failed.

I tried entering the command you suggested with a local account that has priv 15 access, but the output was the same when I manually ran the script. 

That worked!  Now to see if it works with the scheduled tm overnight when I'm not here.  I'll report back in the morning (my time).   Thanks again for all the help!

susp_ports.dat contents -

FastEthernet0/8 1368505930 FastEthernet0/4 1368505930 FastEthernet0/10 1368505930 FastEthernet0/9 1368505930 FastEthernet0/5 1368505930 FastEthernet0/6 1368505930 FastEthernet0/2 1368505930 FastEthernet0/7 1368505930 FastEthernet0/3 1368505930

SUCCESS!  AWESOME!

I added one more line to the lappend statements to add a description with the time stamp, here's what happened -

Port      Name               Status       Vlan       Duplex  Speed Type

Fa0/2     Disable by Inactiv disabled     666          auto   auto 10/100BaseTX

Fa0/3     Disable by Inactiv disabled     666          auto   auto 10/100BaseTX

Fa0/4     Disable by Inactiv disabled     666          auto   auto 10/100BaseTX

Fa0/5     Disable by Inactiv disabled     666          auto   auto 10/100BaseTX

Fa0/6     Disable by Inactiv disabled     666          auto   auto 10/100BaseTX

Fa0/7     Disable by Inactiv disabled     666          auto   auto 10/100BaseTX

Fa0/8     Disable by Inactiv disabled     666          auto   auto 10/100BaseTX

Fa0/9     Disable by Inactiv disabled     666          auto   auto 10/100BaseTX

Fa0/10    Disable by Inactiv disabled     666          auto   auto 10/100BaseTX

#sh run int fa0/2

Building configuration...

Current configuration : 408 bytes

!

interface FastEthernet0/2

description Disable by Inactivity Script last used on Tue May 14 04:32:10 ZULU 2013

switchport access vlan 666

shutdown

end

So to recap for any future folks that stumble upon this thread and want to use this method. 

1. Create a TACACS service account or use a TACACS/RADIUS account that has a high enough privilege to edit the config.

2. Create a "policies" directory on flash and copy the attached scripts to it.

3. Register the scripts using the following commands -

#conf t

(config)#event manager directory user policy flash:/policies

(config)#event manager policy sl_suspend_ports.tcl

(config)#event manager environment suspend_ports_days 1    "<--Or the number of days inactive you choose"

(config)#event manager environment suspend_ports_config flash:/susp_ports.dat

(config)#event manager policy tm_suspend_ports.tcl

(config)#event manager session cli username "svc.eemscript"  "<---The account you created to run in step 1"

The output of "show event manager policy registered" should then show the following -

#show event manager policy registered

No.  Class     Type    Event Type          Trap  Time Registered           Secu  Name

1    script    user    syslog              Off   Fri May 3 10:20:26 2013   2048  sl_suspend_ports.tcl

pattern {LINEPROTO-5-UPDOWN}

nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary

2    script    user    timer cron          Off   Tue May 14 05:25:42 2013  2048  tm_suspend_ports.tcl

cron entry {0 0 * * *}

nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary

NOTE: On lines 140-145 of the tm_suspend_ports.tcl file, you can edit the commands you want the script to execute to your liking.  I have it adding a description as seen in the above output and moving to an isolated non-routable VLAN of my network.

Thanks Joe Clarke for the awesome script and assistance in getting it running!

Joe.

I have implemented your script and it has worked wonders.  I do have a questions to ask.  I am wanting to have an exclusion included in one of the scripts to exclude ports in a VLAN.  The ports in the VLAN can never get disabled due to different times, days, weeks, users use the equipment.  It varies when the users use them but due to critical circumstances, it is required for the script to skip them.  If you could please provide some assistance in making this happen.

The the tm_suspend_ports.tcl policy, you can add the following code in the loop that goes through the suspend_ports array:

set output [run_cli [list "show int $port switchport | inc Access Mode VLAN"]]

if { ! [regexp {Access Mode VLAN: NUM} $output] } {

   set cli [concat $cli [list "interface $port" "shut"]]
    action_syslog msg "Shutting down port $port since it was last used on [clock format $suspend_ports($port)]"

}

Here, NUM is your special VLAN number.

Thank you for the code.  I will test it to see how it performs.  Once again you have saved the day!!

Joe,

The script worked.  One more question.  If I wanted more than one VLAN to be exempted how would the code look like.  Also, when I looked at the .dat file it still showed the port with the VLAN in it.  It never goes away.  I think we might have to update the sl_suspend_ports.tcl as well.  Thanks.

Depending on the VLAN pattern, you could do VLAN1|VLAN2... as part of the regular expression itself.  Or, you could simply extend the if conditional with && to match multiple patterns.

I tried what you said but it gives me errors.  This is what I have:

if { ! [regexp {Access Mode VLAN: NUM} $output] } && if { ! [regexp {Access Mode VLAN: NUM} $output] } {

   set cli [concat $cli [list "interface $port" "shut"]]
    action_syslog msg "Shutting down port $port since it was last used on [clock format $suspend_ports($port)]"

}

I am missing something very simple

You can't string together statements like this.  Conditionals belong within a single if statement:

if { ! [regexp {Access Mode VLAN: NUM} $output] && ! [regexp {Access Mode VLAN: NUM} $output] } {

The script works with both VLANs being excluded.  I was noticing though that the .dat file that gets created still shows the ports of the VLANs being exlcuded.  Is there a way to get those off?

You could, but it would be a bit more complex as you need to add code to the loop that goes through each line of the "show ip int brief" output to determine the port's VLAN, then filter it out of the ports array.  It shouldn't cause a problem by leaving them in there, though.

Joe,

I am having some issues when trying to the script you provided to work. When running the script, I am being prompted: 

invalid command name "::cisco::eem::event_register_syslog"
while executing
"::cisco::eem::event_register_syslog pattern "LINEPROTO-5-UPDOWN" maxrun 600"
(file "flash:/policies/suspend_ports/sl_suspend_ports.tcl" line 1)

And for the other script is the same thing:

invalid command name "::cisco::eem::event_register_timer"
while executing
"::cisco::eem::event_register_timer cron cron_entry "0 0 * * *" queue_priority normal maxrun 600"
(file "flash:/policies/suspend_ports/tm_suspend_ports.tcl" line 1)

Any insight on what I might be doing wrong or missing?