05-05-2013 06:04 AM
I've browsed around to the other support strings to make sure I didn't miss anything, but I can't seem to get this to work. I have the latest sl_suspend_ports.tcl and tm_suspend_ports.tcl created by Joseph Clarke from strings that verified they worked as planned. Here are the commands I issued to register the scripts -
Directory of flash:/policies/
9 -rwx 3101 May 3 2013 07:58:03 +00:00 sl_suspend_ports.tcl
10 -rwx 4669 May 3 2013 07:58:44 +00:00 tm_suspend_ports.tcl
conf t
event manager directory user policy flash:/policies
event manager policy sl_suspend_ports.tcl
event manager environment suspend_ports_days 1
event manager environment suspend_ports_config flash:/susp_ports.dat
event manager policy tm_suspend_ports.tcl
#show run | inc event manager environment
event manager environment suspend_ports_days 1
event manager environment suspend_ports_config flash:/susp_ports.dat
It doesn't appear to work though. Essentially, we have a need to make sure all computers are always on and all ports not active for >24 hours to be shutdown and moved to a designated vlan (I added the 'lappend' statement to the script to specify the additional command of assigning the vlan)
I'm running 12.2(55)SE7 on Catalyst 3560s and 3750s
Is there a way to manually run the script? Did I miss anything in the configuration?
Thanks for your help!
Chris
05-13-2013 08:53 PM
You should see some debugging provided you enabled "terminal monitor". However, with command authorization, you will need to configure:
event manager session cli username USER
Where USER is a user authorized to run the "show ip int brief" command.
05-13-2013 09:22 PM
Doh! Yeah, terminal monitor.... And that is the problem -
2>enable
002093: May 14 04:16:51.592: %HA_EM-6-LOG: tm_suspend_ports.tcl : DEBUG(cli_lib) : OUT : SPOD-N-2-S-tcf-IGX-s2#
SPOD-N-2-S-tcf-IGX-s2#
002094: May 14 04:16:51.592: %HA_EM-6-LOG: tm_suspend_ports.tcl : DEBUG(cli_lib) : IN : SPOD-N-2-S-tcf-IGX-s2#config t
002095: May 14 04:16:51.911: %HA_EM-6-LOG: tm_suspend_ports.tcl : DEBUG(cli_lib) : OUT : Command authorization failed.
002096: May 14 04:16:51.911: %HA_EM-6-LOG: tm_suspend_ports.tcl : DEBUG(cli_lib) : OUT :
002097: May 14 04:16:51.911: %HA_EM-6-LOG: tm_suspend_ports.tcl : DEBUG(cli_lib) : OUT : SPOD-N-2-S-tcf-IGX-s2#
002098: May 14 04:16:51.911: %HA_EM-6-LOG: tm_suspend_ports.tcl : DEBUG(cli_lib) : IN : SPOD-N-2-S-tcf-IGX-s2#end
002099: May 14 04:16:52.331: %HA_EM-6-LOG: tm_suspend_ports.tcl : DEBUG(cli_lib) : OUT : Command authorization failed.
I tried entering the command you suggested with a local account that has priv 15 access, but the output was the same when I manually ran the script.
05-13-2013 09:24 PM
You can't use a local account. You need to use an account that is authorized by AAA. For example, use your own username.
05-13-2013 09:57 PM
That worked! Now to see if it works with the scheduled tm overnight when I'm not here. I'll report back in the morning (my time). Thanks again for all the help!
susp_ports.dat contents -
FastEthernet0/8 1368505930 FastEthernet0/4 1368505930 FastEthernet0/10 1368505930 FastEthernet0/9 1368505930 FastEthernet0/5 1368505930 FastEthernet0/6 1368505930 FastEthernet0/2 1368505930 FastEthernet0/7 1368505930 FastEthernet0/3 1368505930
05-15-2013 09:52 PM
SUCCESS! AWESOME!
I added one more line to the lappend statements to add a description with the time stamp, here's what happened -
Port Name Status Vlan Duplex Speed Type
Fa0/2 Disable by Inactiv disabled 666 auto auto 10/100BaseTX
Fa0/3 Disable by Inactiv disabled 666 auto auto 10/100BaseTX
Fa0/4 Disable by Inactiv disabled 666 auto auto 10/100BaseTX
Fa0/5 Disable by Inactiv disabled 666 auto auto 10/100BaseTX
Fa0/6 Disable by Inactiv disabled 666 auto auto 10/100BaseTX
Fa0/7 Disable by Inactiv disabled 666 auto auto 10/100BaseTX
Fa0/8 Disable by Inactiv disabled 666 auto auto 10/100BaseTX
Fa0/9 Disable by Inactiv disabled 666 auto auto 10/100BaseTX
Fa0/10 Disable by Inactiv disabled 666 auto auto 10/100BaseTX
#sh run int fa0/2
Building configuration...
Current configuration : 408 bytes
!
interface FastEthernet0/2
description Disable by Inactivity Script last used on Tue May 14 04:32:10 ZULU 2013
switchport access vlan 666
shutdown
end
So to recap for any future folks that stumble upon this thread and want to use this method.
1. Create a TACACS service account or use a TACACS/RADIUS account that has a high enough privilege to edit the config.
2. Create a "policies" directory on flash and copy the attached scripts to it.
3. Register the scripts using the following commands -
#conf t
(config)#event manager directory user policy flash:/policies
(config)#event manager policy sl_suspend_ports.tcl
(config)#event manager environment suspend_ports_days 1 "<--Or the number of days inactive you choose"
(config)#event manager environment suspend_ports_config flash:/susp_ports.dat
(config)#event manager policy tm_suspend_ports.tcl
(config)#event manager session cli username "svc.eemscript" "<---The account you created to run in step 1"
The output of "show event manager policy registered" should then show the following -
#show event manager policy registered
No. Class Type Event Type Trap Time Registered Secu Name
1 script user syslog Off Fri May 3 10:20:26 2013 2048 sl_suspend_ports.tcl
pattern {LINEPROTO-5-UPDOWN}
nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary
2 script user timer cron Off Tue May 14 05:25:42 2013 2048 tm_suspend_ports.tcl
cron entry {0 0 * * *}
nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary
NOTE: On lines 140-145 of the tm_suspend_ports.tcl file, you can edit the commands you want the script to execute to your liking. I have it adding a description as seen in the above output and moving to an isolated non-routable VLAN of my network.
Thanks Joe Clarke for the awesome script and assistance in getting it running!
11-14-2015 05:21 PM
Joe.
I have implemented your script and it has worked wonders. I do have a question to ask. I am wanting to have an exclusion included in one of the scripts to exclude ports in a VLAN. The ports in the VLAN can never get disabled due to different times, days, weeks, users use the equipment. It varies when the users use them but due to critical circumstances, it is required for the script to skip them. If you could please provide some assistance in making this happen.
11-15-2015 11:49 AM
In the tm_suspend_ports.tcl policy, you can add the following code in the loop that goes through the suspend_ports array:
set output [run_cli [list "show int $port switchport | inc Access Mode VLAN"]]
if { ! [regexp {Access Mode VLAN: NUM} $output] } {
    set cli [concat $cli [list "interface $port" "shut"]]
    action_syslog msg "Shutting down port $port since it was last used on [clock format $suspend_ports($port)]"
}
Here, NUM is your special VLAN number.
11-15-2015 04:45 PM
Thank you for the code. I will test it to see how it performs. Once again you have saved the day!!
11-16-2015 01:19 PM
Joe,
The script worked. One more question. If I wanted more than one VLAN to be exempted, what would the code look like? Also, when I looked at the .dat file it still showed the port with the VLAN in it. It never goes away. I think we might have to update the sl_suspend_ports.tcl as well. Thanks.
11-16-2015 02:20 PM
Depending on the VLAN pattern, you could do VLAN1|VLAN2... as part of the regular expression itself. Or, you could simply extend the if conditional with && to match multiple patterns.
11-18-2015 07:11 AM
I tried what you said but it gives me errors. This is what I have:
if { ! [regexp {Access Mode VLAN: NUM} $output] } && if { ! [regexp {Access Mode VLAN: NUM} $output] } {
set cli [concat $cli [list "interface $port" "shut"]]
action_syslog msg "Shutting down port $port since it was last used on [clock format $suspend_ports($port)]"
}
I am missing something very simple
11-18-2015 08:11 AM
You can't string together statements like this. Conditionals belong within a single if statement:
if { ! [regexp {Access Mode VLAN: NUM} $output] && ! [regexp {Access Mode VLAN: NUM} $output] } {
12-07-2015 04:19 AM
The script works with both VLANs being excluded. I was noticing though that the .dat file that gets created still shows the ports of the VLANs being excluded. Is there a way to get those off?
12-07-2015 08:07 AM
You could, but it would be a bit more complex as you need to add code to the loop that goes through each line of the "show ip int brief" output to determine the port's VLAN, then filter it out of the ports array. It shouldn't cause a problem by leaving them in there, though.
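An added example, not part of the thread or of the original scripts: one way to exempt several VLANs and to filter their ports out of the port list, written as plain Tcl procs. The proc names (access_vlan, port_is_exempt, ports_to_shut), the exempt VLAN numbers and the sample switchport output are assumptions made for the illustration; in a policy the output would come from the script's run_cli call.

```tcl
# Added example. Proc names and sample data are constructed for illustration.
# Uses only older Tcl commands (arrays, lsearch), no dict or "in" operator.

# Return the access VLAN number found in "show int <port> switchport" output,
# or an empty string when no "Access Mode VLAN" line is present.
proc access_vlan {output} {
    if {[regexp {Access Mode VLAN:\s+(\d+)} $output -> vlan]} {
        return $vlan
    }
    return ""
}

# True when the port's access VLAN is in the exempt list. The VLAN number is
# compared as a whole list element, so exempting 10 does not also exempt 100.
proc port_is_exempt {output exempt_vlans} {
    set vlan [access_vlan $output]
    expr {[string length $vlan] > 0 && [lsearch -exact $exempt_vlans $vlan] >= 0}
}

# Given "port timestamp" pairs (as in the susp_ports.dat contents posted
# earlier) and the captured switchport output per port, return the ports
# that are still candidates for shutdown.
proc ports_to_shut {port_times switchport_out exempt_vlans} {
    array set times $port_times
    array set out $switchport_out
    set shut {}
    foreach port [lsort [array names times]] {
        if {[info exists out($port)] && [port_is_exempt $out($port) $exempt_vlans]} {
            continue
        }
        lappend shut $port
    }
    return $shut
}

# Constructed sample: VLANs 10 and 20 are exempt; Fa0/3 sits in VLAN 100.
set exempt_vlans {10 20}
set port_times {FastEthernet0/2 1368505930 FastEthernet0/3 1368505930 FastEthernet0/4 1368505930}
set switchport_out [list \
    FastEthernet0/2 "Access Mode VLAN: 10 (VLAN0010)" \
    FastEthernet0/3 "Access Mode VLAN: 100 (VLAN0100)" \
    FastEthernet0/4 "Access Mode VLAN: 1 (default)"]

puts [ports_to_shut $port_times $switchport_out $exempt_vlans]
```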
12-14-2015 07:48 PM
Joe,
I am having some issues when trying to get the script you provided to work. When running the script, I am being prompted:
invalid command name "::cisco::eem::event_register_syslog"
while executing
"::cisco::eem::event_register_syslog pattern "LINEPROTO-5-UPDOWN" maxrun 600"
(file "flash:/policies/suspend_ports/sl_suspend_ports.tcl" line 1)
And for the other script is the same thing:
invalid command name "::cisco::eem::event_register_timer"
while executing
"::cisco::eem::event_register_timer cron cron_entry "0 0 * * *" queue_priority normal maxrun 600"
(file "flash:/policies/suspend_ports/tm_suspend_ports.tcl" line 1)
Any insight on what I might be doing wrong or missing?