05-05-2021 12:40 AM
Hello,
can a switch port be automatically set to shutdown via EEM if the RJ45 patch cable is unplugged on the device side? I would like to prevent compromise attempts in the public sector even without an ISE. In the medium term, an ISE policy will prevent access, but since the device only supports MAB (certificates still to be clarified) I would like to write a simple shutdown on unplug via EEM. Is this possible? If yes, how? Many greetings and thanks
05-05-2021 03:03 AM
You can do it based on the syslog event:
event manager applet port-shut
 ! fires only on the link-down message of one specific port (replace GiXXXXXXXXX y/y with the real interface name)
 event syslog pattern "%LINK-3-UPDOWN: Interface GiXXXXXXXXX y/y, changed state to down"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface Gi y/y"
 action 4.0 cli command "shutdown"
 action 5.0 cli command "end"
You can also capture the interface with a regex based on the interface-down message and shut it down:
05-05-2021 08:40 AM - edited 05-05-2021 09:31 AM
Hello,
depending on which syslog message you actually get when the device connected to the port is unplugged, either one of the scripts below should work:
event manager applet IF_DOWN_SHUT_5
 ! the syslog pattern is a regex; anchoring on "changed state to down" keeps the applet from
 ! firing on the matching "changed state to up" message and shutting a port that just came up
 event syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface .*, changed state to down"
 ! capture the interface name (everything between "Interface " and the comma) into $intf
 action 0.0 regexp "Interface ([^,]+)" "$_syslog_msg" match intf
 action 1.0 syslog msg "Interface $intf, changed state to down"
 action 2.0 cli command "enable"
 action 3.0 cli command "conf t"
 action 4.0 cli command "interface $intf"
 action 5.0 cli command "shut"
 action 6.0 cli command "end"
event manager applet IF_DOWN_SHUT_3
 ! same idea for the link-level message; again match only the "down" transition
 event syslog pattern "%LINK-3-UPDOWN: Interface .*, changed state to down"
 action 0.0 regexp "Interface ([^,]+)" "$_syslog_msg" match intf
 action 1.0 syslog msg "Interface $intf, changed state to down"
 action 2.0 cli command "enable"
 action 3.0 cli command "conf t"
 action 4.0 cli command "interface $intf"
 action 5.0 cli command "shut"
 action 6.0 cli command "end"
Edit: you might want to check if you get a syslog message if legitimate users shut down their devices, or if the NIC in the attached devices goes into sleep mode. You obviously do not want to shut down ports where legit users are connected...
03-06-2023 02:22 AM
Hello,
The configuration works as expected, but with one issue: when I run "no shutdown" on the interface, the EEM will run again and shut the port. Do you have any idea how to solve this issue?
Thanks in advance
03-06-2023 03:07 AM
If the device is not connected when you issue no shutdown, the EEM script sees the log message that the port is down and puts it in shutdown mode.
You should only unshut if the end device is connected.
This is only a short-term solution using EEM;
the long-term solution is 802.1X-based authentication, which will solve many issues.
03-07-2023 08:40 AM
BTW, just wondering if you've considered any other approaches, such as, perhaps, locking ports to MACs (assuming your hardware supports it). That would allow a normal host to reconnect w/o requiring you to re-enable the port, but an unexpected host MAC would disable the port.
(I envision a bit of a nightmare scenario, such as a temporary power outage causing a huge number of hosts to drop the port, and then you need to manually re-enable all the disabled ports.)
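An added configuration example, not from any post in this thread, of the port-locking approach suggested above (IOS port security with sticky MACs), paired with err-disable recovery so a bulk outage does not leave ports to re-enable by hand. The interface range, the one-address maximum and the 300-second recovery interval are assumptions for the example.

```ios
! Added example, not from the thread: port security instead of an EEM link-down shutdown.
! Assumes access ports Gi1/0/1-24; adjust range, maximum and recovery interval to your site.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport port-security
 ! allow exactly one MAC address on the port
 switchport port-security maximum 1
 ! learn the first MAC seen and bind it to the port (sticky entries land in running-config;
 ! save with "write memory" so they survive a reload)
 switchport port-security mac-address sticky
 ! an unexpected MAC err-disables the port and logs %PORT_SECURITY-2-PSECURE_VIOLATION
 switchport port-security violation shutdown
!
! Unlike the EEM applet, a plain link-down (power outage, host sleep, cable pull) does not
! disable the port: the learned MAC stays bound and the same host simply reconnects, and
! "no shutdown" on an empty port does not trigger anything.
! Ports err-disabled by a violation recover automatically after 300 seconds, so a mass
! event cannot leave you re-enabling ports one by one.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

A legitimately replaced device keeps tripping the violation until its predecessor's sticky entry is removed with "clear port-security sticky interface <name>", so the swap procedure needs that step.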