EEM: automated switchport shutdown if device unplugged

Carsten.wehnert
Level 1

Hello,

can a switch port be automatically set to shutdown via EEM if the RJ45 patch cable is unplugged on the device side? I would like to prevent compromise attempts in the public sector even without an ISE. In the medium term, an ISE policy will prevent access, but since the device only supports MAB (certificates still to be clarified), I would like to write a simple shutdown on unplug via EEM. Is that possible? If yes, how? Many greetings and thanks

2 Accepted Solutions

balaji.bandi
Hall of Fame

You can do it based on the syslog event:

 

event manager applet port-shut
event syslog pattern "%LINK-3-UPDOWN: Interface GiXXXXXXXXX y/y, changed state to down"
action 1.0 cli command "enable"
action 2.0 cli command "configure terminal"
action 3.0 cli command "interface Gi y/y"
action 4.0 cli command "shutdown"

 

You can capture the interface that went down with a regex and shut it down:

 

https://community.cisco.com/t5/networking-documents/using-eem-to-migrate-static-end-device-to-a-managed-network/ta-p/3798550

 

BB


Hello,

 

depending on which syslog message you actually get when the device connected to the port is unplugged, either one of the scripts below should work:

 

! Match only the link-down transition: the bare "Line protocol on Interface"
! pattern also fires on "changed state to up" and would shut a port that just came up.
! Note that the switch logs this same LINEPROTO "down" message right after the
! shutdown itself, so this applet re-runs once on its own action (harmlessly).
event manager applet IF_DOWN_SHUT_5
event syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface [^,]+, changed state to down"
action 0.0 regexp "Interface ([^,]+)" "$_syslog_msg" match intf
action 1.0 syslog msg "Interface $intf, changed state to down"
action 2.0 cli command "enable"
action 3.0 cli command "conf t"
action 4.0 cli command "interface $intf"
action 5.0 cli command "shut"
action 6.0 cli command "end"

 

! Same fix for the LINK-3 variant; the shutdown produces %LINK-5-CHANGED
! ("administratively down"), not %LINK-3-UPDOWN, so this one does not re-trigger itself.
event manager applet IF_DOWN_SHUT_3
event syslog pattern "%LINK-3-UPDOWN: Interface [^,]+, changed state to down"
action 0.0 regexp "Interface ([^,]+)" "$_syslog_msg" match intf
action 1.0 syslog msg "Interface $intf, changed state to down"
action 2.0 cli command "enable"
action 3.0 cli command "conf t"
action 4.0 cli command "interface $intf"
action 5.0 cli command "shut"
action 6.0 cli command "end"

 

Edit: you might want to check if you get a syslog message if legitimate users shut down their devices, or if the NIC in the attached devices goes into sleep mode. You obviously do not want to shut down ports where legit users are connected...


5 Replies


Raad Saad
Level 1

Hello,

The configuration works as expected, but with one issue: when I run "no shutdown" on the interface, the EEM will run again and shut the port. Do you have any idea how to solve this issue?

Thanks in advance

If the device is not connected when you issue no shutdown, the EEM script sees the log message that the port is down and puts it in shutdown mode.

You only unshut if the end device is connected.

This is only a short-term solution using EEM.

The long-term solution is 802.1X-based authentication, which will solve many issues.

BB


Joseph W. Doherty
Hall of Fame

BTW, just wondering if you've considered any other approaches, such as, perhaps, locking ports to MACs (assuming your hardware supports it). That would allow a normal host to reconnect w/o requiring you to re-enable the port, but an unexpected host MAC would disable the port.

(I envision a bit of a nightmare scenario, such as a temporary power outage causing a huge number of hosts to drop their ports, after which you need to manually re-enable all the disabled ports.)
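Added example, not code from any of the posts above: a Python model of the applets' syslog-pattern decision, written so the three cases raised in this thread can be checked offline before anything is pushed to a switch. It compares the pattern as posted against one restricted to "changed state to down", and adds the two guards the later replies ask for: ignoring a "down" on a port that has not been up since the operator's "no shutdown" (the case Raad Saad reports, which BB explains), and skipping a burst of simultaneous drops (the outage scenario Joseph W. Doherty describes). The message strings are the standard IOS %LINK-3-UPDOWN, %LINK-5-CHANGED and %LINEPROTO-5-UPDOWN formats quoted in the thread; the sample lines are constructed, the burst thresholds are hypothetical tuning values, and the per-port state it keeps is something the posted applets do not have.

```python
"""Added example, not from the thread: offline model of the EEM applets'
syslog-pattern decision. Assumptions (mine): standard IOS LINK/LINEPROTO
message formats; constructed sample lines; hypothetical guard thresholds."""
import re

# Regex used by the posted applets to pull the interface name out of $_syslog_msg.
INTF_RE = re.compile(r"Interface ([^,]+)")
# Trailing state of a LINK/LINEPROTO message.
STATE_RE = re.compile(r"changed state to (up|down|administratively down)$")

# Pattern as posted: matches every LINK-3-UPDOWN message, up or down.
BROAD_PATTERN = re.compile(r"%LINK-3-UPDOWN: Interface")
# Narrowed pattern: only link-down transitions.
DOWN_PATTERN = re.compile(r"%LINK-3-UPDOWN: Interface [^,]+, changed state to down")


def parse(msg):
    """Return (interface, new_state) for a LINK/LINEPROTO message, else None."""
    m_i, m_s = INTF_RE.search(msg), STATE_RE.search(msg)
    if not (m_i and m_s):
        return None
    return m_i.group(1), m_s.group(1)


def applet_would_fire(msg, pattern):
    """Interface the posted applet would shut for this message, or None.
    Mirrors 'event syslog pattern <pattern>' followed by
    'action regexp "Interface ([^,]+)" "$_syslog_msg" match intf'."""
    if pattern.search(msg) is None:
        return None
    m = INTF_RE.search(msg)
    return m.group(1) if m else None


def plan_shutdowns(lines, pattern=DOWN_PATTERN, require_prior_up=True,
                   max_burst=5, window_s=10.0):
    """lines: (timestamp_seconds, syslog_text) pairs in time order.

    Returns the interfaces to shut, applying two guards:
      * require_prior_up: ignore a 'down' on a port that has not been up
        since its last administratively-down (the 'no shutdown' on an
        empty port case); this needs per-port state the applets lack.
      * max_burst/window_s: drop a burst of more than max_burst candidate
        shutdowns inside window_s (the power-outage case).
    """
    state = {}       # interface -> "up" | "down" | "admin"
    candidates = []  # (timestamp, interface) the applet would act on
    for ts, msg in lines:
        parsed = parse(msg)
        if parsed is None:
            continue
        intf, new_state = parsed
        if applet_would_fire(msg, pattern) and (
                not require_prior_up or state.get(intf) == "up"):
            candidates.append((ts, intf))
        # Only LINK-level messages change the tracked port state; the
        # LINEPROTO line that follows each of them repeats the transition.
        if "%LINK-" in msg:
            state[intf] = "admin" if new_state == "administratively down" else new_state

    # Burst guard: group candidates within window_s of the first in the
    # group and discard the whole group if it is too large.
    to_shut, i = [], 0
    while i < len(candidates):
        j = i
        while j < len(candidates) and candidates[j][0] - candidates[i][0] <= window_s:
            j += 1
        if j - i <= max_burst:
            to_shut.extend(intf for _, intf in candidates[i:j])
        i = j
    return to_shut


# Constructed sample: a device connects, is unplugged a minute later, the
# applet shuts the port, an operator does 'no shutdown' on the still-empty
# port, and later a device is plugged into a second port.
SAMPLE = [
    (0.0,   "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up"),
    (0.1,   "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up"),
    (60.0,  "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down"),
    (60.1,  "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down"),
    (61.0,  "%LINK-5-CHANGED: Interface GigabitEthernet1/0/1, changed state to administratively down"),
    (61.1,  "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down"),
    (300.0, "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down"),
    (400.0, "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to up"),
]
# Constructed sample: eight ports drop within two seconds (power outage).
STORM = [(100.0 + i * 0.2,
          f"%LINK-3-UPDOWN: Interface GigabitEthernet1/0/{i + 1}, changed state to down")
         for i in range(8)]

if __name__ == "__main__":
    print("posted pattern, no state:   ", plan_shutdowns(SAMPLE, BROAD_PATTERN, require_prior_up=False))
    print("down-only pattern, no state:", plan_shutdowns(SAMPLE, DOWN_PATTERN, require_prior_up=False))
    print("down-only pattern, stateful:", plan_shutdowns(SAMPLE))
    print("storm:                      ", plan_shutdowns(STORM, require_prior_up=False))
```

Run as-is, the posted pattern shuts GigabitEthernet1/0/1 three times and also GigabitEthernet1/0/2 the moment a device is plugged in; the down-only pattern removes the two "up" hits, the per-port state removes the "no shutdown" re-trigger, and the burst guard leaves the storm alone for a human to look at.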