ANDAFBCCO
Beginner

Shutdown Ports not in use for a while with EEM Tcl

I have downloaded these 2 Tcl scripts from this previous discussion and, from the sounds of it, it's exactly what I've been looking for. But the problem is I'm new to EEM and have no idea how to go about putting these on the switches themselves. I've searched for configuration guides but to no avail. Any help is greatly appreciated. Here's the link to the previous discussion:

https://supportforums.cisco.com/thread/164684.pdf;jsessionid=EEEEE143342DAAB34706D608D5C4C920.node0

Joe Clarke
Hall of Fame Cisco Employee

Try this version.  You'll have to change the ED line to run it manually.

Forgive me but what is the ED line?

I just tried to load event man pol tm_suspend_ports.tcl configuration and it spit out this error:

error: tag statement required when using multiple events: policy tm_suspend_ports.tcl

JOSHUA M. PEAVY, SSgt, USAF

CONFIGURATION MANAGEMENT

Joe Clarke
Hall of Fame Cisco Employee

You need to comment out the timer line so that only the event_register_none line is active.  The first line should be:

::cisco::eem::event_register_none maxrun 600

You have no idea how much work you just saved me. I'm posting the script that worked so you can look over it, if you don't mind, to execute at 00:00 every night. Now, if I change the amount of seconds in half, would it essentially go off twice a day? Also, if I modify the script to put it in a VLAN, would it look something like this:

set cli [list "config t"]
# "array names" returns the indices (port names) of the suspend_ports array
foreach port [array names suspend_ports] {
    set cli [concat $cli [list "interface $port" "shut" "switchport access vlan 187"]]
}

Joe Clarke
Hall of Fame Cisco Employee

This version will run at midnight.  If you need it to run more often than that you will need to adjust the cron entry in the event registration line.  You can change the second 0 to 0,12 to run at midnight and noon every day.

Yes, your change will configure a new access VLAN on the switchports that are shut down.

Thank you very much. You are well deserving of the Hall of Fame status.

Joseph - will this procedure work for 4500 and 6500 series switches?  I know they do not log port up/down events by default.

Thanks

Joe Clarke
Hall of Fame Cisco Employee

Yes, it will if you enable logging for port event statuses.  You need to report the link up events to EEM so it can record the last time the port is used.

So would enabling the logging overutilize resources on the switch?  My thought is to use this as an automated security solution.  I want to use this and other scripts to create a policy that will assign ports that have not been up in more than 2 weeks to a parking VLAN.  Then, when a specific MAC, or MACs, is detected on the port, it is reassigned a standard access port configuration appropriate for that particular switch.

Thanks.
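As an added example (not the thread's tm_suspend_ports.tcl, which runs as an EEM Tcl policy on the switch), here is the same bookkeeping written in plain Python so it can be tested offline: record the most recent link-up per port from the %LINK-3-UPDOWN messages Joe says must be logged, flag ports idle for more than two weeks, and build the shut/parking-VLAN command list. The log lines, the timestamp layout and the "current time" are constructed.

```python
import re
from datetime import datetime, timedelta

# Regex for the link-up syslog message a switch emits once interface
# logging is enabled. The timestamp layout is an assumption and must
# match your "service timestamps" setting.
LINK_UP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d{2}:\d{2}:\d{2}).*"
    r"%LINK-3-UPDOWN: Interface (?P<port>\S+), changed state to up$"
)

# Constructed sample log, not captured from a real switch.
SAMPLE_LOG = """\
Mar  1 2024 08:15:02: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
Mar  3 2024 09:00:00: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to up
Mar 20 2024 17:45:10: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
Mar 21 2024 07:30:00: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to down
"""
NOW = datetime(2024, 3, 22, 0, 0, 0)  # constructed "current time" for the check

def last_link_up(log_text):
    """Return {port: datetime of the most recent link-up} seen in the log."""
    seen = {}
    for line in log_text.splitlines():
        m = LINK_UP_RE.match(line)
        if not m:
            continue  # down transitions and unrelated messages are ignored
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        port = m.group("port")
        if port not in seen or ts > seen[port]:
            seen[port] = ts
    return seen

def idle_ports(last_up, now, max_idle=timedelta(days=14)):
    """Ports whose most recent link-up is older than max_idle (two weeks by default)."""
    return sorted(p for p, ts in last_up.items() if now - ts > max_idle)

def parking_cli(ports, vlan):
    """Build the IOS command list, mirroring the 'set cli' loop posted in the thread."""
    cli = ["config t"]
    for port in ports:
        cli += [f"interface {port}", "shutdown", f"switchport access vlan {vlan}"]
    cli.append("end")
    return cli

if __name__ == "__main__":
    stale = idle_ports(last_link_up(SAMPLE_LOG), NOW)
    print("\n".join(parking_cli(stale, 187)))
```

Note that a port with no link-up record at all (GigabitEthernet1/0/3 above, which only went down) is never flagged here, so decide explicitly how such ports should be treated before using this logic to park them.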

Joe Clarke
Hall of Fame Cisco Employee

Nope, no resource limit.  The reason people typically turn this off is to avoid the noise one would get in an NMS when users enter and leave the network.  As long as you are good with filtering these out from your fault management system, then it is fine to leave these messages on.

Thanks Joseph!

Joseph,

I believe I have this configured to move the switchport to a parking VLAN.  What scripting would I need to add to tm_suspend_ports8.tcl to send an e-mail, or an SNMP trap, with the ports that were moved?

If you haven't gathered I know just enough about scripting to be dangerous!

Thanks for all your help

Joe Clarke
Hall of Fame Cisco Employee

Please start a new thread for your specific use case.  Thanks.

Clifton Fourie
Beginner

Hi,

I have tried the same scripts and seem to experience the same results as mentioned above: it shows the ports are shutting down, but it does not disable the ports. Please assist with this, as I'm not clued up with TCL scripting either.

Thanks.