EEM Script to remove port security from an interface.

SimpsonM
Level 1

Our team uses port security to force phones not to move from their locations for 911 location services. We have not found a way to exclude any access VLANs within the port security functions. Does anyone have a sample script that can clear port security MACs for non-voice VLAN MACs that are sticky or stuck on the port, allowing users to move a PC / laptop without rendering it useless within the same switch? We are using 4500's and some stackables.

6 Replies

Hello,


post a sample of a port configuration as it is right now, and a sample of what you want the port configuration to look like once the EEM script has executed...

interface GigabitEthernet1/11
switchport access vlan 321
switchport mode access
switchport voice vlan 2321
switchport port-security maximum 11
switchport port-security maximum 10 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky <<< if a PC is plugged in through the phone, it traps the data VLAN MAC here; this is what we want to remove.
switchport port-security mac-address sticky 001a.e85b.bbba vlan voice <<< this should remain to keep the port locked
spanning-tree portfast
ip dhcp snooping limit rate 100
end


We would want this script to run nightly to clear data macs as indicated. 

Some switches are stackables with g1/0/1 naming vs g1/11 interface naming.


I would be happy with something that runs on 4500 and 9400's.

Hello,


since the sticky MAC addresses are different for each port, the EEM script cannot be totally automated. It comes down to configuring a section such as the one below for each interface (the script runs each day at midnight):


event manager applet CLEAR_MAC_STICKY
event timer cron cron-entry "0 0 * * *" maxrun 99999999
action 1.0 cli command "enable"
action 1.1 cli command "conf t"
action 1.2 cli command "interface GigabitEthernet1/11"
action 1.3 cli command "no switchport port-security mac-address sticky"
action 1.4 cli command "shut"
action 1.5 cli command "no shut"
action 1.6 cli command "switchport port-security mac-address sticky 001a.e85b.bbba vlan voice"
action 1.7 cli command "end"

I guess this may need to be a Tcl script instead of EEM; then EEM could be used to call up the Tcl every night.

I don't know if a TCL script would make much of a difference, to be honest. The sticky MAC address for the voice vlan is not a variable and is not dynamic, so somehow you need to enter it manually...

I don't want to touch the voice VLAN sticky MAC; it will remain regardless of clearing the other. Couldn't a Tcl script read the MAC for the data subnet entry, then feed it back in with a "no" statement to clear it?
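As an added example (not code from this thread or from Cisco), here is an offline Python generator that does what the last comment asks of a Tcl script: read the learned sticky entries from a running-config, keep the voice-VLAN one untouched, and emit a "no" statement for every other sticky MAC, across interfaces using either the g1/11 or the g1/0/1 naming style. The running-config excerpt is constructed, and the exact suffix IOS prints on data-VLAN sticky lines (bare or "vlan access") is an assumption, so both forms are handled.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed running-config excerpt modelled on the interface posted above.
# Assumption: data-VLAN sticky lines appear either bare or with a "vlan access" suffix.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/11
 switchport access vlan 321
 switchport voice vlan 2321
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
 switchport port-security mac-address sticky 001a.e85b.bbba vlan voice
!
interface GigabitEthernet1/0/1
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0022.3344.5566 vlan access
 switchport port-security mac-address sticky 001b.d4aa.1234 vlan voice
!
interface GigabitEthernet1/12
 switchport access vlan 321
!
"""

# Matches only learned sticky entries (a MAC follows "sticky"); the bare
# "switchport port-security mac-address sticky" enable line is deliberately skipped.
STICKY_MAC = re.compile(
    r"^\s*switchport port-security mac-address sticky "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})(?: vlan (\S+))?\s*$", re.IGNORECASE)

def sticky_macs_by_interface(config: str) -> Dict[str, List[Tuple[str, Optional[str]]]]:
    """Map interface name -> [(mac, vlan keyword or None), ...] for learned sticky entries."""
    result: Dict[str, List[Tuple[str, Optional[str]]]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            continue
        m = STICKY_MAC.match(line)
        if m and current:
            result.setdefault(current, []).append((m.group(1).lower(), m.group(2)))
    return result

def cleanup_commands(config: str) -> List[str]:
    """Config-mode commands removing every sticky MAC except those on the voice VLAN."""
    cmds: List[str] = []
    for intf, entries in sticky_macs_by_interface(config).items():
        to_remove = [(mac, vlan) for mac, vlan in entries if vlan != "voice"]
        if not to_remove:
            continue  # nothing learned on the data VLAN; leave the interface untouched
        cmds.append(f"interface {intf}")
        for mac, vlan in to_remove:
            suffix = f" vlan {vlan}" if vlan else ""  # echo the suffix IOS printed
            cmds.append(f" no switchport port-security mac-address sticky {mac}{suffix}")
    return cmds
```

The returned lines are the block a nightly job (an EEM Tcl policy using cli_exec, or an external tool over SSH) would push; the voice entry is never emitted, so the port stays locked to the phone.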
