Showing results for 
Search instead for 
Did you mean: 

Port-Security ?


Can I run an EEM script to shut down a switch port when it disconnects? or is there any other way to do that with any other script? I'm trying to save my network from pen testers. I have pretty much locked down everything but last time when they showed they pulled a cable from a printer and connected their laptop and started testing. printer was set to use NAC profile and they spoofed the MAC address. they I'm open to other solution and ideas if mine is not the best one.

4 Replies 4

Rising star
Rising star


Depending on your switch model, yes or no.

if the switch supports EEM then yes that is possible.

But that is a "bad" way of doing the setup since you will have problems everytime the printer restarts.

Things you can do is rather dependant on the Printer.

some food for thought

Set printers on separate Vlan ?

setting up 802.1x (if the printer supports it) ?

printers are only allowed to speak to certain print servers ?

Printers are controlled with ACLs that does only allow printing

Setup an EEM with an access-list on incoming traffic on that switchport, if it logs a hit on a special ip address or port shuts down the port and sends you an email  ?

setup Cisco ISE

Or you can just live with the knowledge that you have the problem with the printers and state that that is a known and tell them to move on and do all the other tests.

Just some things you can do

Hope This Helps

Good luck


Hi Nawas,

Yes you can use EEM script but I will suggest you to use SNMP trap when ever there is any interface down . you can set up email alerts with SNMP trap.

Please see  DEMO EEM script and you can change it according to you need.


event manager applet highcpu
event snmp oid "" get-type exact entry-op ge entry-val 50 exit-op le exit-val 5 poll-interval 5
action 1.0 cli command "enable"
action 2.0 cli command "show proc cpu sorted"
action 3.0 mail server "" to from "" subject "High CPU Alert" body "$_cli_result"

action 1.1 cli command "enable"

action 1.2 cli command "conf t"

action 1.3 cli command "interface g0/0"

action 1.4 cli command "shut"

action 1.5 cli command "end"

action 1.6 syslog msg "Interface GigabitEthernet 0/1 shutdown"

action 1.7 - wait 30 seconds?

action 2.1 cli command "enable"

action 2.2 cli command "conf t"

action 2.3 cli command "interface g0/0"

action 2.4 cli command "no shut"

action 2.5 cli command "end"

I came up with this script it works but when I try to enable the disabled port the EEM disables the pot right away

Am I missing something here?

event manager applet interface_down

event syslog pattern ".*UPDOWN.*FastEthernet0/4.* changed state to down"

action 1.0 syslog msg "Interface FastEthernet0/4 has gone down"

action 1.0 cli command "enable"

action 2.0 cli command "conf t"

action 3.0 cli command "Interface FastEthernet0/4"

action 4.0 cli command "shut"

action 5.0 cli command "end"


You can use debug event manager action cli to see where the actually problem is . then use show logg .

It may be authorization issue. You may be need to add

event manager session cli username "twdadmin"

if there is any user name involve.

Please try and let me know.


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers