
Port-Security ?

nawas
Level 4

Can I run an EEM script to shut down a switch port when it disconnects? Or is there any other way to do that with some other script? I'm trying to save my network from pen testers. I have pretty much locked down everything, but last time when they showed up they pulled a cable from a printer, connected their laptop and started testing. The printer was set to use a NAC profile and they spoofed the MAC address. I'm open to other solutions and ideas if mine is not the best one.

4 Replies

hobbe
Level 7

Hi

Depending on your switch model, yes or no.

If the switch supports EEM then yes, that is possible.

But that is a "bad" way of doing the setup, since you will have problems every time the printer restarts.

Things you can do are rather dependent on the printer.

Some food for thought:

Set printers on a separate VLAN?

Set up 802.1X (if the printer supports it)?

Printers are only allowed to speak to certain print servers?

Printers are controlled with ACLs that only allow printing?

Set up an EEM applet with an access-list on incoming traffic on that switchport; if it logs a hit on a special IP address or port, shut down the port and send you an email?

Set up Cisco ISE.

Or you can just live with the knowledge that you have the problem with the printers, state that it is a known issue, and tell them to move on and do all the other tests.

Just some things you can do.

Hope this helps.

Good luck
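An added example, not from any of the posters in this thread, that combines hobbe's "separate VLAN", "ACLs that only allow printing" and "EEM on an ACL hit" points into one IOS configuration for a single printer port. Every VLAN number, address, port name and mail relay in it is a placeholder. It assumes the printer has a static address, that this switch is the Layer 3 gateway for the printer VLAN (the ACL is applied inbound on the SVI, so its log messages fire for any host in that VLAN, and the applet picks out the one printer's source address), and that EEM CLI actions run under a named user, which is the "event manager session cli username" command from the last reply in this thread.

```cisco
! Constructed example; all names and addresses are placeholders.
! Printer VLAN 50, SVI 10.50.0.1 on this switch, printer 10.50.0.20 (static)
! on GigabitEthernet1/0/4, print server 10.10.0.5, mail relay 10.10.0.25.
!
! 1) Printer VLAN ACL: DNS and printing protocols to the print server only.
!    Everything else is denied AND logged; the log line is the applet's trigger.
ip access-list extended PRINTER-VLAN50-IN
 permit udp 10.50.0.0 0.0.0.255 host 10.10.0.5 eq domain
 permit tcp 10.50.0.0 0.0.0.255 host 10.10.0.5 eq 631
 permit tcp 10.50.0.0 0.0.0.255 host 10.10.0.5 eq 515
 permit tcp 10.50.0.0 0.0.0.255 host 10.10.0.5 eq 9100
 deny   ip any any log
!
interface Vlan50
 description Printer VLAN gateway
 ip address 10.50.0.1 255.255.255.0
 ip access-group PRINTER-VLAN50-IN in
!
! 2) The access port itself: fixed VLAN, no trunk negotiation, BPDU guard.
interface GigabitEthernet1/0/4
 description Printer 10.50.0.20
 switchport mode access
 switchport access vlan 50
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! 3) Run the applet's CLI actions as a named user so AAA does not refuse "conf t".
event manager session cli username "eem-admin"
!
! 4) First denied packet from the printer's address: shut the port, log it, mail it.
!    $_syslog_msg carries the triggering line, for example
!    %SEC-6-IPACCESSLOGP: list PRINTER-VLAN50-IN denied tcp 10.50.0.20(51234) -> 10.10.0.8(445), 1 packet
!    The pattern also matches the IPACCESSLOGDP form that ICMP denies produce.
event manager applet PRINTER-GI1-0-4-ACL-HIT
 event syslog pattern "IPACCESSLOG.*list PRINTER-VLAN50-IN denied .*10\.50\.0\.20"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet1/0/4"
 action 4.0 cli command "shutdown"
 action 5.0 cli command "end"
 action 6.0 syslog priority alerts msg "Printer port Gi1/0/4 shut down after ACL hit: $_syslog_msg"
 action 7.0 mail server "10.10.0.25" to "noc@example.com" from "switch@example.com" subject "Printer port Gi1/0/4 shut down" body "$_syslog_msg"
```

The "log" keyword punts denied packets to the CPU and rate-limits the messages, so keep the deny narrow on a busy VLAN; the first denied packet is still logged immediately, which is all the trigger needs. A laptop that only ever talks print protocols to the print server would not trip this ACL, so the applet complements, rather than replaces, 802.1X or ISE profiling. Re-enabling the port after an alert is a manual "no shutdown", which is the behaviour the original question asked for.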

singhaam007
Level 3

Hi Nawas,

Yes, you can use an EEM script, but I would suggest you use an SNMP trap whenever an interface goes down. You can set up email alerts with SNMP traps.

Please see the DEMO EEM script, and you can change it according to your needs.

thanks

! Demo applet: when CPU load crosses 50%, bounce GigabitEthernet0/0, then mail the CPU report.
! EEM runs actions in label order; "show proc cpu sorted" sits just before the mail action
! so that $_cli_result still holds its output when the mail is sent.
event manager applet highcpu
 event snmp oid "1.3.6.1.4.1.9.9.109.1.1.1.1.10.1" get-type exact entry-op ge entry-val 50 exit-op le exit-val 5 poll-interval 5
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t"
 action 1.2 cli command "interface g0/0"
 action 1.3 cli command "shut"
 action 1.4 cli command "end"
 action 1.5 syslog msg "Interface GigabitEthernet0/0 shutdown"
 action 1.6 wait 30
 action 2.0 cli command "enable"
 action 2.1 cli command "conf t"
 action 2.2 cli command "interface g0/0"
 action 2.3 cli command "no shut"
 action 2.4 cli command "end"
 action 2.5 cli command "show proc cpu sorted"
 action 3.0 mail server "172.18.24.31" to "abc@example.com" from "tester@domain.com" subject "High CPU Alert" body "$_cli_result"

http://blog.ioshints.info/2008/06/generate-snmp-trap-on-high-cpu-load.html

I came up with this script. It works, but when I try to enable the disabled port, EEM disables the port right away.

Am I missing something here?

event manager applet interface_down
 event syslog pattern ".*UPDOWN.*FastEthernet0/4.* changed state to down"
 ! action labels must be unique: a second "action 1.0" replaces the first
 action 1.0 syslog msg "Interface FastEthernet0/4 has gone down"
 action 2.0 cli command "enable"
 action 3.0 cli command "conf t"
 action 4.0 cli command "interface FastEthernet0/4"
 action 5.0 cli command "shut"
 action 6.0 cli command "end"

Hello,

You can use "debug event manager action cli" to see where the actual problem is, then use "show logg".

It may be an authorization issue. You may need to add

event manager session cli username "twdadmin"

if there is any username involved.

Please try and let me know.

thanks
