01-28-2020 11:49 PM
Hello community,
One of our customers has given us a requirement: if a computer is idle for, let's say, 5 mins, or if the user is not at his/her desk, the switch port connected to that computer should go into administrative down mode and should come up only by manual intervention by the network helpdesk team.
Can we achieve this feature? Please let me know if any switch supports this feature.
thank you
mangesh
01-29-2020 12:15 AM
Hi there,
I've one question: if the user was idle and the switchport shutdown, when the user returns how would the network or any other system detect that the user was back when the line of communication has been disabled?
This is not a good idea!
cheers,
Seb.
01-29-2020 12:31 AM
I know this is not a good idea, but the customer asks for this feature. Every time the switch port goes administratively down, the user needs to ask the network helpdesk team to manually enable the switchport. Of course there will be a huge overload on the network helpdesk team, but this is what our customer is looking for.
If the customer asks for any feature, we have to provide some solution to them.
01-29-2020 12:43 AM
01-29-2020 01:00 AM
Hello,
the only thing I can think of is an EEM script that runs every 5 minutes, cycles through the output of 'show interfaces | inc Last input' and, if the last input has been more than 5 minutes ago, runs an action that shuts down the interface...
I'll try and come up with something that does the above...
01-29-2020 01:20 AM - edited 01-29-2020 01:20 AM
Even if the user is idle or away, the NIC in the PC will still be generating background chat on the network, making the interface always appear in use.
This needs to be implemented as an agent at the OS level which would fire off a notification to a control server to do *something*. Probably not shutting down the switchport, but maybe adding the PC's IP address to an inbound ACL on the local subnet gateway to prevent off-subnet communication...?
01-29-2020 01:51 AM
Hello,
are these Windows machines? If so, you could go to 'Power Options' and set all values under 'Power & sleep' to 5 minutes:
Power & sleep
Screen
When plugged in, turn off after 5 minutes
Sleep
When plugged in, PC goes to sleep after 5 minutes
Then, in 'Device Manager', expand 'Network Adapters', right-click the adapter > Properties > Power Management, and then select the 'Allow the computer to turn off this device to save power' check box.
Then, if you configure all switch interfaces with the command:
logging event link-status
This should generate a syslog message which in turn can trigger an EEM script that admin shuts down the interface, and even notify your administrators when that happens...
01-29-2020 05:04 AM
Either way, if you decide to configure the Windows machines as outlined, you can install the script below on each switch:
event manager environment _email_to your-to-mail@domain.com
event manager environment _email_server your.mail.server
event manager environment _email_from your-from-mail@domain.com
!
! Fires on any syslog message containing "changed state to down"
event manager applet SHUT_INTF
event syslog pattern "changed state to down"
! Extract the interface name from the triggering syslog message
action 0.0 regexp "Interface ([^,]+)" "$_syslog_msg" match intf
action 1.0 syslog msg "Interface $intf, changed state to down"
! Enter global configuration mode, then shut the interface
action 2.0 cli command "enable"
action 2.5 cli command "configure terminal"
action 3.0 cli command "interface $intf"
action 4.0 cli command "shut"
action 5.0 cli command "end"
! Notify logged-in users and e-mail the administrators
action 6.0 cli command "send log Interface $intf has been administratively shut down"
action 7.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: $intf has been administratively shut down" body "$_syslog_msg"
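Added example, not part of the original post: the applet's two patterns replayed in Python over constructed IOS link-event messages, to show which messages would fire it and which interface it would act on. The sample interface names and the ACCESS_PORTS allowlist are assumptions; the allowlist illustrates restricting the action to user-facing ports, since uplink and SVI messages match the same pattern.

```python
import re

# The same two expressions the SHUT_INTF applet uses, evaluated with Python's re.
TRIGGER = re.compile(r"changed state to down")
INTF = re.compile(r"Interface ([^,]+)")

# Assumption: only these user-facing access ports (Gi1/0/1-48) may be auto-shut.
ACCESS_PORTS = re.compile(r"^GigabitEthernet1/0/(?:[1-9]|[1-3][0-9]|4[0-8])$")

# Constructed sample messages in the standard IOS link-event format.
SAMPLE_LOG = [
    "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to down",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to down",
    "%LINK-5-CHANGED: Interface GigabitEthernet1/0/5, changed state to administratively down",
    "%LINK-3-UPDOWN: Interface TenGigabitEthernet1/1/1, changed state to down",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to down",
    "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up",
]


def matched_interface(line):
    """Return the interface the applet would act on, or None if it would not fire."""
    if not TRIGGER.search(line):
        return None
    m = INTF.search(line)
    return m.group(1) if m else None


def plan(lines, allowed=ACCESS_PORTS):
    """Count applet firings and split the hits into ports to shut and hits to ignore."""
    shut, ignored, fires = [], [], 0
    for line in lines:
        intf = matched_interface(line)
        if intf is None:
            continue
        fires += 1
        bucket = shut if allowed.match(intf) else ignored
        if intf not in bucket:
            bucket.append(intf)
    return {"fires": fires, "shut": shut, "ignored": ignored}


if __name__ == "__main__":
    print(plan(SAMPLE_LOG))
```

One link drop on an access port fires the pattern twice (LINK and LINEPROTO), while the "administratively down" message produced by the shutdown itself does not match.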
01-29-2020 05:39 AM
Why not approach it the right way, knowing everything you do on a switch will be garbage? Set the idle time on the PC to 5min with a locking screen that he or she doesn't have a password to unlock. Then the user would be required to seek his or her manager to unlock the system as needed. That puts administration and supervision for access where it belongs and is likely only truly going to work. In the end, this is someone asking for something impractical by design. At times we have to state facts, that being one. There's a solution but the customer is looking the wrong direction to find it. You can simply state it as that there is no practical way to do this from the network, since the computer is always talking to the network even when the user is idle. Add to that, the user can be doing something, like typing a report that has little to no internet interaction thus could be misdiagnosed as idle or low use time. Let them know that you've figured a way to actually lock access, but it would need to be done at the system using Windows idle time screen lock and her account not having the ability to unlock without assistance...
01-29-2020 09:59 PM
Hello Georg Pauwen
Looks like this should resolve the issue. We'll test this scenario in our lab. I'll update you on this once we have succeeded in this.
Thank you
Mangesh