Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10157
Views
22
Helpful
12
Replies

Switch - Force port to shutdown after interface status down

jacques_henry696
Level 1
Level 1

‎04-13-2011 12:43 AM - edited ‎03-06-2019 04:35 PM

Hi,

Is there a way to force a switch interface to be administratively down (shutdown) if it becomes physically down? (for example to prevent the network cable to be disconnected and reconnected).

i.e. a mix between port security and link state tracking

Thanks!

Labels:
0 Helpful
12 Replies 12

Wassim Aouadi
Level 4
Level 4

‎04-13-2011 01:29 AM

I think port-security with a maximum of 1 allowed MAC will do the job.

0 Helpful

jacques_henry696
Level 1
Level 1
In response to Wassim Aouadi

‎04-13-2011 06:57 AM

Unfortunately port security with a max of 1 MAC won't do the trick as this port is potentially connected to another switch!

0 Helpful

cadet alain
VIP Alumni
VIP Alumni

‎04-13-2011 01:33 AM

Hi,

You could do this with SNMP.

Regards.

Alain.

Don't forget to rate helpful posts.

Wassim Aouadi
Level 4
Level 4
In response to cadet alain

‎04-13-2011 03:46 AM

Alain, could you suggest a document or an explanation? it seems interesting.

0 Helpful

cadet alain
VIP Alumni
VIP Alumni
In response to Wassim Aouadi

‎04-13-2011 04:01 AM

Hi,

I think I maybe talked too quick because if ther is a problem at L1/L2 how my snmp traps and set are gonna hit the device?

Sometimes it is better saying nothing than giving silly answers as the one I gave.

Regards.

Alain.

Don't forget to rate helpful posts.
0 Helpful

hobbe
Level 7
Level 7
In response to cadet alain

‎04-13-2011 04:19 AM

No actually you are correct, however I have done this (snmp) with solarwinds orion, when you recieve link down on that interface I set a script to login to the machine and shut the port. however that said I am positive there are other, better ways.

I am thinking of ip-sla that could be an option. where on link down you wham the port once more with an admin down. (but I do not know if it works)

The third way is to script in TCL and use the internal log function to

The 4th way would be to use syslog and a script that logs in and kills the port.

A question

Does the port have to be down or is it enough that it can not send or recieve traffic ?,

I am thinking of changing to a different vlan.

I am sure I have seen a much better way but it is just not coming to me right now.

jacques_henry696
Level 1
Level 1
In response to hobbe

‎04-13-2011 06:59 AM

Hi,

I was more thinking about a "built-in" solution in the switch without the help of any 3rd party tools...

But thanks for your suggestions!

0 Helpful

hobbe
Level 7
Level 7
In response to jacques_henry696

‎04-14-2011 03:58 AM

Just found out what I was looking for.

The EEM will do this for you in the switch.

Just tested it on a testswitch that I happen to have and it worked like a charm.

event manager applet faeth24-down

event syslog pattern "%LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to down"

action 1.0 cli command "enable"

action 2.0 cli command "configure terminal"

action 3.0 cli command "interface Fastethernet0/24"

action 4.0 cli command "shutdown"

However this is just a start, via variables one should be able to do one script for all ports that you want to have shut down.
And no this is not "tested" and so on so there are shure to need som bugtesting and stuff.
.
.
hmm just realised you might want to use
event syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down"
instead since the first one will not allow you to eanble the port unless there is a link on it. it will just shut the port down again.
.
Good luck
HTH

Message was edited by: hobbe

jacques_henry696
Level 1
Level 1
In response to hobbe

‎04-14-2011 08:28 AM

Isn't EEM just available on ISR routers and on the 4500-6500-ASR1000 switches? (http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6815/datasheet_C78-573459.html)

I only have a 2960

But thanks for the advice, I didn't know EEM at all, seems very interesting!

0 Helpful

hobbe
Level 7
Level 7
In response to jacques_henry696

‎04-14-2011 12:30 PM

No it is available for atleast the 2960 2970 3560 and 3750 and 3400me.

it seams like to use eem you need to have ip-services or equivalent.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/release/notes/OL14630.html

0 Helpful

Elie Bassil
Level 1
Level 1

‎04-14-2011 06:14 AM

Hello,

You can use the "error disable" feature on the switch, this will admin shutdown a port whenever a violation occurs:

conf t
errdisable detect cause link-flap

Double check with "show errdisable detect"

--

regards,

EB:.

jacques_henry696
Level 1
Level 1
In response to Elie Bassil

‎04-14-2011 08:22 AM

Hi everyone,

First of all thanks for your valuable inputs.

Elie, I think you're the one approching the closest to what I need.

I changed the flap values to the minimum and enable the errdisable condition:

switch(config)#errdisable flap-setting cause link-flap max-flaps 1 time 120

switch#sh errdisable flap-values
ErrDisable Reason    Flaps    Time (sec)
-----------------    ------   ----------
pagp-flap              3       30
dtp-flap               3       30
link-flap              1       20

I've tested it and it works.... except that I have to unplug and re-plug twice the cable to get a shutdown on my interface.

Indeed, 1 is the threshold so it needs at least two "flaps"...

Almost there!

Thanks again!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card