how to use eem on core to shutdown ports on access-layer stacks

Answered Question
Aug 19th, 2009

Hi,

We have a 6509 core with 8 stacks of 9*3750PS. We want to use eem on the core to turn off the ports on the 3750's outside office hours(green-it initiative).

Is this possible? If so do have a link to scripts we could use?

The core runs s3223_rp Software (s3223_rp-IPBASE_WAN-M), Version 12.2(18)SXF16, RELEA

SE SOFTWARE (fc2)

The 3750's run c3750-IPBASE-M 12.2(25)SEE2

Thanks!

Marco

I have this problem too.
0 votes
Correct Answer by Joe Clarke about 7 years 3 months ago

I was more interested in CONFIG. You have configured the community string "private". However, your 6500 config is using a different RW community. Make sure the community string in your CONFIG file is the read-write community string configured on the 3750, and that any access-list you have tied to that community string allows the 6500.

My default, a timeout will occupy 90 seconds of time. Given the number of ifIndexes, this can overflow the allowed 10 minutes of execution time.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Lucien Avramov Wed, 08/19/2009 - 07:03

You can actually use just KRON for this task:

kron occurrence TIME2at 17:00 recurring

policy-list interface-down

kron occurrence TIME1 at 09:00 recurring

policy-list interface-up

kron policy-list interface-up

cli interface range f0/1-4

cli no shut

kron policy-list interface-down

cli interface range f0/1-4

cli shut

Joe Clarke Wed, 08/19/2009 - 08:17

There is actually an example like this on our Cisco Beyond repository now. See http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=1701 . If you'd rather use an applet, you could go with something as simple as:

event manager applet shut-ports

event timer cron cron-entry "0 17 * * *"

action 1.0 cli command "enable"

action 2.0 cli command "config t"

action 3.0 cli command "interface range $PORT_RANGE"

action 4.0 cli command "shut"

action 5.0 cli command "end"

action 6.0 syslog msg "Ports in range $PORT_RANGE were shutdown"

event manager applet up-ports

event timer cron cron-entry "0 8 * * *"

action 1.0 cli command "enable"

action 2.0 cli command "config t"

action 3.0 cli command "interface range $PORT_RANGE"

action 4.0 cli command "no shut"

action 5.0 cli command "end"

action 6.0 syslog msg "Ports in range $PORT_RANGE were brought back up"

Then, set the PORT_RANGE environment variable:

event manager environment PORT_RANGE Gi1/1-24

This will then take down those ports at 5 pm, and bring them back up at 8 am.

Joe Clarke Wed, 08/19/2009 - 08:20

I should point out, that these policies are for the 6500s. The 3750s would need to be upgraded to 12.2(40)SE to get EEM support.

marco.bernardy Wed, 08/19/2009 - 21:56

I wanted to run the scripts from the core because it has eem support and the 3750's don't. I am running C3750-IPBASE-M now, i tested with C3750-IPSERVICES-M 12.2.(50)SE2 and that does support eem. But our cisco contact told me that if we would upgrade from IPBASE to IPSERVICES we would need to buy a license of about $2000 per 3750 switch? Is this correct? ifso i'm still looking for a way to have the scripts on the core trigger something on the 3750's to shut down the ports.

Thanks

Joe Clarke Wed, 08/19/2009 - 22:30

I believe it is correct that you'd need to purchase a license to move feature set.

As for running an EEM policy on the 6500 to trigger a port down on the 3750, that is certainly possible. You can use SNMP on the 6500 to shut the ports down on the 3750. You could even use telnet/SSH from the 6500. SNMP would be the easiest of the two to implement. To do it, you would first need to know the list of ifIndex values of the ports to shutdown.

I can write up a script for you depending on the approach you'd like to take.

marco.bernardy Wed, 08/19/2009 - 23:07

Hi,

Thanks a lot for your support sofar,if snmp is the easiest way to go i'd prefer that. I attached the ifIndex values of the ports on my test-3750. I really appreciate you offer to write the script for me as i've no expirience in this area.

Thanks,

Marco

Joe Clarke Thu, 08/20/2009 - 08:39

These two policies should do what you want. First, define three required environment variables:

event manager environment shutdown_ports_cron DOWN_CRON_ENTRY

event manager environment up_ports_cron UP_CRON_ENTRY

event manager environment shutdown_ports_config CONFIG

Where DOWN_CRON_ENTRY is a cron entry specifying when to shutdown ports. For example, to shutdown ports at 5 pm:

event manager environment shutdown_ports_cron 0 17 * * *

UP_CRON_ENTRY us a cron entry specifying when to bring ports back up. For example, to bring ports up at 8 am:

event manager environment up_ports_cron 0 8 * * *

And CONFIG is a path to a file containing the configuration on which switches and ports to shutdown. The format of the file lists individual switches on different lines with colon-separated fields specifying switch name/IP, read-write community string, and a comma-separated list of port ifIndexes to shutdown:

SWITCH:COMMUNITY:PORTS

For example:

10.1.1.1:private:10001,10002,10003

20.1.1.1:private:1,2,3

Once the environment variables and the config file are in place, then you can register the two policies. Be sure to set initial cron entries close to the current time for testing.

marco.bernardy Fri, 08/21/2009 - 01:01

Hi,

Thanks for the scripts.

I copied them to disk0/USER_TCL, and i did 'event manager directory user policy disk0:/USER_TCL.

I create a text file CONFIG with ifindexec of the ports as you explained and put this in the root of disk0.

But when i try to register the policie

i get this error:

event manager policy tm_up_ports.tcl type user

Compile check and registration failed:Wrong # args, usage is "::cisco::eem::even

t_register_timer watchdog|countdown|absolute|cron name ? cron_entry ? time ? que

ue_priority normal|low|high maxrun ? nice ?"

while executing

"::cisco::eem::event_register_timer cron cron_entry $up_ports_cron

"

Tcl policy execute failed: Wrong # args, usage is "::cisco::eem::event_register_

timer watchdog|countdown|absolute|cron name ? cron_entry ? time ? queue_priority

normal|low|high maxrun ? nice ?"

Embedded Event Manager configuration: failed to retrieve intermediate registrati

on result for policy tm_up_ports.tcl: Unknown error 0

Can you tell me what i'm doing wrong?

Thanks!

Marco

marco.bernardy Fri, 08/21/2009 - 06:53

Hi,

I found the syntax for the command online and changed on both scripts the first line: ::cisco::eem::event_register_timer cron name up_ports_cron cron_entry $up_ports_cron

The bit i added was 'name up_ports_cron'and on the other one 'name shutdown_ports_cron'. After this i could register them. The results of 'show event manager policy registered'is in the attached events.txt. In the attached syslog you can see the error i get. I put all files on disk0:/USER_TCL

Can you see what's wrong?

Thanks!

Marco

Joe Clarke Fri, 08/21/2009 - 06:58

You need to register the new versions I just posted. You're hitting the maxrun limitation.

marco.bernardy Fri, 08/21/2009 - 07:31

Hi,

My previous post just crossed yours, thanks for the new scripts. These register without any problem. However the error looks the same. I attached the syslog file and added the output of 'show event manager policy registered'

Hope you can find what's wrong.

Thanks!

Marco

Joe Clarke Fri, 08/21/2009 - 08:02

The error looks the same, but the time does not compute. It would be helpful to see your config file.

marco.bernardy Fri, 08/21/2009 - 09:23

Hi,

I wasn't sure which config file you meant so i sent both my running config and the config file containing the snmp info of the target 3750 switch.

HTH

Thanks!

Marco

Correct Answer
Joe Clarke Fri, 08/21/2009 - 10:02

I was more interested in CONFIG. You have configured the community string "private". However, your 6500 config is using a different RW community. Make sure the community string in your CONFIG file is the read-write community string configured on the 3750, and that any access-list you have tied to that community string allows the 6500.

My default, a timeout will occupy 90 seconds of time. Given the number of ifIndexes, this can overflow the allowed 10 minutes of execution time.

marco.bernardy Fri, 08/21/2009 - 22:43

Hi,

Again thanks for all the help.

Could you please remove the running config, for security reasons?

Thanks for everything!

Marco

Joe Clarke Fri, 08/21/2009 - 22:51

You should see a trashcan icon next to all of the attachments you post (after you login). Simply click that and the attachment will be deleted.

marco.bernardy Tue, 09/01/2009 - 23:55

Hi,

The scripts work fine, thanks. Just one additional question: is it possible to adjust the scripts to instead of shutting down the port only turning off PoE?

Thanks,

Marco

Joe Clarke Wed, 09/02/2009 - 08:33

Sure. Modify the script code, and change the "shut" and "no shut" commands to be whatever you want. Multiple commands are separated by spaces. For example:

run_cli [list "config t" "int fa0/1" "no power inline"]

marco.bernardy Tue, 09/15/2009 - 07:00

Hi,

When the code bit runs that manipulates the device":

foreach port [split $ports($device) ","] {

run_cli [list "snmp set v1 $device $comm oid ${ifAdminStatus}.${port} integer $DOWN"]

The system only knows the ip of the switch and the ifindex of the port. So i cannot replace the command with :

run_cli [list "config t" "int fa0/1" "no power inline"]

I mean what do i enter for "int fa0/1", or should i use 1 entry per access-layer stack, with only ifindex and then enter a list of all the ports that need to be shutdown per stack?

Thanks!

Marco

Joe Clarke Tue, 09/15/2009 - 07:08

Sorry, I had confused this with something else. Yes, this is only using SNMP, so you'll need to find an object that does what you want. For example, pethPsePortAdminEnable should work for you, but this object is indexed by two objects, pethPsePortGroupIndex and pethPsePortIndex. If you locate the values for these two objects, you could modify the code to set the pethPsePortAdminEnable object to 2 to disable PoE on that port. This assumes the POWER-ETHERNET-MIB is supported on these devices.

Actions

This Discussion