how to use eem on core to shutdown ports on access-layer stacks

Answered Question
Aug 19th, 2009

Hi,

We have a 6509 core with 8 stacks of 9*3750PS. We want to use eem on the core to turn off the ports on the 3750's outside office hours (green-IT initiative).

Is this possible? If so, do you have a link to scripts we could use?

The core runs s3223_rp Software (s3223_rp-IPBASE_WAN-M), Version 12.2(18)SXF16, RELEASE SOFTWARE (fc2)

The 3750's run c3750-IPBASE-M 12.2(25)SEE2


Thanks!

Marco

Lucien Avramov Wed, 08/19/2009 - 07:03

You can actually use just KRON for this task:


kron occurrence TIME2 at 17:00 recurring
 policy-list interface-down

kron occurrence TIME1 at 09:00 recurring
 policy-list interface-up

kron policy-list interface-up
 cli interface range f0/1-4
 cli no shut

kron policy-list interface-down
 cli interface range f0/1-4
 cli shut


Joe Clarke Wed, 08/19/2009 - 08:18

I don't think so. The cli policy runs in EXEC mode.

Joe Clarke Wed, 08/19/2009 - 08:17

There is actually an example like this on our Cisco Beyond repository now. See http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=1701 . If you'd rather use an applet, you could go with something as simple as:


event manager applet shut-ports
 event timer cron cron-entry "0 17 * * *"
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 action 3.0 cli command "interface range $PORT_RANGE"
 action 4.0 cli command "shut"
 action 5.0 cli command "end"
 action 6.0 syslog msg "Ports in range $PORT_RANGE were shutdown"

event manager applet up-ports
 event timer cron cron-entry "0 8 * * *"
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 action 3.0 cli command "interface range $PORT_RANGE"
 action 4.0 cli command "no shut"
 action 5.0 cli command "end"
 action 6.0 syslog msg "Ports in range $PORT_RANGE were brought back up"


Then, set the PORT_RANGE environment variable:


event manager environment PORT_RANGE Gi1/1-24


This will then take down those ports at 5 pm, and bring them back up at 8 am.


Joe Clarke Wed, 08/19/2009 - 08:20

I should point out, that these policies are for the 6500s. The 3750s would need to be upgraded to 12.2(40)SE to get EEM support.

marco.bernardy Wed, 08/19/2009 - 21:56

I wanted to run the scripts from the core because it has eem support and the 3750's don't. I am running C3750-IPBASE-M now; I tested with C3750-IPSERVICES-M 12.2.(50)SE2 and that does support eem. But our Cisco contact told me that if we would upgrade from IPBASE to IPSERVICES we would need to buy a license of about $2000 per 3750 switch? Is this correct? If so, I'm still looking for a way to have the scripts on the core trigger something on the 3750's to shut down the ports.

Thanks

Joe Clarke Wed, 08/19/2009 - 22:30

I believe it is correct that you'd need to purchase a license to move feature set.


As for running an EEM policy on the 6500 to trigger a port down on the 3750, that is certainly possible. You can use SNMP on the 6500 to shut the ports down on the 3750. You could even use telnet/SSH from the 6500. SNMP would be the easiest of the two to implement. To do it, you would first need to know the list of ifIndex values of the ports to shutdown.


I can write up a script for you depending on the approach you'd like to take.

marco.bernardy Wed, 08/19/2009 - 23:07

Hi,

Thanks a lot for your support so far. If SNMP is the easiest way to go, I'd prefer that. I attached the ifIndex values of the ports on my test-3750. I really appreciate your offer to write the script for me as I've no experience in this area.

Thanks,

Marco



Joe Clarke Thu, 08/20/2009 - 08:39

These two policies should do what you want. First, define three required environment variables:


event manager environment shutdown_ports_cron DOWN_CRON_ENTRY
event manager environment up_ports_cron UP_CRON_ENTRY
event manager environment shutdown_ports_config CONFIG


Where DOWN_CRON_ENTRY is a cron entry specifying when to shutdown ports. For example, to shutdown ports at 5 pm:


event manager environment shutdown_ports_cron 0 17 * * *


UP_CRON_ENTRY is a cron entry specifying when to bring ports back up. For example, to bring ports up at 8 am:


event manager environment up_ports_cron 0 8 * * *


And CONFIG is a path to a file containing the configuration on which switches and ports to shutdown. The format of the file lists individual switches on different lines with colon-separated fields specifying switch name/IP, read-write community string, and a comma-separated list of port ifIndexes to shutdown:


SWITCH:COMMUNITY:PORTS


For example:


10.1.1.1:private:10001,10002,10003
20.1.1.1:private:1,2,3


Once the environment variables and the config file are in place, then you can register the two policies. Be sure to set initial cron entries close to the current time for testing.





Joe Clarke Thu, 08/20/2009 - 11:01

Grrr, I got greedy with my search and replace in the up script. New version attached.



marco.bernardy Fri, 08/21/2009 - 01:01

Hi,

Thanks for the scripts.

I copied them to disk0/USER_TCL, and I did 'event manager directory user policy disk0:/USER_TCL'.

I created a text file CONFIG with the ifIndexes of the ports as you explained and put this in the root of disk0.

But when I try to register the policies I get this error:

event manager policy tm_up_ports.tcl type user
Compile check and registration failed:Wrong # args, usage is "::cisco::eem::event_register_timer watchdog|countdown|absolute|cron name ? cron_entry ? time ? queue_priority normal|low|high maxrun ? nice ?"
while executing
"::cisco::eem::event_register_timer cron cron_entry $up_ports_cron
"
Tcl policy execute failed: Wrong # args, usage is "::cisco::eem::event_register_timer watchdog|countdown|absolute|cron name ? cron_entry ? time ? queue_priority normal|low|high maxrun ? nice ?"

Embedded Event Manager configuration: failed to retrieve intermediate registration result for policy tm_up_ports.tcl: Unknown error 0


Can you tell me what i'm doing wrong?


Thanks!

Marco

Joe Clarke Fri, 08/21/2009 - 06:47

Your version of IOS requires another argument. Try these.



Joe Clarke Fri, 08/21/2009 - 06:49

Just in case, I am reposting with a higher maxrun time. I tested with only two ifIndexes, but more could overrun the 20 second default.



marco.bernardy Fri, 08/21/2009 - 06:53

Hi,

I found the syntax for the command online and changed on both scripts the first line: ::cisco::eem::event_register_timer cron name up_ports_cron cron_entry $up_ports_cron

The bit I added was 'name up_ports_cron' and on the other one 'name shutdown_ports_cron'. After this I could register them. The results of 'show event manager policy registered' are in the attached events.txt. In the attached syslog you can see the error I get. I put all files on disk0:/USER_TCL

Can you see what's wrong?

Thanks!

Marco




Joe Clarke Fri, 08/21/2009 - 06:58

You need to register the new versions I just posted. You're hitting the maxrun limitation.

marco.bernardy Fri, 08/21/2009 - 07:31

Hi,

My previous post just crossed yours, thanks for the new scripts. These register without any problem. However the error looks the same. I attached the syslog file and added the output of 'show event manager policy registered'

Hope you can find what's wrong.

Thanks!

Marco



Joe Clarke Fri, 08/21/2009 - 08:02

The error looks the same, but the time does not compute. It would be helpful to see your config file.

marco.bernardy Fri, 08/21/2009 - 09:23

Hi,

I wasn't sure which config file you meant so I sent both my running config and the config file containing the SNMP info of the target 3750 switch.

HTH

Thanks!

Marco




Correct Answer
Joe Clarke Fri, 08/21/2009 - 10:02

I was more interested in CONFIG. You have configured the community string "private". However, your 6500 config is using a different RW community. Make sure the community string in your CONFIG file is the read-write community string configured on the 3750, and that any access-list you have tied to that community string allows the 6500.


By default, a timeout will occupy 90 seconds of time. Given the number of ifIndexes, this can overflow the allowed 10 minutes of execution time.
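
A pre-flight check for the CONFIG file format given earlier in the thread (SWITCH:COMMUNITY:PORTS) and for the timing point in the answer above, written as stand-alone Tcl. It is an added example, not one of the attached policies: the proc name and sample data are assumptions, and the 90-second timeout and 10-minute limit are the figures quoted in the answer.

```tcl
# Added example, not one of the attached policies. Names are hypothetical.
# 90 s per timed-out set and the 10-minute run limit are quoted in the thread.
set SNMP_TIMEOUT 90
set MAXRUN 600
set DEFAULT_COMMUNITIES [list public private]

# Returns a list of findings for the text of a SWITCH:COMMUNITY:PORTS file.
# Findings never echo the community string itself.
proc check_config {text} {
    global SNMP_TIMEOUT MAXRUN DEFAULT_COMMUNITIES
    set findings [list]
    set lineno 0
    set total 0
    foreach line [split $text "\n"] {
        incr lineno
        set line [string trim $line]
        if {$line == ""} { continue }
        set fields [split $line ":"]
        if {[llength $fields] != 3} {
            lappend findings "line ${lineno}: expected SWITCH:COMMUNITY:PORTS"
            continue
        }
        set host  [lindex $fields 0]
        set comm  [string tolower [lindex $fields 1]]
        set ports [split [lindex $fields 2] ","]
        if {[lsearch -exact $DEFAULT_COMMUNITIES $comm] >= 0} {
            lappend findings "line ${lineno}: $host uses a well-known default community"
        }
        foreach port $ports {
            if {![regexp {^[1-9][0-9]*$} $port]} {
                lappend findings "line ${lineno}: bad ifIndex '$port'"
            }
        }
        incr total [llength $ports]
    }
    # Worst case: every set times out (wrong community, ACL, host down).
    set worst [expr {$total * $SNMP_TIMEOUT}]
    if {$worst > $MAXRUN} {
        lappend findings "$total sets could take ${worst}s, over the ${MAXRUN}s limit"
    }
    return $findings
}

# Constructed sample input; the second community is a made-up placeholder.
set sample "10.1.1.1:private:10001,10002,10003
20.1.1.1:Xk3-constructed:1,2,3,4,x5
badline"
foreach finding [check_config $sample] { puts $finding }
```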

marco.bernardy Fri, 08/21/2009 - 22:43

Hi,


Again thanks for all the help.

Could you please remove the running config, for security reasons?


Thanks for everything!

Marco


Joe Clarke Fri, 08/21/2009 - 22:51

You should see a trashcan icon next to all of the attachments you post (after you login). Simply click that and the attachment will be deleted.

marco.bernardy Tue, 09/01/2009 - 23:55

Hi,


The scripts work fine, thanks. Just one additional question: is it possible to adjust the scripts so that, instead of shutting down the port, they only turn off PoE?


Thanks,

Marco


Joe Clarke Wed, 09/02/2009 - 08:33

Sure. Modify the script code, and change the "shut" and "no shut" commands to be whatever you want. Multiple commands are separated by spaces. For example:


run_cli [list "config t" "int fa0/1" "no power inline"]

marco.bernardy Tue, 09/15/2009 - 07:00

Hi,

When the code bit runs that manipulates the device:

foreach port [split $ports($device) ","] {
    run_cli [list "snmp set v1 $device $comm oid ${ifAdminStatus}.${port} integer $DOWN"]
}

The system only knows the IP of the switch and the ifIndex of the port. So I cannot replace the command with:

run_cli [list "config t" "int fa0/1" "no power inline"]

I mean, what do I enter for "int fa0/1"? Or should I use 1 entry per access-layer stack, with only ifindex and then enter a list of all the ports that need to be shutdown per stack?

Thanks!

Marco

Joe Clarke Tue, 09/15/2009 - 07:08

Sorry, I had confused this with something else. Yes, this is only using SNMP, so you'll need to find an object that does what you want. For example, pethPsePortAdminEnable should work for you, but this object is indexed by two objects, pethPsePortGroupIndex and pethPsePortIndex. If you locate the values for these two objects, you could modify the code to set the pethPsePortAdminEnable object to 2 to disable PoE on that port. This assumes the POWER-ETHERNET-MIB is supported on these devices.
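
The change described in the reply above, sketched as stand-alone Tcl (an added example, not code from the thread or its attachments): it builds the `snmp set` EXEC commands with pethPsePortAdminEnable indexed by pethPsePortGroupIndex and pethPsePortIndex. The `group.port` list format, the proc names and the sample values are assumptions; the OID is the object's standard POWER-ETHERNET-MIB identifier.

```tcl
# Added example, not part of the thread's attached policies.
# pethPsePortAdminEnable in POWER-ETHERNET-MIB (RFC 3621) is a TruthValue:
# 1 = true (PoE enabled), 2 = false (PoE disabled).
set pethPsePortAdminEnable 1.3.6.1.2.1.105.1.1.1.3

# pairs: comma-separated "group.port" entries. This layout is an assumption;
# the thread's file format holds plain ifIndexes.
# All pairs are validated before any command string is returned.
proc poe_commands {device comm pairs enable} {
    global pethPsePortAdminEnable
    if {$enable} { set value 1 } else { set value 2 }
    set cmds [list]
    foreach pair [split $pairs ","] {
        # The instance is pethPsePortGroupIndex, then pethPsePortIndex.
        if {![regexp {^([1-9][0-9]*)\.([1-9][0-9]*)$} $pair -> group port]} {
            error "bad group.port pair: '$pair'"
        }
        set oid "${pethPsePortAdminEnable}.${group}.${port}"
        lappend cmds "snmp set v1 $device $comm oid $oid integer $value"
    }
    return $cmds
}

# Same command with the community masked, for syslog or console output.
proc log_safe {cmd comm} {
    return [string map [list " $comm " " <community> "] $cmd]
}

# Constructed sample values: switch address, community and indexes.
set comm "Xk3-constructed"
foreach cmd [poe_commands 10.1.1.1 $comm "1.1,1.2,2.1" 0] {
    puts [log_safe $cmd $comm]
}
```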
