pull disconnected interfaces with last input higher than 10week on a switch with EEM script

hi.sadiki
Level 1

hello Guys,

I need your help please,

I am asked to secure our LAN by pulling all disconnected users' interfaces with a last input higher than 10 weeks as a first step and shutting them down LATER.

Is it possible with an EEM script to browse the interfaces on a switch, pull the ones concerned, then send the result to a file on the flash?

Otherwise, is there any other way, please?

I have never worked with EEM so far.

Thanks for helping me.

11 Replies

Joe Clarke
Cisco Employee

Have a look at this solution:

https://supportforums.cisco.com/docs/DOC-39192

These policies track down ports, but you could modify the policy to look at when the ports last saw traffic fairly easily.

Hello Joe,

thanks  for your help,

I have basic skills and I couldn't enter the script.

I did:

event manager environment test::cisco::eem::event_register_syslog pattern "LINEPROTO-5-UPDOWN" maxrun 600

But it's always taking only the last line I entered.

How can I enter the script, please?

Thanks again for helping me

Hello Joe,

Thanks for your answer, I did register the EEMs correctly.

I looked at the link you sent me: https://supportforums.cisco.com/docs/DOC-39192

but I don't know which script to use as there are 3 of them.

Thanks again for your help.

Since you care about last data on an interface, you don't need the syslog policy that matches on interfaces coming up.  Instead you could do everything you need with the timer policy.  I'm attaching the original here for you.

Hello Joseph,

I tried to follow what you showed me.

- I created a "policies" directory on flash and copied the script tm_suspend_ports.txt to it.

- Register the script using the following commands

(config)#event manager directory user policy flash:/policies

(config)#event manager policy tm_suspend_ports.tcl

Is that all it needs, or are there any other steps?

How can I enter the number of days after which the ports will go down, please?

I thank you.

This is all that's needed to register this policy as-is.  But you will need to make changes to add support for your specific use case of looking at last packet input.  The code as it stands now looks for ports that are operational down.  You'll need to add the code that looks at the "show interface" output to see when the last input was.

To set the number of days, configure:

event manager environment suspend_ports_days NUM_DAYS
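The piece Joe says still has to be written is the part that reads "show interfaces" and works out how long ago each port last saw input. The Python below is an added example, not part of the thread or of the tm_suspend_ports.tcl policy: it prototypes that parsing logic offline on a constructed sample of "show interfaces" output so the selection rule can be checked before being ported into the Tcl policy. The interface names, MAC addresses and ages in the sample are made up; the threshold of 70 days corresponds to the original poster's 10 weeks, and the "include_never" switch is an assumption about how ports that have never seen a packet since boot should be treated.

```python
import re
from datetime import timedelta

# Constructed sample of "show interfaces" output (not captured from a real switch).
SAMPLE_SHOW_INTERFACES = """\
GigabitEthernet1/0/1 is down, line protocol is down (notconnect)
  Hardware is Gigabit Ethernet, address is 0000.0000.0001 (bia 0000.0000.0001)
  Last input 12w3d, output 00:00:04, output hang never
GigabitEthernet1/0/2 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0000.0000.0002 (bia 0000.0000.0002)
  Last input 00:00:01, output 00:00:00, output hang never
GigabitEthernet1/0/3 is down, line protocol is down (notconnect)
  Hardware is Gigabit Ethernet, address is 0000.0000.0003 (bia 0000.0000.0003)
  Last input never, output never, output hang never
GigabitEthernet1/0/4 is down, line protocol is down (notconnect)
  Hardware is Gigabit Ethernet, address is 0000.0000.0004 (bia 0000.0000.0004)
  Last input 3d02h, output 3d02h, output hang never
GigabitEthernet1/0/5 is down, line protocol is down (notconnect)
  Hardware is Gigabit Ethernet, address is 0000.0000.0005 (bia 0000.0000.0005)
  Last input 1y4w, output 1y4w, output hang never
GigabitEthernet1/0/6 is administratively down, line protocol is down (disabled)
  Hardware is Gigabit Ethernet, address is 0000.0000.0006 (bia 0000.0000.0006)
  Last input 20w1d, output 20w1d, output hang never
"""

# First line of each interface block: "<name> is <state>, line protocol is <proto>".
STATUS_RE = re.compile(r"^(\S+) is (.+?), line protocol is (\S+)")
# Counter line carrying the last-input age: "Last input <age>, output <age>, ...".
LAST_INPUT_RE = re.compile(r"^\s+Last input (\S+), output (\S+),")


def parse_age(token):
    """Convert an IOS age token to a timedelta; 'never' maps to None.

    IOS prints ages as hh:mm:ss (under a day), XdYYh (under a week),
    XwYd (under a year) or XyYw beyond that.
    """
    if token == "never":
        return None
    m = re.fullmatch(r"(\d+):(\d+):(\d+)", token)
    if m:
        h, mi, s = (int(x) for x in m.groups())
        return timedelta(hours=h, minutes=mi, seconds=s)
    m = re.fullmatch(r"(\d+)d(\d+)h", token)
    if m:
        return timedelta(days=int(m.group(1)), hours=int(m.group(2)))
    m = re.fullmatch(r"(\d+)w(\d+)d", token)
    if m:
        return timedelta(weeks=int(m.group(1)), days=int(m.group(2)))
    m = re.fullmatch(r"(\d+)y(\d+)w", token)
    if m:
        return timedelta(days=365 * int(m.group(1)), weeks=int(m.group(2)))
    raise ValueError("unrecognised age token: %r" % token)


def parse_show_interfaces(text):
    """Return one dict per interface: name, link state, raw and parsed last-input age."""
    results = []
    current = None
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            current = {"name": m.group(1), "state": m.group(2),
                       "last_input_raw": None, "last_input": None}
            results.append(current)
            continue
        m = LAST_INPUT_RE.match(line)
        if m and current is not None:
            current["last_input_raw"] = m.group(1)
            current["last_input"] = parse_age(m.group(1))
    return results


def stale_interfaces(text, days, include_never=True):
    """Names of ports that are link-down (not admin-down) and idle longer than `days`.

    Ports that are already administratively down are skipped: they are the
    ones the policy would have shut already. A port reporting 'never' is
    counted as stale only when include_never is set.
    """
    threshold = timedelta(days=days)
    stale = []
    for intf in parse_show_interfaces(text):
        if intf["state"] != "down":
            continue
        age = intf["last_input"]
        if age is None:
            if include_never:
                stale.append(intf["name"])
        elif age > threshold:
            stale.append(intf["name"])
    return stale


def report_lines(text, days, include_never=True):
    """Lines in the shape the policy could append to a file on flash."""
    ages = {i["name"]: i["last_input_raw"] for i in parse_show_interfaces(text)}
    return ["%s last_input=%s" % (name, ages[name])
            for name in stale_interfaces(text, days, include_never)]


if __name__ == "__main__":
    for line in report_lines(SAMPLE_SHOW_INTERFACES, days=70):
        print(line)
```

One caveat worth carrying into the Tcl version: the "Last input" age is measured since the port last saw a packet after the last reload, so on a switch that rebooted recently every idle port reads "never" and nothing older than the uptime can appear. A nightly run should therefore only act when the switch uptime (from "show version") already exceeds the configured number of days, otherwise a freshly rebooted switch would flag every unplugged port at once.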

hello Joe,

On forums, I saw that some people said that I need my switch to be connected to TACACS, otherwise it won't work.

I am doing my tests on an isolated switch that works with a local username.

Would it be a problem you think ?

Not at all. It will work better since you do not need the roundtrip to the AAA server.

Hello Joe,

I tried and tried, but it seems that I am missing something.

Could we look together at my configuration?

The config looks okay for the original behavior of the scripts.  The timer policy should run every night at midnight provided your clock is properly synced (but you're not running NTP, so that is likely not the case).  You'll need to look at your logging output to see if there are errors, plus you'll need to configure an authoritative clock source.
