Cisco – way to automatically have unused ports disable

ciscocisco-catalystport-securitysshtroubleshooting

Like many others I can see how to display ports that have no traffic flowing through them and go through and disable them but we have hundreds of cisco switches.

I like the idea of being able to see ports that have not seen activity in the last 6 weeks like I found here:

but I have not been able to make this work.

sh int count | i 0 + 0 + 0 works quiet well for identifying the ports.

Found here:

How can I see which switchports are not in use?

Is there a way to maybe use like port security or anything to turn ports off that have not see traffic for 90 days?

Best Answer

15.1T introduced show interface history. This might work for you.

The ports go into down state for both status and protocol by default when no endpoint NIC is connected (link down). You could syslog these events to a server and roll some script to correlate down vs up dates per port.

Cisco EEM could be utilized to automatically disable a port once it goes down, but I don't think this would be a good idea as it would be difficult to administer/manage. Look at 802.1X Port-Based Authentication if security is the concern.

Related Solutions

Cisco – Output Drops on Serial interface: Better queueing or Output queue size

You're right, you wouldn't really see the burstiness easily on SNMP. 1GE can send 1.48Mpps, so it takes very very little time to congest the the 45Mbps, which can handle less than 75kpps.

If your ingress is 1GE and egress is 45Mbps, then obviously the congestion point of 45Mbps will need to drop packets. This is normal and expected. If you increase buffers you'll introduce more delay.
1GE takes 0.45ms to send 40 1500B IP frames, which is right now the amount of burst you can handle. However dequeueing them on the 45Mbps already takes 10ms.

If you don't have any acute problem, I would probably not do anything about it. But if some traffic is more eligible for dropping than other, then you should replace FIFO with class-based queueing. Say maybe you want to prioritize so that more ftp is dropped and less voip.
Then it'll also make more sense to add more buffering on the ftp traffic, as it's not really sensitive to delay.

If you want to try your luck with deeper buffers, something like this should suffice:

policy-map WAN-OUT
 class class-default
    fair-queue
    queue-limit 200 packets
!
interface Serial1/0
  service-policy output WAN-OUT

This would cause 50ms buffers on the Serial1 and would allow you to handle up-to 2.25ms burst from single Gige interface.

Vlan/trunk/etherchannel differences in cisco switch (noob lots of q’s)

What you are trying to achieve is done with VLANs. A VLAN is basically a logical L2 domain so two hosts on the same VLAN will be able to communicate without a router.

Trunking basically means 'allow more than one VLAN on the same port'. You can do that to allow a host to be able to connect to different VLANs using the same port or for interswitch communications. If you have two switches you will want to connect them with a trunk so the hosts in VLAN A on SW1 can communicate with hosts in VLAN A on SW2.

Etherchannel is used to aggregate two ports into one logical port adding the bandwidth.

About the architecture of this specific hardware I am not sure. Usually ports are connected by groups. Ports 1-8 belong to the same ASIC, so port 2 to get to port 9 (which is in a different ASIC) will have to go through the backplane. However, from port 1 to port 2 you do not need to get to the backplane. However, this is very platform specific so read the switch architecture to be sure about this.

Regards.

Best Answer

Related Solutions

Cisco – Output Drops on Serial interface: Better queueing or Output queue size

Vlan/trunk/etherchannel differences in cisco switch (noob lots of q’s)

Related Topic