Port Security Traps Flooding NMS Servers

Unanswered Question
May 21st, 2009


We have devices with port security set via command "set port security". The devices are expiring a maximum of 1 MAC address every minute and the action is to shutdown the port. An action of "shutdown" will trigger an SNMP trap to be sent to an SNMP trap receiver.

Is there a way to configure the device to not send the trap? We have all traps enabled except Authentication Failures and Syslog.

Please Advise.


yjdabear Thu, 05/21/2009 - 07:52

Try "no snmp-server enable traps port-security" in global config mode. It doesn't appear to have a per-interface equivalent.

Oh wait, if this is CatOS, try "set snmp trap disable macnotification", I think.

slcornish Thu, 05/21/2009 - 09:30

Thank you.

I tried command "set snmp trap disable macnotification" and the traps are still being sent.


yjdabear Thu, 05/21/2009 - 09:33

Can you post the complete text of the trap, as it's received on the NMS? Better yet, the OID(s) of the trap as the NMS sees it raw.

slcornish Thu, 05/21/2009 - 09:39

[2] private.enterprises.cisco.workgroup. (OctetString): Module 5 block changed by SecurityRx//

cisco-workgroup 6 9 2 args: [1] private.enterprises.cisco.workgroup. (Ticks): 100

[2] private.enterprises.cisco.workgroup. (OctetString): Module 4 block changed by SecurityRx//

yjdabear Thu, 05/21/2009 - 10:26

private.enterprises.cisco.workgroup. is sysConfigChangeInfo, which is toggled by "set snmp trap {enable | disable} config" according to the following doc:


I do want to caution that disabling this trap may potentially stop the generation of other config change notifications you do want to know about. An alternative is to configure your SNMP trap receiver to "log only" against this OID, so your operators do not get bombarded by it, but would still have access to such info if needed.

slcornish Thu, 05/21/2009 - 10:49

That worked, and you're right, it disables all traps associated with that OID.

My end users aren't seeing those traps. The issue is they're flooding our NMS servers and causing them to crash. This is happening with NetView and NetCool.

My solution is to try and get them turned off since no one looks at them.

Or maybe I can configure an ACL on the SNMP agent on my server and filter them out before they're passed to the process listening on UDP port 162.


yjdabear Thu, 05/21/2009 - 11:11

Using NetView's distant "relative" OpenView NNM here, getting these same traps from a few hundred devices (and that traffic is doubled up as the traps are also sent as syslogs by the network devices, to the same server). No crash problem, knock on wood. In OpenView, it's possible to throttle excessively "noisy" SNMP senders, through ovtrapd.lrf and/or trapd.conf:


NetView might have something similar. Of course, this has its own tradeoffs of potentially blocking critical traps along with the "noise" when a device hits the threshold.
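The two receiver-side options raised in the replies above (treat the sysConfigChangeInfo trap from the port-security action as "log only", and throttle senders that are still too noisy) as one added Python illustration; this is not code from either poster nor from NetView, OpenView or NetCool. It assumes the trap has already been decoded into text of the form pasted earlier in the thread and that the two numbers after the enterprise name are the generic and specific trap numbers; all addresses, thresholds and sample records are constructed.

```python
import re
from collections import defaultdict, deque

# Decoded trap text in the form pasted in the thread: "<enterprise> <generic> <specific> <nargs> args: ..."
# Assumption: the two numbers after the enterprise name are the generic/specific trap numbers.
TRAP_HEADER = re.compile(r"^(?P<ent>\S+) (?P<generic>\d+) (?P<specific>\d+) (?P<nargs>\d+) args:")
PORT_SECURITY_CHANGE = re.compile(r"Module \d+ block changed by SecurityRx")

def is_port_security_config_change(trap_text):
    """True only for the sysConfigChangeTrap variant raised by the port-security shutdown action;
    the same trap for a change made by someone else (e.g. from the console) is not matched."""
    m = TRAP_HEADER.match(trap_text)
    return bool(m and m.group("ent") == "cisco-workgroup" and m.group("generic") == "6"
                and PORT_SECURITY_CHANGE.search(trap_text))

class TrapReceiverPolicy:
    """Receiver-side handling: 'log' the noisy trap only, then throttle any sender that still
    exceeds max_per_window traps in window_seconds (the OpenView-style noisy-sender tradeoff)."""
    def __init__(self, max_per_window=10, window_seconds=60.0):
        self.max_per_window, self.window = max_per_window, window_seconds
        self.recent = defaultdict(deque)  # source -> timestamps still inside the window

    def decide(self, ts, source, trap_text):
        """Return 'log', 'alert' or 'drop' for one decoded trap."""
        if is_port_security_config_change(trap_text):
            return "log"  # kept on disk for later review, never raised to operators
        q = self.recent[source]
        while q and ts - q[0] > self.window:
            q.popleft()
        q.append(ts)
        # Caveat from the thread: once a sender is throttled its real alarms are dropped too.
        return "drop" if len(q) > self.max_per_window else "alert"

def process(traps, policy=None):
    """Apply the policy to (timestamp, source, decoded text) records; return counts per decision."""
    policy = policy or TrapReceiverPolicy()
    counts = {"log": 0, "alert": 0, "drop": 0}
    for ts, src, text in traps:
        counts[policy.decide(ts, src, text)] += 1
    return counts

def sample_traps():
    """Constructed sample modelled on the thread's paste: one switch expiring one MAC per minute
    (two traps per port per minute), one console change, and one unrelated chatty sender."""
    sec = ("cisco-workgroup 6 9 2 args: [1] private.enterprises.cisco.workgroup. (Ticks): {t} "
           "[2] private.enterprises.cisco.workgroup. (OctetString): Module 4 block changed by SecurityRx//")
    traps = [(60.0 * i + j, "10.0.0.5", sec.format(t=100 + i)) for i in range(3) for j in (0, 1)]
    traps.append((10.0, "10.0.0.5", sec.replace("SecurityRx", "Console").format(t=150)))
    traps += [(float(k), "10.0.0.9", "other-enterprise 6 1 1 args: [1] placeholder (Integer): 1") for k in range(12)]
    return sorted(traps)
```

Running `process(sample_traps())` gives six "log" decisions for the port-security traps, eleven "alert" decisions (the console change plus the first ten from the chatty sender) and two "drop" decisions once that sender crosses the threshold.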

slcornish Thu, 05/21/2009 - 11:12

Our devices are also configured to send severity level 5 syslog messages.

Which syslog facility do the config change notifications belong to?

Maybe we can add "set snmp trap disable config" because we're still getting config change messages via Syslog.


yjdabear Thu, 05/21/2009 - 11:40

Check if your CatOS also has "set logging level sys [severity-level] default" configured.

With both of the following present:

set logging level sys 6 default

set logging server severity 5

CatOS sends "SYS-6-CFG_CHG:Module # block changed by [somebody]" to its local logging buffer, but does not send it to the external syslog servers.

In addition, if the syslog server is getting plenty of "SNMP-5-SYSCONFIGCHANGENOTIF: sysConfigChangeTrap notification sent for Module # block changed by [somebody]", that's because of "set snmp trap enable syslog", which is really a waste of bandwidth.

slcornish Thu, 05/21/2009 - 12:09

We have configured:

set logging server enable

set logging server severity 5

set logging level all 5 default

So it sounds like we're not sending it via Syslog.

Do you know what SNMP messages we'd lose if we add command "set snmp trap disable config"?

slcornish Wed, 05/27/2009 - 08:35

Our devices are sending 2 traps per port every minute. Their age timer is set to one minute.

What does the first trap listed below mean? The one starting with "cisco-workgroup".

cisco-workgroup 6 9 2 args: [1] private.enterprises.cisco.workgroup. (Ticks): 425

[2] private.enterprises.cisco.workgroup. (OctetString): Module 4 block changed by SecurityRx//

slcornish Fri, 05/29/2009 - 08:55

Do you know which devices send traps (sysConfigChangeTrap)?

slcornish Fri, 05/29/2009 - 09:00

Does the 6509 running cat6000-sup2k8.7-6-6.bin send trap (sysConfigChangeTrap)?

yjdabear Mon, 06/01/2009 - 06:27

You can verify that by examining the "show snmp notification mapping" output in enable mode on CatOS.

Trap Keyword   Notification          Object Name            Notif. Sent   Syslog
config         sysConfigChangeTrap   SYSCONFIGCHANGENOTIF

slcornish Mon, 06/01/2009 - 07:19

My 6509 doesn't have "notification" under "sh snmp".
