Port Security Traps Flooding NMS Servers

slcornish
Level 1

All,

We have devices with port security set via command "set port security". The devices are expiring a maximum of 1 MAC address every minute and the action is to shutdown the port. An action of "shutdown" will trigger an SNMP trap to be sent to an SNMP trap receiver.

Is there a way to configure the device to not send the trap? We have all traps enabled except Authentication Failures and Syslog.

Please Advise.

Stephanie

17 Replies

yjdabear
VIP Alumni

Try "no snmp-server enable traps port-security" in global config mode. It doesn't appear to have a per-interface equivalent.

Oh wait, if this is CatOS, try "set snmp trap disable macnotification", I think.

Thank you.

I tried command "set snmp trap disable macnotification" and the traps are still being sent.

Stephanie

Can you post the complete text of the trap, as it's received on the NMS? Better yet, the OID(s) of trap as the NMS sees it raw.

[2] private.enterprises.cisco.workgroup.1.1.34.0 (OctetString): Module 5 block changed by SecurityRx//

cisco-workgroup 6 9 2 args: [1] private.enterprises.cisco.workgroup.1.1.28.0 (Ticks): 100

[2] private.enterprises.cisco.workgroup.1.1.34.0 (OctetString): Module 4 block changed by SecurityRx//

private.enterprises.cisco.workgroup.1.1.34.0 is sysConfigChangeInfo, which is toggled by "set snmp trap {enable | disable} config" according to the following doc:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/7.5/command/reference/set_q_s.html#wp1092892

I do want to caution that disabling this trap may potentially stop the generation of other config change notifications you do want to know about. An alternative is to configure your SNMP trap receiver to "log only" against this OID, so your operators do not get bombarded by it, but would still have access to such info if needed.

That worked and you're right it disables all traps associated with that OID.

My end users aren't seeing those traps. The issue is they're flooding our NMS servers and causing them to crash. This is happening with NetView and NetCool.

My solution is to try and get them turned off since no one looks at them.

Or maybe I can configure an ACL on the SNMP agent on my server and filter them out before they're passed to the process listening on UDP port 162.

Stephanie

Using NetView's distant "relative" OpenView NNM here, getting these same traps from a few hundred devices (and that traffic is doubled up as the traps are also sent as syslogs by the network devices, to the same server). No crash problem, knock on wood. In OpenView, it's possible to throttle excessively "noisy" SNMP senders, through ovtrapd.lrf and/or trapd.conf:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1110803

NetView might have something similar. Of course, this has its own tradeoffs of potentially blocking critical traps along with the "noise" when a device hits the threshold.
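The two ideas raised above, filtering known-noise traps before they reach the process listening on UDP port 162 and throttling an excessively noisy sender, can be combined in a small pre-filter. The following is an added example written for this thread; it is not code from the thread, from Cisco, or from any NMS product. It assumes the received traps have been written out one per line, prefixed with the sender's IP, in the display format quoted earlier in the thread. It keys its rate limit on (sender, trap type) rather than on the sender alone, so a flood of one trap type does not suppress unrelated traps from the same device, and it drops the sysConfigChangeTrap only when sysConfigChangeInfo names the "SecurityRx" actor shown in the thread, so config changes made by someone else still get through. The "Console" actor string, the specific-trap number 3 and all sample lines are constructed for the example.

```python
"""Pre-filter for a trap receiver: drop port-security aging noise, rate-limit
the rest per (sender, trap type). Added example; not from the thread."""
import re
from collections import defaultdict, deque

# Assumed input format (constructed): one trap per line, sender IP first, then
# the header and varbinds as the NMS in the thread displays them:
#   <ip> cisco-workgroup 6 9 2 args: [1] <oid> (Type): <value> [2] <oid> (Type): <value>
HEADER_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<ent>\S+)\s+(?P<generic>\d+)\s+(?P<specific>\d+)\s+"
    r"(?P<nargs>\d+) args:\s*(?P<body>.*)$")
VARBIND_RE = re.compile(
    r"\[\d+\]\s+(\S+)\s+\((\w+)\):\s*(.*?)(?=\s+\[\d+\]\s+\S+\s+\(|$)")

# sysConfigChangeInfo as the thread's NMS names it (numeric 1.3.6.1.4.1.9.5.1.1.34.0)
SYS_CONFIG_CHANGE_INFO = "private.enterprises.cisco.workgroup.1.1.34.0"


def parse_trap(line):
    """Split one displayed trap into header fields plus a {oid: (type, value)} dict."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("unrecognised trap line: %r" % line)
    varbinds = {oid: (typ, val) for oid, typ, val in VARBIND_RE.findall(m["body"])}
    return {"src": m["src"], "enterprise": m["ent"],
            "generic": int(m["generic"]), "specific": int(m["specific"]),
            "varbinds": varbinds}


def is_port_security_noise(trap):
    """True for a sysConfigChangeTrap (cisco-workgroup, generic 6, specific 9)
    whose sysConfigChangeInfo says the NVRAM block was rewritten by SecurityRx,
    the actor string the thread shows for port-security MAC aging. A config
    change by any other actor is NOT treated as noise."""
    if (trap["enterprise"], trap["generic"], trap["specific"]) != ("cisco-workgroup", 6, 9):
        return False
    info = trap["varbinds"].get(SYS_CONFIG_CHANGE_INFO, ("", ""))[1]
    return "block changed by SecurityRx" in info


class TrapThrottle:
    """Sliding-window limit per (sender, enterprise, generic, specific): after
    `limit` copies of the same trap type from one device within `window` seconds,
    further copies are marked log-only. Other trap types from that device pass."""

    def __init__(self, limit=10, window=60.0):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)

    def allow(self, trap, now):
        key = (trap["src"], trap["enterprise"], trap["generic"], trap["specific"])
        q = self.seen[key]
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        return len(q) <= self.limit


def filter_traps(timed_lines, throttle=None):
    """Return (forward, log_only). `timed_lines` is an iterable of
    (epoch_seconds, line); log_only entries carry the reason they were held."""
    throttle = throttle or TrapThrottle()
    forward, log_only = [], []
    for now, line in timed_lines:
        trap = parse_trap(line)
        if is_port_security_noise(trap):
            log_only.append((now, "port-security-aging", trap))
        elif not throttle.allow(trap, now):
            log_only.append((now, "rate-limited", trap))
        else:
            forward.append(trap)
    return forward, log_only


# Constructed sample input mirroring the traps quoted in the thread.
_CFG = ("{src} cisco-workgroup 6 9 2 args: "
        "[1] private.enterprises.cisco.workgroup.1.1.28.0 (Ticks): {t} "
        "[2] private.enterprises.cisco.workgroup.1.1.34.0 (OctetString): "
        "Module {mod} block changed by {who}//")
SAMPLE_TRAPS = [
    (0.0, _CFG.format(src="10.1.5.2", t=100, mod=5, who="SecurityRx")),
    (1.0, _CFG.format(src="10.1.5.2", t=425, mod=4, who="SecurityRx")),
    (2.0, _CFG.format(src="10.1.5.3", t=42, mod=5, who="SecurityRx")),
    # an operator-driven config change; "Console" is an assumed actor string
    (3.0, _CFG.format(src="10.1.5.2", t=500, mod=5, who="Console")),
] + [
    # 12 copies in 12 s of an unrelated enterprise trap (specific 3 is made up)
    (10.0 + i, "10.1.5.9 cisco-workgroup 6 3 1 args: "
               "[1] private.enterprises.cisco.workgroup.1.1.28.0 (Ticks): %d" % (700 + i))
    for i in range(12)
]


def run_sample():
    """Run the filter over the constructed sample with a 10-per-60s limit."""
    return filter_traps(SAMPLE_TRAPS, TrapThrottle(limit=10, window=60.0))


if __name__ == "__main__":
    fwd, held = run_sample()
    print("forwarded:", len(fwd), "held:", [(r, t["src"]) for _, r, t in held])
```

On the sample, the three SecurityRx traps are held as "port-security-aging", the Console-driven config change is forwarded, and of the twelve identical traps from 10.1.5.9 the first ten pass and the last two are held as "rate-limited". Matching on the varbind text rather than turning the trap off with "set snmp trap disable config" is what preserves the other config change notifications the caution above refers to; a per-sender-only throttle would have held the eleventh and twelfth traps regardless of type.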

Our devices are also configured to send severity level 5 syslog messages.

Which syslog facility do the config change notifications belong to?

Maybe we can add "set snmp trap disable config" because we're still getting config change messages via Syslog.

Stephanie

Check if your CatOS also has "set logging level sys [severity-level] default" configured.

With both of the following present:

set logging level sys 6 default

set logging server severity 5

CatOS sends "SYS-6-CFG_CHG:Module # block changed by [somebody]" to its local logging buffer, but does not send it to the external syslog servers.

In addition, if the syslog server is getting plenty of "SNMP-5-SYSCONFIGCHANGENOTIF: sysConfigChangeTrap notification sent for Module # block changed by [somebody]", that's because of "set snmp trap enable syslog", which is really a waste of bandwidth.

We have configured:

set logging server enable

set logging server severity 5

set logging level all 5 default

So it sounds like we're not sending it via Syslog.

Do you know what SNMP messages we'd lose if we add command "set snmp trap disable config"?

The only description I come across is "Indicates which NVRAM block is changed by whom":

http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=sysConfigChangeInfo

Our devices are sending 2 traps per port every minute. Their age timer is set to one minute.

What's the first trap listed below mean? The one starting with "cisco-workgroup".

cisco-workgroup 6 9 2 args: [1] private.enterprises.cisco.workgroup.1.1.28.0 (Ticks): 425

[2] private.enterprises.cisco.workgroup.1.1.34.0 (OctetString): Module 4 block changed by SecurityRx//

This is sysConfigChangeTime, seems part-n-parcel with the 1.1.34 behind it.

http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.5.1.1.28

Do you know which devices send traps 1.3.6.1.4.1.9.5.9 (sysConfigChangeTrap)?
