SNMP-TRAPS

Unanswered Question
Oct 2nd, 2009

I am trying to get my Catalyst 3550 to send snmp-traps for vlan-membership changes. I believe I have the correct syntax in the configuration because I can change traps to config and I get the trap messages but not for vlan-membership changes. I have posted part of the config. Is there something I am missing???

snmp-server engineID local

snmp-server community phil RW

snmp-server enable traps vlan-membership

snmp-server host 192.168.11.100 phil vlan-membership

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Joe Clarke Fri, 10/02/2009 - 08:59

What kind of trap are you expecting? The CISCO-VLAN-MEMBERSHIP-MIB only defines one trap, vmVmpsChange which is only sent when the VLAN membership policy server changes. Are you using VMPS on this switch?

philrattenborg Fri, 10/02/2009 - 10:02

I am not using VMPS.... I am trying to get the trap that would let me know whenever a vlan is changed on a switchport. I've looked at some of the other MIB's to find the right one and the description on this one sounded like the one I was looking for

Lucien Avramov Fri, 10/02/2009 - 10:22

You can enable traps for config, that will be for any configuration on the switch, and it will not give you the detail besides telling you that someone made a config change.

As Joe says, its vlan-membership is for vmps:

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_configuration_example09186a0080094aa1.shtml

You also see it in the mib decription for CISCO-VLAN-MEMBERSHIP-MIB

http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&mibName=CISCO-VLAN-MEMBERSHIP-MIB

There are 2 other traps for vlan, which are out of the topic, but I will mention it here in case someone is interested:

vlancreate Enable SNMP VLAN created traps

vlandelete Enable SNMP VLAN deleted traps

philrattenborg Fri, 10/02/2009 - 10:37

So what is the correct snmp trap for when a vlan assignment is changed on a port on the switch. Basically if a switchport is changed from vlan 330 to vlan 490, I need to get an snmp trap notification so I can follow up with the change

Joe Clarke Fri, 10/02/2009 - 11:03

I don't see such a trap. Are these VLAN changes happening because of dot1x authorizations? Is there a syslog message related to these changes?

philrattenborg Fri, 10/02/2009 - 11:12

It is happening because of dot1x. we run multiple vendors equipment across our network and we vlan each vendor into their own vlan. There has to be a way to be notified when a port on a switch is changed from one vlan to another

Joe Clarke Fri, 10/02/2009 - 11:14

What version of code is this switch running? Do you see any messages in the show logging output related to this? It may be possible to turn such messages into traps if you cannot process them directly as syslog messages.

philrattenborg Fri, 10/02/2009 - 11:17

Current version is 12.1(19)EA1c... I am thinking that they would not have to be traps if the syslog messages are showing the information.

Joe Clarke Fri, 10/02/2009 - 11:32

There is no NAC or PAE MIB support in this version of code, so a direct trap will not be possible.

As Lucien said, you could parse the traps from the CISCO-MAC-NOTIFICATION-MIB to see when a MAC is learned on a specific port and VLAN. For example, a cmnMacChangedNotification trap will contain a cmnHistMacChangedMsg varbind in the following format:

...

Where is either 0 (for end of list), 1 (for a MAC being learned, or 2 (for a MAC being removed). The field will contain a 16-bit VLAN number, and the field will contain a 16-bit bridge port which can be mapped back to a switch port using the dot1dBasePortIfIndex object from the BRIDGE-MIB.

So, when a user switches from the login VLAN to their final VLAN, you should see a notification indicating that the MAC was removed from the login VLAN, and one for the MAC being added to the final VLAN.

These traps can be enabled with the following commands:

mac address-table notification interval 15

snmp-server enable traps mac-notification

Then, under each port:

snmp trap mac-notification added

snmp trap mac-notification removed

philrattenborg Fri, 10/02/2009 - 11:45

Not what I am looking to do. Is there a version that does support what I am looking for. I've been down the mac-notification road and just to much a pain to work with for something this simple.

Joe Clarke Fri, 10/02/2009 - 12:00

The lastest version of code (12.2(52)SE) does have dot1x SNMP support, but I'm not seeing any traps which would give you what you want. However, it does offer Embedded Event Manager support which could provide you with custom traps provided there is an event (like a syslog message) on which an EEM policy could trigger. I don't have any NAC setup, so I'm not sure what messages (if any) you're seeing.

Lucien Avramov Fri, 10/02/2009 - 12:44

Clean access software actually has an internal database for the client mac addresses and the vlans that need to be switched. It's an added value NAC software gives you as there is a limitation on the snmp trap side.

Instead of traps, why dont you poll the vlan number the switchport is assigned on lets say every 5 minutes from an NMS server and then when the value is different have a script that sends you an email?

philrattenborg Fri, 10/02/2009 - 12:50

with over 300 switches nationwide that would not be practical. I was hoping that there was either an snmp trap to inform me that an administrator had made a change or a syslog message. But it doesn't look with that is the case. And even though a mac-notification is available, I don't want a trap message everytime a new pc gets plugged into the switch, in this case anyway.

Lucien Avramov Fri, 10/02/2009 - 13:01

you can receive a trap for any configuration change made on a switch with the config trap. If most of the changes done are only for vlan change that may be of help?

Joe Clarke Fri, 10/02/2009 - 15:06

If you move to 12.2(52)SE, you will get EEM 3.2 which offers a lot of capabilities to create custom SNMP traps and syslog messages. For example, here is a simple applet which will send out a trap when a new MAC is learned on the non-default VLAN:

event manager environment default_vlan 1

event manager applet port-vlan-notif

event event mat interface regexp .*Ethernet.* type add

action 001 cli command "show interface $_mat_intf_name switchport | include Access Mode VLAN"

action 002 regexp ": ([0-9]+) " "$_cli_result" ignore vlan_num

action 003 if $vlan_num ne $default_vlan

action 004 snmp-trap strdata "Interface $_mat_intf_name has VLAN $vlan_num"

action 005 end

You could trigger an EEM policy on other events as well. For example, you could also trigger an event on a config change, and send a trap if a port's VLAN is changed by an interactive user. This type of policy would be a little more complicated, but there is an example which could be adapted at http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=1103 .

Lucien Avramov Fri, 10/02/2009 - 11:16

The way we track this is with linkup linkdown trap and mac-address notifications trap. Are you using NAC / Clean-access? That is what NAC is tracking.

Actions

This Discussion