SNMP-TRAPS

philrattenborg
Level 1

I am trying to get my Catalyst 3550 to send snmp-traps for vlan-membership changes. I believe I have the correct syntax in the configuration because I can change traps to config and I get the trap messages but not for vlan-membership changes. I have posted part of the config. Is there something I am missing???

snmp-server engineID local

snmp-server community phil RW

snmp-server enable traps vlan-membership

snmp-server host 192.168.11.100 phil vlan-membership

16 Replies

Joe Clarke
Cisco Employee

What kind of trap are you expecting? The CISCO-VLAN-MEMBERSHIP-MIB only defines one trap, vmVmpsChange which is only sent when the VLAN membership policy server changes. Are you using VMPS on this switch?

I am not using VMPS.... I am trying to get the trap that would let me know whenever a VLAN is changed on a switchport. I've looked at some of the other MIBs to find the right one, and the description on this one sounded like the one I was looking for.

You can enable traps for config; that will be for any configuration on the switch, and it will not give you any detail besides telling you that someone made a config change.

As Joe says, vlan-membership is for VMPS:

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_configuration_example09186a0080094aa1.shtml

You also see it in the MIB description for CISCO-VLAN-MEMBERSHIP-MIB:

http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&mibName=CISCO-VLAN-MEMBERSHIP-MIB

There are 2 other traps for VLANs, which are off topic, but I will mention them here in case someone is interested:

vlancreate Enable SNMP VLAN created traps

vlandelete Enable SNMP VLAN deleted traps

So what is the correct SNMP trap for when a VLAN assignment is changed on a port on the switch? Basically, if a switchport is changed from vlan 330 to vlan 490, I need to get an SNMP trap notification so I can follow up on the change.

I don't see such a trap. Are these VLAN changes happening because of dot1x authorizations? Is there a syslog message related to these changes?

It is happening because of dot1x. We run multiple vendors' equipment across our network, and we put each vendor into their own VLAN. There has to be a way to be notified when a port on a switch is changed from one VLAN to another.

What version of code is this switch running? Do you see any messages in the show logging output related to this? It may be possible to turn such messages into traps if you cannot process them directly as syslog messages.

Current version is 12.1(19)EA1c... I am thinking that they would not have to be traps if the syslog messages are showing the information.

There is no NAC or PAE MIB support in this version of code, so a direct trap will not be possible.

As Lucien said, you could parse the traps from the CISCO-MAC-NOTIFICATION-MIB to see when a MAC is learned on a specific port and VLAN. For example, a cmnMacChangedNotification trap will contain a cmnHistMacChangedMsg varbind in the following format:

...

Where is either 0 (for end of list), 1 (for a MAC being learned), or 2 (for a MAC being removed). The field will contain a 16-bit VLAN number, and the field will contain a 16-bit bridge port, which can be mapped back to a switch port using the dot1dBasePortIfIndex object from the BRIDGE-MIB.

So, when a user switches from the login VLAN to their final VLAN, you should see a notification indicating that the MAC was removed from the login VLAN, and one for the MAC being added to the final VLAN.

These traps can be enabled with the following commands:

mac address-table notification interval 15

snmp-server enable traps mac-notification

Then, under each port:

snmp trap mac-notification added

snmp trap mac-notification removed
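The decoding Joe describes above, as an added example that is not part of the original thread: a small parser for the cmnHistMacChangedMsg varbind that pairs a "removed" record with a later "added" record for the same MAC, which is exactly the login-VLAN-to-final-VLAN move the thread is after. The 11-byte record layout (1-byte operation, 2-byte VLAN, 6-byte MAC, 2-byte dot1dBasePort) is the layout the CISCO-MAC-NOTIFICATION-MIB gives for that object and is assumed here; the sample varbind and the dot1dBasePortIfIndex table are constructed for the example.

```python
import struct
from collections import namedtuple

# Record layout of cmnHistMacChangedMsg (CISCO-MAC-NOTIFICATION-MIB), assumed here:
# 1-byte operation, 2-byte VLAN, 6-byte MAC, 2-byte dot1dBasePort; operation 0 ends the list.
RECORD = struct.Struct("!BH6sH")
OPS = {0: "end", 1: "added", 2: "removed"}

MacEvent = namedtuple("MacEvent", "op vlan mac bridge_port")


def parse_mac_changed_msg(octets: bytes):
    """Decode the varbind octet string into MacEvent records, stopping at the end marker."""
    events = []
    for off in range(0, len(octets) - RECORD.size + 1, RECORD.size):
        op, vlan, mac, port = RECORD.unpack_from(octets, off)
        if op == 0:
            break
        if op not in OPS:
            raise ValueError(f"unknown operation {op} at offset {off}")
        events.append(MacEvent(OPS[op], vlan, ":".join(f"{b:02x}" for b in mac), port))
    return events


def vlan_moves(events, port_to_ifindex):
    """Pair a 'removed' record with a later 'added' record for the same MAC.
    port_to_ifindex maps dot1dBasePort -> ifIndex, as walked from dot1dBasePortIfIndex."""
    removed = {}
    moves = []
    for ev in events:
        if ev.op == "removed":
            removed[ev.mac] = ev
        elif ev.op == "added" and ev.mac in removed:
            old = removed.pop(ev.mac)
            moves.append((ev.mac, old.vlan, ev.vlan, port_to_ifindex.get(ev.bridge_port)))
    return moves


# Constructed sample: one MAC removed from login VLAN 330, then added to final VLAN 490
# on bridge port 3, followed by the end-of-list record.
SAMPLE = (RECORD.pack(2, 330, bytes.fromhex("001122334455"), 3)
          + RECORD.pack(1, 490, bytes.fromhex("001122334455"), 3)
          + RECORD.pack(0, 0, b"\x00" * 6, 0))
# Constructed dot1dBasePortIfIndex table: bridge port 3 -> ifIndex 10003.
PORT_TO_IFINDEX = {3: 10003}

if __name__ == "__main__":
    for mac, old, new, ifidx in vlan_moves(parse_mac_changed_msg(SAMPLE), PORT_TO_IFINDEX):
        print(f"{mac} moved from VLAN {old} to VLAN {new} (ifIndex {ifidx})")
```

A trap receiver would feed the raw octet string of the cmnHistMacChangedMsg varbind into parse_mac_changed_msg and alert only on the pairs returned by vlan_moves, which filters out the plain "new PC plugged in" events the thread complains about.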

Not what I am looking to do. Is there a version that does support what I am looking for? I've been down the mac-notification road, and it is just too much of a pain to work with for something this simple.

The latest version of code (12.2(52)SE) does have dot1x SNMP support, but I'm not seeing any traps which would give you what you want. However, it does offer Embedded Event Manager support, which could provide you with custom traps provided there is an event (like a syslog message) on which an EEM policy could trigger. I don't have any NAC setup, so I'm not sure what messages (if any) you're seeing.

Clean Access software actually has an internal database for the client MAC addresses and the VLANs that need to be switched. It's an added value the NAC software gives you, as there is a limitation on the SNMP trap side.

Instead of traps, why don't you poll the VLAN number the switchport is assigned to, let's say every 5 minutes, from an NMS server, and then when the value is different have a script that sends you an email?

With over 300 switches nationwide that would not be practical. I was hoping that there was either an SNMP trap or a syslog message to inform me that an administrator had made a change, but it doesn't look like that is the case. And even though a mac-notification is available, I don't want a trap message every time a new PC gets plugged into the switch, in this case anyway.

You can receive a trap for any configuration change made on a switch with the config trap. If most of the changes done are only for VLAN changes, that may be of help?
