BPDU Guard SNMP Traps and OpenNMS

Unanswered Question
Feb 4th, 2010

Hello,


We've recently implemented some switch port security along with bpdu guard.  I'm in the process of implementing OpenNMS to monitor but have discovered there is not a built-in way to alert for ports disabled (errdisable) due to bpduguard.  I would like to be notified of these as close to real-time as possible.


Has anyone any experience with SNMP traps for errdisabled status and OpenNMS?


Thanks,


Rob

yjdabear Thu, 02/04/2010 - 09:28
User Badges:
  • Gold, 750 points or more

Does it have to be SNMP traps?

rcoote5902_2 Thu, 02/04/2010 - 09:46

I'm not sure, this is my first attempt with NMS and SNMP.  What are the alternatives?


Ultimately, I need real-time alerting for ports getting disabled, and preferably a free solution.

yjdabear Thu, 02/04/2010 - 12:17
User Badges:
  • Gold, 750 points or more

You could have OpenNMS poll the following MIBs and generate notifications accordingly:


CISCO-ERROR-DISABLE-MIB (reportedly for 2950/3550 non-modular switches only)

cErrDisableIfStatusCause / 1.3.6.1.4.1.9.9.548.1.3.1.1.2

an OID value of 2 corresponds to "bpduGuard"


AND


CISCO-STACK-MIB

portAdditionalOperStatus / 1.3.6.1.4.1.9.5.1.4.1.1.23

an OID value of 10 corresponds to "errdisable"


This is not the most favorable approach, because I consider it only "near real-time" with the usual polling intervals.



OTOH, Cisco OS's generally send BPDU alerts to syslog, about as "real-time" as it gets. So assuming you have the usual syslogging config + infrastructure:


logging trap
logging


Your syslog servers should get the following, for example:


CatOS

SPANTREE-2-RX_PORTFAST:Received BPDU on PortFast enable port. Disabling [mod/port].
SPANTREE-2-RX_BPDUGUARD: Received BPDU on bpdu guard enabled port. Disabling [mod/port].
...
IOS

PM-SP-4-ERR_DISABLE: bpduguard error detected on [mod/port], putting [mod/port] in err-disable state
...


A couple of catches with this method: 1) In order to configure the log watcher software to alert on those "interesting" BPDU text strings, one does need some prior knowledge of the variations of BPDU syslogs coming out of all the Cisco hw+sw in the environment. However, most of us can't access Cisco source code. One way is to peruse the applicable Cisco OS/platform Release Notes. 2) The syslog server + log watcher sw must be able to handle the volume, especially if "debugging" logging ever gets turned on.



Last but not least, if your Cisco gear all supports EEM (Embedded Event Manager), you could write an EEM applet and/or Tcl script to either 1) send SNMP traps keying off the BPDU syslogs above, or 2) poll those MIB OIDs above directly and alert. ESM (Embedded Syslog Manager) is another alternative to alert off syslog messages. Either would require certain IOS code levels. Deploying EEM/Tcl scripts would introduce another layer of complexity to config management; no such concern with EEM applets because they're embedded in IOS config.
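As an added example (my own code, not from the thread, OpenNMS or Cisco), here is the detection logic a log watcher or poller would need for the two approaches above: matching the CatOS/IOS syslog texts quoted in the reply, and picking out the cited values (2 = bpduGuard, 10 = errdisable) from a walk of the two OIDs. The syslog lines and OID instance suffixes are constructed samples; how the instance suffix maps to a port is left to the reader's MIB tables.

```python
import re

# Syslog mnemonics and message texts quoted in the thread; the interface token stands in for [mod/port].
BPDU_SYSLOG = [
    ("SPANTREE-2-RX_BPDUGUARD", re.compile(r"Received BPDU on bpdu guard enabled port\. Disabling (?P<port>[\w/]+)")),
    ("SPANTREE-2-RX_PORTFAST", re.compile(r"Received BPDU on PortFast enable port\. Disabling (?P<port>[\w/]+)")),
    ("PM-SP-4-ERR_DISABLE", re.compile(r"bpduguard error detected on (?P<port>[\w/]+), putting")),
]

def bpdu_guard_events(syslog_lines):
    """Return (mnemonic, port) for each line recording a BPDU guard errdisable; other lines are ignored."""
    events = []
    for line in syslog_lines:
        for mnemonic, pattern in BPDU_SYSLOG:
            m = pattern.search(line)
            if mnemonic in line and m:
                events.append((mnemonic, m.group("port")))
                break
    return events

# Base OIDs and the enumerated values cited in the thread.
CERR_DISABLE_CAUSE = "1.3.6.1.4.1.9.9.548.1.3.1.1.2"   # cErrDisableIfStatusCause, 2 = bpduGuard
PORT_ADD_OPER_STATUS = "1.3.6.1.4.1.9.5.1.4.1.1.23"   # portAdditionalOperStatus, 10 = errdisable

def bpdu_guard_from_walk(varbinds):
    """varbinds: (oid, integer) pairs from a walk of either table. Returns {instance_suffix: reason}."""
    hits = {}
    for oid, value in varbinds:
        if oid.startswith(CERR_DISABLE_CAUSE + ".") and value == 2:
            hits[oid[len(CERR_DISABLE_CAUSE) + 1:]] = "bpduGuard"
        elif oid.startswith(PORT_ADD_OPER_STATUS + ".") and value == 10:
            hits[oid[len(PORT_ADD_OPER_STATUS) + 1:]] = "errdisable"
    return hits

# Constructed sample input (not captured from a real device); the instance suffixes are made up.
SAMPLE_SYSLOG = [
    "Feb  4 09:30:01 sw1 12345: %SPANTREE-2-RX_BPDUGUARD: Received BPDU on bpdu guard enabled port. Disabling 3/12.",
    "Feb  4 09:30:02 sw2 99: %PM-SP-4-ERR_DISABLE: bpduguard error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state",
    "Feb  4 09:30:03 sw2 100: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down",
]
SAMPLE_WALK = [
    (CERR_DISABLE_CAUSE + ".10107.0", 2),   # bpduGuard
    (PORT_ADD_OPER_STATUS + ".3.12", 10),   # errdisable
    (PORT_ADD_OPER_STATUS + ".3.13", 1),    # some other status, not reported
]

if __name__ == "__main__":
    for mnemonic, port in bpdu_guard_events(SAMPLE_SYSLOG):
        print(f"syslog: {mnemonic} on {port}")
    for suffix, reason in bpdu_guard_from_walk(SAMPLE_WALK).items():
        print(f"snmp: instance {suffix} is {reason}")
```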

Ganesh Hariharan Thu, 02/04/2010 - 09:53
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award, Member's Choice, February 2016


Hi Rob,


Try the snmp-server enable traps port-security command in the switches to send an SNMP trap for port-security-affected ports.


Hope to help


Ganesh.H

rcoote5902_2 Thu, 02/04/2010 - 10:00

The only port security trap defined in OpenNMS is SecureMacAddrViolation


This won't send alerts for bpduguard or loopbacks.

rcoote5902_2 Thu, 02/04/2010 - 12:52

That's where I'm stuck.  I'm not finding it very intuitive to import the MIB to OpenNMS - and even though it's open source, they've recently gone to a paid-support system so the community has somewhat died.

yjdabear Thu, 02/04/2010 - 15:38
User Badges:
  • Gold, 750 points or more

It does look like it's not as straightforward loading the MIBs as in some of the commercial NMS (such as HPOV NNM; never thought I'd say that). Have you tried the "mib2opennms" tool at http://www.opennms.org/wiki/Converting_MIBs_Using_mib2opennms?


As mentioned earlier, syslog is my preferred way for monitoring BPDU errdisables.

rcoote5902_2 Mon, 02/08/2010 - 07:42

I've managed to import the MIB into OpenNMS, however the outage is not causing a notification.


Being relatively new to SNMP, when I've enabled "snmp-server enable traps snmp linkdown linkup coldstart warmstart" is this going to include these types of notices?

robert_rhoads Tue, 12/14/2010 - 06:28

I get all of my support from the community.  It is still very much alive and well.

robert_rhoads Tue, 12/14/2010 - 06:27

I know this is an old thread but you can send syslog messages to OpenNMS.
