02-04-2010 08:27 AM
Hello,
We've recently implemented some switch port security along with bpdu guard. I'm in the process of implementing OpenNMS to monitor but have discovered there is not a built-in way to alert for ports disabled (errdisable) due to bpduguard. I would like to be notified of these as close to real-time as possible.
Has anyone any experience with SNMP traps for errdisabled status and OpenNMS?
Thanks,
Rob
02-04-2010 09:28 AM
Does it have to be SNMP traps?
02-04-2010 09:46 AM
I'm not sure, this is my first attempt with NMS and SNMP. What are the alternatives?
Ultimately, I need real-time alerting for ports getting disabled, and preferably a free solution.
02-04-2010 12:17 PM
You could have OpenNMS poll the following MIBs and generate notifications accordingly:
CISCO-ERROR-DISABLE-MIB (reportedly for 2950/3550 non-modular switches only)
cErrDisableIfStatusCause / 1.3.6.1.4.1.9.9.548.1.3.1.1.2
an OID value of 2 corresponds to "bpduGuard"
AND
CISCO-STACK-MIB
portAdditionalOperStatus / 1.3.6.1.4.1.9.5.1.4.1.1.23
an OID value of 10 corresponds to "errdisable"
This is not the most favorable approach, because I consider it only "near real-time" with the usual polling intervals.
OTOH, Cisco OS's generally send BPDU alerts to syslog, about as "real-time" as it gets. So assuming you have the usual syslogging config + infrastructure:
logging trap
logging
Your syslog servers should get the following, for example:
CatOS
SPANTREE-2-RX_PORTFAST:Received BPDU on PortFast enable port. Disabling [mod/port].
SPANTREE-2-RX_BPDUGUARD: Received BPDU on bpdu guard enabled port. Disabling [mod/port].
...
IOS
PM-SP-4-ERR_DISABLE: bpduguard error detected on [mod/port], putting [mod/port] in err-disable state
...
A couple of catches with this method: 1) In order to configure the log watcher software to alert on those "interesting" BPDU text strings, one does need some prior knowledge of the variations of BPDU syslogs coming out of all the Cisco hw+sw in the environment. However, most of us can't access Cisco source code. One way is to peruse the applicable Cisco OS/platform Release Notes. 2) The syslog server + log watcher sw must be able to handle the volume, especially if "debugging" logging ever gets turned on.
Last but not least, if your Cisco gear all supports EEM (Embedded Event Manager), you could write an EEM applet and/or Tcl script to either 1) send SNMP traps keying off the BPDU syslogs above, or 2) poll those MIB OIDs above directly and alert. ESM (Embedded Syslog Manager) is another alternative to alert off syslog messages. Either would require certain IOS code levels. Deploying EEM/Tcl scripts would introduce another layer of complexity to config management; no such concern with EEM applets because they're embedded in the IOS config.
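To show what the syslog approach in the reply above looks like once it reaches the log watcher, here is an added example (my own code, not from the thread, Cisco or OpenNMS). It matches the SPANTREE/PM messages quoted above, pulls out the switch and port, keeps only the errdisable causes you ask for (IOS logs ERR_DISABLE for every cause, not just bpduguard), and suppresses repeats for the same switch/port inside a short window so a port flapping between errdisable and recovery does not alert every few seconds. The regexes, the class and function names, and the sample log lines (hostnames and ports included) are all constructed for the example; the arrival times are passed in as plain seconds so the suppression logic can be exercised offline.

```python
"""Watch Cisco syslog for BPDU-guard errdisable messages.

Added example, not code from the thread, Cisco or OpenNMS. It applies the
syslog method from the reply above: match the quoted SPANTREE/PM messages,
extract switch and port, filter on cause, and suppress repeats per port.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence

# Constructed regexes for the messages quoted in the reply. IOS prefixes the
# mnemonic with '%'; the optional '-SP-' covers the switch-processor variant.
MESSAGE_RES = [
    # IOS: %PM-4-ERR_DISABLE: <cause> error detected on Gi1/0/12, putting ...
    # IOS logs this for every errdisable cause, so the cause is captured.
    re.compile(r"%?PM(?:-SP)?-4-ERR_DISABLE: (?P<cause>[\w-]+) error detected on "
               r"(?P<intf>[\w/-]+(?:\.\d+)?),"),
    # CatOS: SPANTREE-2-RX_BPDUGUARD / RX_PORTFAST ... Disabling 3/12.
    re.compile(r"SPANTREE-2-RX_(?:BPDUGUARD|PORTFAST): .*?Disabling "
               r"(?P<intf>[\w/-]+(?:\.\d+)?)"),
]

# Optional syslog header ahead of the Cisco text: PRI, relay timestamp, host.
HOST_RE = re.compile(
    r"^(?:<\d+>)?"
    r"(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+)?"
    r"(?P<host>[\w.-]+)\s"
)


@dataclass(frozen=True)
class ErrdisableEvent:
    host: str
    interface: str
    cause: str
    raw: str


def parse_line(line: str) -> Optional[ErrdisableEvent]:
    """Return an event if the line is one of the errdisable messages, else None."""
    for rx in MESSAGE_RES:
        m = rx.search(line)
        if not m:
            continue
        # CatOS messages carry no cause field; both quoted ones are BPDU guard.
        cause = (m.groupdict().get("cause") or "bpduguard").lower()
        hm = HOST_RE.match(line)
        host = hm.group("host") if hm else "unknown"
        return ErrdisableEvent(host, m.group("intf"), cause, line.rstrip())
    return None


class Watcher:
    """Stateful filter: wanted causes only, one alert per (host, port) per window."""

    def __init__(self, suppress_seconds: float = 60.0,
                 causes: Sequence[str] = ("bpduguard",)) -> None:
        self.suppress_seconds = suppress_seconds
        self.causes = {c.lower() for c in causes}
        self._last_alert = {}  # (host, interface) -> time of last alert

    def feed(self, line: str, now: float) -> Optional[ErrdisableEvent]:
        """Offer one log line seen at time `now` (seconds); return it if it should alert."""
        ev = parse_line(line)
        if ev is None or ev.cause not in self.causes:
            return None
        key = (ev.host, ev.interface)
        last = self._last_alert.get(key)
        if last is not None and now - last < self.suppress_seconds:
            return None  # repeat inside the suppression window
        self._last_alert[key] = now
        return ev


def scan(lines: Iterable[str], times: Iterable[float],
         suppress_seconds: float = 60.0,
         causes: Sequence[str] = ("bpduguard",)) -> List[ErrdisableEvent]:
    """Run a Watcher over (line, arrival-time) pairs and collect the alerts."""
    w = Watcher(suppress_seconds, causes)
    alerts = []
    for line, t in zip(lines, times):
        ev = w.feed(line, t)
        if ev is not None:
            alerts.append(ev)
    return alerts


# Constructed sample input; hostnames, ports and timestamps are made up.
SAMPLE_LINES = [
    "<189>Feb  4 08:27:01 sw-edge1 77: Feb  4 08:27:00.123: %PM-4-ERR_DISABLE: "
    "bpduguard error detected on Gi1/0/12, putting Gi1/0/12 in err-disable state",
    "<189>Feb  4 08:27:05 sw-edge1 78: Feb  4 08:27:04.990: %PM-4-ERR_DISABLE: "
    "bpduguard error detected on Gi1/0/12, putting Gi1/0/12 in err-disable state",
    "<189>Feb  4 08:27:09 sw-core1 1201: Feb  4 08:27:09.001: %PM-SP-4-ERR_DISABLE: "
    "link-flap error detected on Gi3/7, putting Gi3/7 in err-disable state",
    "<188>Feb  4 08:27:12 cat-4006 SPANTREE-2-RX_BPDUGUARD: "
    "Received BPDU on bpdu guard enabled port. Disabling 3/12.",
    "<189>Feb  4 08:27:20 sw-edge1 79: Feb  4 08:27:19.500: %LINK-3-UPDOWN: "
    "Interface GigabitEthernet1/0/12, changed state to down",
]
SAMPLE_TIMES = [0.0, 4.0, 8.0, 11.0, 19.0]


def run_samples() -> List[ErrdisableEvent]:
    """Scan the constructed lines: two bpduguard alerts, one repeat suppressed."""
    return scan(SAMPLE_LINES, SAMPLE_TIMES)


if __name__ == "__main__":
    for ev in run_samples():
        print(f"ALERT {ev.host} {ev.interface} cause={ev.cause}")
```

The cause filter is the practical check to get right: the same PM-4-ERR_DISABLE message fires for UDLD, link-flap and port-security violations, so a watcher keyed on the mnemonic alone will page on things the bpduguard rollout never touched. Widen `causes` deliberately when you want those too, and size `suppress_seconds` to your errdisable recovery interval so a port that recovers and is immediately disabled again shows up once per cycle rather than once per message.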
02-04-2010 09:53 AM
Hi Rob,
Try the snmp-server enable traps port-security command on the switches to send SNMP traps for port-security-affected ports.
Hope to help
Ganesh.H
02-04-2010 10:00 AM
The only port security trap defined in OpenNMS is SecureMacAddrViolation
This won't send alerts for bpduguard or loopbacks.
02-04-2010 12:52 PM
That's where I'm stuck. I'm not finding it very intuitive to import the MIB to OpenNMS - and even though it's open source, they've recently gone to a paid-support system so the community has somewhat died.
02-04-2010 03:38 PM
It does look like it's not as straightforward loading the MIBs as on some of the commercial NMS (such as HPOV NNM; never thought I'd say that). Have you tried the "mib2opennms" tool at http://www.opennms.org/wiki/Converting_MIBs_Using_mib2opennms?
As mentioned earlier, syslog is my preferred way for monitoring BPDU errdisables.
02-08-2010 07:42 AM
I've managed to import the MIB into OpenNMS, however the outage is not causing a notification.
Being relatively new to SNMP, when I've enabled "snmp-server enable traps snmp linkdown linkup coldstart warmstart" is this going to include these types of notices?
12-14-2010 06:28 AM
I get all of my support from the community. It is still very much alive and well.
12-14-2010 06:27 AM
I know this is an old thread but you can send syslog messages to OpenNMS.