Protecting a C3750 from SNMP polling

Unanswered Question
Mar 24th, 2010

Hello,


We have a WS-C3750G-48TS switch. This switch has only 3 OSPF neighbors, of which 2 neighbors are subsecond, with "ip ospf dead-interval minimal hello-multiplier 4":


#sh ip ospf neigh


Neighbor ID     Pri   State           Dead Time   Address         Interface
10.96.24.4        1   FULL/DR         984 msec    10.102.68.37    Port-channel33
10.96.24.3        1   FULL/DR         757 msec    10.102.68.17    Port-channel31
10.102.68.1       1   FULL/BDR        00:00:31    10.102.68.252   Vlan300



EVERY time this switch is polled by a "discovery" from HPOV, it drops the OSPF sessions (every hour by default)!

The HPOV polling station is doing a discovery, so I guess it is polling the routing table, ARP table and MAC table.


Is the CPU so weak that it can't even stand this? How do I prevent this from happening? CoPP is not supported on C3750, and I don't want to loosen our OSPF timers...



017253: Mar 23 00:37:44.563 CET: %OSPF-5-ADJCHG: Process 1000, Nbr 10.96.24.4 on Port-channel33 from LOADING to FULL, Loading Done
017254: Mar 23 01:38:00.300 CET: %OSPF-5-ADJCHG: Process 1000, Nbr 10.96.24.4 on Port-channel33 from LOADING to FULL, Loading Done
017255: Mar 23 01:38:00.300 CET: %OSPF-5-ADJCHG: Process 1000, Nbr 10.96.24.3 on Port-channel31 from LOADING to FULL, Loading Done
017256: Mar 23 01:38:14.653 CET: %OSPF-5-ADJCHG: Process 1000, Nbr 10.96.24.3 on Port-channel31 from LOADING to FULL, Loading Done
017257: Mar 23 01:38:14.653 CET: %OSPF-5-ADJCHG: Process 1000, Nbr 10.96.24.4 on Port-channel33 from LOADING to FULL, Loading Done
017258: Mar 23 01:38:15.911 CET: %OSPF-5-ADJCHG: Process 1000, Nbr 10.96.24.3 on Port-channel31 from LOADING to FULL, Loading Done
017259: Mar 23 01:38:15.911 CET: %OSPF-5-ADJCHG: Process 1000, Nbr 10.96.24.4 on Port-channel33 from LOADING to FULL, Loading Done
017260: Mar 23 02:38:48.366 CET: %OSPF-5-ADJCHG: Process 1000, Nbr 10.96.24.4 on Port-channel33 from LOADING to FULL, Loading Done
017261: Mar 23 02:38:48.366 CET: %OSPF-5-ADJCHG: Process 1000, Nbr 10.96.24.3 on Port-channel31 from LOADING to FULL, Loading Done
017262: Mar 23 03:39:20.528 CET: %OSPF-5-ADJCHG: Process 1000, Nbr 10.96.24.4 on Port-channel33 from LOADING to FULL, Loading Done
017263: Mar 23 03:39:20.562 CET: %OSPF-5-ADJCHG: Process 1000, Nbr 10.96.24.3 on Port-channel31 from LOADING to FULL, Loading Done
017264: Mar 23 04:39:52.950 CET: %OSPF-5-ADJCHG: Process 1000, Nbr 10.96.24.3 on Port-channel31 from LOADING to FULL, Loading Done
017265: Mar 23 04:39:52.959 CET: %OSPF-5-ADJCHG: Process 1000, Nbr 10.96.24.4 on Port-channel33 from LOADING to FULL, Loading Done
017266: Mar 23 05:40:27.620 CET: %OSPF-5-ADJCHG: Process 1000, Nbr 10.96.24.4 on Port-channel33 from LOADING to FULL, Loading Done
017267: Mar 23 06:41:01.928 CET: %OSPF-5-ADJCHG: Process 1000, Nbr 10.96.24.3 on Port-channel31 from LOADING to FULL, Loading Done
017268: Mar 23 06:41:01.928 CET: %OSPF-5-ADJCHG: Process 1000, Nbr 10.96.24.4 on Port-channel33 from LOADING to FULL, Loading Done
017269: Mar 23 07:41:32.461 CET: %OSPF-5-ADJCHG: Process 1000, Nbr 10.96.24.4 on Port-channel33 from LOADING to FULL, Loading Done
017270: Mar 23 07:41:32.461 CET: %OSPF-5-ADJCHG: Process 1000, Nbr 10.96.24.3 on Port-channel31 from LOADING to FULL, Loading Done
017271: Mar 23 07:41:33.795 CET: %OSPF-5-ADJCHG: Process 1000, Nbr 10.96.24.3 on Port-channel31 from LOADING to FULL, Loading Done
017272: Mar 23 07:41:33.804 CET: %OSPF-5-ADJCHG: Process 1000, Nbr 10.96.24.4 on Port-channel33 from LOADING to FULL, Loading Done
017273: Mar 23 08:41:50.245 CET: %OSPF-5-ADJCHG: Process 1000, Nbr 10.96.24.4 on Port-channel33 from LOADING to FULL, Loading Done


BTW the routing table is very small because the switch is in a stubby domain. It only has local routes and a default route:


#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route


Gateway of last resort is 10.102.68.37 to network 0.0.0.0


     10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
C       10.102.68.32/29 is directly connected, Port-channel33
O       10.102.68.8/29 [110/21] via 10.102.68.252, 02:53:19, Vlan300
                       [110/21] via 10.102.68.17, 02:53:19, Port-channel31
O       10.102.68.1/32 [110/2] via 10.102.68.252, 02:53:19, Vlan300
C       10.102.68.2/32 is directly connected, Loopback0
O       10.102.68.24/29 [110/21] via 10.102.68.252, 02:53:19, Vlan300
                        [110/21] via 10.102.68.37, 02:53:19, Port-channel33
C       10.102.68.16/29 is directly connected, Port-channel31
C       10.102.68.128/25 is directly connected, Vlan300
O*IA 0.0.0.0/0 [110/21] via 10.102.68.37, 02:53:19, Port-channel33
               [110/21] via 10.102.68.17, 02:53:19, Port-channel31


MAC table has only 64 entries.

#sh mac-address-table

<suppressed>

Total Mac Addresses for this criterion: 64


ARP table has 29 entries.


regards,

Geert

Giuseppe Larosa Wed, 03/24/2010 - 12:18

Hello Geert,

In a similar case I tried to implement an SNMP view to limit what type of SNMP GET OIDs are considered by the device.


In my case I saw a logic like an IP ACL: a statement was used to deny a specific OID tree and then a second statement permitted all other OIDs, otherwise the device would not answer any SNMP GET.


See

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cfg_snmp_sup_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1026473


So I had a first line with the exclude directive and a second line with the include directive.


My device was a C3640 router.


Hope to help

Giuseppe
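
The SNMP view approach described in the reply above, written out as an IOS configuration (an added example, not from either poster). The view name, ACL number, NMS address and `<community>` are placeholders, and the choice of excluded subtrees assumes the discovery walks the routing, ARP and MAC tables as the question guesses.

```cisco
! Added example. Constructed values: view NO-BIG-TABLES, ACL 10,
! NMS address 192.0.2.10. <community> stands for the real string.
!
! Before: the community can read the whole MIB tree from any source.
!   snmp-server community <community> RO
!
! After: exclude the table subtrees first, then include everything else,
! so the switch still answers all other GETs.
!   1.3.6.1.2.1.4.21    ipRouteTable      (routing table)
!   1.3.6.1.2.1.4.22    ipNetToMediaTable (ARP table)
!   1.3.6.1.2.1.4.24    ipForward         (CIDR routing table)
!   1.3.6.1.2.1.3       at                (legacy ARP table)
!   1.3.6.1.2.1.17.4.3  dot1dTpFdbTable   (MAC address table)
snmp-server view NO-BIG-TABLES 1.3.6.1.2.1.4.21 excluded
snmp-server view NO-BIG-TABLES 1.3.6.1.2.1.4.22 excluded
snmp-server view NO-BIG-TABLES 1.3.6.1.2.1.4.24 excluded
snmp-server view NO-BIG-TABLES 1.3.6.1.2.1.3 excluded
snmp-server view NO-BIG-TABLES 1.3.6.1.2.1.17.4.3 excluded
snmp-server view NO-BIG-TABLES iso included
!
! Only the management station may use the community at all.
access-list 10 permit host 192.0.2.10
!
! Replace the unrestricted community with one bound to the view and ACL.
no snmp-server community <community> RO
snmp-server community <community> view NO-BIG-TABLES RO 10
!
! Check the result from exec mode:
!   show snmp view
!   show snmp community
```

After applying it, a walk of an excluded subtree from the NMS should return no objects while other OIDs such as sysDescr still answer; the hourly %OSPF-5-ADJCHG entries are the signal to watch for whether the discovery still disturbs the adjacencies.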
