Cisco Support Community

New Member

IPS-4260 Traps

We would like to be able to generate a trap or somehow determine if/when our IPS-4260 sensor goes into bypass mode. In addition, we'd like to be able to monitor the CPU, memory, and interface status. It would appear the 4260 has limited monitoring capabilities.

Based on the IPS release notes, I have loaded the Cisco-CIDS-MIB, Cisco-PROCESS-MIB, Cisco-ENHANCED-MEMPOOL-MIB, and Cisco-ENTITY-ALARM-MIB into WhatsUp Gold v14.3. However, uncertain what to check for. I can see traps showing up; however, they are not descriptive enough to tell what is what.

How do we trap/monitor for bypass mode? Anyone else have traps/monitoring operational on their 4260?

Thanks.

4 REPLIES
Cisco Employee

Re: IPS-4260 Traps

Gary;

  As you have noted, SNMP management of the IPS appliances is quite limited.  There is an enhancement request currently filed to increase SNMP monitoring visibility; the enhancement ID is CSCsu08529.

Scott

New Member

Re: IPS-4260 Traps

Thanks. I'm looking into this. Although there is a reference to version 7.1; unknown if that version has the additional SNMP/Trap functionality. I'll continue to explore.

Gold

Re: IPS-4260 Traps

If you used an external device to perform your bypass function, such as STP in a switch, you could have the switch issue a trap when STP reconfigured.

For CPU and Memory, you're stuck polling SNMP for them and watching for the threshold to be exceeded externally.

- Bob

New Member

Re: IPS-4260 Traps

After some research, finally was able to get the sensor traps to work properly.

I had to ensure the sensor was actually sending traps.

Once configured using:

service notification

error-filter warning|error|fatal
enable-detail-traps true
enable-notifications true
trap-destinations
trap-community-name
trap-port 162

I confirmed traps were being sent off the sensor using a tcpdump:

# tcpdump -ni ma0_0 udp and port 162

I also confirmed traps were being obtained on the monitor application - in my case WhatsUp Gold (system trap logs)

The strings you want to search for in your monitor application are:

%PassiveMonitor.Payload.Protocol Version=SNMPv2 %PassiveMonitor.Payload.1.3.6.1.4.1.9.9.383.1.3.3=Inline data bypass has started.

(this one means the IPS sensor is presently in bypass mode and NOT checking traffic)

%PassiveMonitor.Payload.Protocol Version=SNMPv2 %PassiveMonitor.Payload.1.3.6.1.4.1.9.9.383.1.3.3=Inline data bypass has stopped.

(this means the IPS sensor is no longer in bypass mode)

In order to make it work, I had to ignore the major and minor event numbers and match on the respective strings only (Inline data bypass ...)

Another message that might be of interest, generated just prior to stopping the inspection, is:

%PassiveMonitor.Payload.Protocol Version=SNMPv2 %PassiveMonitor.Payload.1.3.6.1.4.1.9.9.383.1.3.3=Bypass Mode has been enabled, stopping packet inspection.

IPS version 7.1 is supposed to be released towards end of the year with additional trap/snmp support (according to Cisco). The above is working on version 6.2.

As mentioned in release notes, the following MIBs are the only ones supported:

- CISCO-CIDS-MIB
- CISCO-PROCESS-MIB
- CISCO-ENHANCED-MEMPOOL-MIB
- CISCO-ENTITY-ALARM-MIB

I'm hoping this information might assist someone else.
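
Added example (not part of the original post, and not Cisco or WhatsUp Gold code): a small Python tracker that replays trap payloads in the format quoted above and derives each sensor's bypass state by matching on the message text only, as the post advises. The sensor addresses, state names and sample lines are constructed for illustration.

```python
import re

# OID quoted in the post; the trap text arrives as its value.
MSG_OID = "1.3.6.1.4.1.9.9.383.1.3.3"
PAYLOAD_RE = re.compile(
    r"%PassiveMonitor\.Payload\." + re.escape(MSG_OID) + r"=(?P<msg>.*)$")

# Match on the message strings only; major/minor event numbers are ignored.
# State names are hypothetical labels chosen for this example.
PATTERNS = [
    ("Bypass Mode has been enabled, stopping packet inspection", "BYPASS_PENDING"),
    ("Inline data bypass has started", "BYPASS"),
    ("Inline data bypass has stopped", "INSPECTING"),
]

def classify(line):
    """Return the state a trap log line implies, or None if unrelated."""
    m = PAYLOAD_RE.search(line)
    if not m:
        return None
    for text, state in PATTERNS:
        if text in m.group("msg"):
            return state
    return None

def track(events):
    """Replay (sensor, line) pairs in order; return (final states, alerts)."""
    states, alerts = {}, []
    for sensor, line in events:
        new = classify(line)
        if new is None:
            continue
        old = states.get(sensor)
        states[sensor] = new
        if new == "BYPASS" and old != "BYPASS":
            alerts.append((sensor, "BYPASS"))      # traffic is not inspected
        elif new == "INSPECTING" and old in ("BYPASS", "BYPASS_PENDING"):
            alerts.append((sensor, "RECOVERED"))   # inspection resumed
    return states, alerts

# Constructed sample input: (sensor address, trap payload as logged).
P = "%PassiveMonitor.Payload.Protocol Version=SNMPv2 %PassiveMonitor.Payload." + MSG_OID + "="
SAMPLE = [
    ("192.0.2.10", P + "Bypass Mode has been enabled, stopping packet inspection."),
    ("192.0.2.10", P + "Inline data bypass has started."),
    ("192.0.2.11", P + "Some unrelated sensor message."),
    ("192.0.2.10", P + "Inline data bypass has stopped."),
    ("192.0.2.11", P + "Inline data bypass has started."),
]

if __name__ == "__main__":
    print(track(SAMPLE))
```

A sensor whose last state is BYPASS with no later RECOVERED alert is the condition to page on, since traffic is passing uninspected for that whole interval.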
