01-17-2012 10:51 AM - edited 03-10-2019 05:35 AM
Hi,
I am trying to monitor if the IPS is in bypass mode or not through SNMP.
Does anyone know which OID I should be looking at?
Thanks
01-19-2012 12:42 PM
.1.3.6.1.4.1.9.9.138.1.1.2.1.3.0.0 = STRING: "Indicates that the specified network interface has lost link."
.1.3.6.1.4.1.9.9.138.1.1.2.1.3.0.1 = STRING: "Indicates that the specified network interface has established link."
.1.3.6.1.4.1.9.9.138.1.1.2.1.3.0.2 = STRING: "Indicates that packet traffic has started on the specified network interface."
.1.3.6.1.4.1.9.9.138.1.1.2.1.3.0.3 = STRING: "Indicates that packet traffic has stopped on the specified network interface."
.1.3.6.1.4.1.9.9.138.1.1.2.1.3.0.4 = STRING: "Indicates that the percentage of missed packets on the specified interface has exceeded the configured threshold."
.1.3.6.1.4.1.9.9.138.1.1.2.1.3.0.5 = STRING: "Indicates that the inline data bypass has started."
.1.3.6.1.4.1.9.9.138.1.1.2.1.3.0.6 = STRING: "Indicates that the inline data bypass has stopped."
There seem to be some MIBs related to this, but I'm guessing these are SNMP traps that can be sent. I haven't tested this, but it might be worth a shot to set up SNMP traps and manually start bypass to see if you get them.
01-23-2012 10:10 AM
Thanks Brandon
I cannot seem to be able to relate these OIDs to anything.
Where did you get them from?
Daniel
01-24-2012 02:35 PM
I did an SNMPWALK of the IDS.
snmpwalk -c communitystringhere -v2c ip.address.goes.here .1.3.6.1.4.1.9.9.138.1.1.2.1.3.0
I plan on testing some SNMP trap options in the near future. I'll let you know what I find out, but it might be a couple of weeks.
01-30-2012 04:11 AM
Thank you Brandon
02-01-2012 08:26 AM
In the recent releases like 7.1-3 we can do an SNMP GET for ByPass State.
By name:
qats-229:75> ./getone -v2c 10.89.148.204 public cidsHealthSecMonByPassMode.0
cidsHealthSecMonByPassMode.0 = on(1)
By OID:
qats-229:76> ./getone -v2c 10.89.148.204 public 1.3.6.1.4.1.9.9.383.1.4.27.0
cidsHealthSecMonByPassMode.0 = on(1)
In prior versions we can monitor through SNMP traps. Traps should look something like this:
Received SNMPv2c Trap:
Community: "public"
From: 10.89.149.204
mib_2.1.3.0 = 38429472
snmpModules.1.1.4.1.0 = ciscoMgmt.138.2.0.1
ciscoMgmt.138.1.3.3.1.3 = 3 <==== This tells the index is 3 which means GigabitEthernet0/0 (from above)
ciscoMgmt.138.1.3.3.1.4 = 5 <==== Traffic bypass started ( 6 for stopped)
ciscoMgmt.138.1.3.3.1.5 = 4
ciscoMgmt.138.1.3.3.1.6 = 38429472
Hope this helps
Madhu
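Added example, not part of the thread and not Cisco's code: a small Python tracker that reads traps in the printed layout shown in the post above and keeps the last bypass state per sensor and interface index, using the event codes 0 to 6 listed earlier in the thread. The function names and the sample traps are constructed for illustration, and the text a real trap receiver prints may be laid out differently.

```python
import re

# Event codes as listed in the thread; 5 and 6 are the bypass events.
EVENTS = {
    0: "link lost", 1: "link established",
    2: "traffic started", 3: "traffic stopped",
    4: "missed-packet threshold exceeded",
    5: "inline bypass started", 6: "inline bypass stopped",
}
IFINDEX_VB = "ciscoMgmt.138.1.3.3.1.3"  # interface index varbind in the trap
EVENT_VB = "ciscoMgmt.138.1.3.3.1.4"    # event code varbind in the trap
VARBIND = re.compile(r"^\s*(\S+)\s*=\s*(\S+)")
SOURCE = re.compile(r"^\s*From:\s*(\S+)", re.M)

def parse_trap(text):
    """Parse one printed trap; return None if it is not an interface event."""
    matches = (VARBIND.match(line) for line in text.splitlines())
    binds = dict(m.groups() for m in matches if m)
    try:
        ifindex, code = int(binds[IFINDEX_VB]), int(binds[EVENT_VB])
    except (KeyError, ValueError):
        return None
    src = SOURCE.search(text)
    return {"source": src.group(1) if src else "unknown", "ifindex": ifindex,
            "code": code, "event": EVENTS.get(code, "unknown event %d" % code)}

def bypass_state(traps):
    """Replay traps in arrival order; map (sensor, ifindex) -> in bypass?"""
    state = {}
    for text in traps:
        ev = parse_trap(text)
        if ev and ev["code"] in (5, 6):
            state[(ev["source"], ev["ifindex"])] = ev["code"] == 5
    return state

def sample_trap(code, ifindex=3, source="10.89.149.204"):
    """Constructed trap text in the layout of the post above (not a capture)."""
    return ('Received SNMPv2c Trap:\nCommunity: "public"\nFrom: %s\n'
            "snmpModules.1.1.4.1.0 = ciscoMgmt.138.2.0.1\n"
            "%s = %d <==== index\n%s = %d\n"
            % (source, IFINDEX_VB, ifindex, EVENT_VB, code))

if __name__ == "__main__":
    replay = [sample_trap(1), sample_trap(5), sample_trap(2), sample_trap(6),
              sample_trap(5, ifindex=4), "not a trap"]
    for key, on in sorted(bypass_state(replay).items()):
        print(key, "BYPASS ACTIVE" if on else "inspecting")
```

Because a trap can be lost in transit, the state kept this way is only as good as the last trap received; on releases that expose the bypass object by SNMP GET, polling it confirms the state.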
02-06-2012 04:24 AM
Hi Madhu,
Thanks for the information on the trap side.
I do not know where you got version 7.1-3, but I have no access to that.
The version I have is 7.0(6) E4.