10158 Views | 5 Helpful | 15 Replies

SNMP trap - Port Security Violation Shutdown - Problem stumper

xaeniac
Level 1

All:

Looking into a strange issue; not sure if any of you have seen this before. Basically, no SNMP trap is sent for a violation of shutdown. SNMP traps with violation of restrict are sent just fine. Thought this was interesting. On a 6509 the SNMP trap of violation shutdown works fine, but on 3560's I cannot get it to work; however, 3560's violation restrict works great via SNMP. Updated the 3560 IOS to the newest version as well to try to resolve.

ip access-list standard SNMP
 permit 1.1.1.1
 deny any
snmp-server view myview iso included
snmp-server group test1 v3 priv read myview access SNMP
snmp-server user test test1 v3 auth md5 "test" priv aes "test" access SNMP
snmp-server enable traps port-security
snmp-server trap-source lo0
snmp-server host 1.1.1.1 version 3 priv test
int fa 0/0
 switchport port-security
 switchport port-security mac sti
 switchport port-security vio shutdown (DOES NOT WORK)
 switchport port-security vio restrict (WORKS!!)

Of course, the port is shut and no shut every time to generate a trap.

debug snmp packets reveals no packets sent for a violation of shutdown.

sh snmp (reveals no update count for sent in a violation shutdown)
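As an added example (not from the thread or from Cisco), a small Python audit that walks a running config like the one above, records each port-security interface's violation mode (an interface with no violation line gets IOS's default, shutdown, so such ports are easy to overlook), and lists the ports whose shutdown mode the 3560/3750 documentation discussed in the thread says raises no trap. The sample config and interface names are constructed.

```python
# Added example: audit an IOS running config for port-security violation modes.
VIOLATION_MODES = ("protect", "restrict", "shutdown")

# Constructed sample, modelled on the config in the thread; interface names are assumptions.
SAMPLE_CONFIG = """\
snmp-server enable traps port-security
interface FastEthernet0/1
 switchport port-security
 switchport port-security mac sti
 switchport port-security vio shutdown
interface FastEthernet0/2
 switchport port-security
 switchport port-security violation restrict
interface FastEthernet0/3
 switchport port-security
"""

def violation_mode(token):
    """Expand an IOS abbreviation ('shut', 'r') to the full keyword; None if ambiguous."""
    hits = [m for m in VIOLATION_MODES if m.startswith(token.lower())]
    return hits[0] if len(hits) == 1 else None

def audit_port_security(config):
    """Map each interface running port-security to its violation mode.
    No explicit 'violation' line means IOS's default, 'shutdown'."""
    modes, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            continue
        if not line.startswith(" "):
            current = None  # a global command (or '!') ends the interface block
            continue
        words = line.split()
        # 'switchport port-security [violation <mode>]', keywords possibly abbreviated
        if (current and len(words) >= 2 and words[0] == "switchport"
                and "port-security".startswith(words[1])):
            modes.setdefault(current, "shutdown")
            if len(words) >= 4 and "violation".startswith(words[2]):
                mode = violation_mode(words[3])
                if mode:
                    modes[current] = mode
    return modes

def shutdown_mode_ports(config):
    """Ports in shutdown mode: per the 3560/3750 docs cited in the thread only
    'restrict' raises a trap, so a violation on these ports may go unreported."""
    return sorted(i for i, m in audit_port_security(config).items() if m == "shutdown")
```

Run it against `show running-config` output saved to a file to get the list of ports whose violations would only be visible on the console or in the logs rather than at the SNMP manager.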

15 Replies

xaeniac
Level 1

Does anyone know how to get an SNMP trap to be sent with a violation of shutdown on a Catalyst 3560 or 3750? I have tested on both.

bump

bump

Bump

Sent from Cisco Technical Support iPad App

Port security traps work fine for me. My problem is when I set the port to restrict, it won't stop notifying me until the port is fixed.

Pat

I think merely shutting the port might not generate the trap for shutdown. What if you try violating it with another mac?

I am reviolating the port, not just a shut no shut. I reset port security. I feel it may be a bug in IOS with the SNMPv3 AES priv implementation. My hope was someone would lab it out.

Bump

Sent from Cisco Technical Support iPad App

Evidently violation shutdown in 3560's and 3750's does not send a trap, and a trap is only supported for a violation of restrict. This is odd, as all the textbooks teach that an SNMP trap is sent for violation shutdown.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/swtrafc.html#wp1112934

While the 6500 IOS does send an SNMP trap for violation shutdown.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html#wp1038526

Quite interesting in my opinion. Thanks again.

CISCO!!! WHERE IS THE UNIFORMITY ACROSS YOUR CATALYST PRODUCTS?????

This is not true, as our 3560s and 3750s and 3550s all send SNMP traps when a switchport is shut down due to port-security. My problem is that when ports configured with restrict are violated, the SNMP trap keeps coming if the violating device doesn't unplug, as the interface doesn't go down to stop it.

Pat-

Pat

You must be running an older IOS version. Did you go to the listed URLs? Cisco says it is not a feature in these URLs. It may have worked with older versions of IOS, but with recent versions it is not in the MIB. Check it out yourself and go to the URLs I posted before blasting. Thanks.

Sent from Cisco Technical Support iPad App

Sorry for the blast.

We use:

c3750-ipbasek9-mz.122-58.SE2.bin
c3560-ipbasek9-mz.122-55.SE3.bin
c3550-ipbasek9-mz.122-44.SE6.bin

These images are recent and we have no problem. I think the 3750 image is newer than the image you are referring to. I guess it's possible the Cisco documentation is wrong.

Pat-

Pat:

I do appreciate your input. Cisco TAC seems to agree that it is a bug and I am still pursuing it. For the 3560 12.2-55.SE3, I am surprised it works, since 23-2 for that version states it does not send an SNMP trap. I am not doubting you, just stating it is weird that the Cisco documentation does not agree with your statements. See the URL below for the version.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swtrafc.html

Table 28-1 Documentation for 3560X and 3750X specifically mentions that ONLY "restrict" sends a trap.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/swtrafc.html

Table 25-1 For 3750 also says it ONLY sends trap on "restrict" mode

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/swtrafc.html#wp1038501


xaeniac, are you using an SNMP v3 server? I have an SNMP v3 server, IOS is 12.2(55) on my 3750X and 3560X, but traps only work on v2.


I'm attending the LMS 4.x training for a week, I'm going to straighten this up with the Cisco instructor.

From another thread/user:

"Enabling SNMP Traps on Switch Ports

Admin > Collection Settings: User Tracking > Device Trap Configuration

You must configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification Traps when a host is connected to or disconnected from that port.  Even if the device is managed with SNMPv3, LMS processes only SNMPv1/SNMPv2 traps."
