SNMP trap - Port Security Violation Shutdown - Problem stumper

All:

Looking into a strange issue; not sure if any of you have seen this before. Basically, no SNMP trap is sent for a violation of shutdown. SNMP traps with violation of restrict are sent just fine. Thought this was interesting. On a 6509 the SNMP trap of violation shutdown works fine, but on 3560's I cannot get it to work; however, 3560's violation restrict works great via SNMP. Updated the 3560 IOS to the newest version as well to try to resolve.

ip access-list standard SNMP
 permit 1.1.1.1
 deny any
snmp-server view myview iso included
snmp-server group test1 v3 priv read myview access SNMP
snmp-server user test test1 v3 auth md5 "test" priv aes "test" access SNMP
snmp-server enable traps port-security
snmp-server trap-source lo0
snmp-server host 1.1.1.1 version 3 priv test
int fa 0/0
 switchport port-security
 switchport port-security mac sti
 switchport port-security vio shutdown (DOES NOT WORK)
 switchport port-security vio restrict (WORKS!!)

Of course, the port is shut and no shut every time to generate a trap.

debug snmp packets reveals no packets sent for a violation of shutdown. 

sh snmp (reveals no update count for sent in a violation shutdown)

15 REPLIES
New Member

SNMP trap - Port Security Violation Shutdown - Problem stumper

Does anyone know how to get a SNMP trap to be sent with a violation of shutdown on a Catalyst 3560 or 3750?  I have tested on both.

New Member

SNMP trap - Port Security Violation Shutdown - Problem stumper

bump

New Member

SNMP trap - Port Security Violation Shutdown - Problem stumper

bump

New Member

Re: SNMP trap - Port Security Violation Shutdown - Problem stum

Bump


New Member

SNMP trap - Port Security Violation Shutdown - Problem stumper

Port security traps work fine for me. My problem is when I set the port to restrict, it won't stop notifying me until the port is fixed.

Pat

New Member

SNMP trap - Port Security Violation Shutdown - Problem stumper

I think merely shutting the port might not generate the trap for shutdown. What if you try violating it with another mac?

New Member

Re: SNMP trap - Port Security Violation Shutdown - Problem stum

I am reviolating the port not just a shut no shut.  I reset port security.  I feel it may be a bug in IOS with SNMPv3 aes priv implementation.  My hope was someone would lab it out. 

New Member

Re: SNMP trap - Port Security Violation Shutdown - Problem stum

Bump


New Member

SNMP trap - Port Security Violation Shutdown - Problem stumper

Evidently violation shutdown in 3560's and 3750's do not send a trap and a trap is only supported for a violation of restrict.  This is odd as all the text books teach that a SNMP trap is sent for violation shutdown. 

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/swtrafc.html#wp1112934

While the 6500 IOS does send a SNMP trap for violation shutdown.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html#wp1038526

Quite interesting in my opinion. Thanks again.

CISCO!!! WHERE IS THE UNIFORMITY ACROSS YOUR CATALYST PRODUCTS?????

New Member

SNMP trap - Port Security Violation Shutdown - Problem stumper

This is not true as our 3560s and 3750s and 3550s all send snmp traps when a switchport is shutdown due to port-security. My problem is that when ports are violated that are configured with restrict, the snmp trap keeps coming if the violating device doesn't unplug as the interface doesn't go down to stop it.

Pat-

New Member

Re: SNMP trap - Port Security Violation Shutdown - Problem stum

Pat

You must be running an older ios version. Did you go to the listed urls? Cisco says it is not a feature in these urls. It may have worked with older versions of ios but with recent versions it is not in the mib. Check it out yourself and go to the urls I posted before blasting. Thanks.


New Member

Re: SNMP trap - Port Security Violation Shutdown - Problem stum

Sorry for the blast.

We use:

c3750-ipbasek9-mz.122-58.SE2.bin
c3560-ipbasek9-mz.122-55.SE3.bin
c3550-ipbasek9-mz.122-44.SE6.bin

These images are recent and we have no problem. I think the 3750 image is newer than the image you are referring to. I guess it's possible the Cisco documentation is wrong.

Pat-

New Member

Re: SNMP trap - Port Security Violation Shutdown - Problem stum

Pat:

I do appreciate your input. Cisco TAC seems to agree that it is a bug and I am still pursuing it. For the 3560 12.2-55.SE3, surprised it works due to 23-2 for that version stating it does not send a SNMP trap. I am not doubting you, just stating it is weird Cisco documentation does not agree with your statements. See this URL below for the version:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swtrafc.html

New Member

Re: SNMP trap - Port Security Violation Shutdown - Problem stum

Table 28-1 Documentation for 3560X and 3750X specifically mentions that ONLY "restrict" sends a trap.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/swtrafc.html

Table 25-1 For 3750 also says it ONLY sends trap on "restrict" mode

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/swtrafc.html#wp1038501


xaeniac, are you using an SNMP v3 server? I have an SNMP v3 server, IOS is 12.2 (55) on my 3750X and 3560X, but traps only work on v2.


I'm attending the LMS 4.x training for a week, I'm going to straighten this up with the Cisco instructor.

From another thread/user:

"Enabling SNMP Traps on Switch Ports

Admin > Collection Settings: User Tracking > Device Trap Configuration

You must configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification Traps when a host is connected to or disconnected from that port.  Even if the device is managed with SNMPv3, LMS processes only SNMPv1/SNMPv2 traps."

New Member

Re: SNMP trap - Port Security Violation Shutdown - Problem stum

Adam:
I did open a TAC case and basically found out the IOS does not support it. Cisco forwarded it to the coding development department, but specified that there will be no promises to fix this. The weird tidbit is that the SNMP shutdown trap is sent on a Catalyst 6509. I feel this would not be hard to implement in the code and find it odd there is no SNMP uniformity amongst the Catalyst family.
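
An added example, not part of any post in this thread and not Cisco code: a small audit that reads a switch configuration and lists the port-security interfaces whose violation mode would raise no SNMP trap, following the documentation tables cited above (only "restrict" sends a trap on the 3560/3750). The sample configuration and the function names are constructed for illustration; it assumes the unabbreviated command forms that a running configuration shows.

```python
import re

# Constructed running-config excerpt for illustration (not taken from the thread).
SAMPLE_CONFIG = """\
snmp-server enable traps port-security
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport port-security
 switchport port-security violation restrict
!
interface FastEthernet0/3
 switchport port-security
 switchport port-security violation shutdown
!
interface FastEthernet0/4
 switchport mode access
"""

def violation_modes(config):
    """Map each port-security-enabled interface to its violation mode."""
    modes = {}
    # An interface block is the "interface" line plus the indented lines after it.
    for block in re.finditer(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M):
        lines = [l.strip() for l in block.group(2).splitlines()]
        if "switchport port-security" not in lines:
            continue  # port security not enabled on this port
        mode = "shutdown"  # IOS default; defaults do not appear in the config
        for l in lines:
            m = re.fullmatch(r"switchport port-security violation (\S+)", l)
            if m:
                mode = m.group(1)
        modes[block.group(1)] = mode
    return modes

def ports_without_trap(config):
    """Ports where a violation raises no trap, per the tables cited in the thread."""
    modes = violation_modes(config)
    if "snmp-server enable traps port-security" not in config.splitlines():
        return sorted(modes)  # traps disabled globally: every port is silent
    return sorted(p for p, mode in modes.items() if mode != "restrict")

if __name__ == "__main__":
    for port in ports_without_trap(SAMPLE_CONFIG):
        print(f"{port}: violation will not generate an SNMP trap")
```

Ports it reports are the ones where a violation has to be picked up by some other monitoring path on the affected platforms.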
