Cisco Support Community
New Member

BPDU Guard SNMP Traps and OpenNMS

Hello,

We've recently implemented some switch port security along with BPDU guard. I'm in the process of implementing OpenNMS to monitor but have discovered there is not a built-in way to alert for ports disabled (errdisable) due to bpduguard. I would like to be notified of these as close to real-time as possible.

Has anyone any experience with SNMP traps for errdisabled status and OpenNMS?

Thanks,

Rob

10 REPLIES
Blue

Re: BPDU Guard SNMP Traps and OpenNMS

Does it have to be SNMP traps?

New Member

Re: BPDU Guard SNMP Traps and OpenNMS

I'm not sure, this is my first attempt with NMS and SNMP.  What are the alternatives?

Ultimately, I need real-time alerting for ports getting disabled, and preferably a free solution.

Blue

Re: BPDU Guard SNMP Traps and OpenNMS

You could have OpenNMS poll the following MIBs and generate notifications accordingly:

CISCO-ERROR-DISABLE-MIB (reportedly for 2950/3550 non-modular switches only)

cErrDisableIfStatusCause / 1.3.6.1.4.1.9.9.548.1.3.1.1.2

an OID value of 2 corresponds to "bpduGuard"

AND

CISCO-STACK-MIB

portAdditionalOperStatus / 1.3.6.1.4.1.9.5.1.4.1.1.23

an OID value of 10 corresponds to "errdisable"


This is not the most favorable approach, because I consider it only "near real-time" with the usual polling intervals.


OTOH, Cisco OS's generally send BPDU alerts to syslog, about as "real-time" as it gets. So assuming you have the usual syslogging config + infrastructure:

logging trap
logging


Your syslog servers should get the following, for example:

CatOS

SPANTREE-2-RX_PORTFAST:Received BPDU on PortFast enable port. Disabling [mod/port].
SPANTREE-2-RX_BPDUGUARD: Received BPDU on bpdu guard enabled port. Disabling [mod/port].
...
IOS

PM-SP-4-ERR_DISABLE: bpduguard error detected on [mod/port], putting [mod/port] in err-disable state
...


A couple of catches with this method: 1) In order to configure the log watcher software to alert on those "interesting" BPDU text strings, one does need some prior knowledge of the variations of BPDU syslogs coming out of all the Cisco hw+sw in the environment. However, most of us can't access Cisco source code. One way is to peruse the applicable Cisco OS/platform Release Notes. 2) The syslog server + log watcher sw must be able to handle the volume, especially if "debugging" logging ever gets turned on.


Last but not least, if your Cisco gear all supports EEM (Embedded Event Manager), you could write an EEM applet and/or Tcl script to either 1) send SNMP traps keying off the BPDU syslogs above, or 2) poll those MIB OIDs above directly and alert. ESM (Embedded Syslog Manager) is another alternative to alert off syslog messages. Either would require certain IOS code levels. Deploying EEM/Tcl scripts would introduce another layer of complexity to config management; no such concern with EEM applets because they're embedded in IOS config.
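
An added example, not part of the original post: a minimal log-watcher matcher for the syslog approach described above, written in Python. The patterns come from the message texts quoted in the post; the optional facility suffix, the function names and the sample lines are assumptions constructed for illustration. It extracts the err-disable cause so that only BPDU-related events alert, not every ERR_DISABLE message.

```python
import re

# Patterns built from the message texts quoted in the post above.
# Assumption: the "-SP" part of the IOS facility is optional, so a plain
# PM-4-ERR_DISABLE line is matched as well.
PATTERNS = [
    ("ios", re.compile(
        r"PM(?:-[A-Z]+)?-4-ERR_DISABLE: (?P<cause>\S+) error detected on "
        r"(?P<port>\S+), putting \S+ in err-disable state")),
    ("catos", re.compile(
        r"SPANTREE-2-RX_(?P<cause>BPDUGUARD|PORTFAST): ?Received BPDU on .*?"
        r"Disabling (?P<port>[\w/.-]+)")),
]

# Causes that indicate a BPDU arrived on an edge port.
BPDU_CAUSES = {"bpduguard", "portfast"}

# Constructed sample lines (hostnames, timestamps and ports are made up).
SAMPLE = [
    "Mar  1 10:00:01 sw1 %PM-SP-4-ERR_DISABLE: bpduguard error detected on "
    "Gi1/0/5, putting Gi1/0/5 in err-disable state",
    "Mar  1 10:00:07 sw1 %PM-4-ERR_DISABLE: psecure-violation error detected on "
    "Gi1/0/7, putting Gi1/0/7 in err-disable state",
    "Mar  1 10:01:12 sw2 %SPANTREE-2-RX_BPDUGUARD: Received BPDU on bpdu guard "
    "enabled port. Disabling 3/12.",
    "Mar  1 10:02:30 sw2 %LINK-3-UPDOWN: Interface Gi1/0/9, changed state to down",
]


def parse_errdisable(line):
    """Return {'os', 'cause', 'port'} for an err-disable syslog line, else None."""
    for os_name, rx in PATTERNS:
        m = rx.search(line)
        if m:
            return {"os": os_name,
                    "cause": m.group("cause").lower(),
                    "port": m.group("port").rstrip(".,")}
    return None


def bpdu_alerts(lines):
    """Keep only err-disable events caused by a received BPDU."""
    events = (parse_errdisable(line) for line in lines)
    return [e for e in events if e and e["cause"] in BPDU_CAUSES]


if __name__ == "__main__":
    for event in bpdu_alerts(SAMPLE):
        print("ALERT: {os} port {port} err-disabled ({cause})".format(**event))
```
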

Re: BPDU Guard SNMP Traps and OpenNMS

Hi Rob,

Try the snmp-server enable traps port-security command on the switches to send SNMP traps for ports affected by port security.

Hope to help

Ganesh.H

New Member

Re: BPDU Guard SNMP Traps and OpenNMS

The only port security trap defined in OpenNMS is SecureMacAddrViolation

This won't send alerts for bpduguard or loopbacks.

New Member

Re: BPDU Guard SNMP Traps and OpenNMS

That's where I'm stuck.  I'm not finding it very intuitive to import the MIB to OpenNMS - and even though it's open source, they've recently gone to a paid-support system so the community has somewhat died.

Blue

Re: BPDU Guard SNMP Traps and OpenNMS

It does look like it's not as straightforward loading the MIBs as some of the commercial NMS (such as HPOV NNM. Never thought I'd say that). Have you tried the "mib2opennms" tool at http://www.opennms.org/wiki/Converting_MIBs_Using_mib2opennms?

As mentioned earlier, syslog is my preferred way for monitoring BPDU errdisables.

New Member

Re: BPDU Guard SNMP Traps and OpenNMS

I've managed to import the MIB into OpenNMS, however the outage is not causing a notification.

Being relatively new to SNMP, when I've enabled "snmp-server enable traps snmp linkdown linkup coldstart warmstart" is this going to include these types of notices?

New Member

Re: BPDU Guard SNMP Traps and OpenNMS

I get all of my support from the community.  It is still very much alive and well.

New Member

Re: BPDU Guard SNMP Traps and OpenNMS

I know this is an old thread but you can send syslog messages to OpenNMS.
