05-21-2009 07:30 AM
All,
We have devices with port security set via command "set port security". The devices are expiring a maximum of 1 MAC address every minute and the action is to shutdown the port. An action of "shutdown" will trigger an SNMP trap to be sent to an SNMP trap receiver.
Is there a way to configure the device to not send the trap? We have all traps enabled except Authentication Failures and Syslog.
Please Advise.
Stephanie
05-21-2009 07:52 AM
Try "no snmp-server enable traps port-security" in global config mode. It doesn't appear to have a per-interface equivalent.
Oh wait, if this is CatOS, try "set snmp trap disable macnotification", I think.
05-21-2009 09:30 AM
Thank you.
I tried command "set snmp trap disable macnotification" and the traps are still being sent.
Stephanie
05-21-2009 09:33 AM
Can you post the complete text of the trap, as it's received on the NMS? Better yet, the OID(s) of trap as the NMS sees it raw.
05-21-2009 09:39 AM
[2] private.enterprises.cisco.workgroup.1.1.34.0 (OctetString): Module 5 block changed by SecurityRx//
cisco-workgroup 6 9 2 args: [1] private.enterprises.cisco.workgroup.1.1.28.0 (Ticks): 100
[2] private.enterprises.cisco.workgroup.1.1.34.0 (OctetString): Module 4 block changed by SecurityRx//
05-21-2009 10:26 AM
private.enterprises.cisco.workgroup.1.1.34.0 is sysConfigChangeInfo, which is toggled by "set snmp trap {enable | disable} config" according to the following doc:
I do want to caution that disabling this trap may potentially stop the generation of other config change notifications you do want to know about. An alternative is to configure your SNMP trap receiver to "log only" against this OID, so your operators do not get bombarded by it, but would still have access to such info if needed.
05-21-2009 10:49 AM
That worked, and you're right, it disables all traps associated with that OID.
My end users aren't seeing those traps. The issue is they're flooding our NMS servers and causing them to crash. This is happening with NetView and NetCool.
My solution is to try and get them turned off since no one looks at them.
Or maybe I can configure an ACL on the SNMP agent on my server and filter them out before they're passed to the process listening on UDP port 162.
Stephanie
05-21-2009 11:11 AM
Using NetView's distant "relative" OpenView NNM here, getting these same traps from a few hundred devices (and that traffic is doubled up as the traps are also sent as syslogs by the network devices, to the same server). No crash problem, knock on wood. In OpenView, it's possible to throttle excessively "noisy" SNMP senders, through ovtrapd.lrf and/or trapd.conf:
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1110803
NetView might have something similar. Of course, this has its own tradeoffs of potentially blocking critical traps along with the "noise" when a device hits the threshold.
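As an added example (not from this thread, NetView, OpenView or CatOS itself), here is trap-receiver-side triage combining the two ideas above: parse the trap text in the form the NMS printed it, treat the "block changed by SecurityRx" aging traps as log-only, throttle a sender that floods with them, and still alert on a sysConfigChangeInfo produced by anyone else. The sender addresses, thresholds and sample traps are constructed for the example.

```python
import re
from collections import defaultdict

# OID names exactly as the NMS rendered them in the thread
SYS_CONFIG_CHANGE_TIME = "private.enterprises.cisco.workgroup.1.1.28.0"
SYS_CONFIG_CHANGE_INFO = "private.enterprises.cisco.workgroup.1.1.34.0"

# One varbind as printed: "[n] <oid> (<Type>): <value>"
VARBIND_RE = re.compile(r"\[(\d+)\]\s+(\S+)\s+\((\w+)\):\s*(.*)$")
# The port-security aging noise discussed in the thread
PORTSEC_AGING_RE = re.compile(r"Module (\d+) block changed by SecurityRx")

def parse_varbinds(trap_text):
    """Map oid -> value for every varbind line of one rendered trap."""
    varbinds = {}
    for line in trap_text.splitlines():
        m = VARBIND_RE.search(line)
        if m:
            varbinds[m.group(2)] = m.group(4)
    return varbinds

def classify(varbinds):
    """'log_only' for SecurityRx aging, 'alert' for any other config change, 'other' otherwise."""
    info = varbinds.get(SYS_CONFIG_CHANGE_INFO)
    if info is None:
        return "other"
    return "log_only" if PORTSEC_AGING_RE.search(info) else "alert"

class TrapTriage:
    """Per-sender throttle (same idea as ovtrapd.lrf/trapd.conf): after `threshold`
    log-only traps from one sender within `window` seconds, further ones are dropped
    so they never reach the NMS process; 'alert' traps always pass untouched."""
    def __init__(self, threshold=10, window=60):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(list)  # sender -> timestamps of recent log-only traps

    def handle(self, sender, now, trap_text):
        verdict = classify(parse_varbinds(trap_text))
        if verdict != "log_only":
            return verdict  # a config change by a console/telnet user still alerts
        stamps = self.seen[sender]
        stamps[:] = [t for t in stamps if now - t < self.window]
        stamps.append(now)
        return "drop" if len(stamps) > self.threshold else "log_only"

# Constructed sample traps in the format shown in the thread (sender addresses are made up)
AGING_TRAP = ("cisco-workgroup 6 9 2 args: [1] private.enterprises.cisco.workgroup.1.1.28.0 (Ticks): 425\n"
              "[2] private.enterprises.cisco.workgroup.1.1.34.0 (OctetString): Module 4 block changed by SecurityRx//")
HUMAN_TRAP = ("cisco-workgroup 6 9 2 args: [1] private.enterprises.cisco.workgroup.1.1.28.0 (Ticks): 9000\n"
              "[2] private.enterprises.cisco.workgroup.1.1.34.0 (OctetString): Module 1 block changed by Console//")
```

A trap marked "log_only" is written to the log without generating an operator event; "drop" is only reached once a single sender exceeds the threshold within the window, which is the tradeoff the post above warns about.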
05-21-2009 11:12 AM
Our devices are also configured to send severity level 5 syslog messages.
Which syslog facility do the config change notifications belong to?
Maybe we can add "set snmp trap disable config" because we're still getting config change messages via Syslog.
Stephanie
05-21-2009 11:40 AM
Check if your CatOS also has "set logging level sys [severity-level] default" configured.
With both of the following present:
set logging level sys 6 default
set logging server severity 5
CatOS sends "SYS-6-CFG_CHG:Module # block changed by [somebody]" to its local logging buffer, but does not send it to the external syslog servers.
In addition, if the syslog server is getting plenty of "SNMP-5-SYSCONFIGCHANGENOTIF: sysConfigChangeTrap notification sent for Module # block changed by [somebody]", that's because of "set snmp trap enable syslog", which is really a waste of bandwidth.
05-21-2009 12:09 PM
We have configured:
set logging server enable
set logging server severity 5
set logging level all 5 default
So it sounds like we're not sending it via Syslog.
Do you know what SNMP messages we'd lose if we add command "set snmp trap disable config"?
05-21-2009 02:45 PM
The only description I come across is "Indicates which NVRAM block is changed by whom":
05-27-2009 08:35 AM
Our devices are sending 2 traps per port every minute. Their age timer is set to one minute.
What's the first trap listed below mean? The one starting with "cisco-workgroup".
cisco-workgroup 6 9 2 args: [1] private.enterprises.cisco.workgroup.1.1.28.0 (Ticks): 425
[2] private.enterprises.cisco.workgroup.1.1.34.0 (OctetString): Module 4 block changed by SecurityRx//
05-28-2009 06:52 AM
This is sysConfigChangeTime, seems part-n-parcel with the 1.1.34 behind it.
05-29-2009 08:55 AM
Do you know which devices send traps 1.3.6.1.4.1.9.5.9 (sysConfigChangeTrap)?