Cisco Support Community
Community Member

Port Security Traps Flooding NMS Servers

All,

We have devices with port security set via command "set port security". The devices are expiring a maximum of 1 MAC address every minute and the action is to shutdown the port. An action of "shutdown" will trigger an SNMP trap to be sent to an SNMP trap receiver.

Is there a way to configure the device to not send the trap? We have all traps enabled except Authentication Failures and Syslog.

Please Advise.

Stephanie

17 REPLIES
Blue

Re: Port Security Traps Flooding NMS Servers

Try "no snmp-server enable traps port-security" in global config mode. It doesn't appear to have a per-interface equivalent.

Oh wait, if this is CatOS, try "set snmp trap disable macnotification", I think.

Community Member

Re: Port Security Traps Flooding NMS Servers

Thank you.

I tried command "set snmp trap disable macnotification" and the traps are still being sent.

Stephanie

Blue

Re: Port Security Traps Flooding NMS Servers

Can you post the complete text of the trap, as it's received on the NMS? Better yet, the OID(s) of the trap as the NMS sees it raw.

Community Member

Re: Port Security Traps Flooding NMS Servers

[2] private.enterprises.cisco.workgroup.1.1.34.0 (OctetString): Module 5 block changed by SecurityRx//

cisco-workgroup 6 9 2 args: [1] private.enterprises.cisco.workgroup.1.1.28.0 (Ticks): 100

[2] private.enterprises.cisco.workgroup.1.1.34.0 (OctetString): Module 4 block changed by SecurityRx//

Blue

Re: Port Security Traps Flooding NMS Servers

private.enterprises.cisco.workgroup.1.1.34.0 is sysConfigChangeInfo, which is toggled by "set snmp trap {enable | disable} config" according to the following doc:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/7.5/command/reference/set_q_s.html#wp1092892

I do want to caution that disabling this trap may potentially stop the generation of other config change notifications you do want to know about. An alternative is to configure your SNMP trap receiver to "log only" against this OID, so your operators do not get bombarded by it, but would still have access to such info if needed.

Community Member

Re: Port Security Traps Flooding NMS Servers

That worked, and you're right, it disables all traps associated with that OID.

My end users aren't seeing those traps. The issue is they're flooding our NMS servers and causing them to crash. This is happening with NetView and NetCool.

My solution is to try and get them turned off since no one looks at them.

Or maybe I can configure an ACL on the SNMP agent on my server and filter them out before they're passed to the process listening on UDP port 162.

Stephanie

Blue

Re: Port Security Traps Flooding NMS Servers

Using NetView's distant "relative" OpenView NNM here, getting these same traps from a few hundred devices (and that traffic is doubled up as the traps are also sent as syslogs by the network devices, to the same server). No crash problem, knock on wood. In OpenView, it's possible to throttle excessively "noisy" SNMP senders, through ovtrapd.lrf and/or trapd.conf:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1110803

NetView might have something similar. Of course, this has its own tradeoffs of potentially blocking critical traps along with the "noise" when a device hits the threshold.
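The two mitigations discussed in this thread, routing the sysConfigChangeInfo OID to "log only" on the receiver and throttling noisy senders without losing critical traps, can be prototyped as a small pre-filter in front of the trap daemon. The following is an added example, not code from the thread, NetView, NetCool or OpenView. It parses trap text in the format the NMS printed above, maps the symbolic `private.enterprises.cisco.workgroup` prefix back to `1.3.6.1.4.1.9.5`, and applies a per-sender sliding window. The sender address, the window size, the critical-OID allowlist (only linkDown here) and the constructed SNMPv2c-style linkDown line are assumptions for the demonstration.

```python
"""Trap pre-filter: send sysConfigChange traps to a log-only queue and
throttle chatty senders, while never throttling critical traps.
Added example; not the thread's or any NMS vendor's code."""
import re
from collections import defaultdict, deque

# OIDs quoted in the thread (CISCO-STACK-MIB, with the .0 instance the NMS shows)
SYS_CONFIG_CHANGE_TIME = "1.3.6.1.4.1.9.5.1.1.28.0"
SYS_CONFIG_CHANGE_INFO = "1.3.6.1.4.1.9.5.1.1.34.0"
LOG_ONLY_OIDS = {SYS_CONFIG_CHANGE_TIME, SYS_CONFIG_CHANGE_INFO}

# Symbolic prefix printed by the NMS, mapped back to its numeric form
SYMBOLIC = {"private.enterprises.cisco.workgroup": "1.3.6.1.4.1.9.5"}

# Assumption: OIDs that must never be throttled or demoted (linkDown, IF-MIB)
CRITICAL_OIDS = {"1.3.6.1.6.3.1.1.5.3"}

# One varbind as the NMS prints it: "[n] <oid> (<type>): <value>"
VARBIND_RE = re.compile(r"\[(\d+)\]\s+(\S+)\s+\((\w+)\):\s*(.*)")


def to_numeric(oid):
    """Translate a symbolic OID prefix into dotted numeric form."""
    for name, num in SYMBOLIC.items():
        if oid.startswith(name + "."):
            return num + oid[len(name):]
    return oid


def parse_varbinds(text):
    """Return [(numeric_oid, type, value)] from raw NMS trap text."""
    out = []
    for line in text.splitlines():
        m = VARBIND_RE.search(line)
        if m:
            out.append((to_numeric(m.group(2)), m.group(3), m.group(4).strip()))
    return out


class TrapFilter:
    def __init__(self, max_per_window=10, window=60.0):
        self.max_per_window = max_per_window  # traps admitted per sender per window
        self.window = window                  # seconds
        self.history = defaultdict(deque)     # sender -> admitted arrival times

    def process(self, sender, raw, now):
        """Return 'alert', 'log-only' or 'dropped' for one received trap."""
        varbinds = parse_varbinds(raw)
        # Match both varbind OIDs and ObjectID values (snmpTrapOID.0 in v2c traps)
        ids = {oid for oid, _, _ in varbinds}
        ids |= {val for _, typ, val in varbinds if typ == "ObjectID"}
        if ids & CRITICAL_OIDS:
            return "alert"  # critical traps bypass throttling entirely
        q = self.history[sender]
        while q and now - q[0] > self.window:
            q.popleft()  # expire arrivals outside the window
        if len(q) >= self.max_per_window:
            return "dropped"  # the tradeoff noted above: noise and non-critical traps alike
        q.append(now)
        if ids and ids <= LOG_ONLY_OIDS:
            return "log-only"  # sysConfigChange traps are kept, not paged on
        return "alert"


# Constructed sample input in the thread's display format
SAMPLE_TRAP = (
    "cisco-workgroup 6 9 2 args: [1] private.enterprises.cisco.workgroup.1.1.28.0 (Ticks): 425\n"
    "[2] private.enterprises.cisco.workgroup.1.1.34.0 (OctetString): Module 4 block changed by SecurityRx//"
)
# Constructed v2c-style linkDown (snmpTrapOID.0 = linkDown); layout is an assumption
SAMPLE_LINKDOWN = "[1] 1.3.6.1.6.3.1.1.4.1.0 (ObjectID): 1.3.6.1.6.3.1.1.5.3"


def simulate():
    """Five config-change traps in quick succession, then a linkDown, then one after the window."""
    f = TrapFilter(max_per_window=3, window=60.0)
    results = [f.process("10.0.0.1", SAMPLE_TRAP, now=float(i)) for i in range(5)]
    results.append(f.process("10.0.0.1", SAMPLE_LINKDOWN, now=5.0))
    results.append(f.process("10.0.0.1", SAMPLE_TRAP, now=100.0))
    return results


if __name__ == "__main__":
    for decision in simulate():
        print(decision)
```

The window counts admitted traps only, so a sender that has been throttled is admitted again as soon as its old arrivals age out; the critical allowlist is checked before the window so a linkDown from a flooding switch is still delivered.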

Community Member

Re: Port Security Traps Flooding NMS Servers

Our devices are also configured to send severity level 5 syslog messages.

Which syslog facility do the config change notifications belong to?

Maybe we can add "set snmp trap disable config" because we're still getting config change messages via Syslog.

Stephanie

Blue

Re: Port Security Traps Flooding NMS Servers

Check if your CatOS also has "set logging level sys [severity-level] default" configured.

With both of the following present:

set logging level sys 6 default

set logging server severity 5

CatOS sends "SYS-6-CFG_CHG:Module # block changed by [somebody]" to its local logging buffer, but does not send it to the external syslog servers.

In addition, if the syslog server is getting plenty of "SNMP-5-SYSCONFIGCHANGENOTIF: sysConfigChangeTrap notification sent for Module # block changed by [somebody]", that's because of "set snmp trap enable syslog", which is really a waste of bandwidth.

Community Member

Re: Port Security Traps Flooding NMS Servers

We have configured:

set logging server enable

set logging server severity 5

set logging level all 5 default

So it sounds like we're not sending it via Syslog.

Do you know what SNMP messages we'd lose if we add command "set snmp trap disable config"?

Blue

Re: Port Security Traps Flooding NMS Servers

The only description I come across is "Indicates which NVRAM block is changed by whom":

http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=sysConfigChangeInfo

Community Member

Re: Port Security Traps Flooding NMS Servers

Our devices are sending 2 traps per port every minute. Their age timer is set to one minute.

What does the first trap listed below mean? The one starting with "cisco-workgroup".

cisco-workgroup 6 9 2 args: [1] private.enterprises.cisco.workgroup.1.1.28.0 (Ticks): 425

[2] private.enterprises.cisco.workgroup.1.1.34.0 (OctetString): Module 4 block changed by SecurityRx//

Blue

Re: Port Security Traps Flooding NMS Servers

This is sysConfigChangeTime, seems part-n-parcel with the 1.1.34 behind it.

http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.5.1.1.28

Community Member

Re: Port Security Traps Flooding NMS Servers

Do you know which devices send traps 1.3.6.1.4.1.9.5.9 (sysConfigChangeTrap)?

Community Member

Re: Port Security Traps Flooding NMS Servers

Does the 6509 running cat6000-sup2k8.7-6-6.bin send trap 1.3.6.1.4.1.9.5.9 (sysConfigChangeTrap)?

Blue

Re: Port Security Traps Flooding NMS Servers

You can verify that by examining the "show snmp notification mapping" output in enable mode on CatOS.

Trap Keyword   Notification Object Name   Notif. Sent   Syslog
--------------------------------------------------------------------------------
config         sysConfigChangeTrap        SYSCONFIGCHANGENOTIF

Community Member

Re: Port Security Traps Flooding NMS Servers

My 6509 doesn't have "notification" under "sh snmp".

Stephanie
