Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6429
Views
5
Helpful
10
Replies

BPDU Guard SNMP Traps and OpenNMS

rcoote5902_2
Level 2
Level 2

‎02-04-2010 08:27 AM

Hello,

We've recently implemented some switch port security along with bpdu guard.  I'm in the process of implementing OpenNMS to monitor but have discovered there is not a built in way to alter for ports disabled (errdisable) due to bpduguard.  I would like to be notified of these as close to real-time as possible.

Has anyone any experience with SNMP traps for errdisabled status and OpenNMS?

Thanks,

Rob

1 person had this problem
Labels:
0 Helpful
10 Replies 10

yjdabear
VIP Alumni
VIP Alumni

‎02-04-2010 09:28 AM

Does it have to be SNMP traps?

0 Helpful

rcoote5902_2
Level 2
Level 2
In response to yjdabear

‎02-04-2010 09:46 AM

I'm not sure, this is my first attempt with NMS and SNMP.  What are the alternatives?

Ultimately, I need real-time altering for ports getting disabled, and preferably a free solution.

0 Helpful

yjdabear
VIP Alumni
VIP Alumni
In response to rcoote5902_2

‎02-04-2010 12:17 PM

You could have OpenNMS poll the following MIBs and generate notifications accordingly:

CISCO-ERROR-DISABLE-MIB (reportedly for 2950/3550 non-modular switches only)

cErrDisableIfStatusCause / 1.3.6.1.4.1.9.9.548.1.3.1.1.2

an OID value of 2 corresponds to "bpduGuard"

AND

CISCO-STACK-MIB

portAdditionalOperStatus / 1.3.6.1.4.1.9.5.1.4.1.1.23

an OID value of 10 corresponds to "errdisable"


This is not the most favorable approach, because I consider it only "near real-time" with the usual polling intervals.


OTOH, Cisco OS's generally send BPDU alerts to syslog, about as "real-time" as it gets. So assuming you have the usual syslogging config + infrastructure:

logging trap
logging


Your syslog servers should get the following, for example:

CatOS

SPANTREE-2-RX_PORTFAST:Received BPDU on PortFast enable port. Disabling [mod/port].
SPANTREE-2-RX_BPDUGUARD: Received BPDU on bpdu guard enabled port. Disabling [mod/port].
...
IOS

PM-SP-4-ERR_DISABLE: bpduguard error detected on [mod/port], putting [mod/port] in err-disable state
...


A couple of catches with this method: 1) In order to configure the log watcher software to alert on those "interesting" BPDU text strings, one does need some prior knowledge of the variations of BPDU syslogs coming out of all the Cisco hw+sw in the environment. However, most of us can't access Cisco source codes. One way is to peruse the applicable Cisco OS/platform Release Notes. 2) The syslog server + log watcher sw must be able to handle the volume, especially if "debugging" logging ever gets turned on.


Last but not the least, if your Cisco gears all support EEM (Embedded Event Manger), you could write EEM applet and/or Tcl script to either 1) send SNMP traps keying off the BPDU syslogs above, or 2) poll those MIB OIDs above directly and alert. ESM (Embedded Syslog Manager) is another alternative to alert off syslog messages. Either would require certain IOS code levels. Deploying EEM/Tcl scripts would introduce another layer of complexity to config management; no such concern with EEM applets because they're embedded in IOS config.

Ganesh Hariharan
VIP Alumni
VIP Alumni

‎02-04-2010 09:53 AM 

Hello,
We've
recently implemented some switch port security along with bpdu guard. 
I'm in the process of implementing OpenNMS to monitor but have
discovered there is not a built in way to alter for ports disabled
(errdisable) due to bpduguard.  I would like to be notified of these as
close to real-time as possible.
Has anyone any experience with SNMP traps for errdisabled status and OpenNMS?
Thanks,
Rob

Hi Rob,

Try snmp-server enable traps port-security command in switches to send snmp trp port security afftected ports.

Hope to help

Ganesh.H

0 Helpful

rcoote5902_2
Level 2
Level 2
In response to Ganesh Hariharan

‎02-04-2010 10:00 AM

The only port security trap defined in OpenNMS is SecureMacAddrViolation

This won't sent alerts for bpduguard or loopbacks.

0 Helpful

rcoote5902_2
Level 2
Level 2

‎02-04-2010 12:52 PM

That's where I'm stuck.  I'm not finding it very intuitive to import the MIB to OpenNMS - and even though it's open source, they've recently gone to a paid-support system so the community has somewhat died.

0 Helpful

yjdabear
VIP Alumni
VIP Alumni
In response to rcoote5902_2

‎02-04-2010 03:38 PM

It does look like it's not as straight-forward loading the MIBs as some of the commercial NMS (such as HPOV NNM. Never thought I'd say that ). Have you tried the "mib2opennms" tool at http://www.opennms.org/wiki/Converting_MIBs_Using_mib2opennms?

As mentioned earlier, syslog is my preferred way for monitoring BPDU errdisables.

0 Helpful

rcoote5902_2
Level 2
Level 2
In response to yjdabear

‎02-08-2010 07:42 AM

I've managed to import the MIB into OpenNMS, however the outage is not causing a notification.

Being relatively new to SNMP, when I've enabled "snmp-server enable traps snmp linkdown linkup coldstart warmstart" is this going to include these types of notices?

0 Helpful

robert_rhoads
Level 1
Level 1
In response to rcoote5902_2

‎12-14-2010 06:28 AM

I get all of my support from the community.  It is still very much alive and well.

0 Helpful

robert_rhoads
Level 1
Level 1

‎12-14-2010 06:27 AM

I know this is an old thread but you can send syslog messages to OpenNMS.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents