Hello.
I have been trying to filter out traps on an NMS (Castlerock SNMPc) based on the source address of a telnet attempt.
As we all know, the tty SNMP trap is sent by the switch or router after the connection is closed.
From what I was able to gather and understand, the trap sent is based on the CISCO-GENERAL-TRAPS, as it is described here:
http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&step=2&mibName=CISCO-GENERAL-TRAPS
So the switch or router sends the trap based on the index of the connection table that corresponded to that connection when it was still open. That means that we get the index based on tcpConnLocalAddress, tcpConnLocalPort, tcpConnRemAddress, tcpConnRemPort as they are defined in the OLD-CISCO-TCP MIB (which can be found in the dependencies of the CISCO-GENERAL-TRAPS MIB; follow the link above). So in the trap message we get, the source address is a part of the index that describes the instance of the table entry. To put it in simpler words, the telnet source address is part of the field, not part of the value. The only values we have access to are the ones that correspond to these fields:
loctcpConnElapsed, loctcpConnInBytes, loctcpConnOutBytes, tslineSesType, tsLineUser and tcpConnState.
So when I try to define a filter in my NMS, I don't have access to the source address as it's part of the fields (showing which record from the table corresponds to the closed connection).
Is there a way to make the cisco switch or router send the source of the connection as part of a value?
I don't want to disable those traps. What I want is to be able to filter out the ones I don't care about (from known source addresses) and be alerted for new ones I don't know about.
If anyone has any ideas on this, I would be most grateful to read them.
Ioannis Theodoridis
Network Engineer
Bank of Greece.
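
An added example, not part of the original post and not Cisco or SNMPc code: a sketch of how a trap-receiver hook could recover the telnet source address from the instance index of a varbind OID and compare it against known management networks. It assumes the trap is available as a list of (OID, value) pairs and that the trap includes a tcpConnState varbind indexed as the post describes; the function names, sample OIDs and addresses are constructed for illustration.

```python
import ipaddress

# tcpConnState column (RFC 1213). Its instance index is
# localAddr(4).localPort(1).remAddr(4).remPort(1): 10 sub-identifiers.
TCP_CONN_STATE = (1, 3, 6, 1, 2, 1, 6, 13, 1, 1)


def parse_tcp_conn_index(oid):
    """Return (local_ip, local_port, remote_ip, remote_port), or None."""
    try:
        parts = tuple(int(p) for p in oid.strip(".").split("."))
    except ValueError:
        return None
    prefix, index = parts[:len(TCP_CONN_STATE)], parts[len(TCP_CONN_STATE):]
    if prefix != TCP_CONN_STATE or len(index) != 10:
        return None
    octets = index[0:4] + index[5:9]
    ports = (index[4], index[9])
    if not all(0 <= o <= 255 for o in octets):
        return None
    if not all(0 <= p <= 65535 for p in ports):
        return None
    local_ip = ipaddress.IPv4Address(bytes(index[0:4]))
    remote_ip = ipaddress.IPv4Address(bytes(index[5:9]))
    return local_ip, index[4], remote_ip, index[9]


def classify_trap(varbinds, known_networks):
    """Return ("known" | "unknown" | "no-index", remote_ip or None)."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    for oid, _value in varbinds:
        conn = parse_tcp_conn_index(oid)
        if conn is None:
            continue  # varbind without a tcpConnState-style index
        remote_ip = conn[2]
        if any(remote_ip in net for net in nets):
            return "known", remote_ip
        return "unknown", remote_ip
    return "no-index", None


# Constructed sample data (documentation addresses, not from a real trap).
KNOWN = ["192.0.2.0/24"]
SAMPLE_TRAP = [
    ("1.3.6.1.2.1.6.13.1.1.10.0.0.1.23.198.51.100.7.51234", 5),
    ("1.3.6.1.4.1.99999.1.2", "placeholder"),  # constructed non-TCP varbind
]

if __name__ == "__main__":
    print(classify_trap(SAMPLE_TRAP, KNOWN))
```
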