Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
572
Views
0
Helpful
1
Replies

Monitor of DHCP_SNOOPING_DENY

katerina.dardoufa
Level 4
Level 4

‎12-24-2014 05:50 AM

Hello,

we are running DHCP snooping and ARP inspection on 2960 running 12.2(50)SE5. If there is a dhcp snooping denial it is logged with:

SW_DAI-4-DHCP_SNOOPING_DENY

These messages are logged every few seconds as long as the event is active.

I was wondering if there is a way for the switch to send traps or notifications, when such events occur. I could setup our lms (4.1) to run a script or send an e-mail when it receives such syslog messages, but the occurrence is every few seconds (when there is an active event), so we will be stormed by e-mails!!!!

I was looking for snmp-traps related with dhcp_snooping on the switch, but I couldn't find anything appropriate.

 

Has anyone used another method to monitor such events? If so, please share your experience.

 

Thank you all in advance,

Katerina

Labels:
0 Helpful
1 Reply 1

Brian Sullivan
Level 1
Level 1

‎01-28-2015 08:55 AM

We have a several hundred 2960 models with slightly later code and the number of trap choices is limited as you have found.

We haven't used LMS in several years so I'm fuzzy on my memory of the triggers and suppression on syslog alerts with LMS.

We do want you are trying to do in Solarwinds, (Can be done with other syslog server software products that are inexpensive as well)

SW for example we use SW_DAI-4-DHCP_SNOOPING_DENY  as the trigger. In ours we set the trigger threshold to 10, takes ten of these messages to generate an email. Then in the same alert we have the option to suppress (post trigger/email action) the additional actions/emails for a period of time. In our case we have it set to 1 hour.

This allows us time to address the issue without being blasted with emails. If the alert is generated during the night because of the 1 hour suppression we only have a handful of emails in the morning.

If other switches are in alert for the same thing because the syslogs are continuously receiving entries from other switches it will eventually generate the alert for that other switch. If during the day we can address the deny then the next switch to alert will trigger in short order.

LMS made be able to suppress. Third party syslog servers are cheap.

 

Hope this makes sense.

 

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card