Solved: Re: snmp configuration for mac flapping?

WizardMage · ‎03-06-2013

Guys,

Would like to ask whats the correct snmp config so that it will send to our snmp server when a mac flapping occurs on a cisco switch specifically 4507 switches..

thanks...

Rolf Fischer · ‎03-07-2013

Hi Mark,

you could enable:

snmp-server enable traps syslog

which sends an additional SNMP-Trap when Syslog-Messages occur.

http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s3.html#GUID-A5CD825A-78AD-4353-AEDD-8E11B34B7D9D

With an Embedded Event Manager (EEM) Applet you can create a more selective solution.

Here a simple example for the %CDP-4-DUPLEX_MISMATCH message (adapting it for the MAC-Flapping Msg should be a piece of cake):

event manager applet SYSLOG-2-TRAP

event syslog pattern "duplex mismatch"

action 1.0 snmp-trap strdata "Duplex Mismatch!!!"

!

snmp-server enable traps event-manager

The result is attached as a Wireshark capture.

Hope that helps

Rolf

View solution in original post

InayathUlla Sharieff · ‎03-06-2013

Hi Mark,

check the below link:

snmp-server trap mac-notification

Enables the SNMP trap notification on a LAN port when MAC addresses are added to or removed from the address table.

http://www.cisco.com/en/US/docs/ios/lanswitch/command/reference/lsw_m1.html#wp1012686

HTH

Regards

Inayath

*Plz rate the usefull posts.

WizardMage · ‎03-06-2013

Dear InayathUlla,

Thanks for your quick response. However, i need an alert when a host flapping occur (ex. duplicate Mac address between 2 ports). As off now, the alerts are generated in the syslog of the switch, what i need is to send an alert to snmp server when this happens...

InayathUlla Sharieff · ‎03-06-2013

HI Mark,

Please find the configuration which can help you to trigger the trap for mac move:-

CONFIG:

snmp-server enable traps MAC-Notification move threshold

(config)# mac address-table notification threshold

(config)# mac address-table notification threshold interval 120

(config)# mac address-table notification threshold limit 5

NOTE Mac limit 5 it's not an integer of 5 MAC moves, but percentage of moves (5%

movement in our case).

Check the status of the smae under the threshold defined/enabled:

#show mac-address-table notification threshold

Status limit Interval

-------------+-----------+-------------

disabled 50 120

HTH

Regards

Inayath

*Plz rate the usefull posts.

Rolf Fischer · ‎03-07-2013

Hi Mark,

you could enable:

snmp-server enable traps syslog

which sends an additional SNMP-Trap when Syslog-Messages occur.

http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/command/nm-snmp-cr-s3.html#GUID-A5CD825A-78AD-4353-AEDD-8E11B34B7D9D

With an Embedded Event Manager (EEM) Applet you can create a more selective solution.

Here a simple example for the %CDP-4-DUPLEX_MISMATCH message (adapting it for the MAC-Flapping Msg should be a piece of cake):

event manager applet SYSLOG-2-TRAP

event syslog pattern "duplex mismatch"

action 1.0 snmp-trap strdata "Duplex Mismatch!!!"

!

snmp-server enable traps event-manager

The result is attached as a Wireshark capture.

Hope that helps

Rolf

WizardMage · ‎03-07-2013

Hi fischer..

I maybe able to do this on our server switch.. thanks for your input..

Rolf Fischer · ‎03-07-2013

Hi Mark,

your're welcome.

I maybe able to do this on our server switch.. thanks for your input..

If such syslog messages appear on your server switches as well, it should work.

I assume, the messages look like this:

%SW_MATM-4-MACFLAP_NOTIF: Host xxxx.xxxx.xxxx in vlan x is flapping between port x and port x

So you could use "is flapping between" as pattern.

Good luck,

Rolf

dayat · ‎02-07-2020

Hi Inayath,

if we want to display notification mac-flap switch by snmp, is it enough if just enabed mac-notification threshold ? or enabled also change and mac-move ?
Thanks,

Regards,

Arif