03-24-2012 04:54 PM - edited 03-07-2019 05:45 AM
All:
Looking into a strange issue; not sure if any of you have seen this before. Basically, no SNMP trap is sent for a violation of shutdown. SNMP traps with violation of restrict are sent just fine. Thought this was interesting. On a 6509 the SNMP trap of violation shutdown works fine, but on 3560s I cannot get it to work; however, 3560s' violation restrict works great via SNMP. Updated the 3560 IOS to the newest version as well to try to resolve.
ip access-list standard SNMP
permit 1.1.1.1
deny any
snmp-server view myview iso included
snmp-server group test1 v3 priv read myview access SNMP
snmp-server user test test1 v3 auth md5 "test" priv aes "test" access SNMP
snmp-server enable traps port-security
snmp-server trap-source lo0
snmp-server host 1.1.1.1 version 3 priv test
int fa 0/0
switchport port-security
switchport port-security mac sti
switchport port-security vio shutdown (DOES NOT WORK)
switchport port-security vio restrict (WORKS!!)
Of course, the port is shut and no shut every time to generate a trap.
debug snmp packets reveals no packets sent for a violation of shutdown.
sh snmp (reveals no update count for sent in a violation shutdown)
03-24-2012 07:31 PM
Does anyone know how to get an SNMP trap to be sent with a violation of shutdown on a Catalyst 3560 or 3750? I have tested on both.
03-25-2012 05:55 PM
bump
03-26-2012 06:22 PM
bump
03-28-2012 04:18 AM
Bump
Sent from Cisco Technical Support iPad App
03-28-2012 06:47 AM
Port security traps work fine for me. My problem is when I set the port to restrict, it won't stop notifying me until the port is fixed.
Pat
03-28-2012 06:49 AM
I think merely shutting the port might not generate the trap for shutdown. What if you try violating it with another mac?
03-28-2012 07:26 AM
I am reviolating the port not just a shut no shut. I reset port security. I feel it may be a bug in IOS with SNMPv3 aes priv implementation. My hope was someone would lab it out.
03-29-2012 06:44 PM
Bump
Sent from Cisco Technical Support iPad App
04-09-2012 06:50 PM
Evidently violation shutdown in 3560s and 3750s does not send a trap, and a trap is only supported for a violation of restrict. This is odd as all the textbooks teach that an SNMP trap is sent for violation shutdown.
While the 6500 IOS does send an SNMP trap for violation shutdown.
Quite interesting in my opinion. Thanks again.
CISCO!!! WHERE IS THE UNIFORMITY ACROSS YOUR CATALYST PRODUCTS?????
04-10-2012 01:15 AM
This is not true as our 3560s and 3750s and 3550s all send SNMP traps when a switchport is shut down due to port-security. My problem is that when ports are violated that are configured with restrict, the SNMP trap keeps coming if the violating device doesn't unplug, as the interface doesn't go down to stop it.
Pat-
04-10-2012 03:59 AM
Pat
You must be running an older IOS version. Did you go to the listed URLs? Cisco says it is not a feature in these URLs. It may have worked with older versions of IOS but with recent versions it is not in the MIB. Check it out yourself and go to the URLs I posted before blasting. Thanks.
Sent from Cisco Technical Support iPad App
04-10-2012 04:52 AM
Sorry for the blast.
We use: c3750-ipbasek9-mz.122-58.SE2.bin
c3560-ipbasek9-mz.122-55.SE3.bin
c3550-ipbasek9-mz.122-44.SE6.bin
These images are recent and we have no problem. I think the 3750 image is newer than the image you are referring to. I guess it's possible the Cisco documentation is wrong.
Pat-
04-10-2012 09:18 AM
Pat:
I do appreciate your input. Cisco TAC seems to agree that it is a bug and I am still pursuing it. For the 3560 12.2-55.SE3, I am surprised it works, due to 23-2 for that version stating it does not send an SNMP trap. I am not doubting you, just stating it is weird that the Cisco documentation does not agree with your statements. See this URL below for the version
12-03-2012 12:58 PM
Table 28-1 Documentation for 3560X and 3750X specifically mentions that ONLY "restrict" sends a trap.
Table 25-1 For 3750 also says it ONLY sends trap on "restrict" mode
xaeniac, are you using an SNMP v3 server? I have an SNMP v3 server, IOS is 12.2(55) on my 3750X and 3560X, but traps only work on v2.
I'm attending the LMS 4.x training for a week, I'm going to straighten this up with the Cisco instructor.
From another thread/user:
"Enabling SNMP Traps on Switch Ports
Admin > Collection Settings: User Tracking > Device Trap Configuration
You must configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification Traps when a host is connected to or disconnected from that port. Even if the device is managed with SNMPv3, LMS processes only SNMPv1/SNMPv2 traps."
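Added example, not part of the thread or Cisco's own code: where a trap for the shutdown action cannot be relied on, the violation still shows up in syslog, and the same pass collapses the repeated restrict-mode notifications described above into one record per port. It assumes the switches also log to a collector in `<timestamp> <host> <message>` layout; the sample lines, hostnames and MAC addresses are constructed, and `summarize` and `short_if` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread): "<timestamp> <host> <message>".
# Hostnames and MAC addresses are made up.
SAMPLE_LOG = """\
Mar 24 16:50:01 sw3560-a %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
Mar 24 16:50:01 sw3560-a %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/1.
Mar 24 16:51:10 sw3750-b %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port FastEthernet0/7.
Mar 24 16:51:40 sw3750-b %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port FastEthernet0/7.
Mar 24 16:52:10 sw3750-b %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port FastEthernet0/7.
Mar 24 16:53:00 sw3750-b %LINK-3-UPDOWN: Interface FastEthernet0/9, changed state to down
"""

VIOLATION = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address "
                       r"(?P<mac>[0-9a-fA-F.]+) on port (?P<port>[A-Za-z]+[\d/]+)")
ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on "
                         r"(?P<port>[A-Za-z]+[\d/]+)")

def short_if(name):
    """Normalise 'FastEthernet0/1' and 'Fa0/1' to the same key ('Fa0/1')."""
    m = re.match(r"([A-Za-z]+)([\d/]+)$", name)
    return m.group(1)[:2].capitalize() + m.group(2)

def summarize(log_text):
    """One record per (host, port): inferred mode, violation count, MACs seen."""
    ports = defaultdict(lambda: {"mode": "restrict", "violations": 0, "macs": set()})
    for line in log_text.splitlines():
        fields = line.split(None, 4)      # month, day, time, host, message
        if len(fields) < 5:
            continue
        host, msg = fields[3], fields[4]
        if (m := ERR_DISABLE.search(msg)):
            # Port was err-disabled, so the configured action was shutdown.
            ports[(host, short_if(m["port"]))]["mode"] = "shutdown"
        elif (m := VIOLATION.search(msg)):
            rec = ports[(host, short_if(m["port"]))]
            rec["violations"] += 1        # repeats fold into a single record
            rec["macs"].add(m["mac"].lower())
    return dict(ports)

if __name__ == "__main__":
    for (host, port), rec in sorted(summarize(SAMPLE_LOG).items()):
        print(host, port, rec["mode"], rec["violations"], sorted(rec["macs"]))
```

The mode is inferred from the log alone: a violation with no matching err-disable message is reported as restrict.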