SNMP traps on switchport security violation

Hi,
I configured a switch interface for switchport security in sticky mode with the violation mode set to restrict. The SNMP traps are continuously sent to the log server if a violation occurs. I want the SNMP trap sent only one time for any MAC address violation. Any suggestions?
Thanks,
Aman

I am not sure I understand the question.
From what I understand you have the following assigned to an interface:
switchport port-security mac-address sticky
switchport port-security violation restrict
(some sort of snmp trap command)
You are currently receiving SNMP trap alerts more frequently than you want. If this is correct, check out this link:
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094a05.shtml
If you still have questions let us know and good luck.

Similar Messages

  • SG-500-28P How to configure switchport port-security violation setting

    Is there a way to do switchport port-security violation {protect | restrict | shutdown} in SG-500-28P in case of a BPDU Guard violation?
    Seems like the default option is shutdown and I don't know how to change it.
    Thank you!

    Hi,
    You can recover from this violation by using the command below:
    To enable automatic re-activation of an interface after an Err-Disable shutdown, 
    use the errdisable recovery cause Global Configuration mode command. To 
    disable automatic re-activation, use the no form of this command.
    Syntax
    errdisable recovery cause {all | port-security | dot1x-src-address | acl-deny | 
    stp-bpdu-guard | loopback-detection | udld }
    no errdisable recovery cause {all | port-security | dot1x-src-address | acl-deny | 
    stp-bpdu-guard | loopback-detection | udld }
    For more information:
    Refer to this URL, page no. 406:
    http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/Sx500/cli_guide/CLI_500.pdf
    regards
    Moorthy

  • SCOM 2012 SP1 Cisco Port Security Violations

    Hello,
    I'm fairly new to System Center but have been learning quite a bit over the last year. I am looking for some information on how to generate an alert off of a port-security violation. There's not much information about this, so I'm wondering if anyone out there has experience doing this.
    Also, we run a fairly large Cisco environment (20000+ switchports), so my next question is, do I have to be monitoring every switchport to see a port-sec event happen? I've run some debug snmp packets on my Cisco devices, and I do see the SNMP trap sent for the port-security violation.
    The universal device poller that I set up for this is: OID 1.3.6.1.4.1.9.9.315.1.2.1.1.2 or the MIB CISCO-PORT-SECURITY-MIB:cpsIfPortSecurityStatus, so I'm pretty confident that I've got the right data. I'm just looking for a way to see these events happen without having to monitor every single switchport on my network, and whether the alert will tell me which switch and which port had the violation.
    Any help is always appreciated.

    Hi,
    I have to say that I don't have experience doing this, but in my opinion, if there are log files with that information, we can use SCOM to monitor the log file and fire alerts according to your requirements.
    Based on my research, the output of the port-security debug may have information about which switch and which port had the violation. (I am not familiar with Cisco devices; if there is any misunderstanding, please feel free to let me know.)
    Regards,
    Yan Li

  • 802.1X Port Based Authentication - IP Phone- MDA - Port Security Violation

    I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Microsoft NPS RADIUS authentication on a test LAN. I have tested the authentication with a Windows XP laptop, a Windows 7 laptop with 802.1X, EAP-TLS authentication and a Mitel 5330 IP Phone using EAP-MD5 authentication. All the above devices work with the MS NPS server. However, in MDA mode, when the 802.1X-compliant Windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and then goes into error disable mode.
    Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
    Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
    Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
    Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
    Feb  4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
    If the port config  is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.
    The ports GI1/0./1 & Gi1/02 are configured thus:
    interface GigabitEthernet1/0/1
    switchport mode access
    switchport voice vlan 20
    authentication event fail action authorize vlan 4
    authentication event no-response action authorize vlan 4
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    mab
    mls qos trust cos
    dot1x pae authenticator
    spanning-tree portfast
    sh ver
    Switch Ports Model              SW Version            SW Image
    *    1 52    WS-C2960S-48FPS-L  15.2(1)E1             C2960S-UNIVERSALK9-M
    Full config attached. Assistance will be greatly appreciated.
    Donfrico

    I am currently trying to get 802.1X port authentication working on a Cat3550 against Win2003 IAS, but the IAS log shows an invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
    However, I am successfully using IAS to authenticate WPA users on AP1210s, so RADIUS appears to be working OK.
    Are there special attributes that need to be configured on the switch or IAS?

  • 802.1X Port Based Authentication Security Violation

    I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Microsoft NPS RADIUS authentication on a test LAN. I have tested the authentication with a Windows XP laptop, a Windows 7 laptop with 802.1X, EAP-TLS authentication and a Mitel 5330 IP Phone using EAP-MD5 authentication. All the above devices work with the MS NPS server. However, in MDA mode, when the 802.1X-compliant Windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and then goes into error disable mode.
    Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
    Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
    Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
    Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
    Feb  4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
    If the port config  is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.
    The ports GI1/0./1 & Gi1/02 are configured thus:
    interface GigabitEthernet1/0/1
    switchport mode access
    switchport voice vlan 20
    authentication event fail action authorize vlan 4
    authentication event no-response action authorize vlan 4
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    mab
    mls qos trust cos
    dot1x pae authenticator
    spanning-tree portfast
    sh ver
    Switch Ports Model              SW Version            SW Image
    *    1 52    WS-C2960S-48FPS-L  15.2(1)E1             C2960S-UNIVERSALK9-M
    Full config attached. Assistance will be greatly appreciated.
    Donfrico

    I believe you need to configure re-authentication on this switch port:
    ! Enable re-authentication
    authentication periodic
    ! Enable re-authentication via RADIUS Session-Timeout
    authentication timer reauthenticate server

  • Re-routing of SNMP traps from port 162 to port greater than 1024

    Hello,
    I have to re-route SNMP traps received at port 162 to some other port greater than 1024 (say 2041). There is an application which sends SNMP traps to port 162, and our application running on Windows listens for SNMP traps on port 2041, so we want to route/forward the traps internally from port 162 to 2041.
    I have been looking at the rules defined in 'Windows Firewall with Advanced Security' but have not been able to succeed. I noticed that there is a predefined rule for SNMP traps, but it does not give me an option to forward the trap to another port. I tried creating a new rule, but that also does not give me an option to change the port.
    Please help.

    Hi,
    According to Technet Library:
    SNMP uses the default UDP port 161 for general SNMP messages and UDP port 162 for SNMP trap messages. If these ports are being used by another protocol or service, you can change the settings by modifying the local Services file on the agent. The Services file is located in \%SystemRoot%\System32\Drivers\Etc
    There is no file name extension. You can use any text-based editor to modify the file. The management system must also be configured to listen and send on the new ports.
    Caution:
    If you have previously configured IP security to encrypt SNMP messages on the default ports, you must also update the IP security policy with the new port settings. Otherwise, communication can be erroneously blocked or SNMP communications might not be secured.
    You can access to the link below for this article:
    http://technet.microsoft.com/en-us/library/cc959643.aspx
    Roger Lu
    TechNet Community Support

  • I can not make IP SLA to signal SNMP traps upon timeout

    Hello team.
    I want SNMP traps to be sent every time an IP SLA (ICMP) object times out. For that purpose, I carried out the following
    ip sla monitor logging traps
    ip sla monitor 1
    type echo protocol ipIcmpEcho 10.1.1.254
    timeout 1000
    frequency 15
    ip sla monitor schedule 1 life forever start-time now
    snmp-server enable traps rtr
    snmp-server host 10.1.1.10 mycommunity
    But no SNMP trap is sent when the IP SLA object times out. Am I missing something?
    Any help will be greatly appreciated.
    Rogelio Alvez
    Argentina

    SNMP traps for IP SLAs are handled through the system logging (syslog) process. This means that system logging messages for IP SLAs violations are generated when the specified conditions are met, then sent as SNMP traps using the CISCO-SYSLOG-MIB. The ip sla monitor logging traps command is used to enable the generation of these IP SLAs specific traps. The generation of IP SLAs specific logging messages is dependent on the configuration of the standard set of logging commands (for example, logging on). IP SLAs logging messages are generated at the "informational" system logging severity level.
    The command ip sla monitor logging traps is sometimes hidden and may not show with ?, so just copy and paste it in global config mode, have logging on, and check if any traps are generated.
    -Thanks
    Vinod

  • Switch port-security - Security Violation Count

    I have a question about a Cisco 3400 Metro Access device.
    On an interface I have this config:
    3400_METROACESS#sh run int g0/1
    Building configuration...
    Current configuration : 449 bytes
    interface GigabitEthernet0/1
     description
     switchport access vlan 192
     switchport port-security
     switchport port-security violation restrict
     bandwidth 800000
     load-interval 30
     media-type rj45
     speed 1000
     duplex full
     mac access-group Block-Invalid-ERS-Frames in
     service-policy input 800M
     service-policy output LIMIT_QQ1
    end
    3400_METROACESS#sh port-security int g0/1
    Port Security              : Enabled
    Port Status                : Secure-up
    Violation Mode             : Restrict
    Aging Time                 : 0 mins
    Aging Type                 : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 5
    Total MAC Addresses        : 2
    Configured MAC Addresses   : 0
    Sticky MAC Addresses       : 0
    Last Source Address:Vlan   : XXXX.XXXX.XXXX:192
    Security Violation Count   : 3515  <-- What is the default parameter, or the petitions permitted, for the security violation to take the action mode?
    I have many logs from the int g0/1
    Apr 23 16:08:37: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address XXXX.XXXX.XXXX on port GigabitEthernet0/1.
    Thank you for your help.
    Best Regards!!

    The default (initial) count is 0; the number increases every time there is a violation.
    You can reinitialize (clear) that counter by using the command: clear port-security all int g 0/1
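
Added example, not part of the original posts: one way to get a single alert per violating MAC address on the receiving side, as asked in the first thread, is to collapse the repeated %PORT_SECURITY-2-PSECURE_VIOLATION messages quoted above on the log server. The sample lines, MAC addresses, the 5-minute hold-down and the year used to parse the year-less timestamps are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Matches the IOS message format quoted in the thread above. The leading "*"
# (clock not synchronised) and fractional seconds are optional.
VIOLATION_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?"
    r"MAC address (?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}) "
    r"on port (?P<port>\S+?)\.?\s*$"
)


def suppress_repeats(lines, hold_down=timedelta(minutes=5), year=2024):
    """Collapse repeated port-security violations into one alert per (port, MAC).

    Returns (alerts, suppressed):
      alerts     - list of (time, port, mac) tuples that should be forwarded
      suppressed - dict {(port, mac): number of repeats swallowed}

    The hold-down is measured from the last alert that was raised, not from
    the last message seen, so a violation that never stops is re-alerted once
    per hold-down period instead of being silenced indefinitely.
    """
    last_alert = {}
    suppressed = {}
    alerts = []
    for line in lines:
        m = VIOLATION_RE.match(line.strip())
        if m is None:
            continue  # not a port-security violation message
        # IOS timestamps carry no year; the caller supplies one (assumption).
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["port"], m["mac"].lower())
        previous = last_alert.get(key)
        if previous is None or when - previous >= hold_down:
            last_alert[key] = when
            alerts.append((when, key[0], key[1]))
        else:
            suppressed[key] = suppressed.get(key, 0) + 1
    return alerts, suppressed


# Constructed sample input; the MAC addresses are made up for this example.
_MSG = ("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
        "caused by MAC address {mac} on port {port}.")
SAMPLE_LOG = [
    "Apr 23 16:08:37: " + _MSG.format(mac="0011.2233.4455", port="GigabitEthernet0/1"),
    "Apr 23 16:08:38: " + _MSG.format(mac="0011.2233.4455", port="GigabitEthernet0/1"),
    "Apr 23 16:08:42: " + _MSG.format(mac="0011.2233.4455", port="GigabitEthernet0/1"),
    "Apr 23 16:09:01: " + _MSG.format(mac="0011.2233.4466", port="GigabitEthernet0/1"),
    "Apr 23 16:10:00: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down",
    "Apr 23 16:14:10: " + _MSG.format(mac="0011.2233.4455", port="GigabitEthernet0/1"),
    "*Apr 23 16:14:11.250: " + _MSG.format(mac="0011.2233.4455", port="GigabitEthernet0/2"),
]

if __name__ == "__main__":
    alerts, suppressed = suppress_repeats(SAMPLE_LOG)
    for when, port, mac in alerts:
        print(f"ALERT {when:%b %d %H:%M:%S} {port} {mac}")
    for (port, mac), count in suppressed.items():
        print(f"suppressed {count} repeat(s) for {mac} on {port}")
```
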

  • SNMP TRAPS and SLA

    Hi,
    I am trying to configure IP SLA to send SNMP traps, but it looks like I am making some mistake.
    I have the following configured:
    ip sla monitor 2
    type echo protocol ipIcmpEcho 150.1.3.3 source-ipaddr 1.1.98.7
    frequency 10!
    ip sla monitor schedule 2 start-time now recurring
    ip sla reaction-configuration 2 react rtt threshold-type immediate action-type trapOnly  
    ip sla logging traps
    snmp-server community public RO
    snmp-server enable traps rtr
    snmp-server host 1.1.128.226 public
    1.1.98.7 is the loopback IP on my network. To test the SNMP traps, I enabled debug snmp packets and shut down the loopback interface (1.1.98.7).
    I don't see any SNMP message in the debug output.
    Am I missing something, or is it not possible to get traps directly from IP SLA? Do I need EEM for this?

    Sorry, it actually worked. I just gave IP SLA a restart and it worked.
    It looks like the router was already in the threshold stage when I was activating reaction-config.
    But I am still confused about which command is actually generating these traps, since I have taken some of the SNMP config out and I still get traps.
    Below is the output of the traps which I get when I restart IP SLA.
    *Feb 15 17:10:43.453: SNMP: 150.150.1.1 queue overflow, dropping packet
    *Feb 15 17:10:43.453: SNMP: Queuing packet to 150.150.1.1
    *Feb 15 17:10:43.453: SNMP: V1 Trap, ent rttMonNotificationsPrefix, addr 65.65.2.2, gentrap 6, spectrap 3
    rttMonCtrlAdminTag.1 = 
    rttMonHistoryCollectionAddress.1 = 41 41  03 03   
    rttMonCtrlOperOverThresholdOccurred.1 = 1
    *Feb 15 17:10:43.497: SNMP: 150.150.1.1 queue overflow, dropping packet
    *Feb 15 17:10:43.501: SNMP: Queuing packet to 150.150.1.1
    *Feb 15 17:10:43.501: SNMP: V1 Trap, ent rttMonNotificationsPrefix, addr 65.65.2.2, gentrap 6, spectrap 5
    rttMonCtrlAdminTag.1 = 
    rttMonHistoryCollectionAddress.1 = 41 41  03 03   
    rttMonReactVar.1 = 1
    rttMonReactOccurred.1 = 1
    rttMonReactValue.1 = 12
    rttMonReactThresholdRising.1 = 5
    rttMonReactThresholdFalling.1 = 1
    rttMonEchoAdminLSPSelector.1 = 00 00  00 00  
    *Feb 15 17:10:43.585: SNMP: 150.150.1.1 queue overflow, dropping packet
    *Feb 15 17:10:43.585: SNMP: Queuing packet to 150.150.1.1
    *Feb 15 17:10:43.585: SNMP: V1 Trap, ent rttMonNotificationsPrefix, addr 65.65.2.2, gentrap 6, spectrap 5
    rttMonCtrlAdminTag.1 = 
    rttMonHistoryCollectionAddress.1 = 41 41  03 03   
    rttMonReactVar.1 = 1
    rttMonReactOccurred.1 = 1
    rttMonReactValue.1 = 12
    rttMonReactThresholdRising.1 = 5
    rttMonReactThresholdFalling.1 = 1
    rttMonEchoAdminLSPSelector.1 = 00 00  00 00 
    below is my running config and sh ver
    R2#sh ver
    Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Fri 19-Jun-09 15:13 by prod_rel_team
    ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)
    R2 uptime is 8 hours, 9 minutes
    System returned to ROM by power-on
    System image file is "flash:c2800nm-adventerprisek9-mz.124-24.T1.bin"
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco 2811 (revision 53.50) with 237568K/24576K bytes of memory.
    Processor board ID FTX0952C333
    2 FastEthernet interfaces
    4 Serial(sync/async) interfaces
    1 Virtual Private Network (VPN) Module
    DRAM configuration is 64 bits wide with parity enabled.
    239K bytes of non-volatile configuration memory.
    62720K bytes of ATA CompactFlash (Read/Write)
    Configuration register is 0x2102
    R2#            
    R2#sh run
    Building configuration...
    Current configuration : 2233 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R2
    boot-start-marker
    boot-end-marker
    no aaa new-model
    memory-size iomem 10
    dot11 syslog
    ip source-route
    ip cef
    ipv6 unicast-routing
    ipv6 cef
    multilink bundle-name authenticated
    voice-card 0
    vtp domain 29
    vtp mode transparent
    archive
    log config
      hidekeys
    interface Loopback0
    ip address 65.65.2.2 255.255.255.0
    interface FastEthernet0/0
    shutdown
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 65.65.128.193 255.255.255.224
    shutdown
    duplex auto
    speed auto
    interface Serial0/2/0
    ip address 65.65.13.2 255.255.255.224
    encapsulation ppp
    clock rate 2000000
    interface Serial0/3/0
    no ip address
    shutdown
    router ospf 65
    router-id 65.65.2.2
    log-adjacency-changes
    network 65.65.2.2 0.0.0.0 area 1
    network 65.65.13.2 0.0.0.0 area 1
    network 65.65.128.193 0.0.0.0 area 1
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip sla 1
    icmp-echo 65.65.3.3 source-ip 65.65.2.2
    request-data-size 1500
    frequency 10
    ip sla schedule 1 life forever start-time now
    ip sla reaction-configuration 1 react rtt threshold-value 5 1 threshold-type immediate action-type trapOnly
    snmp-server community public RO
    snmp-server host 150.150.1.1 public
    control-plane
    mgcp fax t38 ecm
    mgcp behavior g729-variants static-pt
    line con 0
    line aux 0
    line vty 0 4
    login
    scheduler allocate 20000 1000
    end
    R2#                                 
    R2#

  • Throttle SNMP traps

    What is the best way to throttle SNMP traps? I have an HP NNM (Network Node Manager) server that is currently receiving traps from a number of network devices. Sometimes traps get sent from these devices at a higher rate than the NNM server can handle. When this happens the NNM server is basically so overwhelmed it gets hung.
    I have a Cisco 1811 ISR that is acting as my remote tunnel device. The monitored devices (switches, firewalls, routers, etc.) are on the local LAN behind the ISR and all monitoring traffic is sent to the NNM server through the IPSec tunnel.
    Is there a way to either batch process snmp traps or throttle/cap the rate that the messages get sent? I would prefer to do this somehow on the ISR as it will keep the number of configurations I have to do way down.
    Thanks,
    -mike

    Luckily you have NNM. As long as you're running NNM 6.4 or later (up to 7.53 that I can testify for), you can configure throttling there. Instead of rehashing it, I point to the post by Prashant over at HP ITRC:
    http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1289854149785+28353475&threadId=1011198
    Note that I don't personally adopt Step 3 in Prashant's post, of blocking individual offending IP addrs specifically in ovtrapd.conf. Without that step, I simply configure ovtrapd.lrf to give whichever IP addr that crosses the "-B -r ##" threshold a temporary "time out". Once that offender's trap rate drops below the configured threshold, NNM unblocks it, until the next violation.
    This is not a perfect "throttle", because all traps (interesting ones and noises) from the offending IP are tuned out during the blockade.

  • WLC 5508 - SNMP traps

    OK, so I'm at wit's end with this one now.
    I configured my SNMP items on the controller and let it roll.
    I started to watch my SNMP monitor (SNMPc Management Console by CastleRock) and saw some life from my controller.  Yay, woot and dance.
    I then started narrowing down the SNMP trap controls because I was getting more than what I want/need currently.  I really just want to know if an AP falls off the network or if the controller's link drops.
    I continued to get alerts that were just not desirable at this point.
    The traps were similar to this:
    ciscoLwappDot11ClientAssocNacAlert [1] cldcClientMacAddress.0.36.214.60.32.32 (DisplayString): 00:24:d6:3c:20:20 [2] cldcClientWlanProfileName.0.36.214.60.32.32 (DisplayString): Wireless [3] cldcClientIPAddress.0.36.214.60.32.32 (IpAddress): 172.31.19.101 [4] cldcApMacAddress.0.36.214.60.32.32 (DisplayString): 00:08:30:39:6c:80 [5] cldcClientQuarantineVLAN.0.36.214.60.32.32 (Integer): 0 [6] cldcClientAccessVLAN.0.36.214.60.32.32 (Integer): 119
    I couldn't find the culprit, so I turned off (unchecked) all trap controls in the web interface and then verified in the CLI with "show trapflags".
    I continue to get these same messages.
    Any ideas?
    Model: AIR-CT5508-K9
    Version: 7.2.103.0

    I went through the entire log (about 2000 lines) and almost all are this same type:
    (Cisco Controller) >show traplog
    Number of Traps Since Last Reset ............ 323738
    Number of Traps Since Log Last Displayed .... 0
    Log System Time              Trap
      0 Mon Mar 11 08:21:49 2013 Client with MAC address 00:24:d6:3c:20:20 has joi
                                 ned profile SC Wireless                        
      1 Mon Mar 11 08:20:16 2013 Client with MAC address 00:24:d6:3c:20:20 has joi
                                 ned profile SC Wireless                        
      2 Mon Mar 11 08:19:09 2013 Client with MAC address 00:24:d6:3c:20:20 has joi
                                 ned profile SC Wireless                        
      3 Mon Mar 11 08:10:21 2013 Client with MAC address cc:af:78:44:7d:2b has joi
                                 ned profile SC Wireless                        
      4 Mon Mar 11 08:10:18 2013 Client with MAC address cc:af:78:44:7d:2b has joi
                                 ned profile SC Wireless                        
    Keep in mind that I have all trap controls disabled.
    (Cisco Controller) >show trapflags
    Authentication Flag.............................. Disable
    Link Up/Down Flag................................ Disable
    Multiple Users Flag.............................. Disable
    configsave....................................... Disabled
    strong-pwd check................................. Disabled
    Client Related Traps
            802.11 Disassociation........................... Disabled
            802.11 Association.............................. Disabled
            802.11 Deauthenticate........................... Disabled
            802.11 Authenticate Failure..................... Disabled
            802.11 Association Failure...................... Disabled
            Excluded........................................ Disabled
            Authentication.................................. Disabled
    Cisco AP
            AuthFailure..................................... Disabled
            Register........................................ Disabled
            InterfaceUp..................................... Disabled
    802.11 Security related traps
            WEP/WPA Decrypt Error........................... Disabled
            IDS Signature Attack............................ Disable
    AAA
            auth............................................ Disabled
            servers......................................... Disabled
    rogueap......................................... Disabled
    Auto-RF Profiles
            Load............................................ Disabled
            Noise........................................... Disabled
            Interference.................................... Disabled
            Coverage........................................ Disabled
    Auto-RF Thresholds
            tx-power........................................ Disabled
            channel......................................... Disabled
    Mesh
            auth failure.................................... Disabled
            child excluded parent........................... Disabled
            parent change................................... Disabled
            child moved..................................... Disabled
            excessive parent change......................... Disabled
            onset SNR....................................... Disabled
            abate SNR....................................... Disabled
            console login................................... Disabled
            excessive association........................... Disabled
            default bridge group name....................... Disabled
            excessive hop count............................. Disabled
            excessive children.............................. Disabled
            sec backhaul change............................. Disabled
    Hopefully I'm just missing something stupid, but it appears all flags are off.
    Message was edited by: Casey Hearn
    Added "Show TrapFlags" details.

  • SNMP traps configuration doesn't work in CUSTOMER-CONTEXT

    Hi everyone,
    I'm having some issues configuring SNMP traps on an ASA5520 USER-CONTEXT (Cisco Adaptive Security Appliance Software Version 8.2(4)):
    I had already configured SNMP traps on ADMIN-CONTEXT and traps were reaching the corresponding NETCOOL SERVERS (10.105.27.115 and 10.105.27.118), as you can see in point 2).
    Could you please give me any clue as to why I get this output for a non-ADMIN-CONTEXT and why I do not even see SNMP packets in the output?
    1) CUST-09-CONTEXT
    name 10.105.27.115 Netcool1_TESTBED description Netcool1_TESTBED SNMP server.
    name 10.105.27.118 Netcool2_TESTBED description Netcool2_TESTBED SNMP server.
    snmp-server community sjnemdhqksptabld
    snmp-server host CUST-09-HCS-MNGT-TRANSIT Netcool1_TESTBED community sjnemdhqksptabld version 2c
    snmp-server host CUST-09-HCS-MNGT-TRANSIT Netcool2_TESTBED community sjnemdhqksptabld version 2c
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    route CUST-09-HCS-MNGT-TRANSIT 10.105.27.0 255.255.255.0 192.168.228.1 1
    CAPTURES
    Lab-asa1-p/CUST-09-CONTEXT/act# capture TEST1 interface CUST-09-HCS-MNGT-TRANSIT match ip host 10.105.27.115 any
    Lab-asa1-p/CUST-09-CONTEXT/act# show capture TEST1 trace detail
    23 packets captured
       1: 15:17:16.373927 1200.0314.0600 0000.0c9f.fc14 0x8100 118: 802.1Q vlan#3092 P0 192.168.228.4 > 10.105.27.115: icmp: echo request (ttl 255, id 9815)
       2: 15:17:18.370433 1200.0314.0600 0000.0c9f.fc14 0x8100 118: 802.1Q vlan#3092 P0 192.168.228.4 > 10.105.27.115: icmp: echo request (ttl 255, id 10598)
       3: 15:17:20.370433 1200.0314.0600 0000.0c9f.fc14 0x8100 118: 802.1Q vlan#3092 P0 192.168.228.4 > 10.105.27.115: icmp: echo request (ttl 255, id 27648)
       4: 15:17:22.370433 1200.0314.0600 0000.0c9f.fc14 0x8100 118: 802.1Q vlan#3092 P0 192.168.228.4 > 10.105.27.115: icmp: echo request (ttl 255, id 3518)
       5: 15:17:24.370433 1200.0314.0600 0000.0c9f.fc14 0x8100 118: 802.1Q vlan#3092 P0 192.168.228.4 > 10.105.27.115: icmp: echo request (ttl 255, id 18995)
       6: 15:17:43.015258 1200.0314.0600 0000.0c9f.fc14 0x8100 118: 802.1Q vlan#3092 P0 192.168.228.4 > 10.105.27.115: icmp: echo request (ttl 255, id 2110)
       7: 15:17:45.010436 1200.0314.0600 0000.0c9f.fc14 0x8100 118: 802.1Q vlan#3092 P0 192.168.228.4 > 10.105.27.115: icmp: echo request (ttl 255, id 11567)
       8: 15:17:47.010436 1200.0314.0600 0000.0c9f.fc14 0x8100 118: 802.1Q vlan#3092 P0 192.168.228.4 > 10.105.27.115: icmp: echo request (ttl 255, id 25551)
       9: 15:17:49.010436 1200.0314.0600 0000.0c9f.fc14 0x8100 118: 802.1Q vlan#3092 P0 192.168.228.4 > 10.105.27.115: icmp: echo request (ttl 255, id 3716)
      10: 15:17:51.010436 1200.0314.0600 0000.0c9f.fc14 0x8100 118: 802.1Q vlan#3092 P0 192.168.228.4 > 10.105.27.115: icmp: echo request (ttl 255, id 20820)
      11: 15:48:16.998483 1200.0314.0600 0000.0c9f.fc14 0x8100 118: 802.1Q vlan#3092 P0 192.168.228.4 > 10.105.27.115: icmp: echo request (ttl 255, id 25423)
      12: 15:48:18.990366 1200.0314.0600 0000.0c9f.fc14 0x8100 118: 802.1Q vlan#3092 P0 192.168.228.4 > 10.105.27.115: icmp: echo request (ttl 255, id 30357)
      13: 15:48:20.990366 1200.0314.0600 0000.0c9f.fc14 0x8100 118: 802.1Q vlan#3092 P0 192.168.228.4 > 10.105.27.115: icmp: echo request (ttl 255, id 31174)
      14: 15:48:22.990366 1200.0314.0600 0000.0c9f.fc14 0x8100 118: 802.1Q vlan#3092 P0 192.168.228.4 > 10.105.27.115: icmp: echo request (ttl 255, id 10878)
      15: 15:48:39.735527 1200.0314.0600 0000.0c9f.fc14 0x8100 118: 802.1Q vlan#3092 P0 192.168.228.4 > 10.105.27.115: icmp: echo request (ttl 255, id 8146)
      16: 15:48:41.730354 1200.0314.0600 0000.0c9f.fc14 0x8100 118: 802.1Q vlan#3092 P0 192.168.228.4 > 10.105.27.115: icmp: echo request (ttl 255, id 1803)
      17: 15:49:01.881134 1200.0314.0600 0000.0c9f.fc14 0x8100 46: 802.1Q vlan#3092 P0 192.168.228.4.49175 > 10.105.27.115.33434:  [udp sum ok] udp 0 [ttl 1] (id 15279)
      18: 15:49:01.881744 1200.0314.0600 0000.0c9f.fc14 0x8100 46: 802.1Q vlan#3092 P0 192.168.228.4.49175 > 10.105.27.115.33435:  [udp sum ok] udp 0 [ttl 1] (id 20090)
      19: 15:49:01.884201 1200.0314.0600 0000.0c9f.fc14 0x8100 46: 802.1Q vlan#3092 P0 192.168.228.4.49175 > 10.105.27.115.33436:  [udp sum ok] udp 0 [ttl 1] (id 24847)
      20: 15:49:01.886672 1200.0314.0600 0000.0c9f.fc14 0x8100 46: 802.1Q vlan#3092 P0 192.168.228.4.49175 > 10.105.27.115.33437:  [udp sum ok] udp 0 (ttl 2, id 8822)
      21: 15:49:04.880356 1200.0314.0600 0000.0c9f.fc14 0x8100 46: 802.1Q vlan#3092 P0 192.168.228.4.49175 > 10.105.27.115.33438:  [udp sum ok] udp 0 (ttl 2, id 20949)
      22: 15:49:07.880371 1200.0314.0600 0000.0c9f.fc14 0x8100 46: 802.1Q vlan#3092 P0 192.168.228.4.49175 > 10.105.27.115.33439:  [udp sum ok] udp 0 (ttl 2, id 9126)
      23: 15:49:10.880340 1200.0314.0600 0000.0c9f.fc14 0x8100 46: 802.1Q vlan#3092 P0 192.168.228.4.49175 > 10.105.27.115.33440:  [udp sum ok] udp 0 (ttl 3, id 24404)
    23 packets shown
    I had already configured SNMP traps on ADMIN-CONTEXT and traps were getting to the corresponding NETCOOL SERVERS:
    2) CONFIGURATION ADMIN-CONTEXT
    IP Management  ASA-FW -->10.105.89.38
    interface GigabitEthernet0/3.710
    nameif management
    security-level 100
    ip address 10.105.89.38 255.255.255.192 standby 10.105.89.39
    management-only
    name 10.105.27.115 Netcool1_TESTBED description Netcool1_TESTBED SNMP server.
    name 10.105.27.118 Netcool2_TESTBED description Netcool2_TESTBED SNMP server.
    snmp-server community sjnemdhqksptabld
    snmp-server host management Netcool1_TESTBED community sjnemdhqksptabld version 2c
    snmp-server host management Netcool2_TESTBED community sjnemdhqksptabld version 2c
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    ip route 0.0.0.0 0.0.0.0 10.105.89.1
    CAPTURES : I could see 206 SNMP packets output and traffic towards the NETCOOL SERVERS (10.105.27.115 AND 10.105.27.118)
    Lab-asa1-p/ADMIN-CONTEXT/act# sh snmp statistics
    0 SNMP packets input
        0 Bad SNMP version errors
        0 Unknown community name
        0 Illegal operation for community name supplied
        0 Encoding errors
        0 Number of requested variables
        0 Number of altered variables
        0 Get-request PDUs
        0 Get-next PDUs
        0 Get-bulk PDUs
        0 Set-request PDUs (Not supported)
    206 SNMP packets output
        0 Too big errors (Maximum packet size 512)
        0 No such name errors
        0 Bad values errors
        0 General errors
        0 Response PDUs
        206 Trap PDUs
    Lab-asa1-p/ADMIN-CONTEXT/act#
    Lab-asa1-p/ADMIN-CONTEXT/act# capture TEST1 interface management match ip host 10.105.27.115 any
    Lab-asa1-p/ADMIN-CONTEXT/act# show capture TEST1
    5 packets captured
       1: 18:36:17.631070 802.1Q vlan#710 P0 10.105.89.38.162 > 10.105.27.115.162:  udp 356
       2: 18:36:18.491261 802.1Q vlan#710 P0 10.105.89.38.162 > 10.105.27.115.162:  udp 355
       3: 18:36:22.389338 802.1Q vlan#710 P0 10.105.89.38.162 > 10.105.27.115.162:  udp 266
       4: 18:36:29.491231 802.1Q vlan#710 P0 10.105.89.38.162 > 10.105.27.115.162:  udp 355
       5: 18:36:40.491246 802.1Q vlan#710 P0 10.105.89.38.162 > 10.105.27.115.162:  udp 355
    5 packets shown
    Lab-asa1-p/ADMIN-CONTEXT/act# capture TEST2 interface management match ip host 10.105.27.118 any
    Lab-asa1-p/ADMIN-CONTEXT/act# show capture TEST2
    13 packets captured
       1: 18:37:16.198094 802.1Q vlan#710 P0 10.105.89.38.162 > 10.105.27.118.162:  udp 356
       2: 18:37:24.491307 802.1Q vlan#710 P0 10.105.89.38.162 > 10.105.27.118.162:  udp 355
       3: 18:37:35.491307 802.1Q vlan#710 P0 10.105.89.38.162 > 10.105.27.118.162:  udp 355
       4: 18:37:46.491307 802.1Q vlan#710 P0 10.105.89.38.162 > 10.105.27.118.162:  udp 355
       5: 18:37:57.491307 802.1Q vlan#710 P0 10.105.89.38.162 > 10.105.27.118.162:  udp 355
       6: 18:38:08.491322 802.1Q vlan#710 P0 10.105.89.38.162 > 10.105.27.118.162:  udp 355
       7: 18:38:19.491292 802.1Q vlan#710 P0 10.105.89.38.162 > 10.105.27.118.162:  udp 355
       8: 18:38:30.491338 802.1Q vlan#710 P0 10.105.89.38.162 > 10.105.27.118.162:  udp 355
       9: 18:38:41.491307 802.1Q vlan#710 P0 10.105.89.38.162 > 10.105.27.118.162:  udp 355
      10: 18:38:52.491307 802.1Q vlan#710 P0 10.105.89.38.162 > 10.105.27.118.162:  udp 355
      11: 18:39:03.491307 802.1Q vlan#710 P0 10.105.89.38.162 > 10.105.27.118.162:  udp 355
      12: 18:39:14.491307 802.1Q vlan#710 P0 10.105.89.38.162 > 10.105.27.118.162:  udp 355
      13: 18:39:25.491307 802.1Q vlan#710 P0 10.105.89.38.162 > 10.105.27.118.162:  udp 355
    13 packets shown
    thanks
    Ana

    Hi guys, could you please help me out?
    BR
    ANA
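The comparison the two captures in this post invite, as an added example that is not part of the original post: classify each `show capture` line and check whether any UDP/162 trap packet left towards the collector. The capture lines are constructed in the same format with documentation addresses, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed capture lines in the format of the ASA "show capture" output above.
CONTEXT_CAPTURE = """\
   1: 15:17:16.373927 802.1Q vlan#3092 P0 192.0.2.4 > 198.51.100.115: icmp: echo request
   2: 15:49:01.881134 802.1Q vlan#3092 P0 192.0.2.4.49175 > 198.51.100.115.33434:  [udp sum ok] udp 0 [ttl 1]
"""
ADMIN_CAPTURE = """\
   1: 18:36:17.631070 802.1Q vlan#710 P0 192.0.2.38.162 > 198.51.100.115.162:  udp 356
   2: 18:36:18.491261 802.1Q vlan#710 P0 192.0.2.38.162 > 198.51.100.115.162:  udp 355
   3: 18:37:16.198094 802.1Q vlan#710 P0 192.0.2.38.162 > 198.51.100.118.162:  udp 356
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# "src[.sport] > dst[.dport]: rest" ; the port is the optional fifth dotted field.
FLOW = re.compile(rf"({IP})(?:\.(\d+))? > ({IP})(?:\.(\d+))?:\s*(.*)$")
TRAP_PORT = "162"

def classify(line):
    """Return (dst_ip, kind) for one capture line, or None if it is not a packet line."""
    m = FLOW.search(line)
    if not m:
        return None
    _src, _sport, dst, dport, rest = m.groups()
    if rest.startswith("icmp"):
        kind = "icmp"
    elif "udp" in rest:
        kind = "snmp-trap" if dport == TRAP_PORT else "udp-other"
    else:
        kind = "other"
    return dst, kind

def summarize(capture_text):
    """Count packets per (destination, kind) across a whole capture."""
    counts = Counter()
    for line in capture_text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit] += 1
    return counts

def traps_seen(capture_text, collector):
    """True when at least one UDP/162 packet towards the collector was captured."""
    return summarize(capture_text)[(collector, "snmp-trap")] > 0
```

A capture that contains only `icmp` and `udp-other` entries for the collector, as in the first sample, means no trap left that interface during the capture window.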

  • Re:SNMP Trap in 10.3

    Hello
    We are migrating applications from 8.1 to 10.3,
    so we wanted to set SNMP traps in 10.3 at the domain level.
    We had set up the traps in 10.3 and restarted, but we are not able to receive any traps.
    Please let me know if you have any suggestions.
    Regards
    -nar-

    When you start the managed server, you should see a message such as the following:
    <Feb 18, 2010 12:39:04 AM EST> <Notice> <SNMP> <BEA-320931> <The SNMP trap version is 2>
    Are you using a port > 1000 on your Server agent? 161 is probably just your port on the Domain agent. There are 2 ports to be careful of, SNMP UDP Port and Master AgentX Port; both on the General tab for the server agent.
    Here's an extract of the SNMP config, showing the "Server SNMP Agents" and a single String Monitor for the server status
    <snmp-agent-deployment>
      <name>Name_of_server_SNMPAgent</name>
      <enabled>true</enabled>
      <send-automatic-traps-enabled>true</send-automatic-traps-enabled>
      <snmp-port>1161</snmp-port>
      <snmp-trap-version>2</snmp-trap-version>
      <community-prefix>public</community-prefix>
      <snmp-trap-destination>
        <name>some name</name>
        <host>xxx.xxx.xxx.xxx</host>
        <port>162</port>
        <community>public</community>
        <security-level>noAuthNoPriv</security-level>
      </snmp-trap-destination>
      <snmp-string-monitor>
        <name>ServerStatus</name>
        <enabled-server>Server1,Server2</enabled-server>
        <monitored-m-bean-type>ServerRuntime</monitored-m-bean-type>
        <monitored-m-bean-name></monitored-m-bean-name>
        <monitored-attribute-name>HealthState</monitored-attribute-name>
        <polling-interval>10</polling-interval>
        <string-to-compare>OK</string-to-compare>
        <notify-differ>true</notify-differ>
        <notify-match>false</notify-match>
      </snmp-string-monitor>
      <community-based-access-enabled>true</community-based-access-enabled>
      <snmp-engine-id>Name_of_server_SNMPAgent</snmp-engine-id>
      <authentication-protocol>noAuth</authentication-protocol>
      <privacy-protocol>noPriv</privacy-protocol>
      <inform-retry-interval>10000</inform-retry-interval>
      <max-inform-retry-count>1</max-inform-retry-count>
      <localized-key-cache-invalidation-interval>3600000</localized-key-cache-invalidation-interval>
      <snmp-access-for-user-m-beans-enabled>false</snmp-access-for-user-m-beans-enabled>
      <inform-enabled>false</inform-enabled>
      <master-agent-x-port>1705</master-agent-x-port>
      <target>AdminServer,Cluster1,Cluster2</target>
    </snmp-agent-deployment>
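A review check for an agent definition like the extract above, as an added example that is not part of the original reply: it flags default community strings and the settings that leave SNMP unauthenticated and unencrypted. The sample fragment is constructed from the element names in the extract, assumes a namespace-free fragment, and the function and check names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed fragment using the element names from the extract above;
# the host is a documentation address, not a value from the thread.
SAMPLE = """<snmp-agent-deployment>
  <name>Server1_SNMPAgent</name>
  <snmp-port>1161</snmp-port>
  <community-prefix>public</community-prefix>
  <snmp-trap-destination>
    <name>nms1</name>
    <host>192.0.2.10</host>
    <port>162</port>
    <community>public</community>
    <security-level>noAuthNoPriv</security-level>
  </snmp-trap-destination>
  <community-based-access-enabled>true</community-based-access-enabled>
  <authentication-protocol>noAuth</authentication-protocol>
  <privacy-protocol>noPriv</privacy-protocol>
</snmp-agent-deployment>"""

DEFAULT_COMMUNITIES = {"public", "private"}

def _text(node, tag):
    """Text of a direct child element, or an empty string when it is absent."""
    return (node.findtext(tag) or "").strip()

def audit_agent(xml_text):
    """Return (check, detail) findings for one snmp-agent-deployment element."""
    agent = ET.fromstring(xml_text)
    findings = []
    prefix = _text(agent, "community-prefix")
    if prefix.lower() in DEFAULT_COMMUNITIES:
        findings.append(("default-community-prefix", prefix))
    if _text(agent, "community-based-access-enabled").lower() == "true":
        findings.append(("community-access-enabled", "community string is the only credential"))
    if _text(agent, "authentication-protocol") == "noAuth":
        findings.append(("no-authentication", "authentication-protocol=noAuth"))
    if _text(agent, "privacy-protocol") == "noPriv":
        findings.append(("no-encryption", "privacy-protocol=noPriv"))
    # Each trap destination carries its own community and security level.
    for dest in agent.findall("snmp-trap-destination"):
        name = _text(dest, "name")
        if _text(dest, "community").lower() in DEFAULT_COMMUNITIES:
            findings.append(("default-trap-community", name))
        if _text(dest, "security-level") == "noAuthNoPriv":
            findings.append(("trap-noAuthNoPriv", name))
    return findings
```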

  • SF300/SG300 and SNMP Traps

    Hello,
    as mentioned in the documentation, the SF300/SG300 series switches are capable of sending SNMP-Traps.
    What kind of SNMP traps are they sending? I need "Link Up / Link Down" Traps. Do the switches send such traps or is it possible to configure these switches to send them?
    Thanks a lot,
    Marco

    Hi,
    Here is a link to the Data Sheet on the 300's:
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps10898/data_sheet_c78-610061.html
    It lists SNMP versions 1, 2c, and 3 with support for traps, and SNMP version 3 user-based security model (USM).
    So you should be able to configure "Link Up / Link Down" Traps. See chapter 19 Configuring SNMP:
    http://www.cisco.com/en/US/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/78-19308-01.pdf
    Thanks,
    Nick

  • Enabled SNMP trap

    Hi Experts,
    When I configure SNMP traps on switches, it shows a list of commands. What exactly are these?
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps tty
    snmp-server enable traps vtp
    snmp-server enable traps vlancreate
    snmp-server enable traps vlandelete
    snmp-server enable traps stpx
    snmp-server enable traps port-security
    snmp-server enable traps config
    snmp-server enable traps entity
    snmp-server enable traps copy-config
    snmp-server enable traps fru-ctrl
    snmp-server enable traps flash insertion removal
    snmp-server enable traps syslog
    snmp-server enable traps bridge
    snmp-server enable traps envmon fan shutdown supply temperature status
    snmp-server enable traps hsrp
    snmp-server enable traps bgp
    snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
    snmp-server enable traps ipmulticast
    snmp-server enable traps msdp
    snmp-server enable traps rtr
    snmp-server enable traps vlan-membership
    Does it cause more CPU utilization? Do I need to enable SNMP traps to monitor the network using SolarWinds NPM? I have configured the community string and the snmp-server host address.
    Thanks
    Vipin

    Hi Vipin,
    We usually configure SNMP traps to monitor our network reachability and availability. If anything goes wrong on the device, whether it is a link-down situation or any issue with a protocol running on the device, it generates an SNMP trap and notifies you, if you have configured an SNMP-server host to receive the notifications/traps.
    To configure the SNMP host, the following is the command that you need to configure:
    (config)#snmp-server host
    E.g.:
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    The above trap will send you the following information:
    >Authentication: if anyone tries to poll the device using a wrong community string
    >linkdown/linkup: if any of the interfaces/ports/links goes down, it will notify you
    snmp-server enable traps bgp
    The above trap will send you traps regarding problems with BGP running on your device.
    Now I come to the CPU part: yes, it may spike the CPU sometimes if regular polling is done from the management server or if any MIB has long output. You can use SolarWinds NPM for the same; however, if it causes high CPU then you have to open up a TAC case with the NMS team to have the issue resolved.
    To know more about the MIBs on your device, you can execute the command 'show snmp mib' on your device and translate the MIBs using the following link to know more about a particular MIB:
    http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.2.1.15
    Kindly let me know in case you have any other doubts.
    Thanks & Regards,
    Nikhil Gakhar
