John,
Unfortunately, our test network does not contain a Cat 5500 or 6500, but I used the
following:
1 - Cisco 3548XL running 12.0(5)WC5a
2 - What's Up Gold Version 8.0
Prerequisites for the test:
1 - Ports are configured for switchport port security.
On a violation, there is no shutdown, just trap. - port security action trap
2 - SNMP Traps are enabled for the c2900 Notifications, - snmp-server enable traps
c2900.
3 - The SNMP Trap Handler is enabled on the WUG box.
Step 1 - Importing the cisco-c2900-mib
The notification for the "address violation" is defined in the CISCO-C2900-MIB. The
first thing that I did import the CISCO-C2900-MIB.my into the WUG application using
the program mibextra. These entries, I believe, are added into the mibs.txt and
traps.txt file. You can download the Cisco file from their website. Please note the
imports: SNMPv2-SMI, SNMPv2-TC, IF-MIB, CISCO-SMI, RFC1213-MIB. A comment: the
mibextra program gave me an error about a "line overflow" in the SNMPv2-TC MIB. I am
not an MIB expert, but it didn't seem to hamper the process.
Step 2 - Ensuring that the mib is in the events library.
There are three notifications defined in the c2900 MIB:
c2900AddressViolation - generated when an address violation is detected on a secured
port.
c2900BoradcastStorm - generated when a port is receiving broadcast packets at a rate
crossing the threshold.
c2900RpsFailed - generated when a redundant power supply fails.
We want to trigger an alert based on the first notification: c2900AddressViolation.
Using the "events library" (configure->events library) you should see these three
events listed under the heading "SNMP Trap". If not, something didn't work with the
mibextra.
Step 3: Associate the event to an alert.
In my test network map, I have an WUG object for the Cisco 3548. Under the properties
of this device, I have added the event, c2900AddressViolation as an solicited SNMP
trap. Then, under alerts, (again in the properties window) I associated a predefined
alert, (in my case, a local window pop-up message) to the c2900AddressViolation SNMP
trap using the "on event" box in the dialogue window.
It seemed to work fine. In your case, however, we would need to find the correct MIB
for the 5500 and 6500 devices. This should not be too much of a problem. Cisco has a
very nice and user friendly MIB page. With a little digging, you should be able to
find it. If not, just call you local Cisco rep.
Note: If you are running WUG 7.x, you still should be able to associate the trap with
an alert by using the trap number.
One final note: There is a MIB variable in the c2900 MIB that I find quiet
fascinating. If is c2900BandwidthUsageCurrent. From the description: "The current
bandwidth consumed." This value is presented in megabits per second. If I read this
correctly, it is the amount of traffic being "switched by the fabric engine. I setup
an SNMP graph this looks at this variable for several key 2950 and 3548 switches. By
graphing this variable (using absolute values and a one second sampling rate) I can
see which Cat switches are working hard and which aren't. It is a fascinating poll
and gives an indication just how much data is flowing through the network.
Okay, that was my two cents. Hope this helps.
Andrew Martin
-----Original Message-----
From: Richeal, John [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 12, 2003 8:03 AM
To: Martin, Andrew
Subject: RE: [WhatsUp Forum] Cisco Switch and Port Security
Thanks for the info Andrew
We have 2924, 6509, 5509 switches.
I'll look into the MIB and dependencies to see if I can get it working.
We are using "shutdown" for violation mode.
John
-----Original Message-----
From: Martin, Andrew [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 11, 2003 11:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [WhatsUp Forum] Cisco Switch and Port Security
John,
What type of Cisco switches are you running? 3548s,..2950s? The notification for
port address violations in these Catalyst switches is defined in the Cisco MIB:
CISCO-C2900-MIB. (Don't let the mib name fool you. It is good for the 3548XL
switches also) It is the first notification listed: c2900AddressViolation. You can
download this MIB from the Cisco site. www.cisco.com/go/mibs, then search for the
MIB.
I believe that you would compile this MIB into your WUG configuration using the
mibextra command. (note the dependencies listed in the IMPORT section of the MIB)
Then create an alert on this SNMP notification.
I have lurked on the WUG board for some time now and usually don't respond directly to
the board. But this thread caught my eye because I started looking into this
configuration about a month ago or so. Unfortunately, other more pressing issues have
kept me from looking into this further. This is just what I needed to go back to our
test lab and try this out.
Just wondering, are you using "restrict" or 'shutdown" for the violation mode?
Andrew Martin
-----Original Message-----
From: Richeal, John [mailto:[EMAIL PROTECTED]]
Sent: Mon 2/10/2003 3:27 PM
To: '[EMAIL PROTECTED]'
Cc:
Subject: [WhatsUp Forum] Cisco Switch and Port Security
We are running port security on Cisco switches. We would like WUG to monitor
the ports and then let us know when an illegal MAC has been inserted into the switch.
Has anyone done this or know how to do this?
Thanks,
John Richeal
Distributed Systems Specialist II
Pennsylvania Department of Corrections
Management Information Services
Email: [EMAIL PROTECTED]
Voice: 717.730.2760
Video:717.972.8362
Fax: 717.731.7058
>W����+a����0��0��!r����i������x%��l�٥��ޭ騽�_����+%��@�
܆+ޡ�a��b�جj�����y�a����
0���j�!����o���l�����X��*l�+\��&���������������������������������������������������������������
