Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

Port Security Locked Ports Report/Alert

Does anyone know of a way to create both an alert and a report for ports that are locked out due to port security violations?

TIA,

Jon

Find more posts tagged with

Accepted answers

All comments

fcaron

what vendor and what MIB? If we had a MIB walk showing us what a locked-out port (security violation) looks like from a SNMP perspective, this would help.

In particular:

- what is theis status in the SNMP MIB?

- does the device sends TRAPs when this happens?

d09h

I created a web page to show this Report. I email that web page in response to a portsec violation.

I was also doing this via syslog, but that would show last XX syslogs rather than a line per occurrence.

irishjd

Any chance that you can export all of this and send it to me, or post it in the Content Exchange?

Jon

danielleh

Adding to Jon's post-

d09h- It's a great idea to upload this report you've created to the Content Exchange. Many other members of the community might find this kind of report useful.

Thanks!
DH

d09h

As simple as this report is, I believe showing how to get this information has more value than sharing the report itself. Teaching to fish versus giving a fish.

Creating a report from scratch will help one realize the power of ReportWriter.

Having said that, it's a little surprising that this functionality is not native to Orion. We're not talking about some obscure MIB on some obscure piece of hardware. This is the port security MIB on Cisco switches.

I'd much rather see what I created exist natively in Orion. Feature request?

Most importantly, I just realized that since I upgraded to 10.2.1 I lost the ability to search syslogs as well as the ability to launch the Universal Device Poller. I could not screen-shot the portsec MIB polling if I wanted to. I have to open another case or piggy back on the case I already have for the syslog issue (Case # 306680).

danielleh

Hi d09h-

Thanks for the in depth feedback. I'll make sure the PM sees it.

Thanks again,
DH

irishjd

Can you verify the OID that you are using for your polling? I understand that you can't get UDP to open right now, but I was hoping you might have it in your notes. After walking the MIB Tree, I am thinking that it might be: CISCO-PORT_SECURITY-MIB:cpsIfPortSecurityStatus OID: 1.3.6.1.4.1.9.9.315.1.2.1.1.2

d09h

That's the correct OID. The report would need to show the universal device poller status of the interface OID 1.3.6.1.4.1.9.9.315.1.2.1.1.2 or the MIB CISCO-PORT_SECURITY-MIB:cpsIfPortSecurityStatus.

When you have a report showing that, you can have an alert send the page that shows that report.

You may also notice that in your MIB walk, you can see the interface caption (description in IOS). That's good information to have, as hopefully you have been putting descriptions on interfaces to tell location and/or person. Can't imagine monitoring and alerting on portsec without that. Also the offending MAC can be seen in the MIB walk and included. And when it happened. Man, I guess I should post that up. I'll try to remember first thing tomorrow.

irishjd

I would definitely like to see this as a native feature as well. Also, we are moving toward 802.1x authentication, so having that built-in would be very helpful too!

Jon