Is there a way to get NPM trap viewer to decode Cisco mac-notification SNMP traps?
SolarWinds has solved the problem in NPM 10.1.2
The OIDValue has now the form:
0100.5E00.237D.4A64.3D00.2E00
where 005E is the VLAN in hex (-> 94 dec), 00.237D.4A64.3D is the MAC and 002E is the interface number in hex (-> 46 dec)
The following SQL statement lists the entries from the NetPerfMon database:
SELECT TOP 10 Traps.TrapID, Traps.[DateTime], Traps.[NodeID], Nodes.Caption AS Node, substring(TrapVarbinds.OIDValue, 3, 2) + substring(TrapVarbinds.OIDValue, 6, 2) AS VLAN_hex, dbo.hex2int(substring(TrapVarbinds.OIDValue, 3, 2) + substring(TrapVarbinds.OIDValue, 6, 2)) AS VLAN, substring(TrapVarbinds.OIDValue, 23, 2) + substring(TrapVarbinds.OIDValue, 26, 2) AS Port_hex, dbo.hex2int(substring(TrapVarbinds.OIDValue, 23, 2) + substring(TrapVarbinds.OIDValue, 26, 2)) AS Port, substring(TrapVarbinds.OIDValue, 8, 15) AS MAC FROM [NetPerfMon].[dbo].[TrapVarbinds] INNER JOIN [NetPerfMon].[dbo].[Traps] ON [NetPerfMon].[dbo].[Traps].TrapID = [NetPerfMon].[dbo].[TrapVarbinds].TrapID INNER JOIN [NetPerfMon].[dbo].[Nodes] ON [NetPerfMon].[dbo].[Traps].NodeID = [NetPerfMon].[dbo].[Nodes].NodeID WHERE TrapVarbinds.OIDName = 'cmnHistMacChangedMsg.1' ORDER BY Traps.[DateTime] DESC
Where hex2int is:
CREATE function [dbo].[hex2int](@s varchar(16)) --Convert hex to bigint RETURNS bigint -- e.g. select dbo.hex2int('7ff2a5')ASBEGIN SET @s=upper(@s) DECLARE @i int, @len int, @c char(1), @result bigint SET @len = len(@s) SET @i = @len SET @result = CASE WHEN @len>0 THEN 0 END WHILE (@i>0) BEGIN SET @c = substring(@s, @i, 1) SET @result = @result + (ASCII(@c) - (CASE WHEN @c between 'A' and 'F' THEN 55 ELSE CASE WHEN @c between '0' and '9' THEN 48 END END)) * power(16., @len-@i) SET @i = @i-1 END -- while RETURN @resultEND -- function
Thomas
Could you post a the details of one of the traps the way you see it in the Trap Viewer?
The latest Orion MIB db contains the CISCO-MAC-NOTIFICATION-MIB mib.
Yann
snmpTrapEnterprise = CISCO-MAC-NOTIFICATION-MIB:cmnMIBNotificationPrefix experimental.1057.1 = <ip address of switch deleted> cmnHistMacChangedMsg.27 = AQAyABX5YFBwAAcA snmpTrapOID = CISCO-MAC-NOTIFICATION-MIB:cmnMIBNotifications.1 sysUpTime = 3178811706
I think the data I'm looking for (MAC address, port number, etc...) is in the third line (cmnHistMacChangedMsg). But I don't know how to get those values from that string.
Yust a me too message! Would be great to have these decoded to mac / port=InterfaceIndex.
snmpTrapOID=CISCO-MAC-NOTIFICATION-MIB:cmnMIBNotifications.1
cmnHistMacChangedMsg=AQFNABVYhArWAAkBAU0AGk1WB24AGAEBTQAaoJN7SAACAQFNABqgk4D6ABMBAU0AoMWI+sUACgECZQAwGgGv9QACAQKaABadJ9jAABMBApoAGVXdtgAAAgEO2QACmxhyYQAFAQ7ZAAgC17vJAAIBAmUAMBoBr/UAAgECZQAwGgGv9QACAQJlADAaAa/1AAIBARYADM7xpxEAAwEMsAAdoe8bHgABAQABABadEPsIAAUBAAEAGVXdtgEAAgEARAAKzQsgAgAFAQBEAAwpv1icAAUBARYABV43iN8AEwEBFgAFXnzZbAATAQEWAAzO8acRAAMBARYAMJTCYysADgA=
experimental.1057.1=<IP Removed>
snmpTrapEnterprise=CISCO-MAC-NOTIFICATION-MIB:cmnMIBNotificationPrefix
I do not know yet how to decode that string but here is what it means as per the Cisco SNMP Object Locator:
cmnHistMacChangedMsg OBJECT-TYPE SYNTAX OCTET STRING (SIZE(1..254)) MAX-ACCESS read-only STATUS current DESCRIPTION "This object contains the information of a MAC change notification event. It consists of several tuples packed together in the format of ' < tuple1 > < tuple2 >...'. Each tuple consist of 11 octets in the format of ' < operation > < VLAN > < MAC > < dot1dBasePort > ' where < operation > is of size 1 octet and supports the following values 0 - End of MIB object. 1 - MAC learnt. 2 - MAC removed. < VLAN > is vlan number of the VLAN which the MAC address is belonged to and has size of 2 octet. < MAC > is the Layer2 Mac Address and has size of 6 octets. < dot1dBasePort > is the value of dot1dBasePort for the interface from which the MAC address is learnt and has size of 2 octets." ::= { cmnHistoryEntry 2 }
Does anyone have additional information on decoding the string?
Cisco must have the response. If one of you could contact his Cisco Support, that could help all of us.
Thanks,
I have opened a case with the Cisco NMS Team. They suggested I do a packet capture of the trap.
The packet does contain the information as outlined in the mib. See BOLD info below.
This example was an ADD [01] on VLAN 1 [00 01] with the PC MAC [00 15 C5 1D DD 97] and port index of 8 [00 08].
It appears that the conversion is taking place within Orion.
Simple Network Management Protocol version: v2c (1) community: REMOVED data: sNMPv2-Trap (7) sNMPv2-Trap request-id: 449095 error-status: noError (0) error-index: 0 variable-bindings: 4 items SNMPv2-MIB::sysUpTime.0 (1.3.6.1.2.1.1.3.0): 466178427 Object Name: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0) Scalar Instance Index: 0 SNMPv2-MIB::sysUpTime: 466178427 SNMPv2-MIB::snmpTrapOID.0 (1.3.6.1.6.3.1.1.4.1.0): 1.3.6.1.4.1.9.9.215.2.0.1 (SNMPv2-SMI::enterprises.9.9.215.2.0.1) Object Name: 1.3.6.1.6.3.1.1.4.1.0 (SNMPv2-MIB::snmpTrapOID.0) Scalar Instance Index: 0 SNMPv2-MIB::snmpTrapOID: 1.3.6.1.4.1.9.9.215.2.0.1 (SNMPv2-SMI::enterprises.9.9.215.2.0.1) SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.2.30 (1.3.6.1.4.1.9.9.215.1.1.8.1.2.30): 0100010015C51DDD97000800 Object Name: 1.3.6.1.4.1.9.9.215.1.1.8.1.2.30 (SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.2.30) Value (OctetString): 0100010015C51DDD97000800 SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.3.30 (1.3.6.1.4.1.9.9.215.1.1.8.1.3.30): 466178427 Object Name: 1.3.6.1.4.1.9.9.215.1.1.8.1.3.30 (SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.3.30) Value (Integer32): 466178427
I am experiencing the same problem. Has anyone found the solution for decoding Cisco mac-notification traps in Orion yet?
How do you get the switch to send these snmp traps? Is it one of the default ones, or do you need to enable it?
