Is there a way to get NPM trap viewer to decode Cisco mac-notification SNMP traps?
SolarWinds has solved the problem in NPM 10.1.2
The OIDValue has now the form:
0100.5E00.237D.4A64.3D00.2E00
where 005E is the VLAN in hex (-> 94 dec), 00.237D.4A64.3D is the MAC and 002E is the interface number in hex (-> 46 dec)
The following SQL statement lists the entries from the NetPerfMon database:
SELECT TOP 10 Traps.TrapID, Traps.[DateTime], Traps.[NodeID], Nodes.Caption AS Node, substring(TrapVarbinds.OIDValue, 3, 2) + substring(TrapVarbinds.OIDValue, 6, 2) AS VLAN_hex, dbo.hex2int(substring(TrapVarbinds.OIDValue, 3, 2) + substring(TrapVarbinds.OIDValue, 6, 2)) AS VLAN, substring(TrapVarbinds.OIDValue, 23, 2) + substring(TrapVarbinds.OIDValue, 26, 2) AS Port_hex, dbo.hex2int(substring(TrapVarbinds.OIDValue, 23, 2) + substring(TrapVarbinds.OIDValue, 26, 2)) AS Port, substring(TrapVarbinds.OIDValue, 8, 15) AS MAC FROM [NetPerfMon].[dbo].[TrapVarbinds] INNER JOIN [NetPerfMon].[dbo].[Traps] ON [NetPerfMon].[dbo].[Traps].TrapID = [NetPerfMon].[dbo].[TrapVarbinds].TrapID INNER JOIN [NetPerfMon].[dbo].[Nodes] ON [NetPerfMon].[dbo].[Traps].NodeID = [NetPerfMon].[dbo].[Nodes].NodeID WHERE TrapVarbinds.OIDName = 'cmnHistMacChangedMsg.1' ORDER BY Traps.[DateTime] DESC
Where hex2int is:
CREATE function [dbo].[hex2int](@s varchar(16)) --Convert hex to bigint RETURNS bigint -- e.g. select dbo.hex2int('7ff2a5')ASBEGIN SET @s=upper(@s) DECLARE @i int, @len int, @c char(1), @result bigint SET @len = len(@s) SET @i = @len SET @result = CASE WHEN @len>0 THEN 0 END WHILE (@i>0) BEGIN SET @c = substring(@s, @i, 1) SET @result = @result + (ASCII(@c) - (CASE WHEN @c between 'A' and 'F' THEN 55 ELSE CASE WHEN @c between '0' and '9' THEN 48 END END)) * power(16., @len-@i) SET @i = @i-1 END -- while RETURN @resultEND -- function
Thomas
Could you post a the details of one of the traps the way you see it in the Trap Viewer?
The latest Orion MIB db contains the CISCO-MAC-NOTIFICATION-MIB mib.
Yann
snmpTrapEnterprise = CISCO-MAC-NOTIFICATION-MIB:cmnMIBNotificationPrefix experimental.1057.1 = <ip address of switch deleted> cmnHistMacChangedMsg.27 = AQAyABX5YFBwAAcA snmpTrapOID = CISCO-MAC-NOTIFICATION-MIB:cmnMIBNotifications.1 sysUpTime = 3178811706
I think the data I'm looking for (MAC address, port number, etc...) is in the third line (cmnHistMacChangedMsg). But I don't know how to get those values from that string.
Yust a me too message! Would be great to have these decoded to mac / port=InterfaceIndex.
snmpTrapOID=CISCO-MAC-NOTIFICATION-MIB:cmnMIBNotifications.1
cmnHistMacChangedMsg=AQFNABVYhArWAAkBAU0AGk1WB24AGAEBTQAaoJN7SAACAQFNABqgk4D6ABMBAU0AoMWI+sUACgECZQAwGgGv9QACAQKaABadJ9jAABMBApoAGVXdtgAAAgEO2QACmxhyYQAFAQ7ZAAgC17vJAAIBAmUAMBoBr/UAAgECZQAwGgGv9QACAQJlADAaAa/1AAIBARYADM7xpxEAAwEMsAAdoe8bHgABAQABABadEPsIAAUBAAEAGVXdtgEAAgEARAAKzQsgAgAFAQBEAAwpv1icAAUBARYABV43iN8AEwEBFgAFXnzZbAATAQEWAAzO8acRAAMBARYAMJTCYysADgA=
experimental.1057.1=<IP Removed>
snmpTrapEnterprise=CISCO-MAC-NOTIFICATION-MIB:cmnMIBNotificationPrefix
I do not know yet how to decode that string but here is what it means as per the Cisco SNMP Object Locator:
cmnHistMacChangedMsg OBJECT-TYPE SYNTAX OCTET STRING (SIZE(1..254)) MAX-ACCESS read-only STATUS current DESCRIPTION "This object contains the information of a MAC change notification event. It consists of several tuples packed together in the format of ' < tuple1 > < tuple2 >...'. Each tuple consist of 11 octets in the format of ' < operation > < VLAN > < MAC > < dot1dBasePort > ' where < operation > is of size 1 octet and supports the following values 0 - End of MIB object. 1 - MAC learnt. 2 - MAC removed. < VLAN > is vlan number of the VLAN which the MAC address is belonged to and has size of 2 octet. < MAC > is the Layer2 Mac Address and has size of 6 octets. < dot1dBasePort > is the value of dot1dBasePort for the interface from which the MAC address is learnt and has size of 2 octets." ::= { cmnHistoryEntry 2 }
Does anyone have additional information on decoding the string?
Cisco must have the response. If one of you could contact his Cisco Support, that could help all of us.
Thanks,
I have opened a case with the Cisco NMS Team. They suggested I do a packet capture of the trap.
The packet does contain the information as outlined in the mib. See BOLD info below.
This example was an ADD [01] on VLAN 1 [00 01] with the PC MAC [00 15 C5 1D DD 97] and port index of 8 [00 08].
It appears that the conversion is taking place within Orion.
Simple Network Management Protocol version: v2c (1) community: REMOVED data: sNMPv2-Trap (7) sNMPv2-Trap request-id: 449095 error-status: noError (0) error-index: 0 variable-bindings: 4 items SNMPv2-MIB::sysUpTime.0 (1.3.6.1.2.1.1.3.0): 466178427 Object Name: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0) Scalar Instance Index: 0 SNMPv2-MIB::sysUpTime: 466178427 SNMPv2-MIB::snmpTrapOID.0 (1.3.6.1.6.3.1.1.4.1.0): 1.3.6.1.4.1.9.9.215.2.0.1 (SNMPv2-SMI::enterprises.9.9.215.2.0.1) Object Name: 1.3.6.1.6.3.1.1.4.1.0 (SNMPv2-MIB::snmpTrapOID.0) Scalar Instance Index: 0 SNMPv2-MIB::snmpTrapOID: 1.3.6.1.4.1.9.9.215.2.0.1 (SNMPv2-SMI::enterprises.9.9.215.2.0.1) SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.2.30 (1.3.6.1.4.1.9.9.215.1.1.8.1.2.30): 0100010015C51DDD97000800 Object Name: 1.3.6.1.4.1.9.9.215.1.1.8.1.2.30 (SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.2.30) Value (OctetString): 0100010015C51DDD97000800 SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.3.30 (1.3.6.1.4.1.9.9.215.1.1.8.1.3.30): 466178427 Object Name: 1.3.6.1.4.1.9.9.215.1.1.8.1.3.30 (SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.3.30) Value (Integer32): 466178427
I am experiencing the same problem. Has anyone found the solution for decoding Cisco mac-notification traps in Orion yet?
How do you get the switch to send these snmp traps? Is it one of the default ones, or do you need to enable it?
snmp-server enable traps mac-notification changemac-address-table notification changeint range fast 0/1 - 48snmp trap mac-notification change added
