cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post

Cisco mac-notification

Jump to solution

Is there a way to get NPM trap viewer to decode Cisco mac-notification SNMP traps?

0 Kudos
1 Solution

SolarWinds has solved the problem in NPM 10.1.2

The OIDValue has now the form:

0100.5E00.237D.4A64.3D00.2E00

where 005E is the VLAN in hex (-> 94 dec), 00.237D.4A64.3D is the MAC and 002E is the interface number in hex (-> 46 dec)

The following SQL statement lists the entries from the NetPerfMon database:

SELECT TOP 10 Traps.TrapID, Traps.[DateTime], Traps.[NodeID], Nodes.Caption AS Node,
           substring(TrapVarbinds.OIDValue, 3, 2) + substring(TrapVarbinds.OIDValue, 6, 2) AS VLAN_hex,
           dbo.hex2int(substring(TrapVarbinds.OIDValue, 3, 2) + substring(TrapVarbinds.OIDValue, 6, 2)) AS VLAN,
           substring(TrapVarbinds.OIDValue, 23, 2) + substring(TrapVarbinds.OIDValue, 26, 2) AS Port_hex,
           dbo.hex2int(substring(TrapVarbinds.OIDValue, 23, 2) + substring(TrapVarbinds.OIDValue, 26, 2)) AS Port,
           substring(TrapVarbinds.OIDValue, 8, 15) AS MAC
    FROM [NetPerfMon].[dbo].[TrapVarbinds] INNER JOIN [NetPerfMon].[dbo].[Traps]
                                           ON [NetPerfMon].[dbo].[Traps].TrapID = [NetPerfMon].[dbo].[TrapVarbinds].TrapID
                                           INNER JOIN [NetPerfMon].[dbo].[Nodes]
                                           ON [NetPerfMon].[dbo].[Traps].NodeID = [NetPerfMon].[dbo].[Nodes].NodeID
    WHERE TrapVarbinds.OIDName = 'cmnHistMacChangedMsg.1'
    ORDER BY Traps.[DateTime] DESC

 

Where hex2int is:

CREATE function [dbo].[hex2int](@s varchar(16)) --Convert hex to bigint
RETURNS bigint -- e.g. select dbo.hex2int('7ff2a5')
AS
BEGIN
    SET @s=upper(@s)
    DECLARE @i int, @len int, @c char(1), @result bigint
    SET @len = len(@s)
    SET @i = @len
    SET @result = CASE WHEN @len>0 THEN 0 END
    WHILE (@i>0)
    BEGIN
        SET @c = substring(@s, @i, 1)
        SET @result = @result + (ASCII(@c) - (CASE WHEN @c between 'A' and 'F' THEN 55
                                                    ELSE CASE WHEN @c between '0' and '9' THEN 48
                                                    END
                                               END)) * power(16., @len-@i)
        SET @i = @i-1
    END -- while
    RETURN @result
END -- function

 

Thomas

View solution in original post

0 Kudos
13 Replies
Level 15

Could you post a the details of one of the traps the way you see it in the Trap Viewer?

The latest Orion MIB db contains the CISCO-MAC-NOTIFICATION-MIB  mib.
 

Yann 

0 Kudos

snmpTrapEnterprise = CISCO-MAC-NOTIFICATION-MIB:cmnMIBNotificationPrefix 
experimental.1057.1 = <ip address of switch deleted> 
cmnHistMacChangedMsg.27 = AQAyABX5YFBwAAcA 
snmpTrapOID = CISCO-MAC-NOTIFICATION-MIB:cmnMIBNotifications.1 
sysUpTime = 3178811706 


I think the data I'm looking for (MAC address, port number, etc...) is in the third line (cmnHistMacChangedMsg).  But I don't know how to get those values from that string.

0 Kudos

Yust a me too message! Would be great to have these decoded to mac / port=InterfaceIndex.


snmpTrapOID=CISCO-MAC-NOTIFICATION-MIB:cmnMIBNotifications.1


cmnHistMacChangedMsg=AQFNABVYhArWAAkBAU0AGk1WB24AGAEBTQAaoJN7SAACAQFNABqgk4D6ABMBAU0AoMWI+sUACgECZQAwGgGv9QACAQKaABadJ9jAABMBApoAGVXdtgAAAgEO2QACmxhyYQAFAQ7ZAAgC17vJAAIBAmUAMBoBr/UAAgECZQAwGgGv9QACAQJlADAaAa/1AAIBARYADM7xpxEAAwEMsAAdoe8bHgABAQABABadEPsIAAUBAAEAGVXdtgEAAgEARAAKzQsgAgAFAQBEAAwpv1icAAUBARYABV43iN8AEwEBFgAFXnzZbAATAQEWAAzO8acRAAMBARYAMJTCYysADgA=


experimental.1057.1=<IP Removed>


snmpTrapEnterprise=CISCO-MAC-NOTIFICATION-MIB:cmnMIBNotificationPrefix

0 Kudos

 I do not know yet how to decode that string but here is what it means as per the Cisco SNMP Object Locator:

cmnHistMacChangedMsg OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..254))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object contains the information of a MAC change
notification event. It consists of several tuples packed
together in the format of ' < tuple1 > < tuple2 >...'.

Each tuple consist of 11 octets in the format of
' < operation > < VLAN > < MAC > < dot1dBasePort > ' where

< operation > is of size 1 octet and supports the following values
0 - End of MIB object.
1 - MAC learnt.
2 - MAC removed.

< VLAN > is vlan number of the VLAN which the MAC address is
belonged to and has size of 2 octet.

< MAC > is the Layer2 Mac Address and has size of 6 octets.

< dot1dBasePort > is the value of dot1dBasePort for the
interface from which the MAC address is learnt and has size
of 2 octets."
::= { cmnHistoryEntry 2 }
0 Kudos

Does anyone have additional information on decoding the string?

0 Kudos

Cisco must have the response. If one of you could contact his Cisco Support, that could help all of us.

Thanks,

Yann

0 Kudos

I have opened a case with the Cisco NMS Team.  They suggested I do a packet capture of the trap.

The packet does contain the information as outlined in the mib.  See BOLD info below.

This example was an ADD [01] on VLAN 1 [00 01] with the PC MAC [00 15 C5 1D DD 97] and port index of 8 [00 08].

It appears that the conversion is taking place within Orion.

Simple Network Management Protocol
    version: v2c (1)
    community: REMOVED
    data: sNMPv2-Trap (7)
        sNMPv2-Trap
            request-id: 449095
            error-status: noError (0)
            error-index: 0
            variable-bindings: 4 items
                SNMPv2-MIB::sysUpTime.0 (1.3.6.1.2.1.1.3.0): 466178427
                    Object Name: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0)
                        Scalar Instance Index: 0
                    SNMPv2-MIB::sysUpTime: 466178427
                SNMPv2-MIB::snmpTrapOID.0 (1.3.6.1.6.3.1.1.4.1.0): 1.3.6.1.4.1.9.9.215.2.0.1 (SNMPv2-SMI::enterprises.9.9.215.2.0.1)
                    Object Name: 1.3.6.1.6.3.1.1.4.1.0 (SNMPv2-MIB::snmpTrapOID.0)
                        Scalar Instance Index: 0
                    SNMPv2-MIB::snmpTrapOID: 1.3.6.1.4.1.9.9.215.2.0.1 (SNMPv2-SMI::enterprises.9.9.215.2.0.1)
                SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.2.30 (1.3.6.1.4.1.9.9.215.1.1.8.1.2.30): 0100010015C51DDD97000800
                    Object Name: 1.3.6.1.4.1.9.9.215.1.1.8.1.2.30 (SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.2.30)
                    Value (OctetString): 0100010015C51DDD97000800
                SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.3.30 (1.3.6.1.4.1.9.9.215.1.1.8.1.3.30): 466178427
                    Object Name: 1.3.6.1.4.1.9.9.215.1.1.8.1.3.30 (SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.3.30)
                    Value (Integer32): 466178427

0 Kudos

I am experiencing the same problem. Has anyone found the solution for decoding Cisco mac-notification traps in Orion yet?

0 Kudos

SolarWinds has solved the problem in NPM 10.1.2

The OIDValue has now the form:

0100.5E00.237D.4A64.3D00.2E00

where 005E is the VLAN in hex (-> 94 dec), 00.237D.4A64.3D is the MAC and 002E is the interface number in hex (-> 46 dec)

The following SQL statement lists the entries from the NetPerfMon database:

SELECT TOP 10 Traps.TrapID, Traps.[DateTime], Traps.[NodeID], Nodes.Caption AS Node,
           substring(TrapVarbinds.OIDValue, 3, 2) + substring(TrapVarbinds.OIDValue, 6, 2) AS VLAN_hex,
           dbo.hex2int(substring(TrapVarbinds.OIDValue, 3, 2) + substring(TrapVarbinds.OIDValue, 6, 2)) AS VLAN,
           substring(TrapVarbinds.OIDValue, 23, 2) + substring(TrapVarbinds.OIDValue, 26, 2) AS Port_hex,
           dbo.hex2int(substring(TrapVarbinds.OIDValue, 23, 2) + substring(TrapVarbinds.OIDValue, 26, 2)) AS Port,
           substring(TrapVarbinds.OIDValue, 8, 15) AS MAC
    FROM [NetPerfMon].[dbo].[TrapVarbinds] INNER JOIN [NetPerfMon].[dbo].[Traps]
                                           ON [NetPerfMon].[dbo].[Traps].TrapID = [NetPerfMon].[dbo].[TrapVarbinds].TrapID
                                           INNER JOIN [NetPerfMon].[dbo].[Nodes]
                                           ON [NetPerfMon].[dbo].[Traps].NodeID = [NetPerfMon].[dbo].[Nodes].NodeID
    WHERE TrapVarbinds.OIDName = 'cmnHistMacChangedMsg.1'
    ORDER BY Traps.[DateTime] DESC

 

Where hex2int is:

CREATE function [dbo].[hex2int](@s varchar(16)) --Convert hex to bigint
RETURNS bigint -- e.g. select dbo.hex2int('7ff2a5')
AS
BEGIN
    SET @s=upper(@s)
    DECLARE @i int, @len int, @c char(1), @result bigint
    SET @len = len(@s)
    SET @i = @len
    SET @result = CASE WHEN @len>0 THEN 0 END
    WHILE (@i>0)
    BEGIN
        SET @c = substring(@s, @i, 1)
        SET @result = @result + (ASCII(@c) - (CASE WHEN @c between 'A' and 'F' THEN 55
                                                    ELSE CASE WHEN @c between '0' and '9' THEN 48
                                                    END
                                               END)) * power(16., @len-@i)
        SET @i = @i-1
    END -- while
    RETURN @result
END -- function

 

Thomas

View solution in original post

0 Kudos

I found, that switches can transfer multiple mac addresses in one trap. So we have to parse OIDValue.

I built a small database application that extracts the MAC addresses from Orion database and store it in a table. There is also a web interface (ASP.Net) to access this data (search for MAC, track MAC, list unknown MACs [compared to a list of known MACs]).

If you are interested I can share the code.

Thomas

0 Kudos

Wow, zombie thread comes alive.  Thanks much for the code.  Too bad It's 2 and a half years later.

 

+10 rep to gut for that SQL query though.

0 Kudos

How do you get the switch to send these snmp traps?  Is it one of the default ones, or do you need to enable it?

0 Kudos


How do you get the switch to send these snmp traps?  Is it one of the default ones, or do you need to enable it?



snmp-server enable traps mac-notification change
mac-address-table notification change

int range fast 0/1 - 48
snmp trap mac-notification change added

0 Kudos