9 Replies Latest reply on Jan 27, 2012 7:33 AM by irishjd

    Port Security Locked Ports Report/Alert

    irishjd

      Does anyone know of a way to create both an alert and a report for ports that are locked out due to port security violations?

      TIA,

      Jon

        • Re: Port Security Locked Ports Report/Alert
          fcaron

What vendor and what MIB? If we had a MIB walk showing us what a locked-out port (security violation) looks like from an SNMP perspective, this would help.

          In particular:

- what is this status in the SNMP MIB?

- does the device send TRAPs when this happens?

          • Re: Port Security Locked Ports Report/Alert
            d09h

            I created a web page to show this Report.  I email that web page in response to a portsec violation.


            I was also doing this via syslog, but that would show last XX syslogs rather than a line per occurrence.

              • Re: Port Security Locked Ports Report/Alert
                irishjd

                Any chance that you can export all of this and send it to me, or post it in the Content Exchange?

                Jon

                • Re: Port Security Locked Ports Report/Alert
                  d09h

                  As simple as this report is, I believe showing how to get this information has more value than sharing the report itself.  Teaching to fish versus giving a fish.

                  Creating a report from scratch will help one realize the power of ReportWriter.

                  Having said that, it's a little surprising that this functionality is not native to Orion.  We're not talking about some obscure MIB on some obscure piece of hardware.   This is the port security MIB on Cisco switches.

                  I'd much rather see what I created exist natively in Orion.  Feature request?

Most importantly, I just realized that since I upgraded to 10.2.1 I lost the ability to search syslogs as well as the ability to launch the Universal Device Poller.  I could not screen-shot the portsec MIB polling if I wanted to.  I have to open another case or piggyback on the case I already have for the syslog issue (Case # 306680).

                    • Re: Port Security Locked Ports Report/Alert
                      DanielleH

                      Hi d09h-

                      Thanks for the in depth feedback.  I'll make sure the PM sees it.

                      Thanks again,
                      DH

                      • Re: Port Security Locked Ports Report/Alert
                        irishjd

                        Can you verify the OID that you are using for your polling? I understand that you can't get UDP to open right now, but I was hoping you might have it in your notes. After walking the MIB Tree, I am thinking that it might be: CISCO-PORT_SECURITY-MIB:cpsIfPortSecurityStatus OID: 1.3.6.1.4.1.9.9.315.1.2.1.1.2

                          • Re: Port Security Locked Ports Report/Alert
                            d09h

That's the correct OID.  The report would need to show the universal device poller status of the interface, OID 1.3.6.1.4.1.9.9.315.1.2.1.1.2 or the MIB CISCO-PORT_SECURITY-MIB:cpsIfPortSecurityStatus.


                            When you have a report showing that, you can have an alert send the page that shows that report.

                            You may also notice that in your MIB walk, you can see the interface caption (description in IOS).  That's good information to have, as hopefully you have been putting descriptions on interfaces to tell location and/or person.  Can't imagine monitoring and alerting on portsec without that.  Also the offending MAC can be seen in the MIB walk and included.  And when it happened.  Man, I guess I should post that up.  I'll try to remember first thing tomorrow.
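The report d09h describes above (status of cpsIfPortSecurityStatus per interface, joined with the interface description, the last offending MAC, and filtered to ports that are actually locked) can be built outside Orion as well. The script below is an added example, not code from this thread or from SolarWinds: it parses snmpwalk-style numeric output and emits a one-line-per-port report of interfaces in the shutdown(3) state. The sample walk is constructed. The cpsIfPortSecurityStatus OID is the one confirmed in the thread; the ifDescr and ifAlias columns are taken from IF-MIB and the cpsIfSecureLastMacAddress column (.315.1.2.1.1.5) is my recollection of CISCO-PORT-SECURITY-MIB, so verify both against your own MIB walk before relying on them.

```python
import re
from collections import defaultdict

# OID columns of interest. cpsIfPortSecurityStatus is the OID given in the thread;
# the other three are assumed from IF-MIB / CISCO-PORT-SECURITY-MIB (verify on your walk).
COLUMNS = {
    "1.3.6.1.4.1.9.9.315.1.2.1.1.2": "status",    # cpsIfPortSecurityStatus
    "1.3.6.1.4.1.9.9.315.1.2.1.1.5": "last_mac",  # cpsIfSecureLastMacAddress (assumed)
    "1.3.6.1.2.1.2.2.1.2": "ifdescr",             # IF-MIB ifDescr (interface name)
    "1.3.6.1.2.1.31.1.1.1.18": "ifalias",         # IF-MIB ifAlias ("description" in IOS)
}

# cpsIfPortSecurityStatus values: securedown(2) is just link-down and is NOT a violation;
# only shutdown(3) means the port was err-disabled by port security.
STATUS_NAMES = {1: "secureup", 2: "securedown", 3: "shutdown"}
LOCKED = 3

# Constructed sample walk, in the "OID = TYPE: value" format that snmpwalk -On prints.
SAMPLE_WALK = """\
.1.3.6.1.2.1.2.2.1.2.10001 = STRING: "GigabitEthernet1/0/1"
.1.3.6.1.2.1.2.2.1.2.10002 = STRING: "GigabitEthernet1/0/2"
.1.3.6.1.2.1.2.2.1.2.10003 = STRING: "GigabitEthernet1/0/3"
.1.3.6.1.2.1.31.1.1.1.18.10001 = STRING: "Reception desk"
.1.3.6.1.2.1.31.1.1.1.18.10002 = STRING: "Lobby kiosk"
.1.3.6.1.2.1.31.1.1.1.18.10003 = STRING: ""
.1.3.6.1.4.1.9.9.315.1.2.1.1.2.10001 = INTEGER: 1
.1.3.6.1.4.1.9.9.315.1.2.1.1.2.10002 = INTEGER: shutdown(3)
.1.3.6.1.4.1.9.9.315.1.2.1.1.2.10003 = INTEGER: 2
.1.3.6.1.4.1.9.9.315.1.2.1.1.5.10001 = Hex-STRING: 00 1A 2B 3C 4D 5E
.1.3.6.1.4.1.9.9.315.1.2.1.1.5.10002 = Hex-STRING: DE AD BE EF 00 01
.1.3.6.1.4.1.9.9.315.1.2.1.1.5.10003 = Hex-STRING: 00 00 00 00 00 00
"""

LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*(?P<type>[\w-]+):\s*(?P<val>.*)$")


def _decode(typ, val):
    """Turn the textual snmpwalk value into a Python value."""
    if typ == "INTEGER":
        # Accepts both "3" and the MIB-resolved form "shutdown(3)".
        m = re.search(r"\d+", val)
        return int(m.group()) if m else val
    if typ == "Hex-STRING":
        return ":".join(val.lower().split())
    if typ == "STRING":
        return val.strip('"')
    return val


def parse_walk(text):
    """Return {ifIndex: {column_name: value}} for the columns in COLUMNS."""
    rows = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid, typ, val = m.group("oid"), m.group("type"), m.group("val").strip()
        for prefix, name in COLUMNS.items():
            suffix = oid[len(prefix) + 1:]
            if oid.startswith(prefix + ".") and suffix.isdigit():
                rows[int(suffix)][name] = _decode(typ, val)
    return dict(rows)


def locked_ports(rows):
    """Ports whose port-security status is shutdown(3), one dict per port."""
    report = []
    for ifindex, r in sorted(rows.items()):
        if r.get("status") == LOCKED:
            report.append({
                "ifindex": ifindex,
                "interface": r.get("ifdescr", "?"),
                "description": r.get("ifalias", ""),
                "last_mac": r.get("last_mac", ""),
                "status": STATUS_NAMES[LOCKED],
            })
    return report


def render_report(locked):
    """Plain-text table, one line per locked port, suitable for mailing from an alert."""
    lines = [f"{'ifIndex':<8} {'Interface':<22} {'Status':<9} {'Last MAC':<18} Description"]
    for p in locked:
        lines.append(f"{p['ifindex']:<8} {p['interface']:<22} {p['status']:<9} "
                     f"{p['last_mac']:<18} {p['description']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(locked_ports(parse_walk(SAMPLE_WALK))))
```

Feed it the output of a real `snmpwalk -On` over the four OID subtrees and the same three functions produce the report; the filter on shutdown(3) matters, because a walk will also show securedown(2) ports that are merely unplugged and would otherwise flood the report with false positives. The last-MAC column is what lets the person reading the page act on it without logging into the switch.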

                          • Re: Port Security Locked Ports Report/Alert
                            irishjd

                            I would definitely like to see this as a native feature as well. Also, we are moving toward 802.1x authentication, so having that built-in would be very helpful too!

                            Jon