15 Replies Latest reply on Aug 13, 2012 12:18 PM by dclick

    Is it possible to monitor Cisco switches for mac address flapping?

    Don Maker

      We have a situation here where our product engineers often change mac addresses on devices being developed. They do not do a decent job of managing this pool of addresses and hand them out to other engineering teams and no one keeps track and I end up with device flapping more often than I would want. Is there a way with Orion to monitor and alert on this? I was thinking something simple like just watching for the %SW_MATM-4-MACFLAP_NOTIF: message in an IOS switch log buffer and capturing that and emailing it out? We also have ArcSight in our environment if that helps.

       

      I am pretty sure I could eventually muddle my way through this, but I'd rather not spend buckets of time and if someone else has done this and is kind enough to offer some pointers, that would be great.

       

      Thanks

        • Re: Is it possible to monitor Cisco switches for mac address flapping?
          vhcato

          If you are pointing syslog messages from the switches in question to Orion, you could certainly set up a syslog rule to watch for these messages and trigger an email action.

          • Re: Is it possible to monitor Cisco switches for mac address flapping?
            jmay

            Using SYSLOG Viewer to trap any msgs with *macflap* then alert email out works ok. Need to direct syslog to Orion box on network device.

              • Re: Is it possible to monitor Cisco switches for mac address flapping?
                Don Maker

                Thanks for all the responses. I have configured a couple of switches to throw syslog messages at my Orion server, but when I go to start the Solarwinds Syslog service on the server, it's not there. I did not originally set up this server. Would this be a selectable option from the original install? Can I download it separately? Or do I need to run the original install again and select only the syslog service?

                 

                Edit: One of the engineers who originally set this up here said that if you enable the syslog service it will turn on logging for all devices that it manages. Which historically has bumped up the sql db by 100+ GB. So it was turned off. Is this true?  How does it get syslog input from a switch that does not have logging configured to send syslog to Orion in the first place?

                 

                 

                Thanks

                • Re: Is it possible to monitor Cisco switches for mac address flapping?
                  Don Maker

                  Using SYSLOG viewer (tab) in Orion, or do you mean outside of Orion with some other 3rd party syslog viewer?  I am looking but not really seeing any easy way to set up an email alert on the syslog tab within Orion.  I have got it so that I can see the syslog messages in the syslog tab for the switches that I want to monitor, but I can't see anywhere to set up email alerts...

                   

                   

                  Edit: I think I may have found it. I'm fiddling with the Orion Alert Manager now..

                    • Re: Is it possible to monitor Cisco switches for mac address flapping?
                      dclick

                      The only way to set up an alert trigger with Syslog at this time is through the console-based application - there is not any web-support for creating/managing alerts (YET).

                        • Re: Is it possible to monitor Cisco switches for mac address flapping?
                          Don Maker

                          Hmmm, proving a bit tougher than I thought.

                           

                          I am trying to create a new alert. I am in the Trigger Condition tab...so should it be a simple or a complex?  When browsing the network nodes breakout I don't really see anything that looks like it would allow me to scrub a syslog output for a text string. I see network nodes>node details, node status, response time, cpu and mem, cisco buffers, polling details and snmp v4. I was hoping it would be as simple as saying whenever this text string shows up for a monitored device, do the following. But I can't seem to figure out how to do the first part, the text string monitoring of a syslog output.

                           

                          Sorry, but pretty new to Solarwinds.

                            • Re: Is it possible to monitor Cisco switches for mac address flapping?
                              dclick

                              Unfortunately, it's not going to be that easy. You cannot create a syslog alert from the Advanced alert editor. Solarwinds has not integrated them yet.  You will need to launch the Syslog Viewer application, and do everything from there.   Once you have the tool open, you should see all types of traffic flowing. Click on the yellow triangle in the button bar to start setting up a rule/alert.

                               

                              It's not nearly as "clean" as the Advance alert monitor, but it does work.

                              • Re: Is it possible to monitor Cisco switches for mac address flapping?
                                Don Maker

                                So I created a Custom Node Poller Trigger condition that says Description is equal to MACFLAP ...does that sound reasonable?  Sort of stabbing in the dark here..

                                  • Re: Is it possible to monitor Cisco switches for mac address flapping?
                                    Don Maker

                                    I think I have a rule in place now that should work. Thanks for the tips.   Now I just have to wait for it to happen to see if the rule works. But I can test easily enough with simpler text strings that I can produce without giving the switch a mac addr flap headache.

                                    • Re: Is it possible to monitor Cisco switches for mac address flapping?
                                      dclick

                                      I think you're in the Universal Device poller - that's not what you want.  You're going to want to run the "Syslog Viewer" application - normally found in Start -> All Programs -> Solarwinds Orion -> Syslog and SNMP Traps -> Syslog Viewer.

                                       

                                      Let's use one of my rules as an example.  I want to get an email alert every time someone plugs a (previously) un-registered IP phone into the network.

                                      1. I set up a rule based on the source IP of my Voice PBX, (general - "This rule applies to Syslog Messages from the following IP Address or Subnets" - you can use your Management subnet here to limit it to those switches)

                                      2. I left the "DNS Hostname" stuff alone (by default, there should be an "*" in the pattern field.)

                                      3. Message - this is where we can get really specific.  In my alert, I search for  "*%UC_JAVAAPPLICATIONS-1-CiscoLicenseApproachingLimit*"  (The * is important - but the stuff between - this is what you're looking for).

                                      4. I didn't change Severity/Facility or Time of Day - defaults work for me.

                                      5. Trigger Threshold - Here you can define how many of these messages need to be "seen" before we take action, how long we wait before we do whatever action, etc.

                                      6. Define the email alert to be sent.  This can be fun too - you can use variables (like ${DateTime}, ${Message}, etc. - it's all in the help files)

                                       

                                      Works out pretty good for us.
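
Added example, not part of the thread and not SolarWinds code: the rule logic described in the last reply (source subnet filter, wildcard message pattern, trigger threshold, templated alert text) applied to the %SW_MATM-4-MACFLAP_NOTIF message from the original question. The management subnet, threshold, window, alert field names other than ${DateTime}, and all sample log lines are constructed assumptions.

```python
import fnmatch
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from string import Template

# Assumed values, not from the thread: management subnet, threshold, window, alert text.
MGMT_SUBNET = ipaddress.ip_network("10.20.0.0/24")
PATTERN = "*%SW_MATM-4-MACFLAP_NOTIF*"  # leading/trailing * as in the rule's message field
THRESHOLD, WINDOW = 2, timedelta(minutes=5)
ALERT = Template("${DateTime} ${IP}: MAC ${Mac} flapping in VLAN ${Vlan} between ${PortA} and ${PortB}")
FLAP_RE = re.compile(
    r"Host (?P<Mac>[0-9a-fA-F.]+) in vlan (?P<Vlan>\d+) is flapping "
    r"between port (?P<PortA>\S+) and port (?P<PortB>\S+)")

# Constructed sample input: (receive time, source IP, syslog message).
SAMPLE = [
    ("2012-08-13 12:00:05", "10.20.0.11", "%SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 30 is flapping between port Gi1/0/3 and port Gi1/0/7"),
    ("2012-08-13 12:00:40", "10.20.0.11", "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/9, changed state to up"),
    ("2012-08-13 12:01:10", "192.168.5.9", "%SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 30 is flapping between port Gi1/0/1 and port Gi1/0/2"),
    ("2012-08-13 12:02:30", "10.20.0.11", "%SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 30 is flapping between port Gi1/0/3 and port Gi1/0/7"),
    ("2012-08-13 12:30:00", "10.20.0.12", "%SW_MATM-4-MACFLAP_NOTIF: Host 00aa.bbcc.ddee in vlan 40 is flapping between port Gi1/0/5 and port Gi1/0/6"),
]

def evaluate(records):
    """Return alert strings for (source, MAC) pairs that reach THRESHOLD within WINDOW."""
    seen = defaultdict(deque)
    alerts = []
    for ts, ip, msg in records:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if ipaddress.ip_address(ip) not in MGMT_SUBNET:
            continue  # source filter: only switches in the management subnet
        if not fnmatch.fnmatchcase(msg, PATTERN):
            continue  # message filter: wildcard match on the mnemonic
        m = FLAP_RE.search(msg)
        if not m:
            continue  # mnemonic present but body not in the expected form
        hits = seen[(ip, m["Mac"].lower())]
        hits.append(when)
        while when - hits[0] > WINDOW:
            hits.popleft()  # drop sightings older than the window
        if len(hits) == THRESHOLD:  # fire once when the threshold is reached
            alerts.append(ALERT.substitute(DateTime=ts, IP=ip, **m.groupdict()))
    return alerts

if __name__ == "__main__":
    print("\n".join(evaluate(SAMPLE)))
```

Keying the threshold on source and MAC together keeps a single noisy address from masking a second duplicate elsewhere, and the extracted ports tell you which two engineering benches to visit.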