Cisco – Enable SNMP traps for ACLs using Cisco IOS

ciscocisco-iossnmp

Does anyone know if it's possible to enable SNMP traps to be sent from a Cisco IOS device when an ACL blocks traffic? I'd like to send a trap whenever a deny statement gets a hit.

I've only been able to find information about sending ACL logs to a remote syslog server.

Thanks!

Best Answer

So long as the IOS version supports it, you can use extended ACLs to allow the traffic.

Assuming the management IP of the Cisco device is 10.10.10.10 and the trap destination is 20.20.20.20...

Configure SNMP: [Reference]

snmp-server host 20.20.20.20 traps version *version* *community-string*
snmp-server enable traps global configuration

Allow traps through ACL: [Reference]

access-list *access-list-number*
  permit udp 10.10.10.10 255.255.255.255 20.20.20.20 255.255.255.255 162

Then assign that access list to the management interface:

interface *interface*
  ip access-group *access-list-number* in

Related Solutions

Cisco – Syslog message for CDP interface down

The "event neighbor discovery" command will generate syslog messages based on CDP events. It has to be used in conjunction with EEM, but it's pretty simple to set up.

http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_06.html#wp1181238

However, I don't think that these events occur as quickly as you are hoping they will. CDP is not a protocol designed for keepalives, it's for neighbor discovery. You'd probably be better off logging against link status changes (up/down) or setting up IP SLA probes to monitor the presence of a device.

Cisco – Enable traps on FIB (Forwarding Table) changes

CEF-MIB wasn't added to the cisco MIB until iOS relase 12.2(31)SB so you will need that version or higher before you can alert on CEF.

However it doesn't look like CEF-MIB ever made it to the 2600 series platform, at least as of 12.3(6f). I also looked through various iOS images for the 2600 series and could not find CEF-MIB. Needless to say without the needed OIDs present, you will not be able to alert specifically for CEF.

MIB Instance Identifiers for CEF:

cefResourceFailureNotifEnable.0 -i 1
cefPeerStateChangeNotifEnable.0 -i 1
cefPeerFIBStateChangeNotifEnable.0 -i 1
cefInconsistencyNotifEnable.0 -i 1

You can check for CEF instance identifiers with the following command:

Router# show snmp mib | inc cef

Sources:

http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/sbcefmib.html#wp1072297

To find specific MIB information on your device and available images, you can use Cisco's MIB Locator tool to see if CEF-MIB is available.

http://tools.cisco.com/ITDIT/MIBS/servlet/index

Best Answer

Related Solutions

Cisco – Syslog message for CDP interface down

Cisco – Enable traps on FIB (Forwarding Table) changes

Related Topic