LibreNMS alert when NO mac addresses are in the FDB table of a vlan with specific ID [SOLVED]

limes-github · 3 December 2019 08:04

Hello,

I am using LibreNMS for some time (we are very satisfied) but I’ve come across an issue to solve.
Our client has a L2 transmission over our core network. In normal conditions there are about 200-300 mac addresses within his specified vlan (let’s say its VID is 3333).

Did anyone try to issue an alert when mac addresses drop from vlan due to some outage?

Thanks in advance for any help.

alanbboyd · 3 December 2019 13:45

I don’t think you’ll be able to monitor for a change in the number of MAC addresses in a particular VLAN, but if you are looking specifically for a condition where VLAN 3333 has a MAC address count of zero the following DB query will give you what you want:

select vlans.vlan_vlan, 
     count(ports_fdb.mac_address) 
from ports_fdb join vlans 
     on ports_fdb.vlan_id = vlans.vlan_id 
where vlans.vlan_vlan = 3333;

Converting that to something you can use in the SQL override alert field should do the job (I’ll try and do something with that when I have time later).

HTH

limes-github · 3 December 2019 13:51

That’s what I thought. Thank you very much for your suggestion - I suppose I can fit it in solution we are looking for. I suppose thread can be mark solved.

Thanks!

limes-github · 3 December 2019 14:52

Being honest - if you can try to take a look into this later I will be grateful

limes-github · 3 December 2019 15:23

I solved this like this:

SQL Override checked.
Query: select count(ports_fdb.mac_address) from ports_fdb join vlans on ports_fdb.vlan_id = vlans.vlan_id where vlans.vlan_vlan = 3333 HAVING count(ports_fdb.mac_address) > 10;

At “Main” tab I selected “macros.devices_up = Yes” only.
Max alerts: 1, Delay 7m, Interval 10h.

Working
Thank you!

limes-github · 4 December 2019 08:01

I’d like to ask question here.

For example - in vlan 3333 I have 3 macs. I started flooding arp tables with macof utility (100 packets).
Now sql query shows - 103 entries. All fine - I get an alert. But it is repeated, because SQL holds the FDB tables. Firstly - I’d like to monitor such situations, but on the other hand - I’d like to have the FDB table “history” available - “just in case”.

Here is my question:

How long arp entries are kept in database for an interface/vlan?
How to solve alerting about too many/too less MAC addresses in specified vlan/interface? If my customer has an L2 service from me (with for example 50 MACs in it) and SFP module fails I get for example - drop in MAC amount to 10-20. Has anyone tried to monitor such service in this way (monitoring port down on a device does not solve issue for me here).

I hope I described the problem clearly and logically

alanbboyd · 4 December 2019 12:52

Nice job , and you’re very welcome. I did have a stab at it but you beat me to it

limes-github · 5 December 2019 11:14

I’d like to add an update here.

Add starting ./discovery.php -h all -m fdb-table (if you want to read all FDB from all devices) to run for example every 5-10 minutes.

*/5 * * * * librenms /opt/librenms/discovery.php -h all -m fdb-table >> /dev/null 2>&1

Then change the query to (in this example we check MACs in vlan 3333):

select UNIX_TIMESTAMP(ports_fdb.updated_at), ports_fdb.mac_address from ports_fdb join vlans on ports_fdb.vlan_id = vlans.vlan_id where vlans.vlan_vlan = 3333 AND UNIX_TIMESTAMP(ports_fdb.updated_at) >= UNIX_TIMESTAMP(NOW() - INTERVAL 15 MINUTE) HAVING count(ports_fdb.mac_address) > 10;

I flooded the FDB table with 200 fake MACs. After 5 minutes I got an alert that amount of MACs was exceeded. When I flushed the fdb table on switch I got an recovery after another 5 minutes.

All works fine. I hope it will be useful to the community.