Support for CISCO interface err-disabled status

cisco

#1

Hello,

CISCO devices have a mechanism to automatically shut down a port when there’s a policy violation (Port Security Violation, BPDU guard, etc.).

In LibreNMS these err-disabled ports appear as “OK”, because no errors are detected on the interface error counters (which is true).

However I’d like to monitor my devices for such ports which are in “err-disabled” state (because these are exactly the ports you are interested in).

My suggestion is to create something like an “extended port” state that is “NULL” by default and carries the “cErrDisableIfStatusCause” if this port appears in the “cErrDisableIfStatusTable” (-> http://oidref.com/1.3.6.1.4.1.9.9.548.1.3) of the device. My suggestion is that this will also cause the port to “carry the red flag”.

The ways you can currently detect this kind of port are not very reliable:
The CISCO device could throw SNMP traps, which is not supported by Libre (as traps are not reliable anyway).
The CISCO device does report such incidents via syslog (but syslog reliability, by default, suffers for the same reasons as SNMP traps) and syslog-monitoring is something that has to be set up first (and is not trivial …).

I believe that Libre is widely spread in environments which have CISCO devices. Such a feature, I believe, would be highly appreciated… what do you think?

Thank you!

Best regards,
awaum
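A sketch of the "extended port state" proposed in the post above, as an added example (not LibreNMS code and not from any poster): it parses numeric `snmpwalk` output and attaches the err-disable cause to each port, leaving it `None` otherwise. The column suffix `.1.1.2` under the OID from the post, the `ifIndex.vlan` row index, and all sample lines are assumptions constructed for illustration.

```python
import re

# OID quoted in the post; ".1.1.2" (table, entry, cause column) is an assumed layout.
ERR_DISABLE_BASE = "1.3.6.1.4.1.9.9.548.1.3"
CAUSE_COLUMN = ERR_DISABLE_BASE + ".1.1.2"
IF_DESCR = "1.3.6.1.2.1.2.2.1.2"  # IF-MIB::ifDescr

LINE = re.compile(r"^\.?(\d+(?:\.\d+)+)\s*=\s*[\w-]+:\s*(.*)$")

# Constructed sample of `snmpwalk -On` output (not captured from a real device).
SAMPLE_WALK = """\
.1.3.6.1.2.1.2.2.1.2.10101 = STRING: "GigabitEthernet1/0/1"
.1.3.6.1.2.1.2.2.1.2.10102 = STRING: "GigabitEthernet1/0/2"
.1.3.6.1.2.1.2.2.1.2.10103 = STRING: "GigabitEthernet1/0/3"
.1.3.6.1.4.1.9.9.548.1.3.1.1.2.10102.0 = INTEGER: 2
.1.3.6.1.4.1.9.9.548.1.3.1.1.2.10103.0 = INTEGER: 9
"""

def parse_walk(text):
    """Return (oid, value) pairs for every well-formed walk line."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2).strip().strip('"')))
    return rows

def index_under(oid, base):
    """Return the numeric index below `base`, or None if `oid` is not under it."""
    if not oid.startswith(base + "."):
        return None
    return [int(part) for part in oid[len(base) + 1:].split(".")]

def extended_port_state(text):
    """Map ifIndex -> {name, err_disable}; err_disable stays None for healthy ports."""
    rows = parse_walk(text)
    ports = {}
    for oid, value in rows:
        idx = index_under(oid, IF_DESCR)
        if idx is not None and len(idx) == 1:
            ports[idx[0]] = {"name": value, "err_disable": None}
    for oid, value in rows:
        idx = index_under(oid, CAUSE_COLUMN)
        if idx is not None and len(idx) == 2:  # assumed index: ifIndex.vlan
            port = ports.setdefault(idx[0], {"name": None, "err_disable": None})
            port["err_disable"] = (port["err_disable"] or []) + [(idx[1], int(value))]
    return ports

def flagged_ports(ports):
    """ifIndexes that should carry the red flag."""
    return sorted(i for i, p in ports.items() if p["err_disable"])
```

The integer cause codes are reported raw; their names are defined in CISCO-ERR-DISABLE-MIB.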


#2

+1 this would be useful to have, nice to have for Arista and other platforms too.


#3

+1 this would be useful to have indeed


#4

This is something I was looking at too!
Could we lift this request? It's superb


#5

I, too, have been wanting to see this in LibreNMS. Would definitely be helpful for multiple violation modes as well. Restrict doesn’t shut down a port (or give an interface status of err-disabled) but sends traps. According to LibreNMS docs, the only traps recorded are port up/down traps, so not even restrict modes are caught by LNMS. My org heavily utilizes Port security, so it would be handy to have an immediate notification.


#6

+1 me too.


#7

+1 from us too 🙂


#8

Should be possible as I did precisely the same for CiscoSB 🙂

For the devices I have tested against, CISCO-ERR-DISABLE-MIB doesn’t seem viable; perhaps we could use cpsIfPortSecurityStatus instead?