On the FOS 7.2 switches we have MAPS with active policy that have many rules with action SNMP. For the moment we don't want to receive any SNMP traps, therefore we have configured only RASlog action allowed on the switch level:
> mapsconfig --show
Configured Notifications: RASLOG
Mail Recipient: XXXXXXXXXXXXXXXXXXXXXX
Paused members :
Surprisingly, SNMP traps for MAPS events keep arriving at SNMP server.
Would anyone have any idea why this works in such way?
the answer is in the question.
Since you have configured MAPS for Raslog only, you need just to work with the command's "snmpconfig" and/or "snmptraps" and disable the rule.
the situation is actually more complex. In our environment we don't want to have MAPS SNMP traps not used at all. We only want to be able to use what the MAPS Admin Guide "promised", i.e. to be able to decide for which rule SNMP traps are sent and for which not. Also, to be able to disable MAPS SNMP traps for the whole switch (disable SNMP on global actions level) temporarily when needed .
I did some testing with CPU > 80 % rule.
1.) When the Raslog action was turned ON and SNMP action was turned ON on the rule level for CPU > 80%, then the incoming SNMP traps were of type: mapsTrapAMfor example:id 26020601logtime 2015-02-25 13:29:27fetchtime 2015-02-25 13:29:23eventtime Wed Feb 25 13:29:22 2015hostip 172.23.148.145hostname 76802c1source SNMPTRAPseverity CRITICALcategory Status Eventsmessage Trap to be send for MAPS threshold events. defCHASSISCPU_80 12 1 2 1 CPU,3,80.00 3 CHASSIS(CPU>=80.00) 19 17 Switch Resourcemsglong Trap to be send for MAPS threshold events. defCHASSISCPU_80 12 1 2 1 CPU,3,80.00 3 CHASSIS(CPU>=80.00) 19 17 Switch Resourcemsgcomment msgread 0snmp_eventname mapsTrapAMsnmp_eventid .18.104.22.168.4.1.1522.214.171.124.0.1snmp_trapoid .126.96.36.199.4.1.15188.8.131.52.0.1snmp_enterprise .184.108.40.206.4.1.15220.127.116.11snmp_community XXXXXsnmp_uptime 44:23:22:52.00snmp_formatline Trap to be send for MAPS threshold events. defCHASSISCPU_80 12 1 2 1 CPU,3,80.00 3 CHASSIS(CPU>=80.00) 19 17 Switch Resource2.) After the SNMP action was turned OFF (Raslog still ON) on the rule level for CPU > 80%, the incoming traps type changed to: swEventTrapfor example:id 72552245logtime 2015-05-04 22:23:19fetchtime 2015-05-04 22:23:15eventtime Mon May 4 22:23:14 2015hostip 172.23.148.145hostname 76802c1source SNMPTRAPseverity WARNINGcategory Status Eventsmessage A firmware event has been logged: Event Index 29: 2015/05/04-22:23:14 (severity level 3) - MAPS-1003 Chassis, Condition=CHASSIS(CPU>=80.00), Current Value:[CPU,90.00 %], RuleName=CHASSISCPU_USAGE_80, Dashboard Category=Switch Resource . SSN is #17msglong A firmware event has been logged: Event Index 29: 2015/05/04-22:23:14 (severity level 3) - MAPS-1003 Chassis, Condition=CHASSIS(CPU>=80.00), Current Value:[CPU,90.00 %], RuleName=CHASSISCPU_USAGE_80, Dashboard Category=Switch Resource . SSN is #17msgcommentmsgread 0snmp_eventname swEventTrapsnmp_eventid .18.104.22.168.4.1.1522.214.171.124.1.0.4snmp_trapoid .126.96.36.199.4.1.15188.8.131.52.1.0.4snmp_enterprise .184.108.40.206.4.1.15220.127.116.11.1snmp_community XXXXXXsnmp_uptime 113:7:14:20.00snmp_formatline A firmware event has been logged: Event Index 29: 2015/05/04-22:23:14 (severity level 3) - MAPS-1003 Chassis, Condition=CHASSIS(CPU>=80.00), Current Value:[CPU,90.00 %], RuleName=CHASSISCPU_USAGE_80, Dashboard Categ
As I understand, the mechanism of swEventTrap "ignores" that I don't want SNMP being sent for some MAPS rules and it makes SNMP traps from the entries that MAPS wrote to the Raslog.
Do you know if there's a way to exclude MAPS raslog messages from being converted to swEventTrap SNMP traps?
MAPS merily makes use of SNMP and is not the driving force behind it. If you don;t have any MAPS rules enabled SNMP will still send out traps based on events ciriticality. You can set these with the "snmpconfig --set mibcapability" command.
To turn off MAPS traps you can use "snmpconfig --disable mibcapabiltity -mib_name BROCADE-MAPS-MIB"
Or if you want to go via the menu driven route use "snmpconfig --set mibcapability" and the command takes you thru the list of traps you may want to enable or disable.
Hope this helps.
PS. you can also adjust the swEventTrap severity level if you want to but I've found the default to be working well.
Thank you Erwin,
I would not like to turn off MAPS traps altogether.
I would just like to be able to decide (using mapsrule --config) for which rules there will be Raslog + SNMP actions, and for which only Raslog entry will be created.
Is this what I can achieve using "snmpconfig --disable mibcapabiltity -mib_name BROCADE-MAPS-MIB" ?
That last command removes all SNMP OID from the MIB trap database ie it will not send out any MAPS related SNMP trap.
Be aware that events themselves maybe trapped by snmp but unless they trigger a MAPS rule you will not see a MAPS trap.
We have a similar, if not the same, issue. We have MAPS enabled and have some rules that write to the RASLOG and send SNMP traps, while other rules are configured to only write to the RASLOG. However we have found that because in the SNMP config it has a severity level of 3 set, any warning messages sent to the RASLOG also have SNMP traps sent from swEvent.What we would like is just to have SNMP traps from MAPS rules that are configured as such and not just for all entries written to teh RASLOG with a warning status or above.So at present it is clear that due to the snmponfig setting we are getting traps for any raslog entry with a severity of warning or above, but it is not clear if I change the severity level in the snmpconfig to 0 or 1. will that also prevent any traps including from MAPS being sent if they have a warning severity.There are also alerts from other areas not covered by MAPS, such as bottleneckmon that we dont want to lose.Is anyone able to assist please?