DX Unified Infrastructure Management

Ok everybody, I'm looking for recommendations around what type of traps are useful to send to an NMS like eHealth/NetVoyant/Polaris. Here are the trap types:
[list]

[*]aaa-server—Sends AAA notifications.
[*]bgp—Sends Border Gateway Protocol (BGP) state change notifications.
[*]bstun—Sends Block Serial Tunneling (BSTUN) notifications.
[*]calltracker—Sends CallTracker notifications.
[*]config—Sends configuration notifications.
[*]dlsw—Sends data-link switching (DLSw) notifications.
[*]ds0-busyout—Sends ds0-busyout notifications.
[*]ds1-loopback—Sends ds1-loopback notifications.
[*]dspu—Sends downstream physical unit (DSPU) notifications.
[*]dsp—Sends digital signal processing (DSP) notifications.
[*]entity—Sends Entity Management Information Base (MIB) modification notifications.
[*]envmon—Sends Cisco enterprise-specific environmental monitor notifications when an environmental threshold is exceeded.
[*]frame-relay—Sends Frame Relay notifications.
[*]hsrp—Sends Hot Standby Router Protocol (HSRP) notifications.
[*]isdn—Sends Integrated Services Digital Network (ISDN) notifications.
[*]msdp—Sends Multicast Source Discovery Protocol (MSDP) notifications.
[*]llc2—Sends Logical Link Control, type 2 (LLC2) notifications.
[*]repeater—Sends standard repeater (hub) notifications.
[*]rsrb—Sends remote source-route bridging (RSRB) notifications.
[*]rsvp—Sends Resource Reservation Protocol (RSVP) notifications.
[*]rtr—Sends SA Agent (RTR) notifications.
[*]sdlc—Sends Synchronous Data Link Control (SDLC) notifications.
[*]snmp—Sends Simple Network Management Protocol (SNMP) notifications (as defined in RFC 1157).
[*]stun—Sends serial tunnel (STUN) notifications.
[*]syslog—Sends error message notifications (Cisco Syslog MIB). Specify the level of messages to be sent with the logging history level command.
[*]tty—Sends Cisco enterprise-specific notifications when a Transmission Control Protocol (TCP) connection closes.
[*]voice—Sends voice notifications.
[*]x25—Sends X.25 event notifications.
[*]xgcp—Sends External Media Gateway Control Protocol (XGCP) notifications.
[list]

What trap types would you include and why are they valuable?

I'm very interested in this as well. I'm trying to come up with a baseline SNMP config per topology layer / device role (core, distribution, access, edge router, etc).

I'd also be really interested to hear any one else's take on sending syslog over snmp (snmp-server enable traps syslog). My sense is we get too many traps as it is, and we have a syslog server specifically for this. However the CA Spectrum document titled, “Cisco Device Management Guide” suggest that Cisco syslog messages can be mapped to Spectrum events (page 20), but out of the box it appears they are just generic events with severity specified by the sending device. I do not know how this feeds into fault isolation and root cause analysis. I remember asking support about syslog support a few years back (r8.1), and the response was that Spectrum was not designed to handle syslog, and it since syslog is unstructured, the messages could not be parsed for alarming or root cause. Perhaps this is a new feature? I’m still not convinced I want syslog sent to Spectrum, though. You can set the logging level, but even so, syslog can be very chatty, and we have a Splunk server for it. I believe the configuration which includes syslog as an snmp trap predates our implementation of Spectrum and Splunk.

As far as the rest of the traps listed, my two cents would be it depends on the role and environment what traps you need to see. What features are enabled? What are the critical functions of the device? As I understand it, if you enable traps for features / capabilities that are not present or in use, the only added overhead is in the size and complexity of the config; the traps do nothing. However I am inclined to prefer the simplest config which will provide adequate alerting and notification. The first sentence of the section titled “Requirements” in Cisco’s Document ID 13506 “Cisco IOS SNMP Traps Supported and How to Configure Them” states, “You do not want a Cisco device to send all of the SNMP traps that the device knows how to send.” If you merely issue the snmp-server [host] global command without specifying traps, all traps are sent. If you only issue one snmp-server enable traps command for say, envmon, ONLY envmon traps will be sent. So if you specify any trap types you want, you must specify all trap types that you want.

For my network, I'm probably most concerned with SNMP, envmon, and config, though I'm not sure about authentication traps. The reason is that auth failures don't indicate a network fault, and even if an attack is seen as a potential fault (as it could lead to a loss of data or outage), Spectrum does not provide rate / threshold alarming.

jeffreyhall wrote:

any one else's take on sending syslog over snmp (snmp-server enable traps syslog)

Regarding syslog, if you plan to use NCM and want to see which users changed the configuration, you will need to enable the syslog bit. Apparently it uses syslog to find the 'user *** logged in via vtyX' so it can populate it's tables.

As for SNMP best practices, I would imagine these would be driven by the people using the tools. I agree using the generic 'send all traps' is definately a no-go in a large production environment - so set up only the SNMP features you need (and aim to monitor for that matter).

Other things you might want to do is set up views that restrict doing mass-snmp routing table walks, or any other 'cpu-killers' :) Alternatively you can change the spectrum ui to not show certain views.

If no-one will use something disable it and only add something if ppl really need it.