DX NetOps

​Hi All,
We are finally making the move to SNMPv3 on our network equipment.  We have modeled devices in Spectrum  with the V3 profiles just fine, but I have concerns about receiving and forwarding of  v3 traps.  We have the eHealth Trapexploder and have been forwarding v1,v2 traps to our Distributed Spectrum environment for years successfully.  Can someone tell me what the best way to configure our current trapexploder to Spectrum integration so we continue to utilize this configuration successfully.

TIA

Hi Patrick,

We no longer support eHealth as its been End of Life'd since last year. However, what was once called TrapExploder in eHealth has been migrated to Spectrum and runs as part of the Spectrum Domain Controller (SDC). Best place to start is at the relevant docops page in the Spectrum documentation:

https://docops.ca.com/ca-spectrum/10-3-2/en/managing-network/secure-domain-manager-sdm/installing-and-configuring-secure-domain-manager-processes/install-the-sdconnector-process/configure-multiple-sdc-secure-domain-connector-processes-on-a-single-server/sdc-trapx-support
Original Message:
Sent: 08-19-2019 06:07 PM
From: Patrick Murtey
Subject: Trap Exploder and Spectrum receiving v3 traps

​Hi All,
We are finally making the move to SNMPv3 on our network equipment.  We have modeled devices in Spectrum  with the V3 profiles just fine, but I have concerns about receiving and forwarding of  v3 traps.  We have the eHealth Trapexploder and have been forwarding v1,v2 traps to our Distributed Spectrum environment for years successfully.  Can someone tell me what the best way to configure our current trapexploder to Spectrum integration so we continue to utilize this configuration successfully.

TIA

I read the doc, but where do I get the installer that sets up the gui where you check off the box?​
Original Message:
Sent: 08-20-2019 01:41 AM
From: Mohammed Alfakhrany
Subject: Trap Exploder and Spectrum receiving v3 traps

Hi Patrick,

We no longer support eHealth as its been End of Life'd since last year. However, what was once called TrapExploder in eHealth has been migrated to Spectrum and runs as part of the Spectrum Domain Controller (SDC). Best place to start is at the relevant docops page in the Spectrum documentation:

https://docops.ca.com/ca-spectrum/10-3-2/en/managing-network/secure-domain-manager-sdm/installing-and-configuring-secure-domain-manager-processes/install-the-sdconnector-process/configure-multiple-sdc-secure-domain-connector-processes-on-a-single-server/sdc-trapx-support
Original Message:
Sent: 08-19-2019 06:07 PM
From: Patrick Murtey
Subject: Trap Exploder and Spectrum receiving v3 traps

​Hi All,
We are finally making the move to SNMPv3 on our network equipment.  We have modeled devices in Spectrum  with the V3 profiles just fine, but I have concerns about receiving and forwarding of  v3 traps.  We have the eHealth Trapexploder and have been forwarding v1,v2 traps to our Distributed Spectrum environment for years successfully.  Can someone tell me what the best way to configure our current trapexploder to Spectrum integration so we continue to utilize this configuration successfully.

TIA

Hi Patrick,

Its part of the Spectrum installer that you used to install the SpectroSERVER. See the following:

https://docops.ca.com/ca-spectrum/10-3-2/en/managing-network/secure-domain-manager-sdm/installing-and-configuring-secure-domain-manager-processes/install-the-sdconnector-process
Original Message:
Sent: 08-20-2019 12:10 PM
From: Patrick Murtey
Subject: Trap Exploder and Spectrum receiving v3 traps

I read the doc, but where do I get the installer that sets up the gui where you check off the box?​
Original Message:
Sent: 08-20-2019 01:41 AM
From: Mohammed Alfakhrany
Subject: Trap Exploder and Spectrum receiving v3 traps

Hi Patrick,

We no longer support eHealth as its been End of Life'd since last year. However, what was once called TrapExploder in eHealth has been migrated to Spectrum and runs as part of the Spectrum Domain Controller (SDC). Best place to start is at the relevant docops page in the Spectrum documentation:

https://docops.ca.com/ca-spectrum/10-3-2/en/managing-network/secure-domain-manager-sdm/installing-and-configuring-secure-domain-manager-processes/install-the-sdconnector-process/configure-multiple-sdc-secure-domain-connector-processes-on-a-single-server/sdc-trapx-support
Original Message:
Sent: 08-19-2019 06:07 PM
From: Patrick Murtey
Subject: Trap Exploder and Spectrum receiving v3 traps

​Hi All,
We are finally making the move to SNMPv3 on our network equipment.  We have modeled devices in Spectrum  with the V3 profiles just fine, but I have concerns about receiving and forwarding of  v3 traps.  We have the eHealth Trapexploder and have been forwarding v1,v2 traps to our Distributed Spectrum environment for years successfully.  Can someone tell me what the best way to configure our current trapexploder to Spectrum integration so we continue to utilize this configuration successfully.

TIA

We went through a long exercise a couple of years ago to analyse what TrapEXPLODER did with v1, v2c and v3 traps.  We never managed to get TX to forward SNMPv3 traps correctly.  There's some CA documentation which talks about "blind forwarding" - this is all it can do because TX is not able to decrypt the SNMPv3 traps and read the contents.  However this resulted in the resulting alarm in Spectrum being posted against the server running TX and not the device sending the trap.

To get around this limitation we have had to configure managed devices to send traps directly to Spectrum directly, bypassing TX.  In our environment we have TX listening on UDP/162 on each SpectroSERVER and Spectrum listening on UDP/1692.  So any SNMPv3 devices are configured to send traps to UDP/1692.  This isn't ideal as we then require customer firewalls/ACLs to be changed to allow traffic through on this non-standard port.

Another discovery we made was that SNMPv3 informs would not processed correctly either.  We never got to the root cause of this so we always insist on devices being configured for SNMPv3 traps.

------------------------------
Solution Designer
KCOM Group PLC
------------------------------

Original Message:
Sent: 08-19-2019 06:07 PM
From: Patrick Murtey
Subject: Trap Exploder and Spectrum receiving v3 traps

​Hi All,
We are finally making the move to SNMPv3 on our network equipment.  We have modeled devices in Spectrum  with the V3 profiles just fine, but I have concerns about receiving and forwarding of  v3 traps.  We have the eHealth Trapexploder and have been forwarding v1,v2 traps to our Distributed Spectrum environment for years successfully.  Can someone tell me what the best way to configure our current trapexploder to Spectrum integration so we continue to utilize this configuration successfully.

TIA

Hi Neville,
When you configured your SNMPv3 on the TX system, did you utilize the v3 config file that was in the /config folder and control it with the xtrapmon  utility as detailed on page 61 of the Trapexploder User guide?
Original Message:
Sent: 08-20-2019 05:10 AM
From: Neville Styles
Subject: Trap Exploder and Spectrum receiving v3 traps

We went through a long exercise a couple of years ago to analyse what TrapEXPLODER did with v1, v2c and v3 traps.  We never managed to get TX to forward SNMPv3 traps correctly.  There's some CA documentation which talks about "blind forwarding" - this is all it can do because TX is not able to decrypt the SNMPv3 traps and read the contents.  However this resulted in the resulting alarm in Spectrum being posted against the server running TX and not the device sending the trap.

To get around this limitation we have had to configure managed devices to send traps directly to Spectrum directly, bypassing TX.  In our environment we have TX listening on UDP/162 on each SpectroSERVER and Spectrum listening on UDP/1692.  So any SNMPv3 devices are configured to send traps to UDP/1692.  This isn't ideal as we then require customer firewalls/ACLs to be changed to allow traffic through on this non-standard port.

Another discovery we made was that SNMPv3 informs would not processed correctly either.  We never got to the root cause of this so we always insist on devices being configured for SNMPv3 traps.

------------------------------
Solution Designer
KCOM Group PLC

Original Message:
Sent: 08-19-2019 06:07 PM
From: Patrick Murtey
Subject: Trap Exploder and Spectrum receiving v3 traps

​Hi All,
We are finally making the move to SNMPv3 on our network equipment.  We have modeled devices in Spectrum  with the V3 profiles just fine, but I have concerns about receiving and forwarding of  v3 traps.  We have the eHealth Trapexploder and have been forwarding v1,v2 traps to our Distributed Spectrum environment for years successfully.  Can someone tell me what the best way to configure our current trapexploder to Spectrum integration so we continue to utilize this configuration successfully.

TIA