Friday, 25 January 2013


 I spent a lot of time getting this working, SNMPTRAPS are hard work.

There are plenty of guides on installing and configuring SNMPTRAPS, however I seem to have run into several pit falls so thought I would put them here in case it helps someone. 

It’s more of a list of things to check..
I installed Ubuntu snmpd version: 5.4.3~dfsg-2.5ubuntu1

Commands that help to test things are working.

To display the path being searched for MIBS, this is created via the export option.
Sudo net-snmp-config --default-mibdirs

Test OID translation is working? If it is you will get sysUptime.0 as output.

Sudo snmptranslate .

Does the reverse translation work? 

Sudo snmptranslate –On SNMPv2-MIB::sysUpTime.0

Do you have any MIBS?

MIBS do not come with the install! There is another package that will fetch the MIBs for you. This is because of copyright issues apparently.

Search for anything with MIB in its name.

sudo find * / |grep MIB

Else install snmp-mibs-downloader (I installed version 1.1)

sudo aptitude install snmp-mibs-downloader
Then download the MIBS

I found I still had missing MIBs so had to Google for them and download them. Ensure if you do this that the file name does not have an extension .txt or whatever, else it will be ignored. Also check the first line of the MIB to confirm it is indeed a MIB..

sudo head nameofmib

It should have something like DEFINITIONS ::= BEGIN as its first line.

Now because I spent a lot of time and made many config changes install / reinstall to get it working I gave up trying to get multiple mibdirs working. I decided instead to move all mibs to the first search location /root/.snmp/mibs.

Config files and starting and stopping the service.

Snmptrapd is started and stopped by snmpd,
Service snmpd start / Service snmpd stop

There are two config files you will also need to visit, this is the contents of mine.

cat /etc/snmp/snmptrapd.conf

# Run trap.
# Disable authorisation, it’s on by default, though if you have time you should use this!
disableAuthorization yes
# the IP address you want the trap to run on ( will use port udp 162)
# Output to the following file.
logOption f /var/log/snmptrap.log
# You will not need the following line unless you are using JFFNMS (Just For Fun Network Monitoring System)
traphandle default /usr/share/jffnms/engine/

cat /etc/default/snmpd
# Make sure this works, some guides say to use export MIBS, some export MIBDIRS, if you have
 # more than one location, you can add a second location using a : as a separator.

# export MIBS=/root/.snmp/mibs <- did not work for me!
export MIBDIRS=/root/.snmp/mibs

# SNMP Bit.
# snmpd control (yes means start daemon).
SNMPDOPTS='-LS6d -Lf /dev/null -u snmp -I -smux -p /var/run/ -c /etc/snmp/snmpd.conf'

# snmpd control (yes means start daemon).
TRAPDOPTS='-Lsd -m ALL -p /var/run/ -c /etc/snmp/snmptrapd.conf'
# Note the –m ALL load all MIBS, if your location export works.
# See MAN page for a full list of options:   
# create symlink on Debian legacy location to official RFC path

When things don't work. 

I used nmap to confirm the trap ports were open (or not) you could of course send a trap from another device which is the point of this exercise.
nmap -sU -p 161,162
To confirm you are being sent a trap, you can use tcpdump to look for the incoming packets. 
tcpdump -i eth2 dst port 162
Or watch the log live

tail -f /var/log/snmptrap.log
You can search for the process, this is useful because you can also see the commands its running.
ps -aux |grep snmp
You can also stop the process using kill -9 (process id)

To run the trap from the cli and output to /var/log/snmptrap.log

snmptrapd -m +ALL -Lf /var/log/snmptrap.log --disableAuthorization=yes

I had a problem in that running the command from the cli meant that the OID was translated, but running it as a process meant the OID was not translated. This was fixed by changing the "export" option in /etc/default/snmpd but took me sometime to work out that was the problem. 

Happy trapping.

Friday, 4 January 2013

OSPF, NXOS v IOS, prefix-list, NOT access-list people!

Just ran into several of the differences between OSPF commands on NXOS v IOS.

I was trying to configure redistribute static routes. The eventual answer was simple, but took me some time to arrive at.

In short, when using OSPF on NXOS you use route-maps to filter for only the static routes you want to send out.  

The route-map is made up from a prefix-list, NOT an access-list, I started out using an access list, the results were unexpected. 

Basically the access list was not working, but because you have configured OSPF to use a route-map it defaults to allow all…  In my case, the static route was propagated to a neighbour on another site, ok it had a higher metric than gateway at the other site but it still made me panic briefly.

Below is a sample output that worked for me!

! Create the prefix-list.
ip prefix-list 10 seq 5 permit

! Create the route-map.
route-map OSPF-redist permit 10
  match ip address prefix-list 10

! Configure OSPF to redistribute static and filter using the new route-map.
router ospf 111
redistribute static route-map OSPF-redist

Confirm its working my looking at the OSPF database.

# show ip ospf database