Using SNMP Traps To Provide Physical Visibility To Your User Base

by Karl Tatgenhorst on February 23, 2011

MAC traps catch valuable data on your network.

Last week I wrote a post about building a data center that supports network security monitoring; this week I am going to talk about using SNMP traps to leverage that design. SNMP traps are unsolicited messages from an SNMP (Simple Network Management Protocol) server that provide notification of an event. In last week's post I mentioned having a labeling convention for switches and their ports which corresponds to the labeling of rooms and network jacks. Using SNMP traps, I am going to talk you through identifying the physical location of network traffic.

I am going to leave the configuration of the switches and software as either an exercise for the reader, or a topic for a later post (I haven’t decided and feedback would be appreciated). This post will deal with the concepts that need to be understood for this task and the tying together of the conceptual pieces.

The first concept will be SNMP. The Simple Network Management Protocol is a standardized protocol for managing devices on a network. There are three major components in an SNMP network:

  • Managed devices
  • Agent – software running on the managed devices
  • Network Management System – software running on the manager

We will be talking about our Cisco switches as managed devices and the agent will be a component of the Cisco IOS on those devices. The network management system will be abstract and anonymous for now.

The next key concept is the MAC address. The MAC address is a layer two identifier that is hard coded into a physical device; the IP address, on the other hand, is a layer three identifier. IP addresses are resolved on remote networks to tell the Internet how to get a message to the proper network; once at the proper network, the IP address is resolved to a MAC address to determine specifically which device the message goes to. This last step is possible because each switch remembers, in its CAM table, which port it saw that address come in on.

Ideally we want to set up our switches to send SNMP traps for MAC address events (a new MAC is added to or deleted from the CAM table) to our network management server, where we will log the event. The alert will show which switch the event came from as well as which port the address is on; this information can be stored in a database for ease of use.

The source of the traffic information to identify can be anything from a log entry to an anomalous bit of data in a NetFlow log. However we find that data, it is going to be in IP address form, which will only help us if the information is current (or we have some historical logging). If the information is current (we are sure that no one has dropped the IP and allowed someone else to get it) and we are on a Unix box, then we can ping or otherwise connect to the IP over the network. Once we have done that, our machine will have an ARP entry for that IP and we can issue the arp -a command to display our ARP table. In the case of historical data, if the address is in the DHCP range we can look in the DHCP logs for that IP address being issued prior to the event. Either way, that gives us the MAC address of the machine, and we can look in our SNMP database to determine what port (and thus what location) the device was plugged into.
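As an added example (not code from the original post), here is a small Python sketch of the correlation just described: given an IP address and a point in time, find its MAC in the DHCP log, replay the logged MAC-notification traps to find which switch port held that MAC at that time, and turn the switch and port names into a building, floor and jack. The trap and DHCP log formats and the switch naming convention (sw-<building>-f<floor>-<nn>) are constructed assumptions for this example, not real NMS, snmptrapd or DHCP server output.

```python
import re
# Constructed trap log (time switch port action MAC), one line per decoded trap; format assumed.
TRAP_LOG = """\
2011-02-22T08:01:10 sw-b1-f2-01 Gi0/12 learnt 00:1a:2b:3c:4d:5e
2011-02-22T08:05:33 sw-b1-f2-01 Gi0/07 learnt 00:1a:2b:aa:bb:cc
2011-02-22T17:40:02 sw-b1-f2-01 Gi0/12 removed 00:1a:2b:3c:4d:5e
2011-02-23T07:55:41 sw-b1-f3-02 Gi0/03 learnt 00:1a:2b:3c:4d:5e
"""
# Constructed sample DHCP server log (format assumed for this example).
DHCP_LOG = """\
2011-02-22T08:01:12 DHCPACK on 10.20.2.45 to 00:1A:2B:3C:4D:5E
2011-02-23T07:55:43 DHCPACK on 10.20.3.17 to 00:1A:2B:3C:4D:5E
"""

def load_trap_events(text):
    """Parse trap lines into (time, switch, port, action, mac) tuples, oldest first."""
    return sorted(tuple(line.split()) for line in text.splitlines())

def mac_for_ip(dhcp_text, ip, at_time):
    """MAC most recently handed `ip` by DHCP at or before `at_time` (None if unknown)."""
    mac = None
    for line in dhcp_text.splitlines():
        m = re.match(r"(\S+) DHCPACK on (\S+) to (\S+)$", line)
        if m and m.group(2) == ip and m.group(1) <= at_time:
            mac = m.group(3).lower()   # later ACKs override earlier ones
    return mac

def port_for_mac(events, mac, at_time):
    """(switch, port) holding `mac` at `at_time`, replaying learnt/removed traps in order."""
    where = None
    for ts, switch, port, action, ev_mac in events:
        if ts > at_time or ev_mac.lower() != mac:
            continue
        if action == "learnt":
            where = (switch, port)
        elif where == (switch, port):   # a removal only clears the port it names
            where = None
    return where

def physical_location(switch, port):
    """Map switch/port to room and jack; assumes names follow sw-<bldg>-f<floor>-<nn>."""
    sw = re.match(r"sw-(\w+)-f(\d+)-(\d+)$", switch)
    pt = re.match(r"Gi\d+/(\d+)$", port)
    return f"building {sw.group(1)}, floor {sw.group(2)}, jack {sw.group(3)}-{pt.group(1)}"

def locate(ip, at_time):
    """Full chain: IP -> MAC (DHCP log) -> switch/port (trap log) -> physical location."""
    mac = mac_for_ip(DHCP_LOG, ip, at_time)
    where = port_for_mac(load_trap_events(TRAP_LOG), mac, at_time) if mac else None
    return mac, where, (physical_location(*where) if where else None)
```

For a live host the DHCP lookup can be replaced by the MAC from `arp -a`; the trap replay and location mapping stay the same.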
