[c-nsp] IP Source Guard and Smartlog on 3750s

Martin Clifton Martin.Clifton at vu.edu.au
Thu Apr 19 03:31:44 EDT 2012


Hi,

I'm looking at implementing IPSG on our 3750s. This is a test which stops a host using a port unless its mac-address/host-address match the ip dhcp snooping table.

This works fine. IOS is 15.0(1)SE2. The specific hardware is Catalyst 3750G-24PS.

My problem is that I want to be alerted when there is a violation. You can't configure traps for IPSG, and there is no syslog entry (from which I could use EEM to generate a trap). The only method offered by the IOS is to use 'smartlog' which sends specially-formatted netflow-v9 messages to a specified collector. It is not possible to manually configure 'flexible netflow' on the 3750 – but I don't know if that would help anyway – except that I would be able to see the records on the switch without sending them to a collector.

I've tried a few different collectors – the only one I've found that understands the records is 'Scrutinizer'. It sees the record as an IPSG violation but provides nothing else except the vlan number. (What I would like is the interface and the offending ip/mac).

Looking at the raw netflow data via nfcapd/nfdump confirms that the vlan is the only useful field that is sent.

I can't find any Cisco documentation on how to interpret the netflow records generated by SmartLog – what the format is; what collectors understand them etc. But if the record only contains the vlan then they are not much use anyway.

Any thoughts?

Regards, Martin
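The question of what a smartlog record actually carries can be settled without trusting any collector's interpretation: a NetFlow v9 exporter must send a template flowset before the data, and the template's (type, length) list names every information element in the record. The following is an added example, not code from the thread or from Cisco: a minimal v9 template/data parser in Python, fed a constructed packet (not a real 3750 capture) that uses the standard RFC 3954 field numbers for VLAN, source IPv4 and source MAC; point `parse_v9` at a UDP payload captured from the real exporter to list the field numbers the switch is sending.

```python
import struct
from ipaddress import IPv4Address

# RFC 3954 NetFlow v9 field numbers; unknown ones are reported as field_<n>.
FIELD_NAMES = {8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 56: "IN_SRC_MAC", 58: "SRC_VLAN"}

def decode_value(ftype, raw):
    if ftype == 8 and len(raw) == 4:
        return str(IPv4Address(raw))
    if ftype == 56 and len(raw) == 6:
        return ":".join(f"{b:02x}" for b in raw)
    return int.from_bytes(raw, "big")

def parse_v9(packet):
    """Return (templates, records): template id -> [(type, len)] and the decoded data records."""
    if struct.unpack("!H", packet[:2])[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, records = {}, []
    off = 20  # v9 header: version, count, sysUptime, unixSecs, seqNum, sourceId
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("flowset length shorter than its own header")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset; may carry several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256 and fs_id in templates:  # data flowset with a template seen in this packet
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            pos = 0
            while rec_len and pos + rec_len <= len(body):  # leftover bytes are padding
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_value(ftype, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        off += fs_len
    return templates, records

def build_sample():
    """Constructed sample packet (not a smartlog capture): one template, one record."""
    tmpl = struct.pack("!HH", 256, 3) + struct.pack("!HHHHHH", 58, 2, 8, 4, 56, 6)
    rec = struct.pack("!H", 120) + bytes([10, 20, 30, 40]) + bytes.fromhex("001122334455")
    flowsets = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(rec)) + rec
    return struct.pack("!HHIIII", 9, 2, 0, 0, 1, 0) + flowsets
```

On a real exporter the template may arrive in an earlier packet than the data, so keep the `templates` dict across packets from the same source id rather than starting fresh each time.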

