SDC TrapX Support

Introduction
TrapX is a Simple Network Management Protocol (SNMP) management application that receives and filters SNMP trap messages and forwards them to other management applications on other hosts and ports. With DX NetOps Spectrum TrapX, you can forward the traps to other management stations. Release 10.3.2 supports the new TrapX feature, which filters and forwards v1, v2, and v3 traps to different products. The Secure Domain Connector (SDC) behaves as the TrapX: it filters v1, v2, and v3 traps and pushes the filtered traps to the specified destination, performing the v2-to-v1 and v3-to-v1 translations.
The DX NetOps Spectrum TrapX feature simplifies trap configuration and management and lets users focus Information Technology (IT) resources on more strategic activities. CA TrapX is especially useful in environments where multiple management applications must receive trap messages from a diverse set of SNMP-capable devices that can issue messages to only a limited number of SNMP managers. Users can leverage TrapX for the following purposes:
  • Filtering traps
  • Forwarding traps to other trap receivers
  • Forwarding traps to element managers
  • Forwarding traps through TCP connections
  • Extending fault tolerance for management software
Previously, legacy TrapX did not support filtering or translating of v3 traps, but with the 10.3.2 release, the SDC TrapX supports filtering, translating, and forwarding of v3 traps. This release also supports translating v2 traps with 64-bit counters to v1, which was a limitation of the legacy TrapX feature.
Previously, multiple v3 profiles with the same username, and unmanaged traps with that username, were not processed by SpectroSERVER. With this release, multiple v3 profiles with the same username, and unmanaged v3 traps with that username, are processed by SpectroSERVER if the exact v3 local profile is present.
If SDC is installed as TrapX, it does not function as a regular SDC and does not model any device on a particular SDC-TrapX.
Supported Operating System
The SDC TrapX supports the following operating systems:
DX NetOps Spectrum 10.4.1 has not been validated on Windows Server 2012. However, Broadcom supports DX NetOps Spectrum product issues if found. We reserve the right to have you upgrade to Windows Server 2016 if deemed necessary.
  • Microsoft Windows Server 2012 R2 Standard Edition on a 64-bit processor
  • Microsoft Windows Server 2016 Standard Edition on a 64-bit processor
  • Red Hat Enterprise Linux 7.x on a 64-bit processor
Traps Management in DX NetOps Spectrum SDC TrapX
The following illustration shows how the DX NetOps Spectrum SDC TrapX can filter and forward traps to various devices.
[Illustration: SDC-TRAPX]
Enabling SDC Support for TrapX
To convert the SDC feature into a TrapX capability, enable the TrapX checkbox during the Secure Domain Connector installation.
Upgrading an already installed SDC/TrapX to TrapX/SDC through silent installation fails and returns an error message in the "InstallationError.log" file under the SDMConnector/bin folder. For more information on the workaround, refer to the KB article on the CA support site.
Expected Behavior
  • All v3 profiles created under the SDC domain during the SNMPv3 profile creation are pushed to SDC for traps to be processed.
  • If SDC is installed as TrapX, the same SDC cannot be used for managing devices (includes polling) under the Secure Domain. It is recommended to have a dedicated VM/physical box to deploy SDC TrapX.
  • SDC profiles created under the Secure Domain Manager (SDM) are not modeled under the Model By IP, Discovery Console and the MIB Tools. For example, 10.241.3.152 is an SDC TrapX listed under the 'Secure Domain Manager', but 10.241.3.152 does not get modeled under the 'Secure Domain' list in the 'Model By IP Address' window.
SpectroSERVER and SDC TrapX Support on the Same Computer
Users can install SDC TrapX on a SpectroSERVER computer provided SDC TrapX and SpectroSERVER versions are the same.
In this scenario, the SNMP communication port must be changed on SpectroSERVER and SDC. Both SpectroSERVER and SDC will be listening on 162.
For SpectroSERVER, change the value of the snmp_comm_port parameter in the $SPECROOT\SS\bin.vnmrc file.
For SDC, change the value of the snmp_comm_port parameter in the /opt/CA/SDMConnector/bin/sdc.rc file.
Configure Filters
To configure filters:
  • Create the trapX.config file.
  • Add the filters in the configuration file. For filter expressions for TrapX use the following format:
filter DateTime SrcIP Agent TrapType SpecificType Enterprise Action [Option]
Filter Name/Type
Description
Filter Value
DateTime (Optional)
A regular expression indicating the date and time that the trap was received by SDC TrapX.
For example, Fri May 11 09:23:34 EDT 2001.
Note: This value does not necessarily indicate the time that the trap was sent by the device.
SrcIP (Optional)
An IP address-based regular expression that SDC TrapX uses to match the source IP, as in the IP packet header. The IP address from which the trap was received is not always equivalent to the agent IP address in the Trap PDU. The regular expression * indicates that any IP address causes a match. You can specify a host name instead of an IP address for this field.
AgentIP (Optional)
An IP address-based regular expression that SDC TrapX uses to match the IP address of the managed object that generated the trap (as in the Agent IP Address field in the Trap PDU). The IP address from which the trap was received is not always equivalent to the agent IP address in the Trap PDU. The regular expression * indicates that any IP address causes a match. You can specify a host name instead of an IP address for this field.
Note: Ensure that you add a backslash character (\) before any period (.) components that appear within the IP address. The period (.) is a special character in regular expression syntax.
TrapType (Optional)
An integer-based regular expression that SDC TrapX compares to the Trap PDU's TrapType field.
The valid SNMP TrapType values are as follows:
■ coldStart(0)
■ warmStart(1)
■ linkDown(2)
■ linkUp(3)
■ authenticationFailure(4)
■ egpNeighborLoss(5)
■ enterpriseSpecific(6)
SpecificType (Optional)
An integer-based regular expression that SDC TrapX compares to the Trap PDU's SpecificType field. Any integer is a valid value for this field.
Enterprise (Optional)
An OID-based regular expression that SDC TrapX compares to the Trap PDU's enterprise field.
Note: Ensure that you add a backslash character (\) before any period (.) components that appear within the OID. The period (.) is a special character in regular expression syntax.
Action (Optional)
A keyword that indicates the action that SDC TrapX performs. The actions include:
  • file:
    Logs the Trap PDU to a file specified by the Option field. SDC TrapX creates the file if it does not exist. This option is applicable only for SNMPv1 traps and SNMPv2 traps, when performing SNMPv2c to SNMPv1 trap translation.
  • forward:
    Forwards the Trap PDU through UDP to a host specified by the Option field. Use this option if the trap receiver does not support TCP or if the TCP connection is broken.
  • break:
    Takes no action for the given trap and stops filter processing: SDC TrapX does not evaluate any remaining filters for the current Trap PDU. Any option to this action is ignored.
  • tcp:
    Forwards traps through a TCP connection without buffering the traps. This action drops the traps if SDC TrapX cannot connect to the remote trap receiver.
  • tcpbuff:
    Forwards traps through a TCP connection. This action saves traps until SDC TrapX is able to connect to the remote trap receiver (or until the timeout limit is reached). The number of traps that are buffered depends on the queue size that is specified in the filter.
    Note: If you are using the tcp or tcpbuff actions and you receive the error message, “SDC TrapX: tcp forw detected a broken socket to: [port],” the TCP connection is broken or invalid. Use the forward action (which forwards traps through UDP).
  • blind:
    Forwards traps without parsing or decoding them first. This feature is useful for forwarding malformed traps or unsupported SNMP versions. It enables filtering only on the source IP address.
  • exec:
    This action executes a program or a script. The path to the script should be an absolute path, and the entire path and arguments must be enclosed in single quotes. For example:
    exec '/path/to/script [arg1 [arg2...]] '
    exec '/tmp/trapScript.pl 0 123 4321'
    exec 'c:\temp\trapScript.pl 0 123 4321'
    To run a script, also give the absolute path of the executable, for example:
    filter * * * * * * exec 'C:\\win32app\\Spectrum\\bin\\perl.exe C:\\abc.pl'
  • nat:
    This action translates the agent-addr field in the trap to another IP address.
    Note: This action only does the address conversion. No forwarding is implied by this action. Therefore, place this rule before any forwarding rules for which the nat action should be in effect. For example:
    nat new-agent-addr
    or
    nat 1.2.3.4
Restart the SDC services if you have modified the trapX.config file (for example, filters or global parameters).
The TrapX feature from SDM supports the -remoteconnect parameter and from SDC supports the -accept parameter.
Enable Translation
You can globally enable translation of SNMP v2c traps to SNMPv1 traps by adding the translate_v2c_traps option to the trapX.config file. Follow these steps:
  1. Add translate_v2c_traps to the trapX.config file.
  2. If the device sends v2c traps without the snmpTrapAddress, enable the following option: agentaddr_is_srcaddr_translated_v1
    This option makes the v2c trap agent address the same as the source address. This option is used when the v2c to v1 translation and v3 to v1 translation is enabled. If this translation is not enabled, this option cannot be used.
To enable translation of SNMPv3 traps to SNMPv1 traps, add translate_v3_traps:1:test to the configuration file. For example:
filter * * * * * * forward 138.42.86.54 translate_v3_traps:1:xyz
Here, option 1 enables translation: it converts v3 traps to v1 with the community string. If this option is not provided, public is used as the community string.
Sample Filters
This section includes sample filters that you can add to the trapX.config file. To add the filters:
Ensure that you have first created the trapX.config file. You can use these examples to help design filters suitable for your environment. In these examples, asterisks (*) indicate placeholders for fields for which you do not want to filter on a specific value.
  • Match Trap PDUs from a Local Host:
    These examples match all Trap PDUs from the local host, and effectively drop and suspend filter processing for them.
    filter * * 127\.0\.0\.1 * * * break
    filter * * ::1 * * * break
    By default, SDC TrapX listens for traps on UDP port 162 and on TCP port 161 (if listening is enabled on the TCP port). You can configure these ports by changing the "snmp_trap_port=" value in the sdc.rc file for UDP and in the trapX.config file for TCP.
  • Match Authentication Failure Traps:
    This example matches all authenticationFailure (4) traps and forwards them to the system named concord at UDP port 162 (the default).
    filter * * * 4 * * forward concord
  • Match Private-Enterprise Traps:
    This example matches all private-enterprise traps of SpecificType 3 through 8 and forwards them to the system named concord at UDP port 191.
    filter * * * 6 [3-8] * forward concord:191
  • Match Traps by Enterprise OID:
    This example matches all traps that contain the enterprise OID 1.3.6.1.4.1.546.1.1 and forwards them to the system named ottoman at UDP port 162 (the default).
    filter * * * * * 1\.3\.6\.1\.4\.1\.546\.1\.1 forward ottoman
    A backslash character (\) appears before each period character (.) so that the period character is read correctly as part of the enterprise ID and not as a regular expression wildcard operation.
  • Match Traps by Date:
    This example matches all traps that SDC TrapX received on Friday and forwards them to the system named ottoman.
    filter "Fri" * * * * * forward ottoman
  • Match Traps by Source IP Address:
    These examples match all traps that originated from the source IPv4 address 199.250.183.215 and forward them to the system named ottoman.
    filter * 199\.250\.183\.215 * * * * forward ottoman
    filter * fe80::a00:20ff:fe8c:af7e * * * * forward ottoman
  • Match Traps by Agent IP Address:
    These examples match all traps that were sent by a managed object with an IPv4 address of 199.250.183.215 and forward them to the system named ottoman.
    filter * * 199\.250\.183\.215 * * * forward ottoman
    filter * * fe80::a00:20ff:fe8c:af7e * * * forward ottoman
  • agentaddr_is_srcaddr_translated_v1:
    This option works with translate_v2c_traps and translate_v3_traps. When translate_v2c_traps or translate_v3_traps is turned on, it makes the agent address of the v2c or v3 trap the same as the source address. By default, it is commented out.
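The backslash rule for periods can be checked mechanically. The following added example (not part of the product documentation) scans filter lines for unescaped periods in the SrcIP, Agent, and Enterprise fields and returns a second string that each such pattern also accepts. It uses Python's re module with whole-field matching as a stand-in for the TrapX regex engine, which is an assumption, and the unescaped sample lines are constructed.

```python
import re

# Match fields after the "filter" keyword, in the order of the page's format line.
FIELDS = ["DateTime", "SrcIP", "Agent", "TrapType", "SpecificType", "Enterprise"]
DOTTED = ("SrcIP", "Agent", "Enterprise")   # fields that hold IP addresses or OIDs
BARE_DOT = re.compile(r"(?<!\\)\.")         # a period with no backslash before it

def witness(pattern):
    """Return a string, different from the intended literal, that the pattern accepts.

    Python's re with whole-field matching stands in for TrapX's engine (assumption).
    """
    bare = [m.start() for m in BARE_DOT.finditer(pattern)]
    if not bare:
        return None
    # Put a digit where the last unescaped period is, then unescape the rest.
    candidate = (pattern[:bare[-1]] + "0" + pattern[bare[-1] + 1:]).replace("\\.", ".")
    try:
        return candidate if re.fullmatch(pattern, candidate) else None
    except re.error:
        return None

def lint(config_text):
    """Return (line number, field, pattern, witness) for each unescaped period."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        tokens = re.findall(r'"[^"]*"|\'[^\']*\'|\S+', line)
        if len(tokens) < 8 or tokens[0] != "filter":
            continue
        for name, value in zip(FIELDS, tokens[1:7]):
            if name in DOTTED and BARE_DOT.search(value):
                findings.append((lineno, name, value, witness(value)))
    return findings

# Line 1 is the page's escaped example; lines 2 and 3 are constructed unescaped variants.
SAMPLE = r"""
filter * * * * * 1\.3\.6\.1\.4\.1\.546\.1\.1 forward ottoman
filter * * * * * 1.3.6.1.4.1.546.1.1 forward ottoman
filter * 199.250.183.215 * * * * forward ottoman
""".strip()

if __name__ == "__main__":
    for lineno, field, pattern, also in lint(SAMPLE):
        print(f"line {lineno}: {field} {pattern!r} also accepts {also!r}")
```

For the unescaped Enterprise pattern the second accepted string is itself a well-formed OID in a different subtree, so the filter would forward traps it was not written for.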
Varbind Filtering
The 10.4.1 release supports the SDC TrapX varbind filtering. This filtering supports the following operations that you can use with a combination of AND and OR statements:
  • Equals
  • NotEquals
  • StartsWith
  • EndsWith
  • Contains
  • NotContains
Some examples are as follows:
  • AND example:
    In the following example, the trap is processed only if all the operations listed inside AND[] match:
    filter * * * * * 1.3.6.1.6.3.1.1.5 forward 10.241.3.151 translate_v3_traps:0:public "AND[1.3.6.1.2.1.2.2.1.2.1:Equals:FastEthernet0/0,1.3.6.1.4.1.9.2.2.1.1.20.1:EndsWith:p,1.3.6.1.2.1.2.2.1.3.1:StartsWith:6,1.3.6.1.6.3.1.1.4.1.0:Contains:6.3.1,1.3.6.1.2.1.2.2.1.2.1:NotContains:Ernet0/0,1.3.6.1.2.1.2.2.1.3.1:NotEquals:7]"
  • OR example:
    In the following example, the trap is processed if any one of the operations listed inside OR[] matches:
    filter * * * * * 1.3.6.1.6.3.1.1.5 forward 10.241.3.151 translate_v3_traps:0:public "OR[1.3.6.1.2.1.2.2.1.2.1:Equals:FastEthernet0/0,1.3.6.1.4.1.9.2.2.1.1.20.1:EndsWith:p,1.3.6.1.2.1.2.2.1.3.1:StartsWith:6,1.3.6.1.6.3.1.1.4.1.0:Contains:6.3.1,1.3.6.1.2.1.2.2.1.2.1:NotContains:Ernet0/0,1.3.6.1.2.1.2.2.1.3.1:NotEquals:7]"
  • file example:
    The following is a file example:
    filter * * * * * 1.3.6.1.6.3.1.1.5 file /opt/CA/SDMConnector/bin/trapX.txt "AND[1.3.6.1.4.1.9.2.2.1.1.20.1:Equals:Link Down Trap]" 10
    filter * * * * * * file /opt/CA/SDMConnector/bin/trapX1.txt * 10
    (10 represents the file size; it is optional.)
  • break statement:
    To forward all traps without filtering, except for a few traps that are subject to varbind filters, review the following example. In this example, all the traps are forwarded to the destination 10.241.3.151 except traps 1.3.6.1.6.3.1.1.5 and 1.3.6.1.4.1.9.9.187.
    1.3.6.1.6.3.1.1.5 traps are forwarded to the destination 10.241.3.151 when the varbind filter criteria match, and the break statement then stops further filter processing. This ensures that traps of this type are not forwarded to the destination again, whether the varbind filter criteria succeed or fail.
    1.3.6.1.4.1.9.9.187 traps are forwarded to the destination 10.241.3.151 when the varbind filter criteria match, and the break statement then stops further filter processing. This ensures that traps of this type are not forwarded to the destination again, whether the varbind filter criteria succeed or fail.
    filter * * * * * 1.3.6.1.6.3.1.1.5 forward 10.241.3.151 translate_v3_traps:0:public "AND[1.3.6.1.6.3.1.1.4.1.0:Equals:1.3.6.1.6.3.1.1.5.3]"
    filter * * * * * 1.3.6.1.6.3.1.1.5 break
    filter * * * * * 1.3.6.1.4.1.9.9.187 forward 10.241.3.151 translate_v3_traps:1:public "AND[1.3.6.1.6.3.1.1.4.1.0:Equals:1.3.6.1.4.1.9.9.187.0.2]"
    filter * * * * * 1.3.6.1.4.1.9.9.187 break
  • tcpbuff:
    The following is a tcpbuff example:
    filter * * * * * 1.3.6.1.4.1.9.9.276.0.1.0.1 tcpbuff 10.241.3.151:5058 translate_v3_traps:0:public 60 300 AND["1.3.6.1.2.1.2.2.1.7.436240384:equals:1"]
  • tcp forward:
    The following is a tcp forward example:
    filter * * * * * 1.3.6.1.4 tcp 138.42.246.37:1771 translate_v3_traps:0:public 300 "AND[1.3.6.1.2.1.2.2.1.1:Contains:10]"
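The AND/OR operations and the ordering behaviour of the break example, as an added example that is not part of the product documentation: it evaluates varbind expressions and walks the filters in order. It assumes whole-field regex matching with Python's re, case-insensitive operation names, string comparison of varbind values, and that a missing varbind fails its term; the catch-all filter and the sample traps are constructed.

```python
import re

# Operation names from the page; matched case-insensitively (assumption).
OPS = {
    "equals": lambda have, want: have == want,
    "notequals": lambda have, want: have != want,
    "startswith": lambda have, want: have.startswith(want),
    "endswith": lambda have, want: have.endswith(want),
    "contains": lambda have, want: want in have,
    "notcontains": lambda have, want: want not in have,
}

def varbinds_match(expr, varbinds):
    """Evaluate 'AND[oid:Op:value,...]' or 'OR[...]' against {oid: value}."""
    m = re.fullmatch(r"(AND|OR)\[(.+)\]", expr.strip('"'))
    if not m:
        raise ValueError(f"not a varbind expression: {expr!r}")
    results = []
    for term in m.group(2).split(","):
        oid, op, want = term.split(":", 2)
        # Assumption: a varbind missing from the trap never satisfies a term.
        results.append(oid in varbinds and OPS[op.lower()](str(varbinds[oid]), want))
    return all(results) if m.group(1) == "AND" else any(results)

def route(config, trap):
    """Walk the filters in order and return the destinations the trap reaches."""
    sent = []
    for line in config.strip().splitlines():
        tok = re.findall(r'"[^"]*"|\S+', line)
        enterprise, action = tok[6], tok[7]
        # Assumption: the Enterprise regex must match the whole field.
        if enterprise != "*" and not re.fullmatch(enterprise, trap["enterprise"]):
            continue
        if action == "break":
            break                      # no further filters for this trap
        expr = next((t for t in tok[8:] if t.startswith(('"AND[', '"OR['))), None)
        if expr is None or varbinds_match(expr, trap["varbinds"]):
            sent.append(tok[8])        # Option field: the forward destination
    return sent

# First two lines are from the page's break example; the catch-all is constructed.
CONFIG = """
filter * * * * * 1.3.6.1.6.3.1.1.5 forward 10.241.3.151 translate_v3_traps:0:public "AND[1.3.6.1.6.3.1.1.4.1.0:Equals:1.3.6.1.6.3.1.1.5.3]"
filter * * * * * 1.3.6.1.6.3.1.1.5 break
filter * * * * * * forward 10.241.3.151
"""
TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"
# Constructed traps: linkDown, linkUp, and one from an unrelated enterprise OID.
LINK_DOWN = {"enterprise": "1.3.6.1.6.3.1.1.5", "varbinds": {TRAP_OID: "1.3.6.1.6.3.1.1.5.3"}}
LINK_UP = {"enterprise": "1.3.6.1.6.3.1.1.5", "varbinds": {TRAP_OID: "1.3.6.1.6.3.1.1.5.4"}}
OTHER = {"enterprise": "1.3.6.1.4.1.99999", "varbinds": {TRAP_OID: "1.3.6.1.4.1.99999.0.1"}}

if __name__ == "__main__":
    for name, trap in (("linkDown", LINK_DOWN), ("linkUp", LINK_UP), ("other", OTHER)):
        print(name, "->", route(CONFIG, trap))
```

The linkDown trap is forwarded once, the linkUp trap is dropped by the break filter, and the unrelated trap reaches only the catch-all.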
Forward Traps through TCP Connections
TrapX can forward traps through TCP connections when you specify the host name (or IP address), port, and a connection timeout value. TrapX provides two actions for forwarding traps through TCP: tcp and tcpbuff. When you specify the tcp action for trap filtering in the TrapX file, TrapX does not buffer the traps; if the trap receiver is unavailable, TrapX drops the traps. When you specify the tcpbuff action, TrapX can queue the traps and then send them when the trap receiver restarts, providing better management of TCP connections than the tcp action provides.
Forwarding traps through TCP does not provide security, privacy, or authentication. It simply enhances the reliability of the trap reception. Enable listen_for_tcp_traps on port 1771 and forward the traps on the TCP port in the trapX.config file. For example:
filter * * * * * * tcp 10.241.3.151:1771 translate_v3_traps 300
  • Filter Traps through TCP with buffering:
    This example forwards traps through a TCP connection to a system with a hostname of violet on port 5058 with a buffer size equivalent to 60 traps and a timeout value of 300 seconds.
    filter * * * * * * tcpbuff violet:5058 translate_v3_traps 60 300
    CA SDC TrapX buffers traps in a buffer that can hold a maximum of 60 traps for 300 seconds before dropping them.
  • Filter Traps through TCP without buffering:
    This example forwards traps without buffering through a TCP connection to a system with a hostname of electrode on port 162 with a timeout value of 30 seconds.
    filter * * * * * * tcp electrode:162 30
  • Forward Traps through UDP Connections:
    This example forwards traps through a UDP connection to a system with a hostname of orange on port 5058. You can forward traps through UDP when the trap receiver does not support TCP.
    filter * * * * * * forward orange:5058
  • Forward Traps Blindly:
    This example forwards traps to a system with a hostname of lemon on port 5058 without parsing or decoding them.
    filter * * * * * * blind lemon:5058
SDC TrapX Limitations
The limitations with this feature include:
  • Multi-NIC and SDC TrapX High Availability (HA) are not supported with this release.
  • Installing SDC TrapX on an SDC computer is not supported.
  • The filters that are not supported with this release are listed as follows:
    Filter Name: overloaded_header
    Value: overloaded_header
    Description: This flag overloads 16-byte agent IP address into SNMPv1 trap PDU, while translating v2c traps to v1. This flag is effective only when the translate_v2c_traps flag is on.
    Filter Name: so_rcvbuf <buffer-size-in-bytes>
    Value: so_rcvbuf 128000
    Description: This command sets the size of the socket receive buffer. This applies to both the UDP and TCP listening sockets. The default is 128000 bytes.
    Filter Name: tcp_receive_timeout <timeout-in-seconds>
    Value: tcp_receive_timeout 5
    Description: This command defines the timeout for recv() operations on the TCP listen socket, in seconds. Essentially, this keeps TrapEXPLODER from being indefinitely blocked by a rogue TCP connection. A value of 0 disables the timeout, allowing TCP recv() operations to block indefinitely. This option only has an effect if listen_for_tcp_traps is set to 'on'. The default is 5 seconds.
    Filter Name: 'aview' action
    Value: aview /opt/aview/var/traps or aview c:\aview\var\traps
    Description: This action writes out traps in the aview format. This action does not work if the Trap Exploder is running on an eHealth® machine with a Fault Manager license present.
    Filter Name: 'eh' action
    Value: eh 1.2.3.4:666 666 30
    Description: This action is used with CA eHealth® 5.0 to forward traps to the eHealth trap receiver. This action is deprecated with CA eHealth® 5.5 and higher.