7.1 Configure and verify device-monitoring protocols

7.1.a SNMPv2

To configure an SNMPv2c community string and restrict, with a standard ACL, which hosts may use it:

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#snmp-server community netadmin RW 50 
Router(config)#access-list 50 permit 192.168.0.10 0.0.0.255
Router(config)#access-list 50 deny any
Router(config)#^Z
Router#

Two things to check in that configuration. RW makes this a read-write community: anyone who learns the string and passes the ACL can change the configuration, and SNMPv2c carries the string in cleartext in every packet, so the ACL is the only real control. The ACL itself is wider than it looks: the wildcard mask 0.0.0.255 marks the whole last octet as "don't care", so this entry permits all of 192.168.0.0/24, not just 192.168.0.10 (IOS stores and displays it as permit 192.168.0.0 0.0.0.255). To admit only the management host use the host keyword, permit host 192.168.0.10. The trailing deny any is implicit at the end of every IOS ACL, but writing it out gives show access-lists a match counter for rejected requests.
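To see exactly what that wildcard mask admits, here is a small evaluator of IOS standard-ACL semantics, written as an added example for this page (it is not Cisco code and not the author's). It takes entries in the syntax used above, applies first-match-wins with the implicit deny, and shows how IOS normalizes an entry; PAGE_ACL is the list configured above and HOST_ACL is the corrected host form. The function names are my own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

# The ACL configured above, and the corrected form that admits only the
# management host. Both are standard ACL entries exactly as IOS takes them.
PAGE_ACL = ["permit 192.168.0.10 0.0.0.255", "deny any"]
HOST_ACL = ["permit host 192.168.0.10", "deny any"]


def parse_entry(entry):
    """Turn one standard-ACL line into (action, address, wildcard) as integers.

    Accepted forms: 'permit|deny any', 'permit|deny host A.B.C.D',
    'permit|deny A.B.C.D W.X.Y.Z' and 'permit|deny A.B.C.D' (wildcard 0.0.0.0).
    """
    parts = entry.split()
    action, target = parts[0], parts[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {entry!r}")
    if target == "any":
        return action, 0, ALL_ONES
    if target == "host":
        return action, int(ipaddress.IPv4Address(parts[2])), 0
    address = int(ipaddress.IPv4Address(target))
    wildcard = int(ipaddress.IPv4Address(parts[2])) if len(parts) > 2 else 0
    return action, address, wildcard


def matches(address, wildcard, src):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~wildcard & ALL_ONES
    return (src & care) == (address & care)


def acl_decision(acl, src_ip):
    """First matching entry wins; with no match the ACL denies implicitly."""
    src = int(ipaddress.IPv4Address(src_ip))
    for entry in acl:
        action, address, wildcard = parse_entry(entry)
        if matches(address, wildcard, src):
            return action
    return "deny"  # the implicit deny at the end of every IOS ACL


def normalized_entry(entry):
    """The entry as IOS will display it: wildcard bits cleared in the address,
    so 192.168.0.10 0.0.0.255 comes back as 192.168.0.0 0.0.0.255. A single
    host is shown as the bare address, as IOS does for standard ACLs."""
    action, address, wildcard = parse_entry(entry)
    if wildcard == ALL_ONES:
        return f"{action} any"
    base = ipaddress.IPv4Address(address & ~wildcard & ALL_ONES)
    if wildcard == 0:
        return f"{action} {base}"
    return f"{action} {base} {ipaddress.IPv4Address(wildcard)}"


def hosts_permitted(acl, network):
    """How many host addresses in `network` the ACL lets through."""
    return sum(acl_decision(acl, str(host)) == "permit"
               for host in ipaddress.IPv4Network(network).hosts())


if __name__ == "__main__":
    for acl in (PAGE_ACL, HOST_ACL):
        shown = "; ".join(normalized_entry(e) for e in acl)
        print(f"{shown}: permits {hosts_permitted(acl, '192.168.0.0/24')} of 254 hosts")
```

Run it and PAGE_ACL permits all 254 hosts of the /24 while HOST_ACL permits exactly one, which is the difference between "my management box can poll the router" and "anything on the LAN segment can rewrite its configuration".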

I used the net-snmp package on FreeBSD and a bridged adapter to give my LAN access to poll the SNMP service:


blades@ryzen:~/Desktop % snmpwalk -v 2c -c netadmin -m ALL 192.168.0.100 system
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Sun 09-Sep-12 06:30 by prod_rel_team
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.222
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (96450) 0:16:04.50
SNMPv2-MIB::sysContact.0 = STRING: admin
SNMPv2-MIB::sysName.0 = STRING: Router
SNMPv2-MIB::sysLocation.0 = STRING: simlab
SNMPv2-MIB::sysServices.0 = INTEGER: 78
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00

7.1.b SNMPv3

Configuring SNMPv3 is more involved and takes three steps:

1.) configuring groups, which set the security level (noauth, auth or priv), the views and the ACL

2.) configuring users, each bound to a group and carrying its authentication and privacy credentials

3.) configuring ACLs (the groups below reuse standard ACL 50 from 7.1.a)

The four users below cover every security level. Only user4 (priv) is both authenticated and encrypted; user3 (auth) is authenticated with SHA but its data still travels in the clear; user1 and user2 (noauth) are no stronger than an SNMPv2c community, and group ex1 even grants unauthenticated write access, so the noauth pair belongs in a lab only. Note also that IOS stores only the localized keys derived from these passwords and does not list snmp-server user lines in the running configuration; show snmp user is the way to verify them:

Router(config)#snmp-server user user1 ex1 v3 
Router(config)#snmp-server user user2 ex2 v3 

Router(config)#snmp-server user user3 ex3 v3 auth sha supaSecret

Router(config)#snmp-server user user4 ex4 v3 auth sha supaSecret1 priv aes 128 privPASS
Router(config)#snmp-server group ex1 v3 noauth write v1default access 50
Router(config)#snmp-server group ex2 v3 noauth access 50
Router(config)#snmp-server group ex3 v3 auth match exact write v1default access 50
Router(config)#snmp-server group ex4 v3 priv match exact write v1default access 50

The counters in show snmp are worth a look after polling: "Unknown community name" counts SNMPv2c requests that failed the community check, and "Unknown User Names", "Wrong MD5 or SHA Digests" and "Not In Time Windows" count SNMPv3 failures, so a steadily rising count on a production device means someone is guessing credentials. The "Unknown EngineIDs" seen here are the SNMPv3 client's initial engine discovery exchange and are expected.

Router#show snmp
Chassis: 4279256517
Contact: admin
Location: simlab
38 SNMP packets input
 0 Bad SNMP version errors
 6 Unknown community name
 0 Illegal operation for community name supplied
 0 Encoding errors
 27 Number of requested variables
 0 Number of altered variables
 0 Get-request PDUs
 27 Get-next PDUs
 0 Set-request PDUs
 0 Input queue packet drops (Maximum queue size 1000)
32 SNMP packets output
 0 Too big errors (Maximum packet size 1500)
 0 No such name errors
 0 Bad values errors
 0 General errors
 27 Response PDUs
 0 Trap PDUs
SNMP Dispatcher:
 queue 0/75 (current/max), 0 dropped
SNMP Engine:
 queue 0/1000 (current/max), 0 dropped
 0 Unknown Security Models
 0 SNMP Invalid Messages
 0 SNMP Unknown PDU handlers
 0 Unsupported Security Level
 0 Unknown User Names
 5 Unknown EngineIDs
 0 Not In Time Windows
 0 Wrong MD5 or SHA Digests
 0 Decryption Errors
SNMP Trap Queue: 0 dropped due to resource failure.

SNMP logging: disabled
Router#show snmp user

User name: user1
Engine ID: 800000090300CA0107EA0000
storage-type: nonvolatile active
Authentication Protocol: None
Privacy Protocol: None
Group-name: ex1

User name: user2
Engine ID: 800000090300CA0107EA0000
storage-type: nonvolatile active
Authentication Protocol: None
Privacy Protocol: None
Group-name: ex2

User name: user3
Engine ID: 800000090300CA0107EA0000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: None
Group-name: ex3

User name: user4
Engine ID: 800000090300CA0107EA0000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: ex4

Router#

7.1.c Syslog

Syslog can be configured to log to a remote host. In this example I started a Perl syslog daemon on port 514 on my FreeBSD machine and, using Ethernet bridging, configured the Cisco router to log to it:

! console gets everything up to severity 7 (debugging); 0 (emergencies) is the most severe level
logging console 7
! same level for terminal (vty) sessions running terminal monitor
logging monitor debug
! keep severity 0-4 (warnings and more severe) in the local log buffer
logging buffered 4
! only send severity 0-4 to the syslog server
logging trap warnings
! the syslog collector; UDP port 514 unless told otherwise
logging host 192.168.0.10

Syslog over UDP/514 is neither authenticated nor encrypted, so the collector belongs on the management network, and the msec timestamps below (produced by service timestamps log datetime msec) only mean something if the router's clock is set, e.g. via NTP. With logging trap warnings only the severity 3 link messages reach the collector:

root@ryzen:/home/blades/Workspace/src/syslog # perl syslog.pl
192.168.0.100 60619 local7 Error Feb 18 12:04:59.535 0 %LINK-3-UPDOWN: Interface FastEthernet2/0, changed state to down
192.168.0.100 60619 local7 Error Feb 18 12:06:53.695 0 %LINK-3-UPDOWN: Interface FastEthernet2/0, changed state to down
192.168.0.100 60619 local7 Error Feb 18 12:07:12.803 0 %LINK-3-UPDOWN: Interface FastEthernet3/0, changed state to down
Logging can be changed to send everything to the remote host by raising the trap level (logging trap debugging is the keyword form of the same command):

logging trap 7

This sends every message, including debug output, to the remote host. Two things to notice in the capture: the %SYS-5-CONFIG_I configuration-change messages are severity 5, so the earlier logging trap warnings setting (severity 4 and below) never forwarded them, and a collector that is supposed to see configuration changes needs at least logging trap notifications; and the UDP: rcvd lines are the output of an active debug ip udp, which is the kind of volume that makes logging trap 7 a poor choice outside a lab:

root@ryzen:/home/blades/Workspace/src/syslog # perl syslog.pl
192.168.0.100 60619 local7 Notice Feb 18 12:16:16.251 0 %SYS-5-CONFIG_I: Configured from console by console
192.168.0.100 60619 local7 Debug Feb 18 12:16:18.739 0 UDP: rcvd src=192.168.0.1(2190), dst=192.168.0.255(2190), length=187
192.168.0.100 60619 local7 Debug Feb 18 12:17:19.763 0 UDP: rcvd src=192.168.0.1(2190), dst=192.168.0.255(2190), length=187
192.168.0.100 60619 local7 Debug Feb 18 12:17:58.659 0 UDP: rcvd src=192.168.0.111(138), dst=255.255.255.255(138), length=209
192.168.0.100 60619 local7 Notice Feb 18 12:18:17.483 0 %SYS-5-CONFIG_I: Configured from console by console
192.168.0.100 60619 local7 Debug Feb 18 12:18:20.795 0 UDP: rcvd src=192.168.0.1(2190), dst=192.168.0.255(2190), length=187
192.168.0.100 60619 local7 Notice Feb 18 12:18:25.075 0 %SYS-5-CONFIG_I: Configured from console by console
192.168.0.100 60619 local7 Notice Feb 18 12:18:28.939 0 %SYS-5-CONFIG_I: Configured from console by console

The Perl syslog daemon is from here. You will need to run it as root as it needs to bind a privileged port; if you would rather not run a network listener as root, point the router at an unprivileged port instead (for example logging host 192.168.0.10 transport udp port 5514) and bind the daemon there.
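The severity arithmetic behind logging trap is easy to get wrong, so here is an added example of my own (not the author's Perl daemon and not Cisco code) that parses the %FACILITY-SEVERITY-MNEMONIC header of IOS messages, applies a given logging trap level the way the router does, and works out the lowest level that still forwards the events you care about. SAMPLE_MESSAGES are the message bodies from the captures above with the collector's prefix stripped; the function names are my own.

```python
import re

# Keywords accepted by "logging trap <level>" and their numeric values.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Message bodies as the router emitted them in the captures above (the
# collector's own prefix stripped). The "UDP: rcvd" line is debug output,
# which has no %FACILITY-SEVERITY-MNEMONIC header and goes out at severity 7.
SAMPLE_MESSAGES = [
    "%LINK-3-UPDOWN: Interface FastEthernet2/0, changed state to down",
    "%SYS-5-CONFIG_I: Configured from console by console",
    "UDP: rcvd src=192.168.0.1(2190), dst=192.168.0.255(2190), length=187",
    "%LINK-3-UPDOWN: Interface FastEthernet3/0, changed state to down",
]

HEADER = re.compile(
    r"^%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


def severity_level(setting):
    """'logging trap' accepts either a keyword or a number 0-7."""
    if isinstance(setting, int):
        level = setting
    elif setting.isdigit():
        level = int(setting)
    else:
        return SEVERITY[setting]
    if not 0 <= level <= 7:
        raise ValueError(f"severity out of range: {setting}")
    return level


def trap_keyword(level):
    """Numeric level back to the keyword IOS shows in the configuration."""
    return next(k for k, v in SEVERITY.items() if v == level)


def parse_ios_message(body):
    m = HEADER.match(body)
    if m is None:  # no header: debug output, severity 7
        return {"facility": None, "severity": 7, "mnemonic": None, "text": body}
    d = m.groupdict()
    d["severity"] = int(d["severity"])
    return d


def parsed_samples():
    return [parse_ios_message(b) for b in SAMPLE_MESSAGES]


def forwarded(messages, trap_setting):
    """Messages that 'logging trap <trap_setting>' lets reach the syslog host:
    those whose severity number is at or below the configured level."""
    limit = severity_level(trap_setting)
    return [m for m in messages if m["severity"] <= limit]


def minimum_trap_level(messages, mnemonics):
    """Lowest trap setting that still forwards every message whose mnemonic
    is in `mnemonics` (e.g. CONFIG_I for configuration changes)."""
    wanted = [m["severity"] for m in messages if m["mnemonic"] in mnemonics]
    if not wanted:
        raise ValueError("none of the sample messages carry those mnemonics")
    return max(wanted)


if __name__ == "__main__":
    msgs = parsed_samples()
    for setting in ("warnings", "notifications", "7"):
        names = [m["mnemonic"] or "debug" for m in forwarded(msgs, setting)]
        print(f"logging trap {setting}: {names}")
    level = minimum_trap_level(msgs, {"CONFIG_I", "UPDOWN"})
    print("to capture config changes and link flaps use: logging trap", trap_keyword(level))
```

With the sample set, logging trap warnings forwards only the two UPDOWN messages, notifications adds CONFIG_I without the debug noise, and 7 forwards everything; the minimum level for configuration-change auditing comes out as notifications.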
