Cisco APIC-EM Lab

I finally got the Cisco APIC-EM controller running and integrated into a GNS3 VM:

Screenshot_2018-03-10_20-56-58

The setup is quite complicated. I have an IBM x3650 M2 server with two X5570 Xeons and 64GB of ECC 10600 RAM.

On the server I run:

  1. A desktop environment
  2. gns3-server
  3. VirtualBox machine – APIC-EM

On my FreeBSD machine I run the gns3 gui and use SSH to connect to the Ubuntu server. My server and my FreeBSD machine are connected via a 1GB switch.

To create the Cisco APIC-EM VirtualBox machine:

  1. Open VirtualBox and choose create
  2. Create a machine with a minimum:
    1. 12 CPU cores
    2. 32 GB RAM
    3. 100GB Hard Drive
  3. Modify the APIC-EM Virtual machine to use a bridged network adapter (choose the one with an internet connection)
  4. Power on the machine and follow the steps
  5. After the APIC-EM installer has finished, power off the machine – the install takes up to 1.5hrs to complete

In GNS3 add a new device and select the VirtualBox machine option. After selecting the APIC-EM machine you created before, re-enter the config and check the box that says “Allow GNS3 to use any network card”.

Add the APIC-EM machine to the topology and connect the first ethernet port to a cloud device – this should be the local ethernet port on the computer running GNS3 that accesses your network.

Create the rest of the topology and be sure to create a DHCP server on the router connected to APIC-EM so that the interfaces on the APIC-EM can be auto-configured:

! IOU1
ip dhcp pool local
 network 10.0.0.0 255.255.255.0
 domain-name local.net
 ! 10.0.0.100 is the IP address of this router
 default-router 10.0.0.100
 lease 31

If you have connectivity issues, log in to the APIC-EM in VirtualBox as root – use the password you configured in the setup – and run the following to configure DHCP on the network cards:

root@grapevine-root-1:~# dhclient eth1
RTNETLINK answers: File exists
root@grapevine-root-1:~# ip addr flush dev eth1 #this will remove old address
root@grapevine-root-1:~# dhclient eth1
root@grapevine-root-1:~# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 08:00:27:da:a0:3f 
 inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:247 errors:0 dropped:3 overruns:0 frame:0
 TX packets:906 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000 
 RX bytes:31180 (31.1 KB) TX bytes:47184 (47.1 KB)

Test connectivity. Please note that for your APIC-EM to work it needs to be able to reach the rest of the network. To do this I configured OSPF on each device.

Here is a list of the minimum config:

  1. Enable password
  2. ssh enabled
  3. routing protocol
  4. snmp configuration

Let's go through each:

1.)

muhrouter#conf t
Enter configuration commands, one per line. End with CNTL/Z.
muhrouter(config)#en
muhrouter(config)#ena
muhrouter(config)#enable ?
algorithm-type Algorithm to use for hashing the plaintext ‘enable’ secret
password Assign the privileged level password (MAX of 25 characters)
secret Assign the privileged level secret (MAX of 25 characters)

muhrouter(config)#enable se
muhrouter(config)#enable secret cisco
muhrouter(config)#

2.)

muhrouter(config)#ip domain-name clinetworking.net
muhrouter(config)#crypto key generate rsa 
% You already have RSA keys defined named muhrouter.clinetworking.net.
% Do you really want to replace them? [yes/no]: yes
Choose the size of the key modulus in the range of 360 to 4096 for your
 General Purpose Keys. Choosing a key modulus greater than 512 may take
 a few minutes.

How many bits in the modulus [512]: 20
*Mar 10 11:49:25.639: %SSH-5-DISABLED: SSH 1.99 has been disabled
2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)

muhrouter(config)#
*Mar 10 11:49:30.479: %SSH-5-ENABLED: SSH 1.99 has been enabled
muhrouter(config)#line vty 0 4
muhrouter(config-line)#login local
muhrouter(config-line)#transport input ssh
muhrouter(config-line)#username admin secret cisco
muhrouter(config)#^Z
muhrouter#
*Mar 10 11:49:59.410: %SYS-5-CONFIG_I: Configured from console by console
muhrouter#conf t
Enter configuration commands, one per line. End with CNTL/Z.
muhrouter(config)#hostname propah
propah(config)#^Z

3.)

router ospf 1
 network 10.0.1.0 0.0.0.255 area 0
 network 10.0.2.0 0.0.0.255 area 0
 network 10.0.3.0 0.0.0.255 area 0
 network 10.0.4.0 0.0.0.255 area 0
 network 10.0.10.0 0.0.0.255 area 0
 network 10.0.100.0 0.0.0.255 area 0

propah#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
10.0.10.6 1 FULL/DROTHER 00:00:35 10.0.10.6 Ethernet0/2
10.0.100.1 1 FULL/DR 00:00:33 10.0.10.5 Ethernet0/2
10.0.100.1 1 FULL/DR 00:00:34 10.0.100.1 Ethernet0/2.100
10.0.2.2 1 FULL/DR 00:00:39 10.0.1.2 Ethernet0/1

After all this you should be able to log in to the Cisco APIC-EM controller webpage with your preconfigured credentials:

https://192.168.0.15:14141

Ignore the certificate warning.
Screenshot_2018-03-10_21-25-07

Wait for all services to start (takes about 45min):

Screenshot_2018-03-10_21-25-32

That’s it! Now you can start doing some stuff.

7.7 Describe network programmability in enterprise network architecture

  • 7.7.a Function of a controller

An SDN controller’s function is to concentrate the control plane of the entire network and its attached routers into a single device. This means that the whole network can be orchestrated and controlled from a single point.

  • 7.7.b Separation of control plane and data plane

The control plane represents policy management and the data plane represents policy implementation.

Traditionally routers and switches had a device-specific control plane and data plane, which meant each device had to be configured by hand. Separating the control plane from the data plane means that devices can be orchestrated, automated and remotely administered.

  • 7.7.c Northbound and southbound APIs

A northbound API sits on the control plane side and allows general control of the entire network. A southbound API is what the network controller typically uses to communicate policy to the individual routers/switches under its control.

Cisco doesn’t believe in the complete separation of control planes and data planes and recommends a hybrid approach that they believe increases reliability.

7.6 Use Cisco IOS tools to troubleshoot and resolve problems

7.6.a Ping and traceroute with extended option

Extended pings and traceroutes can be performed to verify the routing table of the device. For example, you can ping from another interface (such as a loopback) by typing “ping” on its own and then specifying a source address:

Router#ping 
Protocol [ip]: 
Target IP address: 192.168.0.1
Repeat count [5]: 
Datagram size [100]: 999
Timeout in seconds [2]: 1
Extended commands [n]: y
Source address or interface: 10.0.0.1
Type of service [0]: 3
Set DF bit in IP header? [no]: 
Validate reply data? [no]: 
Data pattern [0xABCD]: 
Loose, Strict, Record, Timestamp, Verbose[none]: 
Sweep range of sizes [n]: 
Type escape sequence to abort.
Sending 5, 999-byte ICMP Echos to 192.168.0.1, timeout is 1 seconds:
Packet sent with a source address of 10.0.0.1 
.....
Success rate is 0 percent (0/5)

In this case the ping failed due to the receiver not knowing the route to R1’s loopback.

Typing “traceroute” with no options prompts for the extended options:

Router#traceroute 
Protocol [ip]: 
Target IP address: 8.8.8.8
Source address: 192.168.0.200
Numeric display [n]: 
Timeout in seconds [3]: 
Probe count [3]: 
Minimum Time to Live [1]: 
Maximum Time to Live [30]: 
Port Number [33434]: 
Loose, Strict, Record, Timestamp, Verbose[none]: 
Type escape sequence to abort.
Tracing the route to 8.8.8.8

 1 * * *
 2 * * *
 3 * * *

  • 7.6.b Terminal monitor

Unless you log in via the console port, terminal logging is disabled by default. To see console messages in an SSH session, enter “terminal monitor” in EXEC mode.

  • 7.6.c Log events

Logs can be triggered by ACLs by placing “log” at the end of an access-list entry.

  • 7.6.d Local SPAN

A switch can be configured with a monitoring session that will cause the switch to forward traffic to a specified port.

This allows the technician to use a packet capture tool such as Wireshark to troubleshoot network connectivity problems. GNS3 doesn’t support SPAN so I guess I will have to skip over this lab.

7.5 Perform device maintenance

  • 7.5.a Cisco IOS upgrades and recovery (SCP, FTP, TFTP, and MD5 verify)

To use MD5 to verify an image:

R1#verify /md5 flash0:<imagename> <md5sum>

To send an image via SCP (secure copy over SSH):

Run this command from your Linux/BSD machine:

desktop$ scp <imagename> <username>@<host>:flash0:<imagename>

To copy via FTP or TFTP (both transfer the image in cleartext, and the FTP URL carries the credentials in cleartext too, so verify the MD5 afterwards):

R1#copy ftp://username:pass@<host>/path flash

R1#copy tftp://<host>/path flash

  • 7.5.b Password recovery and configuration register

1.) Remove power

2.) Remove flash memory

3.) Turn on router

4.) In ROMMON set the configuration register so the router ignores startup-config on the next boot:

rommon 1> confreg 0x2142

5.) Turn off router

6.) Restore flash and power

7.) Router will boot with no config:

Router> enable

Router#copy startup-config running-config

R1#configure terminal

R1(config)#enable secret password

R1(config)#config-register 0x2102

R1(config)#^Z

8.) Save the new password to startup-config:

R1# copy running-config startup-config
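As an added example (not part of the original post), the following Python decodes the two configuration register values used above and audits a “show version” line for the case that matters after a recovery: bit 6 (0x0040, ignore NVRAM) still being set, so the router keeps discarding startup-config on every reload. The sample “show version” strings are constructed, and the bit meanings are those of the classic IOS configuration register.

```python
import re

# Bit meanings of the 16-bit IOS configuration register on classic routers
# (the values the page uses: 0x2142 during recovery, 0x2102 in normal operation).
IGNORE_NVRAM = 0x0040         # bit 6: skip startup-config at boot
BREAK_DISABLED = 0x0100       # bit 8: Break key ignored once IOS is running
BOOT_ROM_ON_FAILURE = 0x2000  # bit 13: fall back to ROM software if boot fails


def decode_confreg(value):
    """Split a configuration register into its boot field and option bits."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    boot_field = value & 0xF
    if boot_field == 0:
        boot = "stay in ROMMON"
    elif boot_field == 1:
        boot = "boot first image in flash"
    else:
        boot = "boot per 'boot system' commands"
    return {
        "value": f"0x{value:04X}",
        "boot_field": boot_field,
        "boot": boot,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "boot_rom_on_failure": bool(value & BOOT_ROM_ON_FAILURE),
    }


def recovery_register_left_set(value):
    """True when bit 6 is still set: the router will keep discarding startup-config
    on every reload (step 7 above was done but the config-register line was not)."""
    return bool(value & IGNORE_NVRAM)


# 'show version' reports the current value and, if it was changed in this
# session, the value that takes effect at the next reload.
CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?: \(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?"
)


def audit_show_version(text):
    """Check 'show version' output for a recovery register left in place."""
    m = CONFREG_RE.search(text)
    if not m:
        return {"found": False, "findings": ["no configuration register line in output"]}
    current = int(m.group(1), 16)
    next_boot = int(m.group(2), 16) if m.group(2) else current
    findings = []
    if recovery_register_left_set(next_boot):
        findings.append(f"next reload uses 0x{next_boot:04X}: startup-config will be ignored")
    if (next_boot & 0xF) == 0:
        findings.append("boot field is 0: router will stop in ROMMON at next reload")
    return {"found": True, "current": current, "next": next_boot, "findings": findings}


# Constructed sample: the last line of 'show version' right after step 7, before the reload.
SAMPLE_AFTER_RECOVERY = "Configuration register is 0x2142 (will be 0x2102 at next reload)"
# Constructed sample: an operator who skipped the config-register step.
SAMPLE_FORGOTTEN = "Configuration register is 0x2142"

if __name__ == "__main__":
    for v in (0x2142, 0x2102):
        print(decode_confreg(v))
    print(audit_show_version(SAMPLE_AFTER_RECOVERY))
    print(audit_show_version(SAMPLE_FORGOTTEN))
```

Running the audit over the “show version” output of every router after a recovery exercise is the quickest way to catch a device that will silently come up unconfigured at its next reload.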


  • 7.5.c File system management

To copy files to a USB drive:

R1# copy running-config usbflash1:copy-of-run-config

7.4 Configure and verify initial device configuration

Hostname:
R1>en
R1#conf t
R1(config)#hostname ?
 WORD This system's network name
R1(config)#hostname router1

Enable secret:
router1(config)#enable secret
router1(config)#enable secret cisco

Show config:
router1#show run

Login Banner:
router1#conf t
router1(config)#banner !
Enter TEXT message. End with the character '!'.
Unauthorised Access Prohibited.!

7.3 Configure and verify device management

7.3.a Backup and restore device configuration

Backups can be configured to use multiple destinations:

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#archive 
Router(config-archive)#path ?
 bootflash: Write archive on bootflash: file system
 disk0: Write archive on disk0: file system
 disk1: Write archive on disk1: file system
 flash: Write archive on flash: file system
 ftp: Write archive on ftp: file system
 http: Write archive on http: file system
 https: Write archive on https: file system
 pram: Write archive on pram: file system
 rcp: Write archive on rcp: file system
 scp: Write archive on scp: file system
 slot0: Write archive on slot0: file system
 slot1: Write archive on slot1: file system
 tftp: Write archive on tftp: file system

Router(config-archive)#path tftp://192.168.0.10/
Router(config-archive)#time-period 1440
Router(config-archive)#write-mem
Router(config-archive)#write-memory 
Router(config-archive)#^Z
Router#

Then we simply run “archive config” in enable mode to archive the config.

Router#show archive
The maximum archive configurations allowed is 14.
The next archive file will be named tftp://192.168.0.10/-4
 Archive # Name
 1 :Error - no archive file was created 
 2 tftp://192.168.0.10/-1 
 3 tftp://192.168.0.10/-2 
 4 tftp://192.168.0.10/-3 <- Most Recent
 5 
 6 
 7 
 8 
 9 
 10

To restore config:

Router#configure replace tftp://192.168.0.10/-1

7.3.b Using Cisco Discovery Protocol or LLDP for device discovery

Cisco Discovery Protocol is enabled by default on Cisco devices. I created a three-layer network using switches and enabled all necessary ports.

To access CDP:

Router#show cdp neighbors 
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
 S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, 
 D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID Local Intrfce Holdtme Capability Platform Port ID
Router Eth 0/1 177 R B Linux Uni Eth 0/0
Router Eth 0/0 158 R B Linux Uni Eth 0/0

Total cdp entries displayed : 2

Router#show cdp neighbors detail 
-------------------------
Device ID: Router
Entry address(es): 
Platform: Linux Unix, Capabilities: Router Source-Route-Bridge 
Interface: Ethernet0/1, Port ID (outgoing port): Ethernet0/0
Holdtime : 147 sec

Version :
Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.4(1)T, DEVELOPMENT TEST SOFTWARE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Sat 23-Nov-13 03:28 by prod_rel_team

advertisement version: 2
Duplex: half

-------------------------
Device ID: Router
Entry address(es): 
Platform: Linux Unix, Capabilities: Router Source-Route-Bridge 
Interface: Ethernet0/0, Port ID (outgoing port): Ethernet0/0
Holdtime : 179 sec
 
Version :
Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.4(1)T, DEVELOPMENT TEST SOFTWARE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Sat 23-Nov-13 03:28 by prod_rel_team

advertisement version: 2
Duplex: half
Total cdp entries displayed : 2

To enable Link Layer Discovery Protocol:

Router#conf t 
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#lldp run
Router(config)#^Z
Router#show lldp

Global LLDP Information:
 Status: ACTIVE
 LLDP advertisements are sent every 30 seconds
 LLDP hold time advertised is 120 seconds
 LLDP interface reinitialisation delay is 2 seconds
Router#show lldp ?
 entry Information for specific neighbor entry
 errors LLDP computational errors and overflows
 interface LLDP interface status and configuration
 neighbors LLDP neighbor entries
 traffic LLDP statistics
 | Output modifiers
 <cr>
Router#show lldp neighbors 
Capability codes:
 (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
 (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID Local Intf Hold-time Capability Port ID
Router Et0/1 120 R Et0/0

Total entries displayed: 1


Router#show lldp entry Router

Capability codes:
 (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
 (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
------------------------------------------------
Chassis id: aabb.cc00.0300
Port id: Et0/0
Port Description: Ethernet0/0
System Name: Router

System Description: 
Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.4(1)T, DEVELOPMENT TEST SOFTWARE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Sat 23-Nov-13 03:28 by prod_rel_tea

Time remaining: 93 seconds
System Capabilities: B,R
Enabled Capabilities: R
Management Addresses - not advertised
Auto Negotiation - not supported
Physical media capabilities - not advertised
Media Attachment Unit type - not advertised
Vlan ID: - not advertised

Total entries displayed: 1

7.3.c Licensing

7.3.d Logging

Use the show logging commands to verify system logging.

One can also use the debug command to debug certain processes inside IOS:

Router#debug cdp events 
CDP events debugging is on
Router#debug cdp ad
Router#debug cdp adjacency 
CDP neighbor info debugging is on
Router#debug cdp packets 
CDP packet info debugging is on
Router#debug cdp ip 
CDP IP info debugging is on
Router#debug cdp test
CDP Test cli debugging is on

Router#
Feb 19 06:15:12.600: CDP-PA: Packet received from Router on interface Ethernet0/1
Feb 19 06:15:12.600: **Entry found in cache**
Feb 19 06:15:12.600: CDP-EV: Packet Received from Router with capability = 5 and Platform string = Linux Unix on interface Ethernet0/1
Router#
Feb 19 06:15:16.208: In cdp_check_test_cli_configured()
Feb 19 06:15:16.208: Sending TLV for testing 
Feb 19 06:15:16.208: CDP-IP: Cannot find stub network
Feb 19 06:15:16.208: cdp_check_test_cli_configured() from insert_native
Feb 19 06:15:16.208: CDP-PA: version 2 packet sent out on Ethernet0/1
Router#
Feb 19 06:15:21.253: CDP-PA: Packet received from Router on interface Ethernet0/0
Feb 19 06:15:21.253: **Entry found in cache**
Feb 19 06:15:21.253: CDP-EV: Packet Received from Router with capability = 5 and Platform string = Linux Unix on interface Ethernet0/0
Router#
Feb 19 06:15:53.184: In cdp_check_test_cli_configured()
Feb 19 06:15:53.184: Sending TLV for testing 
Feb 19 06:15:53.184: CDP-IP: Cannot find stub network
Feb 19 06:15:53.184: cdp_check_test_cli_configured() from insert_native
Feb 19 06:15:53.184: CDP-PA: version 2 packet sent out on Ethernet0/0
Router#
Feb 19 06:16:07.496: In cdp_check_test_cli_configured()
Feb 19 06:16:07.496: Sending TLV for testing 
Feb 19 06:16:07.496: CDP-IP: Cannot find stub network
Feb 19 06:16:07.496: cdp_check_test_cli_configured() from insert_native
Feb 19 06:16:07.496: CDP-PA: version 2 packet sent out on Ethernet0/1
Router#
Feb 19 06:16:11.850: CDP-PA: Packet received from Router on interface Ethernet0/1
Feb 19 06:16:11.850: **Entry found in cache**
Feb 19 06:16:11.851: CDP-EV: Packet Received from Router with capability = 5 and Platform string = Linux Unix on interface Ethernet0/1
Router#
Feb 19 06:16:20.938: CDP-PA: Packet received from Router on interface Ethernet0/0
Feb 19 06:16:20.938: **Entry found in cache**
Feb 19 06:16:20.938: CDP-EV: Packet Received from Router with capability = 5 and Platform string = Linux Unix on interface Ethernet0/0

7.3.e Timezone

Setting the time and timezone can be done with these commands:

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#clock timezone AEST -8
Router(config)#
*Feb 18 12:40:07.908: %SYS-6-CLOCKUPDATE: System clock has been updated from 22:40:07 AEST Sun Feb 18 2018 to 04:40:07 AEST Sun Feb 18 2018, configured from console by console.
Router(config)#^Z
*Feb 18 12:40:16.772: %SYS-5-CONFIG_I: Configured from console by console
Router#clock set 22:10:00 18 February 2018
Router#
*Feb 19 06:10:00.069: %SYS-6-CLOCKUPDATE: System clock has been updated from 04:40:45 AEST Sun Feb 18 2018 to 22:10:00 AEST Sun Feb 18 2018, configured from console by console.
Router#

7.3.f Loopback

A loopback interface is configured to provide an address that stays reachable when physical interfaces go down or change IP addresses.

Router#conf t 
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface loopback 0
Feb 19 06:18:24.884: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
Router(config-if)#ip address 10.0.0.99 255.255.255.0
Router(config-if)#^Z

7.2 Troubleshoot network connectivity issues using ICMP echo-based IP SLA

To configure an ICMP echo IP SLA use the following commands (the operation only starts collecting data once it has been scheduled with “ip sla schedule 1 life forever start-time now”):

Router(config)#ip sla 1
Router(config-ip-sla)#icmp-echo 10.0.0.2 source-ip 10.0.0.1
Router(config-ip-sla-echo)#frequency 5
Router(config-ip-sla-echo)#threshold 300
Router(config-ip-sla-echo)#history filter all
Router(config-ip-sla-echo)#history buckets-kept 6
Router(config-ip-sla-echo)#history lives-kept 1

The output of show ip sla summary can be useful in determining connection issues based on the number of dropped pings.

7.1 Configure and verify device-monitoring protocols

7.1.a SNMPv2

To configure SNMP version 2c with a community string (the access-list restricts which source addresses may use the community; note that the wildcard 0.0.0.255 in the ACL below matches the whole 192.168.0.0/24, not only 192.168.0.10):

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#snmp-server community netadmin RW 50 
Router(config)#access-list 50 permit 192.168.0.10 0.0.0.255
Router(config)#access-list 50 deny any
Router(config)#^Z
Router#

I used the net-snmp package on FreeBSD and a bridged adapter to allow my LAN to poll the SNMP service:

Screenshot_2018-02-18_01-22-41.png

blades@ryzen:~/Desktop % snmpwalk -v 2c -c netadmin -m ALL 192.168.0.100 system
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Sun 09-Sep-12 06:30 by prod_rel_team
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.222
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (96450) 0:16:04.50
SNMPv2-MIB::sysContact.0 = STRING: admin
SNMPv2-MIB::sysName.0 = STRING: Router
SNMPv2-MIB::sysLocation.0 = STRING: simlab
SNMPv2-MIB::sysServices.0 = INTEGER: 78
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
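The SNMP access-list above and the OSPF network statements in the APIC-EM lab both rely on wildcard masks, so here is an added example (not from the original post) that implements Cisco wildcard matching in Python, evaluates a standard ACL the way the router does (first match wins, implicit deny at the end) and maps OSPF network statements to interface addresses. The ACL and network lines are copied from this page; the source addresses tested against them are constructed.

```python
import ipaddress
import re


def wildcard_match(address, reference, wildcard):
    """Cisco wildcard comparison: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(address))
    r = int(ipaddress.IPv4Address(reference))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (r & care)


def wildcard_to_cidr(reference, wildcard):
    """Express reference/wildcard as a CIDR block (contiguous wildcards only)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError("non-contiguous wildcard mask has no single CIDR form")
    prefix_len = 32 - w.bit_length()
    network = int(ipaddress.IPv4Address(reference)) & ~w & 0xFFFFFFFF
    return f"{ipaddress.IPv4Address(network)}/{prefix_len}"


# access-list <num> permit|deny  any | host A.B.C.D | A.B.C.D [wildcard]
ACL_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+"
    r"(?:(any)|host\s+(\S+)|(\d+\.\d+\.\d+\.\d+)(?:\s+(\d+\.\d+\.\d+\.\d+))?)\s*$"
)


def parse_standard_acl(config_lines, number):
    """Collect the entries of one numbered standard ACL as (action, reference, wildcard)."""
    entries = []
    for line in config_lines:
        m = ACL_RE.match(line.strip())
        if not m or int(m.group(1)) != number:
            continue
        action = m.group(2)
        if m.group(3):                      # any
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif m.group(4):                    # host A.B.C.D
            entries.append((action, m.group(4), "0.0.0.0"))
        else:                               # A.B.C.D [wildcard]; no wildcard means exact host
            entries.append((action, m.group(5), m.group(6) or "0.0.0.0"))
    return entries


def evaluate_standard_acl(entries, source):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, reference, wildcard in entries:
        if wildcard_match(source, reference, wildcard):
            return action
    return "deny"


OSPF_NETWORK_RE = re.compile(r"^network\s+(\S+)\s+(\S+)\s+area\s+(\S+)$")


def ospf_area_for(network_lines, interface_ip):
    """Area of the first 'network' statement whose wildcard covers the interface address,
    or None when nothing covers it (the statements on this page do not overlap)."""
    for line in network_lines:
        m = OSPF_NETWORK_RE.match(line.strip())
        if m and wildcard_match(interface_ip, m.group(1), m.group(2)):
            return m.group(3)
    return None


# Lines taken from this page; HOST_ONLY_ACL is the constructed single-host variant.
PAGE_ACL = ["access-list 50 permit 192.168.0.10 0.0.0.255", "access-list 50 deny any"]
HOST_ONLY_ACL = ["access-list 50 permit host 192.168.0.10", "access-list 50 deny any"]
PAGE_OSPF = [
    "network 10.0.1.0 0.0.0.255 area 0",
    "network 10.0.2.0 0.0.0.255 area 0",
    "network 10.0.10.0 0.0.0.255 area 0",
    "network 10.0.100.0 0.0.0.255 area 0",
]

if __name__ == "__main__":
    entries = parse_standard_acl(PAGE_ACL, 50)
    for src in ("192.168.0.10", "192.168.0.200", "10.0.0.5"):
        print(src, "->", evaluate_standard_acl(entries, src))
    print("ACL 50 covers", wildcard_to_cidr("192.168.0.10", "0.0.0.255"))
    print("10.0.1.2 is in OSPF area", ospf_area_for(PAGE_OSPF, "10.0.1.2"))
```

Evaluating the page's ACL against 192.168.0.200 returns permit, which shows why a read-write community should be tied to a host entry (wildcard 0.0.0.0) rather than a /24 wildcard when only one management station needs it.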

7.1.b SNMPv3

Configuring SNMPv3 is more involved, requiring 3 steps:

1.) configuring groups

2.) configuring users

3.) configuring ACLs

Router(config)#snmp-server user user1 ex1 v3 
Router(config)#snmp-server user user2 ex2 v3 

Router(config)#snmp-server user user3 ex3 v3 auth sha supaSecret

Router(config)#snmp-server user user4 ex4 v3 auth sha supaSecret1 priv aes 128 privPASS
Router(config)#snmp-server group ex1 v3 noauth write v1default access 50
Router(config)#snmp-server group ex2 v3 noauth access 50
Router(config)#snmp-server group ex3 v3 auth match exact write v1default access 50
Router(config)#snmp-server group ex4 v3 priv match exact write v1default access 50

Router#show snmp
Chassis: 4279256517
Contact: admin
Location: simlab
38 SNMP packets input
 0 Bad SNMP version errors
 6 Unknown community name
 0 Illegal operation for community name supplied
 0 Encoding errors
 27 Number of requested variables
 0 Number of altered variables
 0 Get-request PDUs
 27 Get-next PDUs
 0 Set-request PDUs
 0 Input queue packet drops (Maximum queue size 1000)
32 SNMP packets output
 0 Too big errors (Maximum packet size 1500)
 0 No such name errors
 0 Bad values errors
 0 General errors
 27 Response PDUs
 0 Trap PDUs
SNMP Dispatcher:
 queue 0/75 (current/max), 0 dropped
SNMP Engine:
 queue 0/1000 (current/max), 0 dropped
 0 Unknown Security Models
 0 SNMP Invalid Messages
 0 SNMP Unknown PDU handlers
 0 Unsupported Security Level
 0 Unknown User Names
 5 Unknown EngineIDs
 0 Not In Time Windows
 0 Wrong MD5 or SHA Digests
 0 Decryption Errors
SNMP Trap Queue: 0 dropped due to resource failure.

SNMP logging: disabled
Router#show snmp user

User name: user1
Engine ID: 800000090300CA0107EA0000
storage-type: nonvolatile active
Authentication Protocol: None
Privacy Protocol: None
Group-name: ex1

User name: user2
Engine ID: 800000090300CA0107EA0000
storage-type: nonvolatile active
Authentication Protocol: None
Privacy Protocol: None
Group-name: ex2

User name: user3
Engine ID: 800000090300CA0107EA0000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: None
Group-name: ex3

User name: user4
Engine ID: 800000090300CA0107EA0000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: ex4

Router#

7.1.c Syslog

Syslog can be configured to log to a remote host. In this example I started a Perl syslog daemon on port 514 on my FreeBSD machine and using Ethernet bridging configured the Cisco router to log to it:

! include debug messages on the console; 0 is the highest severity
logging console 7
logging monitor debug
! keep warnings (4) and more severe in the internal log buffer
logging buffered 4
! only send severity 4 and more severe to the syslog server
logging trap warnings
! send logs to the remote syslog host
logging host 192.168.0.10

root@ryzen:/home/blades/Workspace/src/syslog # perl syslog.pl
192.168.0.100 60619 local7 Error Feb 18 12:04:59.535 0 %LINK-3-UPDOWN: Interface FastEthernet2/0, changed state to down
192.168.0.100 60619 local7 Error Feb 18 12:06:53.695 0 %LINK-3-UPDOWN: Interface FastEthernet2/0, changed state to down
192.168.0.100 60619 local7 Error Feb 18 12:07:12.803 0 %LINK-3-UPDOWN: Interface FastEthernet3/0, changed state to down

Logging can be changed to send everything to the remote host by changing this line:

logging trap 7

This will send all logs to the remote host:

root@ryzen:/home/blades/Workspace/src/syslog # perl syslog.pl
192.168.0.100 60619 local7 Notice Feb 18 12:16:16.251 0 %SYS-5-CONFIG_I: Configured from console by console
192.168.0.100 60619 local7 Debug Feb 18 12:16:18.739 0 UDP: rcvd src=192.168.0.1(2190), dst=192.168.0.255(2190), length=187
192.168.0.100 60619 local7 Debug Feb 18 12:17:19.763 0 UDP: rcvd src=192.168.0.1(2190), dst=192.168.0.255(2190), length=187
192.168.0.100 60619 local7 Debug Feb 18 12:17:58.659 0 UDP: rcvd src=192.168.0.111(138), dst=255.255.255.255(138), length=209
192.168.0.100 60619 local7 Notice Feb 18 12:18:17.483 0 %SYS-5-CONFIG_I: Configured from console by console
192.168.0.100 60619 local7 Debug Feb 18 12:18:20.795 0 UDP: rcvd src=192.168.0.1(2190), dst=192.168.0.255(2190), length=187
192.168.0.100 60619 local7 Notice Feb 18 12:18:25.075 0 %SYS-5-CONFIG_I: Configured from console by console
192.168.0.100 60619 local7 Notice Feb 18 12:18:28.939 0 %SYS-5-CONFIG_I: Configured from console by console

The Perl syslog daemon is from here. You will need to run it as root as it binds a privileged port.
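As an added example (not the Perl daemon the post uses), here is a Python receiver/parser for the syslog datagrams IOS sends: it decodes the PRI into facility and severity, pulls out the %FACILITY-SEVERITY-MNEMONIC, checks the two severities agree, mirrors the “logging trap” level filter and picks out %SYS-5-CONFIG_I configuration-change events. The datagrams in SAMPLE_DATAGRAMS are constructed to match the messages shown above; receive_once binds UDP/514 and, like the Perl daemon, needs root.

```python
import re
import socket

# Syslog PRI = facility * 8 + severity. IOS defaults to facility local7 (23).
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon"}
FACILITY_NAMES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]
LEVEL_BY_NAME = {name: i for i, name in enumerate(SEVERITY_NAMES)}

# <PRI>[seq: ][*]Mon DD HH:MM:SS[.mmm][ TZ]: body   (shape of IOS 'logging host' datagrams)
DATAGRAM_RE = re.compile(
    r"^<(\d{1,3})>(?:(\d+): )?\*?"
    r"([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?)(?: [A-Z]+)?: (.*)$"
)
# %FACILITY-SEVERITY-MNEMONIC: text  (debug output carries no such prefix)
MNEMONIC_RE = re.compile(r"^%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): (.*)$")


def parse_datagram(raw):
    """Parse one IOS syslog datagram; returns None for anything not in that shape."""
    m = DATAGRAM_RE.match(raw)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # largest legal PRI: facility 23, severity 7
        return None
    rec = {
        "facility": FACILITY_NAMES.get(pri >> 3, str(pri >> 3)),
        "severity": pri & 7,
        "severity_name": SEVERITY_NAMES[pri & 7],
        "sequence": int(m.group(2)) if m.group(2) else None,
        "timestamp": m.group(3),
        "ios_facility": None, "mnemonic": None, "mnemonic_severity": None,
        "text": m.group(4),
        "consistent": True,
    }
    mm = MNEMONIC_RE.match(m.group(4))
    if mm:
        rec["ios_facility"] = mm.group(1)
        rec["mnemonic_severity"] = int(mm.group(2))
        rec["mnemonic"] = mm.group(3)
        rec["text"] = mm.group(4)
        # A PRI severity that disagrees with the %FAC-SEV-MNEMONIC is worth a look.
        rec["consistent"] = rec["mnemonic_severity"] == rec["severity"]
    return rec


def would_be_trapped(rec, trap_level):
    """Mirror 'logging trap <level>': only messages at that severity number or lower are sent."""
    level = LEVEL_BY_NAME[trap_level] if isinstance(trap_level, str) else int(trap_level)
    return rec["severity"] <= level


def config_change_events(records):
    """Defender's view: every %SYS-5-CONFIG_I is a configuration change on the router."""
    return [r for r in records
            if r and r["ios_facility"] == "SYS" and r["mnemonic"] == "CONFIG_I"]


def receive_once(bind_addr="0.0.0.0", port=514, timeout=5.0):
    """Bind the syslog UDP port (privileged, hence root) and parse a single datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind((bind_addr, port))
        data, (src, _) = sock.recvfrom(4096)
    rec = parse_datagram(data.decode("utf-8", errors="replace"))
    if rec:
        rec["source"] = src
    return rec


# Constructed datagrams matching the messages the page's daemon printed
# (local7 = 23, so PRI = 184 + severity).
SAMPLE_DATAGRAMS = [
    "<187>*Feb 18 12:04:59.535: %LINK-3-UPDOWN: Interface FastEthernet2/0, changed state to down",
    "<189>*Feb 18 12:16:16.251: %SYS-5-CONFIG_I: Configured from console by console",
    "<191>*Feb 18 12:16:18.739: UDP: rcvd src=192.168.0.1(2190), dst=192.168.0.255(2190), length=187",
]

if __name__ == "__main__":
    records = [parse_datagram(d) for d in SAMPLE_DATAGRAMS]
    for level in ("warnings", "debugging"):
        sent = [r["mnemonic"] or r["text"][:20] for r in records if would_be_trapped(r, level)]
        print(f"logging trap {level}: {sent}")
    print("config changes:", [r["timestamp"] for r in config_change_events(records)])
```

With “logging trap warnings” only the %LINK-3-UPDOWN message reaches the collector, which is exactly what the first daemon output above shows; with “logging trap 7” the CONFIG_I notices and the UDP debug lines arrive too, and the config-change filter is the one to alert on.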