Friday, February 24, 2012

SNMP & RMON


SNMP

  • Runs over UDP ports 161/162, so delivery is not reliable
  • Management Information Base (MIB) - used to read/write variables in the device config
  • Network management station (NMS) asks the managed device for the status of the MIB. This is called SNMP polling
  • Managed device may also report unsolicited events, called SNMP traps or informs - the difference being that informs require an ack

SNMP VERSIONS

3 main versions
v1 - supports only community authentication
v2c - supports community authentication and views
v3 - supports users/groups, encryption and secure authentication

SNMPv1/2c

Configured as snmp-server community {string} {ro|rw} {acl}
community string
   - clear text passwords for NMS to poll device
2 types of community strings
   - read only
   - read write
ACL defines who can poll device

SNMP Traps

Device reports unsolicited events to NMS
Reports could be
   - unreliable - traps
   - reliable - informs
   - both are sent using UDP to port 162
SNMP V1/V2
-----------
Step 1: define the events to trap
All traps
snmp-server enable traps
Specific traps
snmp-server enable traps {notification-type}
Step 2: define a host to send the traps to

All enabled traps
snmp-server host {host-addr} {community-string}
Subset of enabled traps
snmp-server host {host-addr} {community-string} {notification-type}

A common mistake is to define the hosts but not actually enable the traps globally, i.e.
skipping step 1.

sh snmp mib ifmib ifindex - a good command for seeing which index was assigned to a
                      particular interface. The ifIndex can change when new interfaces come
                      online (new interfaces include subinterfaces and loopbacks). To keep
                      persistent values for assigned interfaces we can use the command
snmp-server ifindex persist
sh snmp mib - gives a list of all possible MIBs. Some are hard to decipher from the name
             alone; there are SNMP MIB translators on the net to assist.

SNMP V3
--------
3 main entities
Users - operators accessing the routers
Groups - users are placed in groups; access privileges are then assigned to the groups
Views - define the subset of the MIB visible to groups
So it is similar to Windows groups: you put a user in a group, and the group is then assigned
access to the view.


SNMPV3 Security
----------------
Access to the MIB is either
    - unauthenticated/unencrypted - NoAuthNoPriv
    - authenticated only - AuthNoPriv
    - authenticated and encrypted - AuthPriv
SNMPv3 Traps
------------
Supports traps/informs
Authentication model is different
Traps need to have a user associated
User credentials are used to authenticate
The NMS needs to implement authentication


RMON
-----
Remote Monitoring
  - used to monitor MIB variables
Monitoring has two components
   - alarm
      condition to trigger events
   - event
      action to associate with the alarm
      normally a syslog/SNMP trap


RMON Alarm
-----------
An RMON alarm defines how the MIB variable is sampled.
There are 2 types:

1) Delta sampling - used for variables that accumulate, like packet counters and CRC errors.
These variables never go down, always up. Having just the raw value for these is not much
use, as it is hard to tell over what time period the value built up. What delta gives you is
the difference in each time period: a syslog saying you have had 6 CRC errors on an
interface in the last 10 minutes is a lot easier to act on than just hearing you have had
6 CRC errors ever.
- Difference between the MIB value at time index A compared to time index B
- Used for values that only increase/accumulate
- Tracks the rate of change of the variable
- The sampling interval defines the time period
2) Absolute sampling - an exact match of the MIB value at time index A.
  You use this for values that go up and down, and for variables where the value at that
specific moment is useful on its own, for example:
CPU utilization, memory utilization, error % on interfaces, size of routing table
- Used for values that increase and decrease

The parser will not tell you which variables should be used with delta, so you need to look
at the variable and think about it. In general, if it is a variable that just goes up, use
delta; if it is a variable that goes up and down, use absolute.
 
LAB
----
FOR SNMPV1/V2

First we will define our polling.
We will define a subnet that has access:
r4(config)#ip access-list standard EIGRP-SNMP
r4(config-std-nacl)#permit 192.168.1.0 0.0.0.255
r4(config-std-nacl)#

r4(config)#snmp-server community EIGRP-SNMP-COM ro EIGRP-SNMP


Next in global config we need to enable our traps

r4(config)#snmp-server enable traps ?
  atm                Enable SNMP atm traps
  authenticate-fail  Enable SNMP 802.11 Authentication Fail Trap
  bgp                Enable BGP traps
  bstun              Enable SNMP BSTUN traps
  bulkstat           Enable Data-Collection-MIB Collection notifications
  cnpd               Enable NBAR Protocol Discovery traps
  config             Enable SNMP config traps
  config-copy        Enable SNMP config-copy traps
  cpu                Allow cpu related traps
  deauthenticate     Enable SNMP 802.11 Deauthentication Trap
  disassociate       Enable SNMP 802.11 Disassociation Trap
  dlsw               Enable SNMP dlsw traps
  dot11-qos          Enable SNMP 802.11 QoS Change Trap
  ds0-busyout        Enable ds0-busyout traps
  ds1                Enable SNMP DS1 traps
  ds1-loopback       Enable ds1-loopback traps
  dsp                Enable SNMP dsp traps
  eigrp              Enable SNMP EIGRP traps
  entity             Enable SNMP entity traps
  envmon             Enable SNMP environmental monitor traps
  event-manager      Enable SNMP Embedded Event Manager traps
  firewall           Enable SNMP Firewall tra
This is a partial list. We can enable traps for specific technologies rather than all
traps.
This would be for EIGRP info:
r4(config)#snmp-server enable traps eigrp

If I wanted all traps I would use the below:
r4(config)#snmp-server enable traps

next we define the host to send traps to

r4(config)#snmp-server host 192.168.2.1 EIGRP-SNMP-COM eigrp

so this server would be sent the traps for eigrp

sh snmp mib will show you all the preconfigured MIBs available to use.
If we are looking at interfaces:
r4#sh snmp mib ifmib ifindex
FastEthernet0/0: Ifindex = 1
Loopback0: Ifindex = 8
Null0: Ifindex = 5
Serial0/0/0: Ifindex = 3
Async2: Ifindex = 6
FastEthernet0/1: Ifindex = 2
Serial0/1/0: Ifindex = 4
Async18: Ifindex = 7
r4#
and we want to keep the index persistent for our logging of particular interfaces

r4(config)#snmp-server ifindex pers

SNMP V3
-------

First we create our view
r4(config)#snmp-server view MYVIEW cisco included
Create the group
r4(config)#snmp-server group MYGROUP v3 priv read MYVIEW

Create the user
r4(config)#snmp-server user MYUSER MYGROUP v3 auth md5 PASSWORD priv 3des SECRETKEY
So we have created a user who will be in the group MYGROUP, with MD5 authentication and
3DES encryption.


Define a trap
r4(config)#snmp-server host 192.168.2.1 trap version 3 auth MYUSER eigrp
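
A check for the configuration mistakes covered in these notes (hosts defined without traps enabled, a community with no ACL, a v3 user pointing at a group name that was never created), written as an added Python example that is not part of the original lab. It assumes the command forms shown above, uses a constructed config fragment with placeholder names, and goes slightly beyond the notes by also flagging read-write communities, v3 groups below priv, and MD5/DES/3DES users.

```python
"""Audit IOS snmp-server lines for the mistakes these notes call out."""


def audit_snmp(config_text):
    """Return a sorted list of findings for an IOS configuration fragment."""
    words = [ln.split() for ln in config_text.splitlines()]
    cmds = [w[1:] for w in words if len(w) > 2 and w[0] == "snmp-server"]
    groups = {c[1] for c in cmds if c[0] == "group"}
    traps_on = any(c[:2] == ["enable", "traps"] for c in cmds)
    findings = set()
    for c in cmds:
        if c[0] == "community":
            # Form used in the notes: community {string} {ro|rw} {acl}
            if c[2:3] == ["rw"]:
                findings.add(f"community {c[1]}: read-write access")
            if len(c) < 4:
                findings.add(f"community {c[1]}: no ACL limits who can poll")
        elif c[0] == "host" and not traps_on:
            findings.add(f"host {c[1]}: traps are not enabled globally")
        elif c[0] == "group" and c[2:3] == ["v3"] and c[3:4] != ["priv"]:
            findings.add(f"group {c[1]}: v3 level below priv, no encryption")
        elif c[0] == "user" and len(c) > 2:
            if c[2] not in groups:
                findings.add(f"user {c[1]}: group {c[2]} is not defined")
            legacy = sorted({"md5", "des", "3des"} & set(c[3:]))
            if legacy:
                findings.add(f"user {c[1]}: legacy algorithms {', '.join(legacy)}")
    return sorted(findings)


# Constructed running-config fragment with placeholder names and secrets.
SAMPLE = """\
snmp-server community LAB-RO ro SNMP-POLLERS
snmp-server community LAB-RW rw
snmp-server view MYVIEW cisco included
snmp-server group OPSGROUP v3 priv read MYVIEW
snmp-server user OPERATOR OPSGRUOP v3 auth md5 AUTH-PLACEHOLDER priv 3des PRIV-PLACEHOLDER
snmp-server host 192.0.2.10 LAB-RO eigrp
"""

if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE):
        print(finding)
```
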

RMON
-----
OK, I will do RMON on interface f0/1, with an alarm if we get 1000 packets in 60 seconds.

r4#sh snmp mib ifmib ifindex
FastEthernet0/0: Ifindex = 1
Loopback0: Ifindex = 8
Null0: Ifindex = 5
Serial0/0/0: Ifindex = 3
Async2: Ifindex = 6
FastEthernet0/1: Ifindex = 2
Serial0/1/0: Ifindex = 4
Async18: Ifindex = 7
r4#

*Feb 24 13:11:08.895: %SYS-5-CONFIG_I: Configured from console by console
r4#sh run | inc rmon
rmon alarm 1 ifOutUcastPkts.2 60 delta rising-threshold 1000 2 falling-threshold 1 3 owner config
r4#

OK, so this command says: for the first RMON alarm we check interface output unicast
packets for ifIndex 2, which is fa0/1, using delta sampling. The rising value is 1000
packets; if that is reached, event 2 is triggered. The falling-threshold is 1 packet and
will trigger event 3.

We now need to define the events
r4(config)#rmon event 2 log description interface-fa0/1-over-100ppm
so for event 2 we will get a log saying interface-fa0/1-over-100ppm

For event 3

r4(config)#rmon event 3 log description interface-fa0/1-is-not-transmitting

r4#sh rmon alarms
Alarm 1 is active, owned by config
 Monitors ifOutUcastPkts.2 every 60 second(s)
 Taking delta samples, last value was 6
 Rising threshold is 1000, assigned to event 2
 Falling threshold is 1, assigned to event 3
 On startup enable rising or falling alarm
r4#

r4#
*Feb 24 13:23:01.855: %RMON-5-RISINGTRAP: Rising trap is generated because the value of
ifOutUcastPkts.2 exceeded the rising-threshold value 1000

r4#sh rmon alarms
Alarm 1 is active, owned by config
 Monitors ifOutUcastPkts.2 every 60 second(s)
 Taking delta samples, last value was 1106
 Rising threshold is 1000, assigned to event 2
 Falling threshold is 1, assigned to event 3
 On startup enable rising or falling alarm
r4#
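
The alarm from this lab (ifOutUcastPkts.2 sampled every 60 seconds, rising 1000 to event 2, falling 1 to event 3) modelled in Python, as an added example that is not from the original post or Cisco's implementation. The counter readings are constructed and the Counter32 wrap handling is an assumption of this sketch; the same readings are also run with absolute sampling to show why that mode is wrong for a counter.

```python
"""Simulate RMON alarm evaluation (delta vs absolute sampling) with hysteresis."""

COUNTER32_MOD = 2 ** 32  # ifOutUcastPkts is a Counter32 and wraps at 2^32


def rmon_alarm(samples, rising, falling, rising_event, falling_event, delta=True):
    """Return [(sample_index, compared_value, event_id)] for each event fired.

    samples: raw MIB values, one read per sampling interval.
    A rising event fires when the compared value reaches `rising` and cannot
    fire again until the value has dropped to `falling` (and vice versa).
    """
    fired = []
    can_rise = can_fall = True      # "On startup enable rising or falling alarm"
    previous = None
    for index, raw in enumerate(samples):
        if delta:
            if previous is None:    # the first read only seeds the baseline
                previous = raw
                continue
            # Assumption of this sketch: tolerate one counter wrap per interval.
            value = (raw - previous) % COUNTER32_MOD
            previous = raw
        else:
            value = raw
        if value >= rising and can_rise:
            fired.append((index, value, rising_event))
            can_rise, can_fall = False, True
        elif value <= falling and can_fall:
            fired.append((index, value, falling_event))
            can_fall, can_rise = False, True
    return fired


# Constructed counter readings for ifOutUcastPkts.2, one per 60-second interval.
COUNTER_READINGS = [5000, 5006, 6112, 7300, 7300, 7450, 9000]


def demo():
    """Evaluate the lab's thresholds with delta and then absolute sampling."""
    delta_events = rmon_alarm(COUNTER_READINGS, 1000, 1, 2, 3, delta=True)
    absolute_events = rmon_alarm(COUNTER_READINGS, 1000, 1, 2, 3, delta=False)
    return delta_events, absolute_events


if __name__ == "__main__":
    for label, events in zip(("delta", "absolute"), demo()):
        print(label, events)
```

With absolute sampling the counter is already above 1000 on the first read, so event 2 fires once and the alarm never re-arms, because an accumulating counter never drops back to the falling threshold.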
