This article walks you through the steps to enable SNMP on Cisco routers and switches, including how to secure the SNMP configuration of the underlying devices, following the practice of international companies worldwide.
Here's an example:
snmp-server community 14all3$$ RO 30
snmp-server community gds4chv1 RW 10
snmp-server community mrtg RO 1300
snmp-server community VBCCrep0rting RO 1333
snmp-server ifindex persist
snmp-server trap-source Loopback0
snmp-server location THHQCE7-3845: Facility-Code THHQ, Offshore (Thailand) Ltd, Bangkok7th floor, Building BB, 123 Vibhavadi Road, Jatujak, Bangkok 10900
snmp-server contact network operations 66-6428 xxxx
snmp-server enable traps tty
snmp-server enable traps config
snmp-server host 172.20.71.201 Voyence config
snmp-server host 172.20.3.35 Voyence config
snmp-server host 172.20.71.201 config
snmp-server host 172.20.9.201 config
Next, I highly recommend restricting SNMP access with ACLs so that only your monitoring hosts can use the community strings. Bear in mind that SNMPv1 and SNMPv2c send the community string in cleartext; if you want to secure the communication between the network monitoring tool (WhatsUp, SolarWinds, Nagios) and the switches/routers, you will have to use SNMPv3.
ACL SNMP setting example (ACL 10 is bound to the RW community and ACL 30 to the RO community above; the mrtg and VBCCrep0rting communities reference ACLs 1300 and 1333, which are not shown here and must also be defined):
!<----- ACL 10 for Read Write, ACL 30 for Read Only
!
! ACL 10 – SNMP READ WRITE
!
no access-list 10
access-list 10 permit 172.27.124.18 log
access-list 10 permit 136.171.124.18 log
access-list 10 permit 172.20.71.200 log
access-list 10 permit 172.20.9.200 log
access-list 10 permit 172.20.50.21 log
access-list 10 permit 172.20.46.70 log
access-list 10 deny any log
!
!
! ACL 30 – SNMP READ ONLY
!
no access-list 30
access-list 30 permit 172.20.46.89 log
access-list 30 permit 172.20.46.114 log
access-list 30 permit 172.20.50.22 log
access-list 30 permit 172.20.32.5 log
access-list 30 permit 172.20.46.5 log
access-list 30 permit 172.20.46.6 log
access-list 30 permit 172.20.46.8 log
access-list 30 deny any log
!
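As an added example (not from the article), a small audit script that reads the kind of snmp-server and access-list configuration shown above and reports the checks a reviewer would make: default community names, communities with no ACL, communities referencing an ACL that is never defined, read-write communities, and ACLs without an explicit "deny any log". The sample config, community names and ACL numbers are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample config mirroring the article's layout; community strings
# and ACL numbers are placeholders chosen for this example.
SAMPLE_CONFIG = """
snmp-server community public RO
snmp-server community ro-nms RO 30
snmp-server community rw-nms RW 10
snmp-server community mrtg RO 1300
access-list 10 permit 172.20.71.200 log
access-list 10 deny any log
access-list 30 permit 172.20.46.89 log
access-list 30 permit 172.20.46.114 log
"""

# Numbered ACLs only, as in the article (a named ACL would show up as "no ACL").
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\d+))?", re.M)
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+)(?: (\S+))?", re.M)

def audit_snmp(config: str) -> List[str]:
    """Return a list of findings for the snmp-server community / ACL setup."""
    acls: Dict[str, List[str]] = {}
    for num, action, src, _rest in ACL_RE.findall(config):
        acls.setdefault(num, []).append(f"{action} {src}")
    findings: List[str] = []
    for name, mode, acl in COMMUNITY_RE.findall(config):
        if name.lower() in {"public", "private"}:
            findings.append(f"community '{name}': well-known default string")
        if not acl:
            findings.append(f"community '{name}': no ACL, reachable from any source")
        elif acl not in acls:
            # A referenced but never-defined ACL restricts nothing; define it.
            findings.append(f"community '{name}': references undefined ACL {acl}")
        if mode == "RW":
            findings.append(f"community '{name}': read-write access granted")
    for num, entries in acls.items():
        # The implicit deny still blocks, but only an explicit entry logs it.
        if not any(e.startswith("deny any") for e in entries):
            findings.append(f"ACL {num}: no explicit 'deny any log', denied sources will not be logged")
    return findings

if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(finding)
```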
Testing:
To test the new configuration, use snmpwalk on the Linux server running your network monitoring tools:
[root@ARNAG libexec]#snmpwalk -v 2c -c COMMUNITYSTRING IPADDRESS
[root@ARNAG libexec]# snmpwalk -v2c -c Savvi148 172.20.1.35
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 28-Jan-13 10:28 by prod_rel_team
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.1208
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (209528058) 24 days, 6:01:20.58
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: THHQSL2-2960S
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 6
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORID.1 = OID: SNMPv2-SMI::enterprises.9.7.129
SNMPv2-MIB::sysORID.2 = OID: SNMPv2-SMI::enterprises.9.7.115
SNMPv2-MIB::sysORID.3 = OID: SNMPv2-SMI::enterprises.9.7.265
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-SMI::enterprises.9.7.112
SNMPv2-MIB::sysORID.5 = OID: SNMPv2-SMI::enterprises.9.7.106
SNMPv2-MIB::sysORID.6 = OID: SNMPv2-SMI::enterprises.9.7.47
SNMPv2-MIB::sysORID.7 = OID: SNMPv2-SMI::enterprises.9.7.122
SNMPv2-MIB::sysORID.8 = OID: SNMPv2-SMI::enterprises.9.7.135
SNMPv2-MIB::sysORID.9 = OID: SNMPv2-SMI::enterprises.9.7.43
SNMPv2-MIB::sysORID.10 = OID: SNMPv2-SMI::enterprises.9.7.37
These are the commands to check input/output discards and input/output errors:
[root@ARNAG libexec]#snmpwalk -Ofn -v 1 -c Savvi148 172.30.1.20 1.3.6.1.2.1.2.2.1.19
"ifOutDiscards" "1.3.6.1.2.1.2.2.1.19"
[root@ARNAG libexec]#snmpwalk -Ofn -v 1 -c Savvi148 172.30.1.20 1.3.6.1.2.1.2.2.1.13
"ifInDiscards" "1.3.6.1.2.1.2.2.1.13"
[root@ARNAG libexec]#snmpwalk -v2c -c Savvi148 172.20.1.20 .iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry
1.3.6.1.2.1.2.2.1.13
.iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifInDiscards
.iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifInErrors
.iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOutDiscards
.iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOutErrors
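As an added example (not part of the article), a parser for the numeric `snmpwalk -Ofn` output of the four ifTable counter columns above, which groups the values per ifIndex and flags interfaces whose discards or errors exceed a threshold. The article lists the OIDs for ifInDiscards (.13) and ifOutDiscards (.19); the ifInErrors (.14) and ifOutErrors (.20) columns are the standard IF-MIB assignments. The sample walk output is constructed, not captured from the article's device.

```python
import re
from collections import defaultdict
from typing import Dict, List

# ifTable counter columns (IF-MIB ifEntry) that the article's snmpwalk commands query.
IF_COUNTERS = {
    "1.3.6.1.2.1.2.2.1.13": "ifInDiscards",
    "1.3.6.1.2.1.2.2.1.14": "ifInErrors",
    "1.3.6.1.2.1.2.2.1.19": "ifOutDiscards",
    "1.3.6.1.2.1.2.2.1.20": "ifOutErrors",
}

# One line of `snmpwalk -Ofn` output: .<column OID>.<ifIndex> = Counter32: <value>
LINE_RE = re.compile(
    r"^\.?(1\.3\.6\.1\.2\.1\.2\.2\.1\.(?:13|14|19|20))\.(\d+) = Counter32: (\d+)$"
)

def parse_walk(output: str) -> Dict[int, Dict[str, int]]:
    """Map ifIndex -> {counter name -> value}; lines that are not counters are skipped."""
    table: Dict[int, Dict[str, int]] = defaultdict(dict)
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            column, ifindex, value = m.groups()
            table[int(ifindex)][IF_COUNTERS[column]] = int(value)
    return dict(table)

def flag_interfaces(table: Dict[int, Dict[str, int]], threshold: int = 0) -> Dict[int, List[str]]:
    """Return {ifIndex: [counters above threshold]}, leaving out clean interfaces."""
    flagged: Dict[int, List[str]] = {}
    for idx, counters in sorted(table.items()):
        bad = [name for name, v in counters.items() if v > threshold]
        if bad:
            flagged[idx] = bad
    return flagged

# Constructed sample walk output for two interfaces (ifIndex 1 and 2).
SAMPLE_WALK = """\
.1.3.6.1.2.1.2.2.1.13.1 = Counter32: 0
.1.3.6.1.2.1.2.2.1.13.2 = Counter32: 42
.1.3.6.1.2.1.2.2.1.14.1 = Counter32: 0
.1.3.6.1.2.1.2.2.1.14.2 = Counter32: 3
.1.3.6.1.2.1.2.2.1.19.1 = Counter32: 0
.1.3.6.1.2.1.2.2.1.19.2 = Counter32: 0
.1.3.6.1.2.1.2.2.1.20.1 = Counter32: 7
.1.3.6.1.2.1.2.2.1.20.2 = Counter32: 0
"""

if __name__ == "__main__":
    print(flag_interfaces(parse_walk(SAMPLE_WALK)))
```

On a live device, feed the script the concatenated output of the four snmpwalk commands instead of SAMPLE_WALK.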
- Telnet to the switch/router (use SSH instead where the device supports it, since Telnet sends the passwords in cleartext):
C:\Users\LAX>telnet THHQCE7-3845
- Enter enable mode:
THHQCE7-3845> enable
Password:
THHQCE7-3845#
- Enter config mode:
THHQCE7-3845# configure terminal
- Use the commands below to add a Read-Only and a Read-Write community string:
THHQCE7-3845(config)# snmp-server community 14all3$$ RO
THHQCE7-3845(config)# snmp-server community gds4chv1 RW
This was a nice little intro to get things up and running. Appreciated!!