1-6 System Monitoring


  • Simple Network Management Protocol (SNMP) allows you to monitor information about and manage a network device.

  • A Management Information Base (MIB) is a collection of variables stored on a network device. The variables can be updated by the device or queried from an external source.

  • MIBs are structured according to the SNMP MIB module language, which is based on the Abstract Syntax Notation 1 (ASN.1) language.

  • An SNMP agent runs on a network device and maintains the various MIB variables. Any update or query of the variables must be handled through the agent.

  • An SNMP agent can also send unsolicited messages, or traps, to an SNMP manager. Traps are used to alert the manager to changing conditions on the network device.

  • An SNMP manager is usually a network management system that queries MIB variables, can set MIB variables, and receives traps from a collection of network devices.

  • SNMP agents can send either traps or inform requests. Traps are sent in one direction and are unreliable. Inform requests are reliable in the sense that they must be acknowledged or they are resent.

  • SNMP version 1 (SNMPv1) is the original version. It is based on RFC 1157 and has only basic cleartext community strings for security. Access can be limited to the IP address of the SNMP manager.

  • SNMP Version 2 (SNMPv2c) is an enhanced version based on RFCs 1901, 1905, and 1906. It improves on bulk information retrieval and error reporting but uses the cleartext community strings and IP addresses to provide security.

  • SNMP Version 3 (SNMPv3) is based on RFCs 2273 to 2275 and offers robust security. Data integrity and authentication can be provided through usernames, MD5, and SHA algorithms. Encryption can be provided through DES.

  • Remote Monitoring (RMON) provides a view of traffic flowing through a router. By default, IOS can provide RMON alarms and events. An IOS with full RMON support provides nine management groups: statistics, history, alarms, hosts, hostTopN, matrix, filter, capture, and event.

  • Full RMON also allows packet capture, although only packet headers are captured. This minimizes the security risk of revealing the payload information. (Packet capture is supported only on Cisco 2500 and AS5200 Ethernet interfaces.)

NOTE

SNMP requests and responses are sent using UDP port 161. Notifications or traps are sent using UDP port 162.


Configuration

  1. Configure SNMP identity.

    1. Define the contact information:

       (global) snmp-server contact contact-string

      The contact-string contains text information that the router can provide about the network administrator.

    2. Define the device location:

       (global) snmp-server location location-string

      The location-string is text information that the router can provide about its physical location.

    3. Define the device serial number:

       (global) snmp-server chassis-id id-string

      The id-string is text information that the router can provide about its own serial number. If the hardware serial number can be read by the IOS software, this number is the default chassis ID.

  2. Configure SNMP Access.

    1. (Optional) Define SNMP views to restrict access to MIB objects:

       (global) snmp-server view view-name oid-tree {included | excluded}

      If necessary, an SNMP manager can be limited to viewing only specific parts of the router's MIB tree. A view is defined with the name view-name. The oid-tree value is the object identifier of the MIB subtree in ASN.1 format: a text string of numbers or words representing the subtree, separated by periods (such as system, cisco, system.4, and 1.*.2.3). Any component of the subtree can be wildcarded with an asterisk. Access to the subtree is either permitted or denied with the included and excluded keywords.

      Multiple views can be defined, each applied to a different set of users or SNMP managers.

      NOTE

      For more information about the MIB tree structure and MIBs in general, see Appendix C, "SNMP MIB Structure."
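      The following Python is an added example, not code from the book or from IOS, that evaluates a set of view entries the way the text describes: dotted subtrees, symbolic leading names, asterisk wildcards, and included/excluded. The name table is an assumed subset of the names IOS accepts, and the tie-break rule (longest matching subtree wins) is the VACM rule from RFC 3415.

```python
from typing import List, Optional, Tuple, Union

Arc = Union[int, str]   # an integer arc, or "*" for a wildcarded component

# Assumed name table: a few symbolic subtree names accepted in an oid-tree (constructed subset).
OID_NAMES = {
    "internet": "1.3.6.1",
    "system": "1.3.6.1.2.1.1",
    "interfaces": "1.3.6.1.2.1.2",
    "cisco": "1.3.6.1.4.1.9",
}

def parse_oid_tree(text: str) -> List[Arc]:
    """Turn 'system.4' or '1.*.2.3' into a list of arcs, expanding a leading symbolic name."""
    parts = text.split(".")
    if parts[0] in OID_NAMES:
        parts = OID_NAMES[parts[0]].split(".") + parts[1:]
    return [p if p == "*" else int(p) for p in parts]

def subtree_matches(subtree: List[Arc], oid: List[int]) -> bool:
    # The OID lies in the subtree when it is at least as long and every non-wildcard arc agrees.
    return len(oid) >= len(subtree) and all(s == "*" or s == o for s, o in zip(subtree, oid))

class SnmpView:
    """One named view built from repeated 'snmp-server view NAME oid-tree {included | excluded}' lines."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[Tuple[List[Arc], bool]] = []

    def add(self, oid_tree: str, included: bool) -> "SnmpView":
        self.entries.append((parse_oid_tree(oid_tree), included))
        return self

    def allows(self, oid_text: str) -> bool:
        """RFC 3415 rule: the longest matching subtree decides; ties go to the greatest subtree."""
        oid = [int(p) for p in oid_text.split(".")]
        best: Optional[Tuple[Tuple[int, Tuple[int, ...]], bool]] = None
        for subtree, included in self.entries:
            if subtree_matches(subtree, oid):
                rank = (len(subtree), tuple(0 if a == "*" else a for a in subtree))
                if best is None or rank > best[0]:
                    best = (rank, included)
        return best is not None and best[1]   # no matching entry at all: the object is not visible

def demo() -> dict:
    # Constructed view: all of internet, but hide the Cisco private tree and sysContact (system.4).
    ro_view = SnmpView("ro_view").add("internet", True).add("cisco", False).add("system.4", False)
    # Constructed view: ifEntry columns for ifIndex 1 only, using a wildcard for the column arc.
    if1_view = SnmpView("if1_view").add("1.3.6.1.2.1.2.2.1.*.1", True)
    return {
        "sysName.0": ro_view.allows("1.3.6.1.2.1.1.5.0"),        # True
        "sysContact.0": ro_view.allows("1.3.6.1.2.1.1.4.0"),     # False
        "cisco object": ro_view.allows("1.3.6.1.4.1.9.2.1.1.0"), # False
        "ifDescr.1": if1_view.allows("1.3.6.1.2.1.2.2.1.2.1"),   # True
        "ifDescr.2": if1_view.allows("1.3.6.1.2.1.2.2.1.2.2"),   # False
    }

if __name__ == "__main__":
    for name, visible in demo().items():
        print(f"{name:14s} {'included' if visible else 'excluded'}")
```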

    2. Define access methods for remote users.

      • (SNMPv1 or SNMPv2c only) Define community strings to allow access:

         (global) snmp-server community string [view view] [ro | rw] [acc-list]

        A community string value string is used to permit access to SNMP information on the router. Any SNMP manager that presents a matching community string is permitted access. An optional view can be specified with the view keyword. Access is then limited to only the MIB objects permitted by the view definition. Access is granted as read-only or read-write with the ro and rw keywords. An optional standard IP access list acc-list can be given to further limit access to only SNMP managers with permitted IP addresses.

      • (SNMPv3 only) Define names for the engine IDs.

        To specify the local engine ID name, enter the following command:

         (global) snmp-server engineID [local id-string] [remote ip-address udp-port port id-string]

        SNMPv3 uses authentication and encryption based on several parameters. Each end of the SNMP trust relationship must be defined, in the form of engine ID text strings, id-string. These values are 24-character strings, but they can be specified with shorter strings that will be filled to the right with 0s. The local router running SNMP must be defined with the local keyword and id-string.

        To specify the remote SNMP engine ID name, enter the following command:

         (global) snmp-server engineID remote ip-address [udp-port port] id-string

        The remote SNMP engine (an SNMP instance on a remote host or management station) is defined with an ip-address and a text string named id-string. An optional UDP port to use for the remote host can be given with the udp-port keyword (the default is 161).

        NOTE

        If either local or remote engine ID names change after these commands are used, the authentication keys become invalid, and users have to be reconfigured. MD5 and SHA keys are based on user passwords and the engine IDs.

      • (Optional) Define a group access template for SNMP users:

         (global) snmp-server group [groupname {v1 | v2c | v3 {auth | noauth | priv}}] [read readview] [write writeview] [notify notifyview] [access acc-list]

        The template groupname defines the security policy to be used for groups of SNMP users. The SNMP version used by the group is set by the v1, v2c, and v3 keywords. For SNMPv3, the security level must also be specified as auth (packet authentication, no encryption), noauth (no packet authentication), or priv (packet authentication with encryption).

        SNMP views can also be specified to limit MIB access for the group, using the keywords read (view readview defines readable objects; it defaults to all Internet 1.3.6.1 OID space), write (view writeview defines writable objects; there is no default write access), and notify (view notifyview defines notifications that can be sent to the group; there is no default). An optional standard IP access list acc-list can be used to further limit SNMP access for the group.

      • (Optional) Define SNMP users and access methods.

        For SNMPv1 or SNMPv2c, apply a user to a group:

         (global) snmp-server user username groupname [remote ip-address] {v1 | v2c} [access acc-list]

        A user username is defined as belonging to the group template groupname. The IP address of the remote SNMP manager where the user belongs can be specified with the remote keyword. The version of SNMP must be specified with the v1 or v2c keywords. A standard IP access list can be used with the access keyword to allow only specific source addresses for the SNMP user.

        For SNMPv3, apply a user to a group and security policies:

         (global) snmp-server user username groupname [remote ip-address] v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]] [access acc-list]

        A user username is defined as belonging to the group template groupname. The IP address of the remote SNMP manager where the user belongs can be specified with the remote keyword. SNMP Version 3 must be specified with the v3 keyword. A standard IP access list can be used with the access keyword to allow only specific source addresses for the SNMP user.

        By default, passwords for the user are input as text strings. If the encrypted keyword is given, passwords must be input as MD5 digests (already encrypted). An authentication password for the user is specified with the auth keyword, the type of authentication as keywords md5 (HMAC-MD5-96 Message Digest 5) or sha (HMAC-SHA-96), and a text string as auth-password (up to 64 characters).

        A password that enables privacy or encryption of SNMP packets for the user is defined with the priv des56 keyword and a text string priv-password (up to 64 characters).

        NOTE

        In order to use des56 and SHA encryption, you must have the cryptographic software image for your router.
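        The engine ID NOTE above and the auth-password description both rest on one mechanism: the user's authentication key is derived from the password and then bound to the engine ID. The Python below is an added example, not code from the book or from IOS, that performs the RFC 3414 password-to-key and key-localization steps so the effect of an engine ID change is visible; the right-padding helper follows the 24-character, zero-filled-to-the-right rule stated for id-string, and the sample engine IDs are constructed.

```python
import hashlib

# Password-to-key (RFC 3414 A.2): hash 1 MiB of the password repeated end to end.
def password_to_key(password: bytes, algo: str) -> bytes:
    h = hashlib.new(algo)            # "md5" or "sha1", matching the auth md5 / auth sha keywords
    block = bytearray(64)
    pos = 0
    for _ in range(1048576 // 64):
        for i in range(64):
            block[i] = password[pos % len(password)]
            pos += 1
        h.update(block)
    return h.digest()                # Ku: the user key, not yet tied to any engine

# Key localization (RFC 3414 A.2): bind Ku to one engine ID, so every engine holds a different key.
def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    return hashlib.new(algo, ku + engine_id + ku).digest()   # Kul

# Engine IDs are 24 hex characters; a shorter id-string is filled to the right with 0s (page rule).
def ios_engine_id(hex_string: str) -> bytes:
    padded = hex_string.ljust(24, "0")
    if len(padded) != 24:
        raise ValueError("engine ID longer than 24 hex characters")
    return bytes.fromhex(padded)

ALGOS = {"md5": "md5", "sha": "sha1"}   # snmp-server user ... auth {md5 | sha}

def localized_keys(password: str, engine_id_hex: str) -> dict:
    """Return the per-engine authentication keys (hex) a user gets for a given engine ID."""
    engine = ios_engine_id(engine_id_hex)
    return {kw: localize_key(password_to_key(password.encode(), algo), engine, algo).hex()
            for kw, algo in ALGOS.items()}

def main() -> None:
    # RFC 3414 A.3 test vectors: password "maplesyrup", engine ID 0x000000000000000000000002.
    keys = localized_keys("maplesyrup", "000000000000000000000002")
    print("md5 Kul:", keys["md5"])   # 526f5eed9fcce26f8964c2930787d82b
    print("sha Kul:", keys["sha"])   # 6695febc9288e36282235fc7151f128497b38f3f
    # Constructed: the same user after 'snmp-server engineID local 8000000903000A' (padded to 24).
    changed = localized_keys("maplesyrup", "8000000903000A")
    print("md5 key changed with the engine ID:", changed["md5"] != keys["md5"])   # True

if __name__ == "__main__":
    main()
```

Because the manager and the agent each localize the same password with the agent's engine ID, a changed ID leaves the manager holding keys the agent no longer computes, which is why the NOTE says users must be reconfigured.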

    3. (Optional) Limit the router operations controlled by SNMP.

      • Enable the use of the SNMP reload operation:

         (global) snmp-server system-shutdown

        By default, SNMP cannot be used to issue a reload operation to the router. If this function is desired, this command can be used to enable reload control.

      • Specify the TFTP server operations controlled by SNMP:

         (global) snmp-server tftp-server-list acc-list

        SNMP can be used to cause the router to save or load its configuration file to a TFTP server. The standard IP access list acc-list can be used to permit only a limited set of TFTP server IP addresses.

  3. (Optional) Configure SNMP notifications.

    1. Define a global list of notifications to send:

       (global) snmp-server enable traps [type] [option]

      Notifications (both traps and informs) are enabled for the types specified. Because only one type can be given with this command, the command can be issued as many times as necessary. If the type keyword is not specified, all available notifications are enabled. In addition, if this command is not issued at least once, none of the notifications it controls are enabled.

      Here are possible notifications:

      • aaa-server AAA server state changes (AS5300 and AS5800).

      • bgp BGP state changes.

      • calltracker Call setup or teardown.

      • config Router configuration changes.

      • dial Dialing state changes.

      • dlsw DLSw state changes. The option keyword can be circuit (circuit state changes) or tconn (peer transport connections).

      • ds0-busyout Busyout state of DS0 interfaces (AS5300).

      • ds1-loopback DS1 in loopback mode (AS5300).

      • dsp DSPU state changes with PU or LU.

      • entity Configuration changes (entity MIB).

      • envmon Environmental conditions have been exceeded. The option keyword can be voltage (line voltage), shutdown (a shutdown condition is pending), supply (redundant power supply), fan (fan failure), or temperature. If no option is given, all options are enabled.

      • frame-relay DLCI status changes.

      • hsrp HSRP state changes.

      • isdn Status of ISDN calls. The option keyword can be call-information, chan-not-avail (D channel unavailable), layer2 (layer 2 status changes), or u-interface.

      • msdp Multicast Source Discovery Protocol (MSDP) status changes.

      • repeater Ethernet hub repeater status. The option keyword can be health (RFC 1516 health information) or reset (RFC 1516 hub reset).

      • snmp Basic router status changes. The option keyword can be authentication (authentication failures), linkup (the interface has come up), linkdown (the interface has gone down), or coldstart (the router is reinitializing). If none of these keywords is given, all of them are enabled.

    2. Define recipients of notifications:

       (global) snmp-server host host [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [type]

      A single host (host is either an IP address or a host name) is specified to receive SNMP notifications (either traps or informs). The SNMP version can optionally be given as SNMPv1 (1, the default), SNMPv2c (2c), or SNMPv3 (3). With SNMPv3, a keyword can be given to select the type of security: auth (use MD5 and SHA authentication), noauth (no authentication or privacy, the default), or priv (DES encryption for privacy).

      The community-string keyword is used to specify a "password" that is shared between the SNMP agent and SNMP manager. The UDP port used can be given as port (the default is 162).

      The notification type can be given as one of the following keywords. If no keyword is specified, all available notifications are enabled for the host.

      • aaa-server AAA server state changes (AS5300 and AS5800).

      • bgp BGP state changes.

      • bstun Block Serial Tunneling (BSTUN) state changes.

      • calltracker Call setup or teardown.

      • casa MultiNode Load Balancing (MNLB) forwarding agent state changes.

      • channel Channel Interface Processor (CIP) state changes.

      • config Router configuration changes.

      • dlsw DLSw state changes. The option keyword can be circuit (circuit state changes) or tconn (peer transport connections).

      • ds0-busyout Busyout state of DS0 interfaces (AS5300).

      • ds1-loopback DS1 in loopback mode (AS5300).

      • dsp Domain-Specific Part (DSP).

      • dspu DSPU state changes with PU or LU.

      • entity Configuration changes (entity MIB).

      • envmon Environmental conditions have been exceeded. The option keyword can be voltage (line voltage), shutdown (a shutdown condition is pending), supply (redundant power supply), fan (fan failure), or temperature. If no option is given, all options are enabled.

      • frame-relay DLCI status changes.

      • hsrp HSRP state changes.

      • isdn Status of ISDN calls. The option keyword can be call-information, chan-not-avail (the D channel is unavailable), layer2 (layer 2 status changes), or u-interface.

      • llc2 Logical Link Control type 2 (LLC2) state changes.

      • msdp Multicast Source Discovery Protocol (MSDP) status changes.

      • repeater Ethernet hub repeater status. The option keyword can be health (RFC 1516 health information) or reset (RFC 1516 hub reset).

      • rsrb Remote Source-Route Bridging (RSRB) state changes.

      • rsvp Resource Reservation Protocol (RSVP).

      • rtr Service Assurance Agent (SAA or RTR).

      • sdlc Synchronous Data Link Control (SDLC).

      • sdllc SDLC Logical Link Control (SDLLC).

      • snmp Basic router status changes. The option keyword can be authentication (authentication failures), linkup (the interface has come up), linkdown (the interface has gone down), or coldstart (the router is reinitializing). If none of these keywords is given, all of them are enabled.

      • stun Serial Tunnel (STUN).

      • syslog Logging messages. The syslog level is defined with the logging history level command.

      • tty TCP connection closing.

      • voice Voice port state changes.

      • x25 X.25 events.

      • xgcp External Media Gateway Control Protocol (XGCP).

    3. (Optional) Tune notification parameters.

      • Specify inform request options:

         (global) snmp-server informs [retries retries] [timeout seconds] [pending pending]

        Informs are sent in a reliable fashion, requiring acknowledgment from the inform recipient. The maximum number of inform retries can be set with the retries keyword (the default is 3). The timeout keyword sets the number of seconds to wait for an acknowledgment before resending (the default is 30 seconds). Pending informs must also be kept in router memory until they are acknowledged. The pending keyword sets the maximum number of pending requests kept in memory at any one time (the default is 25). As soon as the maximum is reached, the oldest request is removed from memory.

      • Specify trap options:

         (global) snmp-server trap-timeout seconds
         (global) snmp-server queue-length length

        SNMP traps are not sent reliably, because no acknowledgment is required. Traps can be queued and re-sent only when there is no route to the trap recipient. In that case, the router waits seconds (the default is 30) before retransmitting the trap. In addition, ten traps can be queued for each recipient by default. The queue-length command can be used to set the queue size to length traps each.

      • Specify the source address to use for notifications:

         (global) snmp-server trap-source interface

        SNMP traps can be sent from any available router interface. To have the router send all traps using a single source IP address, specify the interface to use. In this way, traps can easily be associated with the source router.

    4. (Optional) Enable SNMP link traps on specific interfaces:

       (interface) snmp trap link-status

      By default, all interfaces generate SNMP link traps when they go up or down. If this is not desired, use the no snmp trap link-status command on specific interfaces.

  4. (Optional) Enable SNMP manager:

     (global) snmp-server manager

    Allow the router to send SNMP requests and to receive SNMP responses and SNMP notifications from another device.

  5. (Optional) Enable RMON support.

    1. Configure the type of analysis:

       (interface) rmon {native | promiscuous}

      The native keyword causes RMON to examine only packets destined for the router interface. Otherwise, promiscuous examines all packets on the LAN segment.

      NOTE

      RMON analysis is CPU-intensive. Enable RMON only after you have determined that it will not adversely affect the router's performance. Promiscuous mode causes more CPU overhead, because more packets are examined.

    2. (Optional) Define the size of the RMON queue:

       (global) rmon queuesize packets

      The size of the RMON analysis queue can be set to the number of packets (the default is 64).

    3. Define an RMON alarm:

       (global) rmon alarm number object interval {delta | absolute} rising-threshold rise [event] falling-threshold fall [event] [owner string]

      An alarm indexed by number is configured to monitor a specific MIB variable object. The object is given as a dotted-decimal value in the form entry.integer.instance. The interval field specifies the number of seconds between samples of the object. The delta keyword watches the change in the MIB variable between two samples, and absolute watches the MIB variable's value directly. The alarm tests the sampled value against a rising-threshold and a falling-threshold, where rise and fall are the threshold values that trigger the alarm. The event fields specify an event number in the event table to trigger for the rising and falling thresholds. An optional owner text string can be given as the owner of the alarm.
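      The Python below is an added example, not code from the book or from IOS, that models one rmon alarm entry fed with successive polls: delta versus absolute sampling, the rising and falling thresholds, and the event numbers each crossing triggers. The re-arming behaviour (no second rising event until the falling threshold is crossed) is the RMON alarm semantics from RFC 2819, and both alarm definitions are constructed.

```python
from typing import List, Optional, Tuple

class RmonAlarm:
    """Model of one 'rmon alarm' entry: absolute or delta sampling with rising/falling thresholds."""

    def __init__(self, sample_type: str, rising: int, falling: int,
                 rising_event: int, falling_event: int) -> None:
        if sample_type not in ("delta", "absolute"):
            raise ValueError("sample_type must be 'delta' or 'absolute'")
        if rising <= falling:
            raise ValueError("rising-threshold must exceed falling-threshold")
        self.sample_type = sample_type
        self.rising, self.falling = rising, falling
        self.rising_event, self.falling_event = rising_event, falling_event
        self.last_raw: Optional[int] = None     # previous counter value, needed for delta sampling
        self.last_fired: Optional[str] = None   # direction of the last event (the re-arm state)

    def sample(self, raw: int) -> Optional[Tuple[str, int]]:
        """Feed one poll of the MIB object; return (direction, event number) when an event fires."""
        if self.sample_type == "delta":
            if self.last_raw is None:           # a delta needs two polls before it can be judged
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        # RFC 2819: after a rising event no further rising event is sent until the value has
        # crossed the falling threshold (and vice versa); the first poll may fire either way.
        if value >= self.rising and self.last_fired != "rising":
            self.last_fired = "rising"
            return ("rising", self.rising_event)
        if value <= self.falling and self.last_fired != "falling":
            self.last_fired = "falling"
            return ("falling", self.falling_event)
        return None

def run(alarm: RmonAlarm, polls: List[int]) -> list:
    """Return the events raised by a sequence of polls (None entries mean nothing fired)."""
    return [alarm.sample(v) for v in polls]

def demo() -> dict:
    # Constructed: rmon alarm 1 1.3.6.1.2.1.2.2.1.14.1 60 delta rising-threshold 100 3 falling-threshold 10 4
    # (ifInErrors.1 sampled every 60 s: more than 100 new errors per interval raises event 3)
    errs = RmonAlarm("delta", 100, 10, rising_event=3, falling_event=4)
    # Constructed: rmon alarm 2 <gauge object> 60 absolute rising-threshold 80 5 falling-threshold 60 6
    gauge = RmonAlarm("absolute", 80, 60, rising_event=5, falling_event=6)
    return {
        "delta": run(errs, [1000, 1150, 1300, 1305, 1500]),
        "absolute": run(gauge, [50, 85, 90, 70, 55, 85]),
    }

if __name__ == "__main__":
    for kind, events in demo().items():
        print(kind, events)
```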

    4. Define the type of data to collect.

      • Collect history statistics:

         (interface) rmon collection history {controlEntry number} [owner name] [buckets nbuckets] [interval seconds]

        The history group of statistics is assigned an index number. An optional owner can be assigned for the collection. The buckets keyword defines the number of collection buckets to be used. The interval keyword specifies the number of seconds during the polling cycle.

      • Collect other statistics:

         (interface) rmon collection {host | matrix | rmon1} {controlEntry number} [owner name]

        Statistics can be gathered based on host devices (host), on conversations between devices (matrix), or on all possible RMON collections (rmon1). The collection is assigned an index number. An optional owner can be assigned for the collection.

Example

A router is configured for SNMP, using community public for read-only access and community noc_team for read-write access. SNMP access is limited to any host in the 172.30.0.0 network for read-only and to network management hosts 172.30.5.91 and 172.30.5.95 for read-write access. SNMP traps are sent to an SNMP agent machine at 172.30.5.93 using community string nms. All possible traps are sent, except for router configuration change traps.

  snmp-server contact John Doe, Network Operations
  snmp-server location Building A, closet 415
  snmp-server community public ro 5
  snmp-server community noc_team rw 6
  snmp-server host 172.30.5.93 traps nms
  snmp-server enable traps
  ! Disable only the configuration-change trap; the "no" form takes the same
  ! "traps type" syntax as the enable command above.
  no snmp-server enable traps config
  access-list 5 permit 172.30.0.0 0.0.255.255
  access-list 6 permit host 172.30.5.91
  access-list 6 permit host 172.30.5.95


Cisco Field Manual: Router Configuration
ISBN: 1587050242
Year: 2005
Pages: 185