Configuring Cisco Devices for Performance Monitoring


To measure performance variables such as network latency, no configuration is needed on the Cisco devices. The only requirement is that ICMP should not be blocked by firewalls or access control lists. However, to monitor the rest of the performance statistics, SNMP should be configured on the monitored devices. Most Cisco devices are SNMP aware, but SNMP is turned off by default. The following sections deal with configuring the SNMP agent on these devices:

  • Cisco routers

  • Cisco CatOS based Catalyst switches

  • Cisco PIX Firewalls

  • Cisco VPN 3000 Series concentrators

Enabling the SNMP Agent on Cisco Routers

The commands for configuring the SNMP agent on an IOS-based device, such as a router or switch, are listed in Table 6-5. Note that these commands should be executed in global configuration mode.

Table 6-5. IOS SNMP Configuration

Command | Purpose
--------|--------
snmp-server contact text | Sets the system contact string
snmp-server location text | Sets the system location string
snmp-server chassis-id number | Sets the system serial number
access-list access-list-number {deny | permit} source [source-wildcard] [log] | Creates an access list to limit the SNMP managers that can reach the SNMP agent
snmp-server community community_string [ro | rw] [number] | Specifies the community string for the IOS SNMP agent and the access list (number) that limits which SNMP managers may use it


Based on the commands discussed, Example 6-3 shows a sample configuration for enabling the SNMP agent on an IOS device. Within the example, note the comment lines (beginning with !) that explain the relevant parts of the configuration.

Example 6-3. Configuring the IOS-Based SNMP Agent
    Router-Dallas#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router-Dallas(config)#access-list 10 permit 192.168.0.30
    Router-Dallas(config)#access-list 10 permit 192.168.0.35
    Router-Dallas(config)#snmp-server contact spope@abcinvestment.com
    Router-Dallas(config)#snmp-server location Dallas office 4th floor
    Router-Dallas(config)#snmp-server chassis-id 123456
    Router-Dallas(config)#snmp-server community read ro 10
    Router-Dallas(config)#exit
    Router-Dallas# show running
    !
    ! Access-list will restrict SNMP agent to
    ! respond to queries from the following 2 hosts only
    access-list 10 permit 192.168.0.30
    access-list 10 permit 192.168.0.35
    ! the snmp community is set to "read"
    ! snmp agent will only respond to manager
    ! permitted by Access-list 10
    snmp-server community readw RW
    snmp-server community read RO 10
    snmp-server location Dallas office 4th floor
    snmp-server contact spope@abcinvestment.com
    snmp-server chassis-id 123456
    !
    end
    Router-Dallas# show snmp
    Chassis: 123456
    Contact: spope@abcinvestment.com
    Location: Dallas office 4th floor
    16527 SNMP packets input
        0 Bad SNMP version errors
        15 Unknown community name
        0 Illegal operation for community name supplied
        0 Encoding errors
        33534 Number of requested variables
        0 Number of altered variables
        6981 Get-request PDUs
        9531 Get-next PDUs
        0 Set-request PDUs
    16512 SNMP packets output
        0 Too big errors (Maximum packet size 1500)
        66 No such name errors
        0 Bad values errors
        0 General errors
        16512 Response PDUs
        0 Trap PDUs
    SNMP logging: disabled
    Router-Dallas#

Note

Routers often use access lists (also called access control lists, or ACLs) to block SNMP requests from the rest of the network. If your SNMP server cannot communicate with the router despite a correct configuration, use the show access-lists or show running-config command on the router to verify the access lists. Additionally, a firewall between the SNMP server and the router might be blocking SNMP traffic (UDP port 161 for polling, UDP port 162 for traps).
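The access-list and snmp-server community lines in Example 6-3 are exactly what an auditor looks for when reviewing a router configuration. The following Python script is an added example, not from the book or from Cisco: it parses those lines out of a saved running-config and reports read/write communities, communities with no access list, access lists that permit nothing, and short or well-known community strings. The embedded sample configuration is constructed from the Example 6-3 output with the comments removed; the minimum length of 12 characters and the list of well-known strings are assumed policy values for the example, not Cisco defaults. Only the numbered-ACL form of the command shown in Table 6-5 is recognized.

```python
"""Audit the SNMP settings of a Cisco IOS running-config.

Added example, not from the book: parses the access-list and
snmp-server community lines of a saved configuration and reports
read/write communities, communities with no access list, and short or
well-known community strings.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the running-config fragment from Example 6-3 with
# the author's "!" comments removed. Note the "readw RW" line, which has
# no access list attached.
SAMPLE_CONFIG = """\
access-list 10 permit 192.168.0.30
access-list 10 permit 192.168.0.35
snmp-server community readw RW
snmp-server community read RO 10
snmp-server location Dallas office 4th floor
snmp-server contact spope@abcinvestment.com
snmp-server chassis-id 123456
"""

# Strings an auditor treats as guessable (assumed list for this example).
WELL_KNOWN = {"public", "private", "cisco", "read", "write", "readw"}

# Only the "snmp-server community string [ro|rw] [acl-number]" form from
# Table 6-5 is handled; lines with views or named ACLs are skipped.
_COMMUNITY = re.compile(r"^snmp-server community (\S+)(?: (ro|rw))?(?: (\d+))?\s*$", re.I)
_ACL = re.compile(r"^access-list (\d+) (permit|deny) (\S+)", re.I)


@dataclass
class Community:
    name: str
    mode: str                  # "RO" or "RW" (IOS defaults to RO when omitted)
    acl: Optional[str]         # standard access-list number, or None
    findings: List[str] = field(default_factory=list)


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Map each standard access-list number to the sources it permits."""
    acls: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = _ACL.match(line.strip())
        if m and m.group(2).lower() == "permit":
            acls.setdefault(m.group(1), []).append(m.group(3))
    return acls


def audit_snmp(config: str, min_len: int = 12) -> List[Community]:
    """Return one Community per snmp-server community line, with findings."""
    acls = parse_acls(config)
    results: List[Community] = []
    for line in config.splitlines():
        m = _COMMUNITY.match(line.strip())
        if not m:
            continue
        name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        c = Community(name, mode, acl)
        if mode == "RW":
            c.findings.append("read/write access: configuration can be changed over SNMP")
        if acl is None:
            c.findings.append("no access-list: any host that reaches UDP/161 may poll")
        elif acl not in acls:
            c.findings.append(f"access-list {acl} has no permit entries in this config")
        if name.lower() in WELL_KNOWN or len(name) < min_len:
            c.findings.append(f"community string is well-known or shorter than {min_len}")
        results.append(c)
    return results


if __name__ == "__main__":
    for c in audit_snmp(SAMPLE_CONFIG):
        print(f"{c.name} ({c.mode}, acl={c.acl})")
        for f in c.findings:
            print("   -", f)
```

Run against the sample, the script flags the readw community three times (read/write, no access list, well-known string) and the read community once (short, well-known string); the access list itself is reported with its two permitted managers, which is what the Note above says to verify when polling fails.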


Enabling the SNMP Agent on Cisco Switches

To configure the SNMP agent on a CatOS-based Catalyst switch, use the privileged-mode commands listed in Table 6-6.

Table 6-6. CatOS SNMP Configuration

Command | Task
--------|-----
set snmp community read-only community-string | Defines read-only SNMP community strings
set snmp community read-write community-string | Defines read/write SNMP community strings
show snmp | Verifies SNMP configurations


Example 6-4 shows the commands for configuring the SNMP agent on the Catalyst switch.

Example 6-4. Configuring the CatOS SNMP Agent
    Console> (enable) set snmp community read-only read
    SNMP read-only community string set to 'read'.
    Console> (enable) show snmp
    RMON: Disabled
    Extended RMON: Extended RMON module is not present
    Traps Enabled:
    Port,Module,Chassis,Bridge,Repeater,Vtp,Auth,ippermit,Vmps,config,entity,stpx
    Port Traps Enabled: 1/1-2,4/1-48,5/1

    Community-Access     Community-String
    ----------------     --------------------
    read-only            read
    ----------------------------------------

Enabling the SNMP Agent on a Cisco PIX Firewall

To configure the SNMP agent on a Cisco PIX Firewall version 5.3 and higher, use the privileged-mode commands listed in Table 6-7. Note that unlike routers and switches, the PIX Firewall does not provide read/write access through SNMP. For the sake of security, the PIX Firewall only provides read-only access through SNMP.

Table 6-7. PIX SNMP Configuration

Command | Purpose
--------|--------
snmp-server contact text | Sets the system contact string.
snmp-server location text | Sets the system location string.
snmp-server host [if_name] ip_addr [trap | poll] | Specifies the IP address of the SNMP management station to which traps are sent and/or from which SNMP requests are accepted. Use if_name to name the interface through which the SNMP manager is reached.
snmp-server community community_string | Specifies the community string for the PIX SNMP agent.
show snmp-server | Verifies the SNMP configuration.


Example 6-5 shows the commands for configuring the SNMP agent on a PIX Firewall.

Example 6-5. Configuring the PIX SNMP Agent
    Firewall-Dallas# config terminal
    Firewall-Dallas(config)# snmp-server host inside 192.168.0.30
    Firewall-Dallas(config)# snmp-server location DALLAS
    Firewall-Dallas(config)# snmp-server contact SPOPE
    Firewall-Dallas(config)# snmp-server community read
    Firewall-Dallas(config)# exit
    Firewall-Dallas# show snmp
    snmp-server host inside 192.168.0.30
    snmp-server location DALLAS
    snmp-server contact SPOPE
    snmp-server community read
    no snmp-server enable traps

Enabling the SNMP Agent on Cisco VPN 3000 Concentrators

Cisco VPN 3000 Series concentrators contain a built-in SNMP agent with read-only capabilities. As a security measure, this feature only allows viewing the statistics of the concentrator but does not facilitate configuring through SNMP. To configure the SNMP agent on a VPN 3000 Series concentrator, follow these steps:

Step 1. Log in to the VPN concentrator using a web browser.

Step 2. Navigate to the SNMP server page by choosing Configuration > System > Management Protocols > SNMP.

Step 3. On the SNMP server page, match the settings as shown in Figure 6-15 and enable SNMP by clicking the Apply button.

Figure 6-15. VPN Concentrator Enable SNMP

Step 4. Navigate to the SNMP communities page and click the Add button.

Step 5. Add the SNMP read-only community (as shown in Figure 6-16) and click the Add button to return to the SNMP communities page.

Figure 6-16. VPN Concentrator SNMP Community

Step 6. On the SNMP Communities page, save the configuration by clicking the Save Needed button in the upper-right corner.

Securing SNMP

SNMP was originally designed as a quick-and-easy way to monitor devices. Earlier versions (SNMPv1 and SNMPv2c) lack security features such as encryption and authentication; the community string travels in the clear and is the only access control. Additionally, SNMP implementations have suffered from a series of security vulnerabilities. To enhance the security of their networks, Netadmins should take the following actions:

  • Minimize the use of SNMP in the network.

  • Turn off SNMP on devices that are not monitored.

  • Block UDP/TCP ports 161 and 162 at the firewall and edge routers.

  • Block UDP/TCP ports 161 and 162 from user VLANs because regular users do not need SNMP.

  • Use SNMP version 3 if possible, although MRTG and Cacti do not support it yet.

  • Always use longer and stronger community strings.

  • Limit the number of SNMP managers (network management systems that can poll the SNMP agents) using the SNMP access-list features in IOS. Also, exercise caution while allowing SNMP managers read/write access.
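The recommendations above rest on one fact about SNMPv1 and SNMPv2c: the community string is carried in the clear inside a BER-encoded UDP packet, so anyone on the path can read it and replay it. The following Python code is an added example, not from the book or from any Cisco tool: it BER-encodes an SNMPv2c GetRequest for sysDescr.0 using the community read (the kind of request Router-Dallas counts under Get-request PDUs in Example 6-3), decodes the header again the way a passive sensor on a span port would, and lists what such a sensor should flag. The packet is constructed inline; the list of well-known community strings is an assumption for the example.

```python
"""Encode and decode the header of an SNMPv1/v2c message.

Added example, not from the book. Shows that the community string of a
v1/v2c request is plaintext on the wire, and what a passive SNMP sensor
can flag from the header alone (version, community, PDU type).
"""
from typing import Dict, List, Optional

SYSDESCR_0 = "1.3.6.1.2.1.1.1.0"        # sysDescr.0 from the standard MIB-II


# --- minimal BER encoder: only what an SNMP GetRequest needs ---------------
def _tlv(tag: int, content: bytes) -> bytes:
    """Tag-Length-Value with short or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _int(v: int) -> bytes:
    """BER INTEGER for a non-negative value."""
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b                   # keep the sign bit clear
    return _tlv(0x02, b)


def _oid(dotted: str) -> bytes:
    """BER OBJECT IDENTIFIER: first two arcs packed, base-128 for the rest."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def build_get_request(community: bytes, oid: str, version: int = 1, request_id: int = 1) -> bytes:
    """SNMP v1 (version=0) or v2c (version=1) GetRequest for one OID."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))               # OID + NULL value
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(version) + _tlv(0x04, community) + pdu)  # community is a plain OCTET STRING


# --- decoder side: what a sensor sees ---------------------------------------
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
WELL_KNOWN = {"public", "private", "cisco", "read", "write"}   # assumed list


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_snmp_header(packet: bytes) -> Dict[str, Optional[str]]:
    """Return version, community (None for v3) and PDU type of a message."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, ver, pos = _read_tlv(body, 0)
    tag, second, pos = _read_tlv(body, pos)
    info: Dict[str, Optional[str]] = {"version": VERSIONS.get(int.from_bytes(ver, "big"), ver.hex()),
                                      "community": None, "pdu": None}
    if tag == 0x04:           # v1/v2c: OCTET STRING community, then the PDU; v3 has msgGlobalData here
        info["community"] = second.decode("latin-1")
        pdu_tag, _, _ = _read_tlv(body, pos)
        info["pdu"] = PDU_NAMES.get(pdu_tag, hex(pdu_tag))
    return info


def findings(packet: bytes) -> List[str]:
    """What a passive SNMP sensor would flag for this packet."""
    h = decode_snmp_header(packet)
    out = []
    if h["community"] is not None:
        out.append(f"SNMP {h['version']}: community {h['community']!r} readable on the wire")
        if h["community"].lower() in WELL_KNOWN:
            out.append("well-known community string")
    if h["pdu"] == "SetRequest":
        out.append("SetRequest: a write attempt, check that this manager is authorized")
    return out


if __name__ == "__main__":
    pkt = build_get_request(b"read", SYSDESCR_0)
    print(pkt.hex())
    print(decode_snmp_header(pkt))
    for f in findings(pkt):
        print(" -", f)
```

The encoder is deliberately small (no negative integers, no v3 USM header), but the decoder handles long-form lengths, so it also parses messages longer than 127 bytes such as a GetBulk response. Feeding it packets captured on UDP port 161/162 from a user VLAN is a direct check on the fourth bullet above: any community string it prints is one that the whole VLAN could have read.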



Network Administrators Survival Guide
ISBN: 1587052113
Year: 2006