Tag Archives: cisco

Configuring SNMPv3

This page will show, how you would configure SNMPv3 on Cisco and Juniper network device

Cisco IOS

You need to create a group, select the version of SNMP and whether you want to add USM (User Security Model) aka security level. Once the group has been created we will need to create a user, associate the user to the newly created group and set the authentication password and privacy password.

Cisco Security Levels
noAuthNoPrivThere is no authentication password requested and the communications between the agent and the server are not encrypted. The SNMP process just requests authorized username string match.
authNoPrivpassword authentication is requested either by MD5 or SHA hashing, however no encryption is used for communications between the devices.
authPrivauthentication is the same as authNoPriv however communications between the snmp process and the logging server is encrypted.

On Cisco IOS, its quite simple to get it SNMPv3 configured:

Switch(config)#snmp-server group test1 v3 priv
Switch(config)#snmp-server user test1 test1 v3 auth sha test1 priv aes 128 test1

Now that v3 user has been created, we can run and snmpwalk to make sure it working as expected:

[email protected]:~$ snmpwalk -v3 -u test1 -l authPriv -a SHA -A test1234 -x AES -X test1234 172.31.184.140
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(44)SE2, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 01-May-08 15:42 by antonino
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.516
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (582733) 1:37:07.33
SNMPv2-MIB::sysContact.0 = STRING: "Write a comment :D"
SNMPv2-MIB::sysName.0 = STRING: Switch.lab.co
SNMPv2-MIB::sysLocation.0 = STRING: "The Lab in Space"
SNMPv2-MIB::sysServices.0 = INTEGER: 6
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00"

Juniper Junos

With Junos, you will need to create your user, create your security-group, set the security-model, assign a user and once you have the group created and confirmed you will be able to set the privileges for each of the groups by assigned the MIB views

Security Model levelsSecurity LevelMIB Views
AnyAny security model
USMSNMPv3 security model
v1SNMPV1 security model
v2cSNMPv2c security model
NoneProvides no authentication and no encryption.
AuthenticationProvides authentication but no encryption.
PrivacyProvides authentication and encryption.
Notify-viewgroup user is inform of MIB updates
Read-viewthe group user can see the MIB updates
Write-viewthe group user can make changes to the MIB updates.

The configuration looks more complex on Junos than on IOS however it’s quite straightforward:

set snmp name "This a test for snmpwalk example :p"
set snmp location "The Lab in Space"
set snmp contact "Write a comment :D"
set snmp v3 usm local-engine user test1 authentication-sha authentication-password test1234
set snmp v3 usm local-engine user test1 privacy-aes128 privacy-password test1234
set snmp v3 vacm security-to-group security-model usm security-name test1 group view-all
set snmp v3 vacm access group view-all default-context-prefix security-model usm security-level privacy read-view view-all
set snmp v3 vacm access group view-all default-context-prefix security-model usm security-level privacy notify-view view-all
set snmp view view-all oid .1 include

As like before, we can run and snmpwalk to make sure it working as expected:

[email protected]:~$ snmpwalk -v3 -u test1 -l authPriv -a SHA -A test1234 -x AES -X test1234 10.1.0.201
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx220h2 internet router, kernel JUNOS 12.1X44-D45.2 #0: 2015-01-12 14:20:16 UTC     [email protected]:/volume/build/junos/12.1/service/12.1X44-D45.2/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel Build date: 2015-01-12 15:4
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.58
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (458338855) 53 days, 1:09:48.55
SNMPv2-MIB::sysContact.0 = STRING: Write a comment :D
SNMPv2-MIB::sysName.0 = STRING: This a test for snmpwalk example :p
SNMPv2-MIB::sysLocation.0 = STRING: The Lab in Space
SNMPv2-MIB::sysServices.0 = INTEGER: 4

With SNMPv3 available, you should be using v3 for the additional security available. You don’t have the option to configure SNMPv3 without user authentication and/or unencrypted (noAuthNoPriv) but this kinda pointless use SNMPv3 with no authentication or encryption. There could be situations where you will need user authentication but not need encryption (authNoPriv) however in most cases you will use both.

Share this:
Share

How to Snmpwalk on Ubuntu 14.04LTS

You will need to sudo or root privileges to install the following packages

snmpd 
snmp

Once these have been installed you will get following command available to you:

[email protected]:~$ snmp
snmp-bridge-mib  snmpconf         snmpget          snmpset          snmptranslate    snmpvacm
snmpbulkget      snmpd            snmpgetnext      snmpstatus       snmptrap         snmpwalk
snmpbulkwalk     snmpdelta        snmpinform       snmptable        snmptrapd        
snmpcheck        snmpdf           snmpnetstat      snmptest         snmpusm

Snmpwalk is useful command to collect information from network device with SNMP agents. Depending on what version of SNMP, you will need to use one of the following commands

SNMPv1

snmpwalk -v1 -c{ community-name } ip_address

snmpwalk -v 1 -ctest-lab 10.1.0.201
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx220h2 internet router, kernel JUNOS 12.1X44-D45.2 #0: 2015-01-12 14:20:16 UTC     [email protected]:/volume/build/junos/12.1/service/12.1X44-D45.2/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel Build date: 2015-01-12 15:4
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.58
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (458062064) 53 days, 0:23:40.64
SNMPv2-MIB::sysContact.0 = STRING: Write a comment :D
SNMPv2-MIB::sysName.0 = STRING: This a test for snmpwalk example :p
SNMPv2-MIB::sysLocation.0 = STRING: The Lab in Space
SNMPv2-MIB::sysServices.0 = INTEGER: 4

SNMPv2

snmpwalk -v2c -c{ community-name } ip_address

snmpwalk -v2c -ctest-lab 10.1.0.201
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx220h2 internet router, kernel JUNOS 12.1X44-D45.2 #0: 2015-01-12 14:20:16 UTC     [email protected]:/volume/build/junos/12.1/service/12.1X44-D45.2/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel Build date: 2015-01-12 15:4
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.58
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (458070509) 53 days, 0:25:05.09
SNMPv2-MIB::sysContact.0 = STRING: Write a comment :D
SNMPv2-MIB::sysName.0 = STRING: This a test for snmpwalk example :p
SNMPv2-MIB::sysLocation.0 = STRING: The Lab in Space
SNMPv2-MIB::sysServices.0 = INTEGER: 4

SNMPv3

snmpwalk -v 3 -u { username } -l { noAuthNoPriv|authNoPriv|authPriv } -a { MD5|SHA } -A { authentication-password } -x { DES|AES } -X { privary-password } ip_address

snmpwalk -v3 -u test -l authPriv -a SHA -A test-lab -x AES -X test-lab 10.1.0.201
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx220h2 internet router, kernel JUNOS 12.1X44-D45.2 #0: 2015-01-12 14:20:16 UTC     [email protected]:/volume/build/junos/12.1/service/12.1X44-D45.2/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel Build date: 2015-01-12 15:4
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.58
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (458338855) 53 days, 1:09:48.55
SNMPv2-MIB::sysContact.0 = STRING: Write a comment :D
SNMPv2-MIB::sysName.0 = STRING: This a test for snmpwalk example :p
SNMPv2-MIB::sysLocation.0 = STRING: The Lab in Space
SNMPv2-MIB::sysServices.0 = INTEGER: 4
Share this:
Share

Creating a Cisco Lab with Dynamips/Dynagen on Ubuntu

If you’re like myself who doesn’t have the space, time, money or power in your own home, having a large scale network lab isn’t really possible. So network in a box would be ideal. Having worked with a couple of pretty cool and smart engineers PacketJedi from thepacketstream.com and Darren from mellowd.co.uk, they suggested that I should look into creating a Virtual Cisco Lab with a server. Originally, I was using GNS3 (an awesome tool for network engineers, whether a noob or a season vet) to emulate Cisco IOS routers. The issue I found was when I wanted to have large scale topologies, my laptop wasn’t able to cope and the heat was amazing (not in the good way!). To get around this, I got went and got myself a dedicated server from UK Dedicated Servers and installed the packages that were being used behind the GNS3 GUI interface.

This is how i got my network in a box created:

You will need be root or a sudo privileged user.

1. sudo apt-get update
2. sudo apt-get upgrade
3. sudo apt-get install dynagen dynamips iptables-persistent
4. sudo nano /etc/iptables/rules.v4

iptables rules for dynamips
-A INPUT -p tcp -m multiport --dports 7200:7201 -j ACCEPT
-A INPUT -p udp -m multiport --dports 7200:7201 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 2100:2199 -j ACCEPT
-A INPUT -p udp -m multiport --dports 2100:2199 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000 -j ACCEPT

6. sudo service iptables-persistent restart
7. cd /usr/sbin/
8. sudo touch startlab.sh
9. sudo nano startlab.sh

Use a script to run dynamips (heavily borrowed from Darren’s blog)

Automated Dynamips Script
#!/bin/bash

function killdyn() {

# This function kills all existing dynamips and dynagen processes

echo “Killing any existing Dynamips processes …”

pkill -5 dynamips

pkill -5 dynagen

}

function startdyn() {

# This function starts the dynamips hypervisors

echo “Initializing Dynamips Hypervisors …”

#/usr/bin/dynamips.bin -H 7201 > /dev/null 2>&1 &
/usr/bin/dynamips -H 7201 > /dev/null 2>&1 &

}

function cleanfolder() {

# This functions cleans the working folder out

echo “Clearing out folder”
find -name ‘c7200_*’ -exec rm {} +
}

clear

while :

do

echo ” 1. The Basic”

echo -n “Make A Selection: “

#
read opt

case $opt in
1)killdyn;
cd /home/kmarquis/working;
cleanfolder;
startdyn;
/usr/bin/dynagen /home/kmarquis/dynamips/net/Basic.net;;

99)killdyn;

exit 1;;

*)echo “$opt is not a valid option”;

echo “Press [enter] key to continue…”;

read enterKey;;

esac

done

10. sudo chmod -R 766 startlab.sh

In your home directory

11. mkdir -p IOS
12. mkdir -p dynamips/net
13. mkdir -p working
14. mkdir -p config

You can now create/copy your .net topologies into the related folder (dynamips/net for my example) then all you would need to do is run the script

startlab.sh

Now you will be able to get started with labbing 🙂

Note: You can get Cisco IOS images from the Cisco website, if you have support contract with them. Outside of that I can’t tell you where you can find them, but as ever with the internet if you look hard enough you may get luck!

Share this:
Share