Tag Archives: snmp

SNMP Polling over a Routing Instance


Polling SNMP over a Routing Instance is quite straightforward once you understand the syntax necessary to specify that you want to poll the routing-instance. But when I tried this the first time, I didn’t have a clue why it didn’t work!

For a bit of background, we had a request from another team whose network we manage, asking for SNMP details so they could poll an edge pair of SRX240s. We use a routing instance to keep management traffic separate from production traffic, so I configured an SNMPv2c community and asked them to test it, and they said it wasn’t working… BALLS :S

I set this up in the lab for testing: a Juniper SRX220 with a routing instance, and an Ubuntu 14.04 LTS host directly connected to it to poll SNMP.

I had configured SNMPv2c, allowed the relevant routing-instance access under the community stanza, and enabled routing-instance-access under the overall snmp stanza as well, thinking that this would be enough:

[edit]
[email protected]# show snmp 
community test {
    authorization read-only;
    routing-instance test {
        clients {
            192.168.1.0/24;
        }
    }
}
routing-instance-access;

However, when I did an snmpwalk, I got nothing :/

[email protected]:~$ snmpwalk -v2c -ctest 192.168.1.1
^C

Not Good 🙁

I messed about with the configuration and asked a few colleagues and a senior, but none of them could see the issue. So, as you do when you don’t have a clue, it was time to Google! From my searches I managed to find a Juniper KB page that explained the different variations of community-string syntax when polling SNMPv1/v2c over routing instances.

There are 3 variations:

  • community string – which works if the user polls directly from inet.0
  • [email protected] string – which polls information for specific routing instance
  • [email protected] string – which allows polling information about inet.0 only

In essence, when I tried to SNMP poll the SRX with the syntax snmpwalk -v2c -ctest 192.168.1.1, the community string wasn’t referencing the routing instance, so snmpwalk was trying to poll the master instance (inet.0), which the routing instance had no access to.

The syntax I should have been using was snmpwalk -v2c [email protected] 192.168.1.1. By referencing the routing instance in the community string, I was able to SNMP poll the SRX and all the interfaces within the routing instance:

[email protected]:~$ snmpwalk -v2c [email protected] 192.168.1.1
iso.3.6.1.2.1.1.1.0 = STRING: "Juniper Networks, Inc. srx220h2 internet router, kernel JUNOS 12.1X47-D30.4 #0: 2015-11-13 14:16:02 UTC     [email protected]:/volume/build/junos/12.1/service/12.1X47-D30.4/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel Build date: 2015-11-13 15:4"

SNMPv3 Polling

For SNMPv3, when configuring your user under the snmp v3 vacm access group stanza, the context-prefix HAS to be the same name as the routing instance:

[email protected]# show snmp 
v3 {
    usm {
        local-engine {
            user keeran {
                authentication-sha {
                    authentication-key "$9$WS8LdbYgojk.aJDkqmF3Ap01cyevWXNdleZUDjq.hSyKLx-VwoaUbwgJGU.m1RESrvXxdsYohSvLxNY2z3n/p0REylvW1IxN-VY2JGDk5Q/Ct01RUjqfzFAt8XxdYgDikf5FGU69CA0OLx7NdsUjHTFniHmTznCA8Xx7s2aJDmPQjiCt0ORE-VbsYo"; ## SECRET-DATA
                }
                privacy-des {
                    privacy-key "$9$qmz3/CtIhSpu1hcyW8-Vw2JGjHqPTzDj0B1IcSaZGimfQFntpB3nCuOBSy24oZUHPfz6/taZHmfT/9M8LxVw4oGDHq2gfTQF/9uO1hevxNdw24BIclMW-d.Pfz/C1RhleWOBX7N-wsmf5Tz6BIEKWLREyKMLN-.Pf569pu1yrvIRNdws4oQF36/t"; ## SECRET-DATA
                }
            }
        }
    }
    vacm {
        security-to-group {
            security-model usm {
                security-name keeran {
                    group view-all;
                }
            }
        }
        access {                        
            group view-all {
                context-prefix test {
                    security-model usm {
                        security-level privacy {
                            read-view view-all;
                            notify-view view-all;
                        }
                    }
                }
            }
        }
    }
}
view view-all {
    oid .1 include;
}
routing-instance-access;

Then, when you run the snmpwalk, you’ll need to add the -n flag to specify the context name, which will be the routing instance. If you’ve used the same authentication and privacy types as me, your syntax should look something like this: snmpwalk -v 3 -u keeran -l authPriv -a SHA -A test1234 -x DES -X test1234 -n test 192.168.1.1

snmpwalk -v 3 -u keeran -l authPriv -a SHA -A test1234 -x DES -X test1234 -n test 192.168.1.1
iso.3.6.1.2.1.1.1.0 = STRING: "Juniper Networks, Inc. srx220h2 internet router, kernel JUNOS 12.1X47-D30.4 #0: 2015-11-13 14:16:02 UTC     [email protected]:/volume/build/junos/12.1/service/12.1X47-D30.4/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel Build date: 2015-11-13 15:4"

This was pretty frustrating, as there was no clear reason why it wasn’t working, and something that should have taken a few moments took days! So I’m hoping this will help you so that you don’t end up in a bit of a rage like I was lol

References

Juniper Knowledge Base: SNMP Polling SNMPv1/v2c via Routing Instance
Juniper Knowledge: SNMP Polling SNMPv3 via Routing Instance
Snmpwalk Man Page
snmpwalk -h


Installing LLDP on Ubuntu


LLDP (Link Layer Discovery Protocol) is an open-standard Layer-2 protocol used by servers and network devices to advertise their identity and capabilities to directly connected devices. The standard is defined in IEEE 802.1AB. The information is sent out of LLDP-enabled interfaces as Ethernet frames at a fixed interval. These frames carry LLDPDUs (Link Layer Discovery Protocol Data Units) in a Type-Length-Value (TLV) format.

LLDPDUs include a wide range of information: hostname, description, port name and so on. Using LLDP can be very useful, as you can find out which devices are directly connected to a switch without the joy of cable tracing, and it helps with troubleshooting. With that in mind, this post covers how to enable LLDP on Juniper and Cisco switches, and how to enable it on Ubuntu 14.04 LTS.

Let’s get cracking!

For my setup I’ve got an ESXi host running Ubuntu 14.04 LTS. It has three vNICs: one is connected to the OOB Cisco 3750G switch and the other two go into a Juniper EX4200 Virtual Chassis.

Firstly enable lldp on your network device:

For a Juniper device, run set protocols lldp interface all. For a Cisco device, run lldp run, or for CDP (Cisco’s proprietary link discovery protocol) run cdp enable under the interface.

You’ll need to install the LLDP and SNMP packages onto the server:

[email protected]:~$ sudo apt-get install lldpd snmp

You’ll need to start both of the processes to get them up and running:

[email protected]:~$ sudo service lldpd restart
[email protected]:~$ sudo service snmpd restart

Once you’ve started these, both daemons are running on your server and LLDP is configured! Nice and simple 🙂

To confirm everything is working as expected, you can run a show command on switches and the server for verification:

On the Juniper EX4200, show lldp neighbors shows the two server NICs, one connected to each Virtual Chassis member:

[email protected]> show lldp neighbors 
Local Interface    Parent Interface    Chassis Id          Port info          System Name
ge-0/0/2.0         -                   00:0c:29:4f:26:bb   eth1               km-vm1              
ge-1/0/2.0         -                   00:0c:29:4f:26:bb   eth2               km-vm1              
vme.0              -                   00:19:06:cd:8f:80   GigabitEthernet1/0/36 oob-sw0-10.lab

On the Cisco 3750G, show lldp neighbors shows the two ESXi hosts that use the switch for out-of-band access:

oob-sw0-10.lab#show lldp neighbors g1/0/48
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
km-vm2              Gi1/0/48       120                        000c.29d3.ac6d
km-vm1              Gi1/0/48       120                        000c.294f.26bb

On the server, lldpcli show neighbors shows the Cisco and Juniper switches as well as the other ESXi host sharing the OOB NIC:

[email protected]:~$ lldpcli show neighbors
-------------------------------------------------------------------------------
LLDP neighbors:
-------------------------------------------------------------------------------
Interface:    eth0, via: LLDP, RID: 1, Time: 0 day, 22:19:29
  Chassis:     
    ChassisID:    mac 00:0c:29:d3:ac:77
    SysName:      km-vm2
    SysDescr:     Ubuntu 14.04.2 LTS Linux 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:43:14 UTC 2015 x86_64
    MgmtIP:       10.1.0.141
    MgmtIP:       2001:41c1:4:8040:20c:29ff:fed3:ac6d
    Capability:   Bridge, off
    Capability:   Router, off
    Capability:   Wlan, off
  Port:        
    PortID:       mac 00:0c:29:d3:ac:6d
    PortDescr:    eth0
-------------------------------------------------------------------------------
Interface:    eth0, via: LLDP, RID: 2, Time: 0 day, 22:19:11
  Chassis:     
    ChassisID:    mac 00:19:06:cd:8f:80
    SysName:      oob-sw0-10.lab
    SysDescr:     Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 15.0(1)SE, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Wed 20-Jul-11 09:32 by prod_rel_team
    MgmtIP:       10.1.0.4
    Capability:   Bridge, on
    Capability:   Router, off
  Port:        
    PortID:       ifname Gi1/0/48
    PortDescr:    GigabitEthernet1/0/48
-------------------------------------------------------------------------------
Interface:    eth1, via: LLDP, RID: 6, Time: 0 day, 00:02:58
  Chassis:     
    ChassisID:    mac 40:a6:77:5f:60:00
    SysName:      EX4200-A
    SysDescr:     Juniper Networks, Inc. ex4200-48t , version 12.3R5.7 Build date: 2013-12-18 03:01:12 UTC 
    MgmtIP:       10.1.0.243
    Capability:   Bridge, on
    Capability:   Router, on
  Port:        
    PortID:       local 503
    PortDescr:    KM-VM-1
-------------------------------------------------------------------------------
Interface:    eth2, via: LLDP, RID: 6, Time: 0 day, 00:03:01
  Chassis:     
    ChassisID:    mac 40:a6:77:5f:60:00
    SysName:      EX4200-A
    SysDescr:     Juniper Networks, Inc. ex4200-48t , version 12.3R5.7 Build date: 2013-12-18 03:01:12 UTC 
    MgmtIP:       10.1.0.243
    Capability:   Bridge, on
    Capability:   Router, on
  Port:        
    PortID:       local 661
    PortDescr:    KM-VM-1
-------------------------------------------------------------------------------

You can find detailed information and the additional commands that can be run with lldpcli in the man pages or in the Ubuntu documentation.


Configuring SNMPv3


This page shows how to configure SNMPv3 on Cisco and Juniper network devices.

Cisco IOS

You need to create a group, select the version of SNMP and choose the USM (User Security Model) security level. Once the group has been created, create a user, associate the user with the newly created group and set the authentication password and privacy password.

Cisco Security Levels

  • noAuthNoPriv – no authentication password is requested and communications between the agent and the server are not encrypted. The SNMP process only requires an authorized username string match.
  • authNoPriv – password authentication is requested, using either MD5 or SHA hashing; however, no encryption is used for communications between the devices.
  • authPriv – authentication is the same as authNoPriv; however, communications between the SNMP process and the logging server are encrypted.

On Cisco IOS, it’s quite simple to get SNMPv3 configured:

Switch(config)#snmp-server group test1 v3 priv
Switch(config)#snmp-server user test1 test1 v3 auth sha test1 priv aes 128 test1

Now that the v3 user has been created, we can run an snmpwalk to make sure it is working as expected:

[email protected]:~$ snmpwalk -v3 -u test1 -l authPriv -a SHA -A test1234 -x AES -X test1234 172.31.184.140
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(44)SE2, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 01-May-08 15:42 by antonino
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.516
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (582733) 1:37:07.33
SNMPv2-MIB::sysContact.0 = STRING: "Write a comment :D"
SNMPv2-MIB::sysName.0 = STRING: Switch.lab.co
SNMPv2-MIB::sysLocation.0 = STRING: "The Lab in Space"
SNMPv2-MIB::sysServices.0 = INTEGER: 6
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00

Juniper Junos

With Junos, you create your user, create your security group, set the security model and assign the user to the group. Once the group has been created and confirmed, you set the privileges for each group by assigning MIB views.

Security Models

  • Any – any security model
  • USM – SNMPv3 security model
  • v1 – SNMPv1 security model
  • v2c – SNMPv2c security model

Security Levels

  • None – provides no authentication and no encryption.
  • Authentication – provides authentication but no encryption.
  • Privacy – provides authentication and encryption.

MIB Views

  • Notify-view – the group user is informed of MIB updates
  • Read-view – the group user can see the MIB updates
  • Write-view – the group user can make changes to the MIB updates.

The configuration looks more complex on Junos than on IOS, but it’s quite straightforward:

set snmp name "This a test for snmpwalk example :p"
set snmp location "The Lab in Space"
set snmp contact "Write a comment :D"
set snmp v3 usm local-engine user test1 authentication-sha authentication-password test1234
set snmp v3 usm local-engine user test1 privacy-aes128 privacy-password test1234
set snmp v3 vacm security-to-group security-model usm security-name test1 group view-all
set snmp v3 vacm access group view-all default-context-prefix security-model usm security-level privacy read-view view-all
set snmp v3 vacm access group view-all default-context-prefix security-model usm security-level privacy notify-view view-all
set snmp view view-all oid .1 include

As before, we can run an snmpwalk to make sure it is working as expected:

[email protected]:~$ snmpwalk -v3 -u test1 -l authPriv -a SHA -A test1234 -x AES -X test1234 10.1.0.201
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx220h2 internet router, kernel JUNOS 12.1X44-D45.2 #0: 2015-01-12 14:20:16 UTC     [email protected]:/volume/build/junos/12.1/service/12.1X44-D45.2/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel Build date: 2015-01-12 15:4
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.58
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (458338855) 53 days, 1:09:48.55
SNMPv2-MIB::sysContact.0 = STRING: Write a comment 😀
SNMPv2-MIB::sysName.0 = STRING: This a test for snmpwalk example :p
SNMPv2-MIB::sysLocation.0 = STRING: The Lab in Space
SNMPv2-MIB::sysServices.0 = INTEGER: 4

With SNMPv3 available, you should be using v3 for the additional security it provides. You can configure SNMPv3 without user authentication and/or without encryption (noAuthNoPriv), but using SNMPv3 with no authentication or encryption is kind of pointless. There could be situations where you need user authentication but not encryption (authNoPriv); however, in most cases you will use both.
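The authentication-password and privacy-password values in the configuration above (and the -A/-X arguments to snmpwalk) are never used as keys directly: RFC 3414 hashes the passphrase into a key and then localizes it with the agent's engine ID, which is what the two sides actually share. This is an added example, not code from the page, implementing that derivation in Python; the RFC 3414 Appendix A test vectors are used as the check, and the engine ID marked constructed is an assumption, not a value from the page.

```python
import hashlib

# RFC 3414 A.2: the passphrase is repeated to fill a 1,048,576-byte stream,
# and that stream is hashed to produce Ku.
STREAM_LEN = 1048576


def password_to_ku(password: bytes, algo: str) -> bytes:
    """Ku = H(password repeated to exactly STREAM_LEN bytes)."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(STREAM_LEN, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): binds the key to one agent's engine ID."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def derive_localized_key(password: str, engine_id: bytes, algo: str = "sha1") -> bytes:
    """End-to-end derivation as done by snmpwalk (-A/-X) and by the agent.
    algo is 'md5' for -a MD5 and 'sha1' for -a SHA (SNMPv3 'SHA' means SHA-1)."""
    return localize_key(password_to_ku(password.encode(), algo), engine_id, algo)


def aes128_privacy_key(password: str, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3826: the AES-128 privacy key is the first 16 bytes of the localized
    key derived from the -X passphrase with the same hash as authentication.
    Consequently, reusing one passphrase for -A and -X yields a privacy key that
    is simply a prefix of the authentication key."""
    return derive_localized_key(password, engine_id, algo)[:16]


# RFC 3414 Appendix A test vectors: password "maplesyrup", 12-byte engine ID.
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC_MD5_KUL = "526f5eed9fcce26f8964c2930787d82b"
RFC_SHA_KUL = "6695febc9288e36282235fc7151f128497b38f3f"


def check_rfc_vectors() -> bool:
    """Return True when both RFC 3414 localized-key vectors reproduce."""
    md5_ok = derive_localized_key("maplesyrup", RFC_ENGINE_ID, "md5").hex() == RFC_MD5_KUL
    sha_ok = derive_localized_key("maplesyrup", RFC_ENGINE_ID, "sha1").hex() == RFC_SHA_KUL
    return md5_ok and sha_ok


# Constructed engine ID (enterprise-format prefix plus a made-up MAC); not from the page.
DEMO_ENGINE_ID = bytes.fromhex("80000a4c03" + "0011223344ff")


def demo_keys(password: str = "test1234") -> dict:
    """Keys the page's SHA/AES snmpwalk example would derive against DEMO_ENGINE_ID."""
    return {
        "auth_key": derive_localized_key(password, DEMO_ENGINE_ID, "sha1").hex(),
        "priv_key": aes128_privacy_key(password, DEMO_ENGINE_ID, "sha1").hex(),
    }
```

Because the key is localized with the engine ID, the same passphrase produces a different key on every agent, which is why a manager must learn the engine ID (via discovery) before it can authenticate.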


How to Snmpwalk on Ubuntu 14.04LTS


You will need sudo or root privileges to install the following packages:

snmpd 
snmp

Once these have been installed, you will have the following commands available to you:

[email protected]:~$ snmp
snmp-bridge-mib  snmpconf         snmpget          snmpset          snmptranslate    snmpvacm
snmpbulkget      snmpd            snmpgetnext      snmpstatus       snmptrap         snmpwalk
snmpbulkwalk     snmpdelta        snmpinform       snmptable        snmptrapd        
snmpcheck        snmpdf           snmpnetstat      snmptest         snmpusm

Snmpwalk is a useful command for collecting information from network devices running SNMP agents. Depending on the version of SNMP the device supports, you will need one of the following commands:

SNMPv1

snmpwalk -v1 -c{ community-name } ip_address

snmpwalk -v 1 -ctest-lab 10.1.0.201
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx220h2 internet router, kernel JUNOS 12.1X44-D45.2 #0: 2015-01-12 14:20:16 UTC     [email protected]:/volume/build/junos/12.1/service/12.1X44-D45.2/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel Build date: 2015-01-12 15:4
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.58
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (458062064) 53 days, 0:23:40.64
SNMPv2-MIB::sysContact.0 = STRING: Write a comment 😀
SNMPv2-MIB::sysName.0 = STRING: This a test for snmpwalk example :p
SNMPv2-MIB::sysLocation.0 = STRING: The Lab in Space
SNMPv2-MIB::sysServices.0 = INTEGER: 4

SNMPv2

snmpwalk -v2c -c{ community-name } ip_address

snmpwalk -v2c -ctest-lab 10.1.0.201
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx220h2 internet router, kernel JUNOS 12.1X44-D45.2 #0: 2015-01-12 14:20:16 UTC     [email protected]:/volume/build/junos/12.1/service/12.1X44-D45.2/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel Build date: 2015-01-12 15:4
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.58
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (458070509) 53 days, 0:25:05.09
SNMPv2-MIB::sysContact.0 = STRING: Write a comment 😀
SNMPv2-MIB::sysName.0 = STRING: This a test for snmpwalk example :p
SNMPv2-MIB::sysLocation.0 = STRING: The Lab in Space
SNMPv2-MIB::sysServices.0 = INTEGER: 4

SNMPv3

snmpwalk -v 3 -u { username } -l { noAuthNoPriv|authNoPriv|authPriv } -a { MD5|SHA } -A { authentication-password } -x { DES|AES } -X { privacy-password } ip_address

snmpwalk -v3 -u test -l authPriv -a SHA -A test-lab -x AES -X test-lab 10.1.0.201
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx220h2 internet router, kernel JUNOS 12.1X44-D45.2 #0: 2015-01-12 14:20:16 UTC     [email protected]:/volume/build/junos/12.1/service/12.1X44-D45.2/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel Build date: 2015-01-12 15:4
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.58
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (458338855) 53 days, 1:09:48.55
SNMPv2-MIB::sysContact.0 = STRING: Write a comment 😀
SNMPv2-MIB::sysName.0 = STRING: This a test for snmpwalk example :p
SNMPv2-MIB::sysLocation.0 = STRING: The Lab in Space
SNMPv2-MIB::sysServices.0 = INTEGER: 4
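The walks above all return the same handful of system-group objects, and in practice you want them as structured data rather than as text (note the Cisco sysDescr in the SNMPv3 post, whose value spans three output lines). This is an added example, not code from the page: a small Python parser for snmpwalk's default output format, run over a sample constructed from the Cisco output shown earlier, plus a decoder for the sysServices values (6 and 4) the walks report.

```python
import re

# Constructed sample in the output format snmpwalk prints (modelled on the Cisco
# IOS walk in the SNMPv3 post; its sysDescr value contains newlines).
SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(44)SE2, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 01-May-08 15:42 by antonino
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.516
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (582733) 1:37:07.33
SNMPv2-MIB::sysContact.0 = STRING: "Write a comment :D"
SNMPv2-MIB::sysName.0 = STRING: Switch.lab.co
SNMPv2-MIB::sysServices.0 = INTEGER: 6
"""

# One "<oid> = <TYPE>: <value>" line; a line that does not match is treated as a
# continuation of the preceding STRING value (or ignored if there is none).
LINE_RE = re.compile(
    r"^(\S+) = (STRING|OID|Timeticks|INTEGER|Counter32|Gauge32|IpAddress|Hex-STRING): ?(.*)$"
)


def _convert(typ, raw):
    """Turn the textual value into a Python value according to its SNMP type."""
    if typ == "STRING":
        # snmpwalk quotes strings with spaces or special characters; strip that.
        return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
    if typ in ("INTEGER", "Counter32", "Gauge32", "Timeticks"):
        # Forms seen: "INTEGER: 6", "INTEGER: up(1)", "Timeticks: (582733) 1:37:07.33"
        m = re.search(r"\((\d+)\)", raw)
        return int(m.group(1)) if m else int(raw)
    return raw  # OID, IpAddress and Hex-STRING are kept as text


def parse_snmpwalk(text):
    """Parse snmpwalk output into {oid: value}, folding multi-line strings."""
    records, current, current_is_string = {}, None, False
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            current, typ, raw = m.groups()
            current_is_string = typ == "STRING"
            records[current] = _convert(typ, raw)
        elif current_is_string:
            records[current] += "\n" + line
    return records


# sysServices (RFC 1213): bit (L-1) set means the device offers layer-L services.
_LAYERS = {1: "physical", 2: "datalink", 3: "internet", 4: "end-to-end", 7: "applications"}


def sys_services_layers(value):
    """Decode sysServices: the page's 6 -> [2, 3] (L3 switch), 4 -> [3] (router)."""
    return [layer for layer in sorted(_LAYERS) if value & (1 << (layer - 1))]


def summarize(text):
    """The facts an inventory or baseline check wants from one walk."""
    r = parse_snmpwalk(text)
    return {
        "sysName": r.get("SNMPv2-MIB::sysName.0"),
        "sysObjectID": r.get("SNMPv2-MIB::sysObjectID.0"),
        "uptime_ticks": r.get("DISMAN-EVENT-MIB::sysUpTimeInstance"),
        "layers": sys_services_layers(r.get("SNMPv2-MIB::sysServices.0", 0)),
    }
```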