snmp

RMON and MIBs


Quick tip: RMON and MIB

RMON is generally an easy topic; it can be tricky, but on CCIE workbooks the tasks are usually fair.

The hardest part for me is to find the MIB to monitor.

This is the task: monitor interface Vlan1, send a trap if it receives more than 100 packets in 30 seconds, and send another trap if it drops below 50 packets in 30 seconds.

First step: find Vlan1 ifindex.

R#sh snmp mib ifmib ifindex 
Vlan99: Ifindex = 10
Virtual-Access2: Ifindex = 13
FastEthernet4: Ifindex = 5
FastEthernet0: Ifindex = 1
FastEthernet2: Ifindex = 3
Loopback0: Ifindex = 12
Null0: Ifindex = 6
Virtual-Access1: Ifindex = 11
Vlan1: Ifindex = 7
Virtual-Template1: Ifindex = 9
NVI0: Ifindex = 8
FastEthernet1: Ifindex = 2
FastEthernet3: Ifindex = 4


So Vlan1 has ifIndex value 7.

Now how do we find the MIB of incoming packets?

My method is to grep the output of command "sh snmp mib" and it usually works:

R#sh snmp mib | i ifIn
ifIndex
ifInOctets
ifInUcastPkts
ifInNUcastPkts
ifInDiscards
ifInErrors
ifInUnknownProtos
ifInMulticastPkts
ifInBroadcastPkts


Here it is: "ifInUcastPkts" looks like the right MIB entry. Keep in mind that it counts only unicast packets; broadcast and multicast traffic is reported under ifInNUcastPkts (or ifInMulticastPkts and ifInBroadcastPkts), so pick the object that matches what the task actually asks you to count.

Since we're looking for the entry related to Vlan1, ifIndex 7, we should use "ifInUcastPkts.7" on the rmon command.

R(config)#rmon alarm 1 ifInUcastPkts.7 30 delta rising-threshold 100 1 falling-threshold 50 2 owner ADMIN


If we write a wrong SNMP object we get an error like "Unknown object:". The event numbers 1 and 2 at the end of the alarm refer to rmon event entries, which must exist (configured with the rmon event command) for a trap to actually be generated when a threshold is crossed.

If you know a better method write me.


And remember, even if it's not required, don't forget to apply

R(config)#snmp-server ifindex persist


since ifIndex values can change at the next reboot, breaking our configuration.


Snmp v3


SNMPv3 is described in several RFCs, such as RFC 3414.

The history and security of the various SNMP versions are well known and easy to find, so let's focus on configuration.

SNMPv3 can work at three security levels:
  • noAuthNoPriv
  • authNoPriv
  • authPriv


For the tests I use a Cisco 871 as SNMP agent and an OS X computer to walk the MIBs.


noAuthNoPriv
No authentication, no encryption


Router configuration:

R(config)#snmp-server view noAuthNoPriv internet included
R(config)#snmp-server user user1 noAuthNoPriv v3
R(config)#snmp-server group noAuthNoPriv v3 noauth read noAuthNoPriv


Query from OSX:

snmpwalk -v 3 -l noAuthNoPriv -u user1 10.1.0.254


As we can see in the screenshot, the data is not encrypted and the username is sent in cleartext:

snmp1


Now we implement the first security level, authentication.


authNoPriv
Authentication required, data is not encrypted

Router configuration:

R(config)#snmp-server user user2 authNoPriv v3 auth sha CISCO123
R(config)#snmp-server group authNoPriv v3 auth read authNoPriv
R(config)#snmp-server view authNoPriv internet included


Query from OSX:

snmpwalk -v 3 -a SHA -A CISCO123 -l authNoPriv -u user2 10.1.0.254


The capture now shows "Authenticated: Set", but we can still see the username "user2" in cleartext.

snmp2

Next step: privacy (encryption).


authPriv
Authentication required, data is encrypted


Router configuration:

R(config)#snmp-server user user3 authPriv v3 auth sha CISCO123 priv aes 128 CISCO123 
R(config)#snmp-server view authPriv internet included
R(config)#snmp-server group authPriv v3 priv read authPriv


Query from OSX:

snmpwalk -v 3 -a SHA -A CISCO123 -x AES -X CISCO123 -l authPriv -u user3 10.1.0.254


The capture shows that encryption is enabled now:

snmp3
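What actually protects the CISCO123 passphrase in the authNoPriv and authPriv tests above is that it never goes on the wire: both snmpwalk and the router turn it into a per-agent key with the RFC 3414 key localization. The following is an added example (not code from the original post or from net-snmp) that implements that derivation; the two Cisco-style engineIDs in it are constructed for illustration, and the RFC 3414 "maplesyrup" vectors can be used to check it.

```python
import hashlib

# Added example (not from the original post): the RFC 3414 key localization that
# net-snmp and the router apply to the "CISCO123" passphrase before any packet
# is sent, so the passphrase itself is never on the wire.

ONE_MIB = 1_048_576  # RFC 3414 A.2: the passphrase is expanded to exactly 1 MiB
HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}  # MD5 / SHA as in "auth sha"


def password_to_ku(password: bytes, algo: str = "sha") -> bytes:
    """Step 1: hash the passphrase repeated out to 1,048,576 bytes (Ku in RFC 3414)."""
    if not password:
        raise ValueError("empty passphrase")
    expanded = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return HASHES[algo](expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha") -> bytes:
    """Step 2: bind Ku to one agent: Kul = H(Ku || snmpEngineID || Ku)."""
    return HASHES[algo](ku + engine_id + ku).digest()


def usm_keys(auth_pw: bytes, engine_id: bytes, algo: str = "sha",
             priv_pw: bytes = b"") -> dict:
    """Localized auth key for the user, plus the AES-128 priv key, which RFC 3826
    takes as the first 16 bytes of the priv passphrase localized the same way
    (the priv passphrase defaults to the auth one, as in the authPriv config)."""
    auth_key = localize_key(password_to_ku(auth_pw, algo), engine_id, algo)
    priv_key = localize_key(password_to_ku(priv_pw or auth_pw, algo), engine_id, algo)
    return {"auth": auth_key, "priv_aes128": priv_key[:16]}


if __name__ == "__main__":
    # Two constructed Cisco-style engineIDs (enterprise 9, format 3 = MAC address);
    # the MAC addresses are made up for this example.
    router_a = bytes.fromhex("800000090300" + "001122334455")
    router_b = bytes.fromhex("800000090300" + "0011223344aa")
    for name, eid in (("router_a", router_a), ("router_b", router_b)):
        k = usm_keys(b"CISCO123", eid)
        print(name, "auth:", k["auth"].hex(), "priv:", k["priv_aes128"].hex())
    # Same passphrase, different agents -> different localized keys, which is why
    # a key recovered from one router's engineID does not work against another.
```

The router does this step with its own snmpEngineID, which is also why the agent's engineID is exchanged in the discovery request at the start of every snmpwalk.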


SNMP is often referred to as "Security is Not My Problem"; v3 gives us an acceptable security level to use it with confidence.