Network technologies and trends:

SNMP

Oct 20 2008   5:06AM GMT

How to configure SNMPv3 in a Cisco Catalyst Switch – Series 2



Posted by: Yasir Irfan
Switches, Cisco, SNMP, Cisco IOS, Cisco 2960, Cisco 2950, Cisco 6500, Cisco Tips, Cisco 3560, Cisco Learning, SNMPv3, Cisco Systems

In the first part of this series we introduced SNMP Version 3 and created an SNMP view called ITKEView. Now let’s proceed further and create an SNMP group called “ITKEGroup”. This group is granted access to the view “ITKEView” that we created in the previous step.

ITKE(config)# snmp-server group ITKEGroup v3 auth read ITKEView

Finally, let’s create an SNMP user called “ITKEuser” and grant it access to the “ITKEGroup” that we created in the previous step. We provide an authentication password as well as a privacy password; the privacy password serves as the encryption key for SNMP traffic.

ITKE(config)# snmp-server user ITKEuser ITKEGroup v3 auth md5 ITKEpass priv des56 ITKEpass2

Oct 12 2008   5:17AM GMT

How to configure SNMPv3 in a Cisco Catalyst Switch – Series 1



Posted by: Yasir Irfan
Security, Switches, Cisco, SNMP, Cisco IOS, Cisco 2950, Cisco 6500, Cisco Tips, Cisco 3560, Cisco 3745, Cisco Learning, Cisco 3560-E, IOS commands, SNMPv3, RFC3410, SNMP Version 3

Configuring SNMP Version 3 on a Cisco Catalyst Switch is a bit more complicated than SNMP v1 and v2, but once SNMPv3 is configured you can relax: it adds authentication (username and password) as well as encryption to the protocol.

What is SNMPv3?

Simple Network Management Protocol version 3. The specification for this Full Standard protocol is published in RFCs 3410 and 3418. SNMPv3 provides a Full Standard administrative framework (authorization, access control, etc.) and a remote configuration/administration MIB. Also check the SNMPv3 documentation from Cisco Systems.

How to configure SNMPv3 in a Cisco Catalyst Switch?

We begin configuring SNMPv3 on the Cisco Catalyst Switch by creating an SNMP “view”. A view defines what information an SNMP user or group can access when it queries the SNMPv3-enabled Cisco Catalyst Switch. In the example below we create a view called ITKEView and include the “system”, “internet” and “interfaces” SNMP OID subtrees.

ITKE(config)# snmp-server view ITKEView internet included
ITKE(config)# snmp-server view ITKEView system included
ITKE(config)# snmp-server view ITKEView interfaces included

To be continued in the next part of the series.


Aug 23 2008   6:04AM GMT

Discover Cisco Network Assistant (CNA)



Posted by: Yasir Irfan
Networking, Switches, Cisco, Routers, SNMP, Cisco 2950, Cisco Tips, Cisco 3560, Cisco 3750-E, Cisco 3560-E, Network Troubleshooting, Network Inventory, Cisco Network Assistant

Cisco Network Assistant (CNA) is a PC-based graphical network management application, a free tool included when a new Cisco switch is purchased. CNA can manage standalone Cisco switches and clusters of Cisco switches in your intranet, and is best suited to small and mid-sized LANs. It supports a wide range of Cisco Catalyst switches, from the Cisco 2900 through the Cisco Catalyst 4506. CNA manages many of the critical functions of a Cisco switch and is optimized for wired and wireless LANs (WLANs). It provides a centralized network view and lets network administrators employ its features across Cisco switches, routers and access points: with CNA a network administrator can easily apply common services, generate inventory reports, synchronize passwords and employ features across Cisco switches, routers and access points. CNA is available at no cost and can be downloaded from the Cisco Network Assistant Software Download page.


What’s new in Cisco Network Assistant (CNA) Version 5.4?

Increased device limits: Supports up to 40 switches and routers

Enhanced discovery: Discover devices with subnet or IP range 

Diagnostics: Conduct on-demand or scheduled tests to verify hardware functionality 

Command-line interface (CLI) preview: View CLIs before they are sent to the device

In my next article I will focus on how to use the Cisco Network Assistant (CNA).


Jul 30 2008   12:59PM GMT

Network Inventory and Configuration Management



Posted by: Yasir Irfan
Networking, Switches, Cisco, Routers, SNMP, Configuration Management, Open Source, Cisco 2950, Cisco 6500, Cisco Tips, Cisco 3745, Network Inventory, ZipTie

We all know much about Kiwi Syslog Software. For many years I have been using Kiwi CatTools for configuration management and to automate many daily tasks. Kiwi CatTools really helped me perform many tasks like configuration backup, telnet, SSH and much more. The free version only supports 5 devices; hence I started looking at the open source community and came across this wonderful application called ZipTie.


What is ZipTie?

ZipTie is a framework for Network Inventory and Configuration Management. ZipTie allows you to easily discover all devices in your network to create a comprehensive inventory and to manage the configuration of those devices. Every installation includes a suite of tools to help manage your network. In addition, ZipTie is constantly under development and leverages a large community of network experts who share their tools, device adapters, and experience. It allows you to create or import your own custom tools or download them from the ZipTie community. The software is free to download, use, and distribute. ZipTie.org is the community site and tools exchange for Open Network Inventory and Configuration Management. (Courtesy ZipTie) For a more detailed explanation of ZipTie, please read this technical white paper by Roger Castillo, AlterPoint’s CTO, entitled ZipTie Network Inventory Management Framework - enabling the next era of network management tools.

[Screenshot: ZipTie hardware model preview, courtesy of the ZipTie web site]


Jul 15 2008   6:36AM GMT

How to Secure SNMP in Cisco Switches and Routers



Posted by: Yasir Irfan
Networking, Switches, Cisco, Routers, SNMP, Cisco 2950, Cisco 6500, Cisco Tips, Cisco 3560, Cisco 3745, Cisco Learning, Cisco 3750-E, Cisco 3560-E, Access List

This article focuses on the ways we can secure SNMP access on Cisco switches and routers.

Simple Network Management Protocol (SNMP) uses the default UDP port 161 for general SNMP messages and UDP port 162 for SNMP trap messages.

SNMP is a service used to perform network management functions using a data structure called a Management Information Base (MIB). Unfortunately, SNMP version 1 is widely implemented but not very secure: it uses only clear-text community strings to control access to information on the switch, including its configuration file.

If SNMP is not being used, the following commands disable the service.
Switch(config)# no snmp-server community
Switch(config)# no snmp-server enable traps
Switch(config)# no snmp-server system-shutdown
Switch(config)# no snmp-server

If SNMP is required for a switch or router, configure the device for SNMP version 3. This version is more secure than SNMP version 1 because version 3 can use cryptographic hashes for authentication, so the credential is protected instead of crossing the network as a clear-text community string. The above commands for disabling SNMP are recommended for use before deploying SNMP version 3, to remove any possible default community strings. The following commands show an example User Security Model for SNMP version 3 on the switch. The model begins with creating a standard access-list (e.g., 12) that permits only those systems that manage the switch. Next, define a group (e.g., admins) with read and write MIB views (e.g., adminview). Then each user (e.g., root) is added to the group with a password (e.g., 5ecret-5TR1N) that can be hashed (e.g., using md5) before being sent across the network. Also, the standard access-list (e.g., 12) is applied to the user. Finally, the MIB view (e.g., adminview) is defined by one or more statements that include or exclude portions of the MIB. The MIB view in the following example gives access to the Internet branch of the MIB except the branches that display IP addresses and IP routing information.

Switch(config)# no access-list 12
Switch(config)# access-list 12 permit 10.0.0.2
Switch(config)# access-list 12 permit 10.0.0.4
Switch(config)# snmp-server group admins v3 auth read adminview write adminview
Switch(config)# snmp-server user root admins v3 auth md5 5ecret-5TR1N access 12

Switch(config)# snmp-server view adminview internet included
Switch(config)# snmp-server view adminview ipAddrEntry excluded
Switch(config)# snmp-server view adminview ipRouteEntry excluded

If SNMP is required for a switch and only SNMP version 1 is available, then the following commands show an example of how to configure the switch with a community string (e.g., g00d-5tr1n9) that has read-only permissions and a standard access-list (e.g., 12) applied to it.

Switch(config)# no access-list 12
Switch(config)# access-list 12 permit 10.0.0.2
Switch(config)# access-list 12 permit 10.0.0.4
Switch(config)# snmp-server community g00d-5tr1n9 ro 12

In addition to the configuration of the SNMP service, SNMP Trap information can be sent to the systems that manage the switches. The following commands show an example of this configuration.

Switch(config)# snmp-server host 10.0.0.2 traps g00d-5tr1n9-2
Switch(config)# snmp-server host 10.0.0.4 traps g00d-5tr1n9-2
Switch(config)# snmp-server trap-source Loopback0
Switch(config)# snmp-server enable traps
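As an added example (not code from the original posts), here is a small Python audit that walks the snmp-server lines of an IOS-style configuration and flags the weaknesses this article and the SNMPv3 series above warn about: v1/v2c or noauth groups, groups whose read/write view was never defined, users whose group was never defined or that lack a priv password or an access-list, and community strings that are default, read-write or not restricted by an access-list. The sample configuration is constructed from the commands on this page plus a deliberately undefined group and a default read-write community; the prompt stripping and keyword positions assume the IOS syntax shown in these posts.

```python
import re

DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample: the page's own commands plus two deliberate weaknesses.
SAMPLE_CONFIG = """
Switch(config)# snmp-server view adminview internet included
Switch(config)# snmp-server group admins v3 auth read adminview write adminview
Switch(config)# snmp-server user root admins v3 auth md5 5ecret-5TR1N access 12
Switch(config)# snmp-server group ITKEview v3 auth
Switch(config)# snmp-server user ITKEuser ITKEGroup v3 auth md5 ITKEpass priv des56 ITKEpass2
Switch(config)# snmp-server community public rw
Switch(config)# snmp-server community g00d-5tr1n9 ro 12
"""

def _commands(config):
    # Strip the 'Switch(config)# ' prompt, drop blank and 'no ...' lines, tokenize.
    lines = [re.sub(r"^\S+\(config\)#\s*", "", ln.strip()) for ln in config.splitlines()]
    return [ln.split() for ln in lines if ln.startswith("snmp-server ")]

def audit_snmp_config(config):
    """Return findings for snmp-server lines; pass 1 collects names, pass 2 checks."""
    cmds = _commands(config)
    views = {t[2] for t in cmds if t[1] == "view"}
    groups = {t[2] for t in cmds if t[1] == "group"}
    findings = []
    for t in cmds:
        kind, name = t[1], (t[2] if len(t) > 2 else "")
        if kind == "group":
            if t[3] != "v3" or t[4] == "noauth":  # v1/v2c groups, or v3 without auth
                findings.append(f"group {name}: no authentication ({' '.join(t[3:5])})")
            for kw in ("read", "write"):
                if kw in t and t[t.index(kw) + 1] not in views:
                    findings.append(f"group {name}: {kw} view {t[t.index(kw) + 1]} is not defined")
        elif kind == "user":
            if t[3] not in groups:
                findings.append(f"user {name}: group {t[3]} is not defined")
            if t[4] == "v3" and "priv" not in t:
                findings.append(f"user {name}: no priv keyword, requests are not encrypted")
            if "access" not in t:
                findings.append(f"user {name}: no access-list limits which managers may use it")
        elif kind == "community":
            mode = next((x for x in t[3:] if x in ("ro", "rw")), "ro")  # IOS defaults to ro
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"community {name}: well-known default string")
            if mode == "rw":
                findings.append(f"community {name}: read-write access")
            if mode not in t[3:] or t[-1] == mode:  # nothing follows ro/rw: no ACL applied
                findings.append(f"community {name}: no access-list limits which managers may use it")
    return findings
```

Running `audit_snmp_config(SAMPLE_CONFIG)` reports six findings, including the user whose group name does not match any defined group, which is exactly the kind of mismatch that is easy to introduce when the view, group and user are entered in separate sessions.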