5.2.2.6 Lab – Configuring SNMP Answers

5.2.2.6 Lab – Configuring SNMP (Instructor Version)

Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Topology

Addressing Table

Device Interface IP Address Subnet Mask Default Gateway
R1 G0/1 192.168.1.1 255.255.255.0 N/A
S0/0/0 192.168.2.1 255.255.255.252 N/A
R2 S0/0/0 192.168.2.2 255.255.255.252 N/A
S1 VLAN 1 192.168.1.2 255.255.255.0 N/A
PC-A NIC 192.168.1.3 255.255.255.0 192.168.1.1

Objectives

Part 1: Build the Network and Configure Basic Device Settings
Part 2: Configure an SNMPv2 Manager and Agent
Part 3: Configure an SNMPv3 Manager and Agent

Background / Scenario

Simple Network Management Protocol (SNMP) is a network management protocol and an IETF standard which can be used to both monitor and control clients on the network. SNMP can be used to get and set variables related to the status and configuration of network hosts like routers and switches, as well as network client computers. The SNMP manager can poll SNMP agents for data, or data can be automatically sent to the SNMP manager by configuring traps on the SNMP agents.

In this lab, you will download, install, and configure SNMP management software on PC-A. You will also configure a Cisco router and Cisco switch as SNMP agents. After capturing SNMP notification messages from the SNMP agent, you will convert the MIB/Object ID codes to learn the details of the messages using the Cisco SNMP Object Navigator.

Note: The routers used with CCNA hands-on labs are Cisco 1941 Integrated Services Routers (ISRs) with Cisco IOS Release 15.4(3) (universalk9 image). The switches used are Cisco Catalyst 2960s with Cisco IOS Release 15.0(2) (lanbasek9 image). Other routers, switches and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and output produced might vary from what is shown in the labs. Refer to the Router Interface Summary Table at the end of the lab for the correct interface identifiers.

Note: Make sure that the routers and switches have been erased and have no startup configurations. If you are unsure, contact your instructor.

Instructor Note: Refer to the Instructor Lab Manual for the procedures to initialize and reload devices.

Note: The snmp-server commands in this lab will cause the Cisco 2960 switch to issue a warning message when saving the configuration file to NVRAM. To avoid this warning message verify that the switch is using the lanbase-routing template. The IOS template is controlled by the Switch Database Manager (SDM). When changing the preferred template, the new template will be used after reboot even if the configuration is not saved.

S1# show sdm prefer

Use the following commands to assign the lanbase-routing template as the default SDM template.

S1# configure terminal
S1(config)# sdm prefer lanbase-routing
S1(config)# end
S1# reload

Required Resources

  • 2 Routers (Cisco 1941 with Cisco IOS, Release 15.4(3) universal image or comparable)
  • 1 Switch (Cisco 2960 with Cisco IOS Release 15.0(2) lanbasek9 image or comparable)
  • 1 PC (Windows with terminal emulation program, such as Tera Term, SNMP manager, such as SNMP MIB Browser by ManageEngine, and Wireshark)
  • Console cables to configure the Cisco IOS devices via the console ports
  • Ethernet and serial cables as shown in the topology
  • SNMP Management Software (SNMP MIB Browser by ManageEngine)

Part 1: Build the Network and Configure Basic Device Settings

In Part 1, you will set up the network topology and configure the devices with basic settings.

Step 1: Cable the network as shown in the topology.

Step 2: Configure the PC host.

Step 3: Initialize and reload the switch and routers as necessary.

Step 4: Configure basic settings for the routers and switch.

a. Disable DNS lookup.

b. Configure device names as shown in the topology.

c. Configure IP addresses as shown in the Addressing Table. (Do not configure or enable the VLAN 1 interface on S1 at this time.)

d. Assign cisco as the console and vty password and enable login.

e. Assign class as the encrypted privileged EXEC mode password.

f. Configure logging synchronous to prevent console messages from interrupting command entry.

g. Verify successful connectivity between PC-A and R1 and between the routers by issuing the ping command.

h. Copy the running configuration to the startup configuration.

Part 2: Configure SNMPv2 Manager and Agent

In Part 2, SNMP management software will be installed and configured on PC-A, and R1 and S1 will be configured as SNMP agents.

Step 1: Install an SNMP management program.

a. Download and install the SNMP MIB Browser by ManageEngine from the following URL: https://www.manageengine.com/products/mibbrowser-free-tool/download.html. You will be asked to provide an email address to download the software.

b. Launch the ManageEngine MibBrowswer program.

1) If you receive an error message regarding the failure to load MIBs. Navigate to the MibBrowser Free Tool folder:

32bit: C:\Program Files (x86)\ManageEngine\MibBrowser Free Tool
64bit: C:\Program Files\ManageEngine\MibBrowser Free Tool

2) Right-click the mibs folder and select the Security tab. Click Edit. Select Users. Click Full control.
Click OK to change the permission.

3) Repeat the previous step with the conf folder.

4) Launch the ManageEngine MibBrowswer program again.

Step 2: Configure a SNMPv2 agent.

On S1, enter the following commands from the global configuration mode to configure the switch as an SNMP agent. In line 1 below, the SNMP community string is ciscolab, with read-only privileges, and the named access list SNMP_ACL defines which hosts are allowed to get SNMP information from S1. In lines 2 and 3, the SNMP manager location and contact commands provide descriptive contact information. Line 4 specifies the IP address of the host that will receive SNMP notifications, the SNMP version, and the community string. Line 5 enables all default SNMP traps, and lines 6 and 7 create the named access list, to control which hosts are permitted to get SNMP information from the switch.

S1(config)# snmp-server community ciscolab ro SNMP_ACL
S1(config)# snmp-server location Company_HQ
S1(config)# snmp-server contact [email protected]
S1(config)# snmp-server host 192.168.1.3 version 2c ciscolab
S1(config)# snmp-server enable traps
S1(config)# ip access-list standard SNMP_ACL
S1(config-std-nacl)# permit 192.168.1.3

Step 3: Verify the SNMPv2 settings.

Use the show commands to verify the SNMPv2 settings.

S1# show snmp  
Chassis: FCQ1628Y5MG  
Contact: [email protected]  
Location: Company_HQ  
0 SNMP packets input  
    0 Bad SNMP version errors  
    0 Unknown community name  
    0 Illegal operation for community name supplied  
    0 Encoding errors  
    0 Number of requested variables  
    0 Number of altered variables  
    0 Get-request PDUs  
    0 Get-next PDUs  
    0 Set-request PDUs  
    0 Input queue packet drops (Maximum queue size 1000)  
0 SNMP packets output  
    0 Too big errors (Maximum packet size 1500)  
    0 No such name errors  
    0 Bad values errors  
    0 General errors  
    0 Response PDUs  
    0 Trap PDUs  
SNMP global trap: enabled  

SNMP logging: enabled  
    Logging to 192.168.1.3.162, 0/10, 0 sent, 0 dropped.  
SNMP agent enabled
S1# show snmp community    

Community name: ciscolab  
Community Index: ciscolab  
Community SecurityName: ciscolab  
storage-type: nonvolatile        active access-list: SNMP_ACL  
<output omitted>

What is the configured SNMP community?
_____________________________________________________
The configured SNMP community is ciscolab.

Step 4: Enable SNMP trap.

In this step, you will start the SNMP trap and observe the messages when you configure and enable SVI on VLAN 1 for S1.

a. In the MibBrowser, click Edit > Settings. Verify that v2c is selected as the SNMP Version. Click OK to continue.

b. Click Trap Viewer UI .

c. Verify 162 is the Port number and configure ciscolab as the Community.

d. Click Start after you have verified the settings. The TrapList field displays 162:ciscolab.

e. To generate SNMP messages, configure and enable SVI on S1. Use the IP address 192.168.1.2 /24 for VLAN 1 and disable and enable the interface.

f. Enter the show snmp command to verify the SNMP messages were sent.

S1# show snmp  
Chassis: FCQ1628Y5MG  
Contact: [email protected]  
Location: Company_HQ
0 SNMP packets input  
    0 Bad SNMP version errors  
    0 Unknown community name  
    0 Illegal operation for community name supplied  
    0 Encoding errors  
    0 Number of requested variables  
    0 Number of altered variables  
    0 Get-request PDUs  
    0 Get-next PDUs  
    0 Set-request PDUs  
    0 Input queue packet drops (Maximum queue size 1000)  
2 SNMP packets output  
    0 Too big errors (Maximum packet size 1500)  
    0 No such name errors  
    0 Bad values errors  
    0 General errors  
    0 Response PDUs  
    2 Trap PDUs  
SNMP global trap: enabled  
  
SNMP logging: enabled  
    Logging to 192.168.1.3.162, 0/10, 2 sent, 0 dropped.  
SNMP agent enabled   
SNMP agent enabled

g. Navigate to the TrapViewer. View the messages that have been trapped by MibBrowser. To see the details of each message, click Show Details.

Part 3: Configure SNMPv3 Manager and Agent

Step 1: Configure a SNMPv3 agent on R1.

On R1, enter the following commands from the global configuration mode to configure the router as an SNMP agent. In lines 1 – 3 below, a standard ACL named PERMIT-ADMIN permits only the hosts of the network 192.168.1.0 /24 to access the SNMP agent running on R1. Line 4 configures an SNMP view, SNMP-RO, and it includes the iso tree from the MIB. In line 5, an SNMP group is configured with the name ADMIN, is set to SNMPv3 with authentication and encryption required, and only allows access limit to hosts permitted in the PERMIT-ADMIN ACL. Line 5 defines a user named USER1 with the group ADMIN. Authentication is set to use SHA with the password cisco12345 and encryption is set for AES 128 with cisco54321 as the configured password.

R1(config)# ip access-list standard PERMIT-ADMIN
R1(config-std-nacl)# permit 192.168.1.0 0.0.0.255
R1(config-std-nacl)# exit
R1(config)# snmp-server view SNMP-RO iso included
R1(config)# snmp-server group ADMIN v3 priv read SNMP-RO access PERMIT-ADMIN
R1(config)# snmp-server user USER1 ADMIN v3 auth sha cisco12345 pri aes 128
cisco54321
R1(config)#
*Aug 5 02:52:50.715: Configuring snmpv3 USM user, persisting snmpEngineBoots.
Please Wait...

Step 2: Verify a SNMPv3 configuration on R1.

Use the show commands to verify the SNMPv3 settings.

R1# show run | include snmp
snmp-server group ADMIN v3 priv read SNMP-RO access PERMIT-ADMIN
snmp-server view SNMP-RO iso included

R1# show snmp user

User name: USER1
Engine ID: 800000090300D48CB5CEA0C0
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: ADMIN

Step 3: Configure SNMP manager access to the SNMPv3 agent.

a. Navigate to PC-A Open Wireshark. Start a live capture on the appropriate interface.

b. Enter snmp in the Filter field.

c. In the MibBrowser, click Edit > Settings. Select v3 for SNMP Version. Then click Add.

d. Enter the SNMPv3 settings that were configured on R1. Click OK to continue.

SNMPv3 Parameters Settings
Target Host 192.168.1.1
User Name USER1
Auth Protocol SHA
Priv Protocol CFB-AES-128
Target Port 161
Security Level Auth,Priv
Auth Password cisco12345
Priv Password cisco54321

e. Click Edit > Find Node. Enter ipAddrTable in the Find What field and click Close. Verify ipAddrTable is selected in the left panel and .iso.org.dod.internet.mgmt.mib-2.ip.ipAddrTable is listed in the ObjectID field.

f. Click Operation > GET to get all the objects under the select MIB object, ipAddrTable in this instance.

g. Navigate back to the Wireshark screen. Stop the live capture.

h. In the Results panel, right-click one of the results. Select Protocol Preferences > Simple Network Management Preferences.

i. Click Edit for the Users Table. Click New and enter user information in Step 1. Click OK.

j. Click OK to accept the user information. Click OK again to exit the Wireshark Preferences window.

k. Select one of the lines. Expand the SNMP result and view the decrypted messages.

Step 4: Review your results.

What are the IP addresses configured on R1 in the SNMPv3 results?
________________________________________________________
The IP addresses 192.168.1.1 and 192.168.2.1 are configured on R1.

Compare the Wireshark decrypted SNMP packets and MIB Browser results. Record your observations.
________________________________________________________
Both the decrypted Wireshark and MIB Browser OID information are the same.

Reflection

1. What are some of the potential benefits of monitoring a network with SNMP?
________________________________________________________
Answers will vary, but students may point to the ability of SNMP as an open and cross platform protocol to work with many different devices including host computers on the network. SNMP benefits a network administrator whose job it is to monitor the status and configuration of network hosts across the entire network.

2. Why is it preferable to solely use read-only access when working with SNMPv2?
________________________________________________________
Because SNMPv2 supports only unencrypted community strings, using read-write access would be a greater security risk.

3. What are the benefits of using SNMPv3 over SNMPv2?
________________________________________________________
SNMPv3 authenticates and encrypts packets over the network to provide secure access to devices. This addressed the vulnerabilities of earlier versions of SNMP.SNMPv3 provides three security features: message integrity and authentication, encryption and access control.

Router Interface Summary Table

Router Interface Summary
Router Model Ethernet Interface #1 Ethernet Interface #2 Serial Interface #1 Serial Interface #2
1800 Fast Ethernet 0/0 (F0/0) Fast Ethernet 0/1 (F0/1) Serial 0/0/0 (S0/0/0) Serial 0/0/1 (S0/0/1)
1900 Gigabit Ethernet 0/0 (G0/0) Gigabit Ethernet 0/1 (G0/1) Serial 0/0/0 (S0/0/0) Serial 0/0/1 (S0/0/1)
2801 Fast Ethernet 0/0 (F0/0) Fast Ethernet 0/1 (F0/1) Serial 0/1/0 (S0/1/0) Serial 0/1/1 (S0/1/1)
2811 Fast Ethernet 0/0 (F0/0) Fast Ethernet 0/1 (F0/1) Serial 0/0/0 (S0/0/0) Serial 0/0/1 (S0/0/1)
2900 Gigabit Ethernet 0/0 (G0/0) Gigabit Ethernet 0/1 (G0/1) Serial 0/0/0 (S0/0/0) Serial 0/0/1 (S0/0/1)
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device.
The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.

Device Configs

Router R1

R1# show run
Building configuration...

Current configuration : 5969 bytes
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$OrtP$2NNYnom443a8KZ9OHt1rs.
!
no aaa new-model
memory-size iomem 15
!
ip cef
!
no ipv6 cef
multilink bundle-name authenticated
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 192.168.2.1 255.255.255.252
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip access-list standard PERMIT-ADMIN
permit 192.168.1.0 0.0.0.255
!
!
!
snmp-server group ADMIN v3 priv read SNMP-RO access PERMIT-ADMIN
snmp-server view SNMP-RO iso included
!
control-plane
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end

Router R2

R2# show run
Building configuration...

Current configuration : 1251 bytes
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$QZ1F$RFH9AW.ayUS9fqOAjNpBD.
!
no aaa new-model
!
no ip domain lookup
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
ip address 192.168.2.2 255.255.255.252
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
!
line con 0
password cisco
logging synchronous
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password cisco
login
transport input all
!
scheduler allocate 20000 1000
!
end

Switch S1

S1#show run
Building configuration...

Current configuration : 4618 bytes
!
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname S1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$3v3u$anY1xkAH.LWanrI0LsGrc0
!
no aaa new-model
system mtu routing 1500
!
no ip domain-lookup
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
!
ip http server
ip http secure-server
!
ip access-list standard SNMP_ACL
permit 192.168.1.3
snmp-server community ciscolab RO SNMP_ACL
snmp-server location snmp_manager
snmp-server contact ciscolab_admin
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps transceiver all
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps cluster
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan noguest-vlan
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps power-ethernet police
snmp-server enable traps fru-ctrl
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps energywise
snmp-server enable traps ipsla
snmp-server enable traps vstack
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 192.168.1.3 version 2c ciscolab
!
line con 0
password cisco
logging synchronous
login
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
end

guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x