Tuesday 7 July 2020

SNMPv2c and SNMPv3 Polling and Traps Configuration in Cisco (IOS-XR)



SNMPv2c
community: snmpcomm123
management IP address: 192.168.10.100
SNMP Polling Server: 192.168.20.199
SNMP Trap Server: 192.168.20.200

SNMPv2c Polling Configuration:

ipv4 access-list SNMP-ALLOW
 10 permit ipv4 host 192.168.20.199 any

snmp-server contact DC-ADMIN
snmp-server location Datacentre
snmp-server trap-source Loopback0
snmp-server community snmpcomm123 RO SystemOwner IPv4 SNMP-ALLOW

The community string is the only credential in SNMPv2c and it crosses the network in cleartext, so keep the community RO and bound to the SNMP-ALLOW access-list as above: the access-list is what stops any other host from using a sniffed or guessed community. Prefer SNMPv3 (below) wherever the pollers support it.


SNMPv2c Traps Configuration:
configure
snmp-server traps
snmp-server host 192.168.20.200 traps version 2c snmpcomm123

Without the version keyword IOS-XR sends SNMPv1 notifications to the host, so state version 2c explicitly. snmp-server traps enables every trap group; narrow it (e.g. snmp-server traps snmp linkdown) if the collector only needs a subset.

Verify (from the polling server; the same walk run from a host outside SNMP-ALLOW must time out):

/usr/bin/snmpwalk -M /usr/local/snmp/mibs -v2c -c snmpcomm123 192.168.10.100:161 sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS XR Software (Cisco ASR9K Series),  Version 6.2.3[Default]
Copyright (c) 2018 by Cisco Systems, Inc.


SNMPv3
user: SNMPUSER (IOS-XR user names are case-sensitive; use the same spelling everywhere)
Security Level: authPriv with SHA authentication and AES 128-bit privacy
management IP address: 192.168.10.100
AuthPass: authpass123!
PrivPass: privpass123!
View Name: ALLVIEW
Group Name: SNMPGROUP
SNMP Polling Server: 192.168.20.199
SNMP Trap Server: 192.168.20.200

SNMPv3 Polling Configuration:

ipv4 access-list SNMP-ALLOW
 10 permit ipv4 host 192.168.20.199 any

snmp-server view ALLVIEW 1.3 included
snmp-server group SNMPGROUP v3 priv read ALLVIEW notify ALLVIEW IPv4 SNMP-ALLOW
snmp-server user SNMPUSER SNMPGROUP v3 auth sha clear authpass123! priv aes 128 clear privpass123! IPv4 SNMP-ALLOW

IOS-XR expects clear (or encrypted) in front of each password; the running configuration shows them in encrypted form afterwards. ALLVIEW covers the whole 1.3 subtree, which is acceptable here only because the group has a read view and no write view, so SNMPUSER stays read-only. The access-list on both the group and the user limits who may even attempt authentication.

SNMPv3 Traps Configuration:
snmp-server host 192.168.20.200 traps version 3 priv SNMPUSER

SNMPv3 traps are authenticated under the router's own engineID, so the trap server needs SNMPUSER defined together with that engineID (show snmp engineid on the router) before it can verify them; only informs use the receiver's engineID.
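
To make the difference between the SNMPv2c and SNMPv3 configurations above checkable, here is an added Python audit script (my own example, not code from the post or from Cisco) that reads IOS-XR snmp-server lines and flags the settings a reviewer would reject: well-known or RW communities, communities without a source access-list, v3 groups and users below authPriv, MD5 or DES, and notification hosts that default to SNMPv1. The two configuration samples inside it are constructed; the weak one is invented and the hardened one is the SNMPv3 configuration from this post.

```python
"""Audit Cisco IOS-XR snmp-server lines for weak settings (added example)."""
import re
from typing import List

# Community strings that every scanner tries first.
WELL_KNOWN_COMMUNITIES = {"public", "private", "cisco"}

# Constructed samples: an invented weak configuration and the hardened
# SNMPv3-only configuration from the post.
WEAK_CONFIG = """\
snmp-server community public RW SystemOwner
snmp-server host 192.168.20.200 traps public
snmp-server group LEGACY v3 noauth read ALLVIEW
snmp-server user legacy LEGACY v3 auth md5 clear authpass priv des56 clear privpass
"""

HARDENED_CONFIG = """\
ipv4 access-list SNMP-ALLOW
 10 permit ipv4 host 192.168.20.199 any
snmp-server view ALLVIEW 1.3 included
snmp-server group SNMPGROUP v3 priv read ALLVIEW notify ALLVIEW IPv4 SNMP-ALLOW
snmp-server user SNMPUSER SNMPGROUP v3 auth sha clear authpass123! priv aes 128 clear privpass123! IPv4 SNMP-ALLOW
snmp-server host 192.168.20.200 traps version 3 priv SNMPUSER
"""


def audit_snmp_config(config: str) -> List[str]:
    """Return one finding per weak snmp-server setting; [] means nothing was flagged."""
    findings: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("snmp-server "):
            continue
        tokens = line.split()
        kind = tokens[1]

        if kind == "community":
            # v1/v2c: the string is the only secret and travels in cleartext, so it
            # must at least be RO, non-guessable and bound to a source access-list.
            name, opts = tokens[2], tokens[3:]
            if name.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append(f"community {name}: well-known community string")
            if "RW" in opts:
                findings.append(f"community {name}: RW access allows SNMP SET")
            if "IPv4" not in opts and "IPv6" not in opts:
                findings.append(f"community {name}: no source access-list")

        elif kind == "group":
            name, version = tokens[2], tokens[3]
            if version != "v3":
                findings.append(f"group {name}: {version} has no authentication")
            elif tokens[4] != "priv":
                findings.append(f"group {name}: v3 {tokens[4]} (expected priv)")

        elif kind == "user":
            name, version = tokens[2], tokens[4]
            if version != "v3":
                findings.append(f"user {name}: {version} has no authentication")
                continue
            auth = re.search(r"\bauth (md5|sha)\b", line)
            priv = re.search(r"\bpriv (des56|3des|aes (?:128|192|256))\b", line)
            if auth is None:
                findings.append(f"user {name}: noAuthNoPriv")
            elif auth.group(1) == "md5":
                findings.append(f"user {name}: MD5 authentication (use sha)")
            if priv is None:
                findings.append(f"user {name}: no privacy, polled data is readable on the wire")
            elif not priv.group(1).startswith("aes"):
                findings.append(f"user {name}: {priv.group(1)} privacy (use aes)")

        elif kind == "host":
            host = tokens[2]
            if "version" not in tokens:
                # IOS-XR sends SNMPv1 notifications when no version keyword is given.
                findings.append(f"host {host}: no version keyword, defaults to SNMPv1")
                continue
            v = tokens[tokens.index("version") + 1]
            if v != "3":
                findings.append(f"host {host}: version {v} notifications are cleartext")
            elif tokens[tokens.index("version") + 2] != "priv":
                findings.append(f"host {host}: v3 notifications sent below priv")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_snmp_config(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Feed it the output of show running-config | include snmp-server (and the access-list definitions, if you extend the checks to verify that the referenced ACL exists). The weak sample produces seven findings; the post's SNMPv3 configuration produces none.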


Additional Tip (manually trigger SNMP traps from exec mode to test the trap path end to end):
#snmp test trap interface link-down
#snmp test trap interface link-up


Here's the Juniper version for SNMPv2c and SNMPv3 configuration --> SNMP Configuration in Juniper

Thursday 2 July 2020

Control Plane Policing (CoPP) Configuration in Cisco IOS

As per the definition on the Cisco website:
Control Plane Policing (CoPP) is a Cisco IOS-wide feature designed to allow users to manage the flow of traffic handled by the route processor of their network devices. CoPP is designed to prevent unnecessary traffic from overwhelming the route processor that, if left unabated, could affect system performance.

Here's a sample configuration in applying CoPP.


Step 1: Create the necessary ACLs
a. Important services, e.g. NTP, SSH, SNMP

ip access-list extended SSH-ACL
 permit tcp host 192.168.10.10 any eq 22
 permit tcp host 192.168.20.20 any eq 22
 deny   tcp any any eq 22

A deny entry in a CoPP ACL drops nothing: a packet that hits it simply does not match this class and is evaluated against the remaining classes (here SSH from any other host ends up in CoPP-ALL and is transmitted). Management access itself still has to be restricted on the VTY lines (ip access-class) or with an interface ACL; CoPP only rate-limits what reaches the route processor.

ip access-list standard SNMP-ACL
 permit 192.168.30.30
 permit 192.168.40.40

ip access-list standard NTP-ACL
 permit 172.16.18.2
 permit 172.16.18.3

A standard ACL matches on source address only, so every packet from these hosts lands in this class whatever the protocol. Use an extended ACL (udp ... eq snmp, udp ... eq ntp) if the class should be limited to those services.

b. ICMP
ip access-list extended ICMP-ACL
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable

c. IGP (OSPF) and BGP peering, with one BGP entry per direction of the TCP session
ip access-list extended IGP-ACL
 permit ospf any any
 permit tcp 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255 eq bgp
 permit tcp 192.168.3.0 0.0.0.255 eq bgp 192.168.3.0 0.0.0.255

d. Harmful or unwanted traffic (non-initial fragments, NetBIOS/SMB, MS-SQL monitor on UDP 1434)
ip access-list extended HARMFUL-ACL
 permit tcp any any fragments
 permit udp any any fragments
 permit icmp any any fragments
 permit ip any any fragments
 permit udp any any range netbios-ns netbios-ss
 permit tcp any any eq 445
 permit udp any any eq 445
 permit udp any any eq 1434
 permit tcp any any range 137 139

e. All traffic
ip access-list extended ALL-ACL
 permit pim any any
 permit igmp any any
 permit icmp any any
 permit gre any any
 permit tcp any any
 permit udp any any
 permit ip any any


Step 2: Configure Class Maps
class-map match-any CoPP-SSH-SNMP-NTP
 match access-group name SSH-ACL
 match access-group name SNMP-ACL
 match access-group name NTP-ACL

class-map match-all CoPP-ICMP
 match access-group name ICMP-ACL

class-map match-all CoPP-IGP
 match access-group name IGP-ACL

class-map match-all CoPP-HARMFUL
 match access-group name HARMFUL-ACL

class-map match-all CoPP-ALL
 match access-group name ALL-ACL


Step 3: Configure the Policy Map (conform-action and exceed-action can each be transmit or drop)
 police <bps> [<normal-burst-bytes> [<max-burst-bytes>]] conform-action {transmit|drop} exceed-action {transmit|drop}
 police cir <bps> [bc <conform-burst-bytes>] [be <excess-burst-bytes>] conform-action {transmit|drop} exceed-action {transmit|drop}

Assumption: burst sizes set to 5% of the rate (e.g. 200000 bps gives bc 10000 and be 10000 bytes)

policy-map CoPP
 class CoPP-SSH-SNMP-NTP
  police 200000 10000 10000 conform-action transmit exceed-action transmit
 class CoPP-ICMP
  police 200000 10000 10000 conform-action transmit exceed-action transmit
 class CoPP-IGP
  police 500000 25000 25000 conform-action transmit exceed-action transmit
 class CoPP-HARMFUL
  police cir 40000 bc 2000 be 2000 conform-action transmit exceed-action drop
 class CoPP-ALL
  police 300000 15000 15000 conform-action transmit exceed-action transmit

With exceed-action transmit a class is only measured, not limited, so in this policy only CoPP-HARMFUL ever drops. That is a sensible starting point for baselining (watch the conformed and exceeded counters in show policy-map control-plane), but once real traffic levels are known the other classes, CoPP-ALL in particular, should move to exceed-action drop. The policy has no effect until it is attached with service-policy input CoPP under control-plane.
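
To check where a given packet actually lands under this policy before committing it to a router, here is an added Python simulation (my own example, not from the post and not Cisco code) of MQC classification over the ACLs, class-maps and policy-map above. It matches on protocol, source and destination address (with Cisco wildcard masks) and destination port only, so the ICMP type entries, the fragments entries and the BGP source-port entry are simplified; the sample packets are constructed. It demonstrates the two points that trip people up: the deny in SSH-ACL drops nothing (SSH from an unknown host falls through to CoPP-ALL), and the standard SNMP-ACL and NTP-ACL classify every packet from those hosts, not just SNMP and NTP.

```python
"""Which CoPP class does a control-plane packet land in? (added simulation)

Models MQC classification the way the router does it: the first matching ACE
decides the ACL result, a deny (or the implicit deny at the end) only means
"no match for this class", and the first class in policy-map order that
matches wins. Simplification: protocol, addresses and destination port only.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    proto: str                      # "tcp", "udp", "icmp", "ospf"
    src: str
    dst: str
    dport: Optional[int] = None


class Ace(NamedTuple):
    action: str                     # "permit" or "deny"
    proto: str                      # protocol name, or "ip" for any protocol
    src: str                        # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
    dst: str = "any"
    ports: Optional[range] = None   # destination port range, None = any port


def addr_match(spec: str, addr: str) -> bool:
    """Evaluate a Cisco address spec ("any", "host x", "net wildcard") against addr."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == addr
    net, wildcard = spec.split()
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & mask == int(ipaddress.IPv4Address(net)) & mask


def acl_lookup(acl: List[Ace], pkt: Packet) -> str:
    """First matching ACE decides; every ACL ends in an implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (addr_match(ace.src, pkt.src) and addr_match(ace.dst, pkt.dst)):
            continue
        if ace.ports is not None and pkt.dport not in ace.ports:
            continue
        return ace.action
    return "deny"


# The ACLs from Step 1 (standard ACLs are source-only, hence proto "ip").
ACLS: Dict[str, List[Ace]] = {
    "SSH-ACL": [Ace("permit", "tcp", "host 192.168.10.10", ports=range(22, 23)),
                Ace("permit", "tcp", "host 192.168.20.20", ports=range(22, 23)),
                Ace("deny", "tcp", "any", ports=range(22, 23))],
    "SNMP-ACL": [Ace("permit", "ip", "host 192.168.30.30"), Ace("permit", "ip", "host 192.168.40.40")],
    "NTP-ACL": [Ace("permit", "ip", "host 172.16.18.2"), Ace("permit", "ip", "host 172.16.18.3")],
    "ICMP-ACL": [Ace("permit", "icmp", "any")],
    "IGP-ACL": [Ace("permit", "ospf", "any"),
                Ace("permit", "tcp", "192.168.3.0 0.0.0.255", "192.168.3.0 0.0.0.255", range(179, 180))],
    "HARMFUL-ACL": [Ace("permit", "tcp", "any", ports=range(445, 446)),
                    Ace("permit", "udp", "any", ports=range(445, 446)),
                    Ace("permit", "udp", "any", ports=range(1434, 1435)),
                    Ace("permit", "tcp", "any", ports=range(137, 140))],
    "ALL-ACL": [Ace("permit", "ip", "any")],
}

# policy-map CoPP in order: (class, match type, ACLs, exceed-action from Step 3).
POLICY = [
    ("CoPP-SSH-SNMP-NTP", "match-any", ["SSH-ACL", "SNMP-ACL", "NTP-ACL"], "transmit"),
    ("CoPP-ICMP", "match-all", ["ICMP-ACL"], "transmit"),
    ("CoPP-IGP", "match-all", ["IGP-ACL"], "transmit"),
    ("CoPP-HARMFUL", "match-all", ["HARMFUL-ACL"], "drop"),
    ("CoPP-ALL", "match-all", ["ALL-ACL"], "transmit"),
]


def classify(pkt: Packet) -> Tuple[str, str]:
    """Return (class name, exceed-action) of the first class the packet matches."""
    for name, mode, acls, exceed in POLICY:
        hits = [acl_lookup(ACLS[a], pkt) == "permit" for a in acls]
        if any(hits) if mode == "match-any" else all(hits):
            return name, exceed
    return "class-default", "transmit"


if __name__ == "__main__":
    samples = [  # constructed packets addressed to the router itself
        Packet("tcp", "192.168.10.10", "192.168.1.1", 22),   # permitted SSH host
        Packet("tcp", "10.0.0.5", "192.168.1.1", 22),        # SSH from elsewhere
        Packet("tcp", "192.168.30.30", "192.168.1.1", 23),   # telnet from the SNMP poller
        Packet("tcp", "10.0.0.5", "192.168.1.1", 445),       # SMB probe
        Packet("tcp", "10.9.9.9", "192.168.3.1", 179),       # BGP from outside the peering subnet
    ]
    for p in samples:
        print(f"{p.proto} {p.src} -> {p.dst}:{p.dport}  =>  {classify(p)}")
```

The unknown-host SSH packet and the stray BGP SYN both classify as CoPP-ALL with exceed-action transmit, i.e. they are never dropped by this policy; only the SMB probe lands in a class that drops above its rate. The policy still has to be attached on the box with service-policy input CoPP under control-plane, after which show policy-map control-plane gives the per-class counters to compare against the simulation.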


For CoPP best practices, refer to Cisco CoPP Best Practices.