Simple Network Management Protocol and SYSLOG servers
SNMP is an application layer protocol that lets a manager and an agent exchange management information about a device.
The agent runs on the device you want to retrieve information from; it collects that information and writes it to a local database. The database the agent writes to is called the Management Information Base (MIB).
If the agent is set to RW, the management interface can be used to change the configuration of that router. The messages that poll information from the SNMP agent are termed ‘GET’ messages, and the messages that write variables to the agent are called ‘SET’ messages.
The most common SNMP setup stores the agent's information on a server for later viewing. This SNMP server is termed a Network Management Station (NMS).
An SNMP agent can also notify the NMS on its own using SNMP traps. For example, a trap can be configured to send a notification to the NMS software when an interface goes down. Common NMS products include SolarWinds and Cacti.
SNMP messages are considered unreliable because the NMS sends no acknowledgement that an SNMP message has been received. Later versions of SNMP (SNMP version 3) support an acknowledgement process, so those messages are called reliable.
An example SNMP query and its output:
snmpget -v2c -c public 10.10.1.1 1.3.6.1.4.1.9.2.1.58.0
SNMPv2-SMI::enterprises.9.2.1.58.0 = INTEGER: 11
The above breaks down as follows:
snmpget: the tool used to retrieve the SNMP value from 10.10.1.1.
-v2c: the version of SNMP used (version 2c). This version does not support acknowledgement of an SNMP message.
-c public: -c stands for community, and public is the default value of the SNMP community string.
10.10.1.1: the IP address of the polled station.
1.3.6.1.4.1.9.2.1.58.0: the object identifier (OID) of the MIB variable being read.
Versions 1 and 2 of SNMP lack a great deal of security: the community string is the only form of authentication.
Version 3 of SNMP introduces password-based authentication and also encryption.
Read Only (RO): allows read-only access to the MIB.
Read Write (RW): allows read and write access to the MIB.
Read-write access should seldom be used, because an NMS holding an RW community can actually change the configuration of the router. For instance, an SNMP community set to RW can be used to shut down an interface.
Access lists (ACLs) can be used to restrict which source addresses may use an SNMP community:
snmp-server community <community-string> EXAMPLE_ACL
Here <community-string> is the community itself and EXAMPLE_ACL is the name of a standard ACL listing the permitted NMS addresses.
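To make the two points above concrete (the community string is the only authentication in v1/v2c, and an RW community allows SET requests), here is an added example, not from these notes, that decodes the wire format of an SNMPv1/v2c message. The sample packet is constructed by hand from the snmpget example above (community "public", OID 1.3.6.1.4.1.9.2.1.58.0); the SetRequest variant is derived from it by changing only the PDU tag. The point for a defender is that a capture tool or IDS can read the community and PDU type straight out of the packet, which is exactly why default communities and RW access are dangerous.

```python
# Minimal BER decoder for SNMPv1/v2c messages (added example, not from the notes).
# Shows that the "authentication" in these versions is a cleartext community
# string, and that a SetRequest (write) is visible as a single tag byte.
from dataclasses import dataclass

# Constructed sample: SNMPv2c GetRequest, community "public",
# for OID 1.3.6.1.4.1.9.2.1.58.0 (the snmpget example above).
SAMPLE_GET = bytes.fromhex(
    "3028"                      # SEQUENCE, 40 bytes of content
    "020101"                    # INTEGER version = 1 (SNMPv2c)
    "0406" "7075626c6963"       # OCTET STRING "public"  <- cleartext community
    "a01b"                      # [0] GetRequest-PDU, 27 bytes
    "020101" "020100" "020100"  # request-id=1, error-status=0, error-index=0
    "3010" "300e"               # VarBindList, one VarBind
    "060a2b060104010902013a00"  # OID 1.3.6.1.4.1.9.2.1.58.0
    "0500"                      # NULL value (nothing to write in a GET)
)
# Same bytes with the PDU tag changed to [3] SetRequest (offset 13 is the tag byte).
SAMPLE_SET = SAMPLE_GET[:13] + b"\xa3" + SAMPLE_GET[14:]

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
DEFAULT_COMMUNITIES = {"public", "private"}


def read_tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_int(value):
    return int.from_bytes(value, "big", signed=True)


def decode_oid(value):
    """Decode a BER OBJECT IDENTIFIER value into dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]  # first byte packs the first two arcs
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)       # base-128 digits, high bit = more to come
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


@dataclass
class SnmpMessage:
    version: str
    community: str
    pdu_type: str
    oids: list


def decode_snmp(packet):
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE, so not an SNMP message")
    _, ver, pos = read_tlv(body, 0)
    version = decode_int(ver)
    if version == 3:
        # v3 carries msgGlobalData and security parameters instead of a
        # community string; this decoder covers v1/v2c only.
        raise ValueError("SNMPv3 message: no cleartext community to inspect")
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    pos = 0
    for _ in range(3):                      # skip request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        _, oid, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid))
    return SnmpMessage({0: "v1", 1: "v2c"}.get(version, str(version)),
                       community.decode("ascii", "replace"),
                       PDU_TYPES.get(pdu_tag, hex(pdu_tag)), oids)


def risk_findings(msg):
    """What a monitoring rule would flag about a decoded v1/v2c message."""
    findings = []
    if msg.version in ("v1", "v2c"):
        findings.append(f"community string sent in cleartext (SNMP {msg.version})")
    if msg.community in DEFAULT_COMMUNITIES:
        findings.append(f"default community string '{msg.community}'")
    if msg.pdu_type == "SetRequest":
        findings.append("SetRequest: write access to the agent's MIB")
    return findings


if __name__ == "__main__":
    for pkt in (SAMPLE_GET, SAMPLE_SET):
        m = decode_snmp(pkt)
        print(m, risk_findings(m))
```

Running the block decodes both constructed packets and lists the findings; the GET yields two (cleartext and default community) and the SET adds a third for the write. The decoder deliberately rejects SNMPv3 rather than guessing at its structure, since the v3 header layout differs and the interesting fields are authenticated or encrypted there.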
As mentioned briefly above, SNMP version 3 adds authentication, encryption and message integrity.
Authentication ensures that a packet comes from a known and trusted source.
Encryption ensures that the information cannot be read in transit between the SNMP agent and the NMS.
Message integrity ensures that the message has not been tampered with in transit.
You can choose to implement all or just some of the above features in SNMP version 3. The options to enable some, or all, of the features are listed below.
Key Concepts
NoAuthNoPriv uses authentication, but only with a username. There is no encryption at this level of access.
The keyword to configure this on the snmp-server command is ‘noauth’.
AuthNoPriv uses MD5 or SHA authentication but, once again, has no encryption.
The keyword to configure this on the snmp-server command is ‘auth’.
AuthPriv uses MD5 or SHA authentication and also supports DES or DES-56 encryption.
The keyword to configure this on the snmp-server command is ‘priv’.
Syslog servers can be built to store router/switch system logs. For example, if a router's GigabitEthernet 0/1 interface is flapping, the messages can fill the router's logging buffer quite quickly, and you will not be able to trace back to when the issue started occurring. A syslog server is a good way to keep these messages.
Common destinations for syslog messages are:
The logging buffer (RAM on the router/switch)
The console line
The terminal lines
A syslog server
System Message Severity Levels
0 Emergency – The system may be unusable
1 Alert – Immediate action may be required
2 Critical – A critical event took place
3 Error – The router experienced an error
4 Warning – A condition might warrant attention
5 Notification – A normal but significant condition occurred
6 Informational – A normal event occurred
7 Debugging – Output generated as a result of the debug command
Levels 0 – 4 are events that could seriously affect the device, whereas levels 5 – 7 are less important messages.
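As an added example (not from these notes), the following parser takes syslog lines as a router would send them to a syslog server, reads the severity from the `<PRI>` prefix and from the IOS `%FACILITY-SEVERITY-MNEMONIC` header, and applies the split above (levels 0 to 4 are the ones that can seriously affect the device). It also counts link-down events per interface, which is how you would find the start of the flapping described above once the messages live on a server instead of a finite buffer. The sample lines are constructed for the example; the PRI values assume the IOS default facility local7 (23), so PRI = 23 * 8 + severity.

```python
# Syslog severity parsing and link-flap counting (added example, not from the notes).
import re
from collections import Counter

SEVERITY_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                  4: "Warning", 5: "Notification", 6: "Informational", 7: "Debugging"}

PRI_RE = re.compile(r"^<(\d{1,3})>")                          # RFC 3164 <PRI> prefix
IOS_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):\s*(.*)$")  # %FAC-SEV-MNEMONIC: text
IFACE_RE = re.compile(r"Interface (\S+),")

# Constructed sample lines, as a router logging to facility local7 would send them.
SAMPLE_LINES = [
    "<189>Jun 10 12:00:00 R1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.1.5)",
    "<187>Jun 10 12:00:05 R1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<189>Jun 10 12:00:05 R1 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "<187>Jun 10 12:00:06 R1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "<187>Jun 10 12:00:09 R1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<190>Jun 10 12:00:10 R1 %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.10.1.200 port 514 started - CLI initiated",
    "<188>Jun 10 12:00:12 R1 %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet0/2 (not half duplex), with SW1 GigabitEthernet1/0/3 (half duplex).",
]


def parse_syslog_line(line):
    """Return a dict describing one syslog line, or None if it has no <PRI>."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    entry = {"facility": pri // 8, "severity": pri % 8}   # PRI = facility * 8 + severity
    entry["severity_name"] = SEVERITY_NAMES[entry["severity"]]
    ios = IOS_RE.search(line)
    if ios:
        # IOS repeats the severity in the message header, e.g. LINK-3-UPDOWN is level 3.
        entry["ios_facility"] = ios.group(1)
        entry["ios_severity"] = int(ios.group(2))
        entry["mnemonic"] = ios.group(3)
        entry["text"] = ios.group(4)
    else:
        entry["text"] = line[m.end():].strip()
    return entry


def serious_events(lines):
    """Levels 0-4: events that could seriously affect the device."""
    return [e for e in map(parse_syslog_line, lines) if e and e["severity"] <= 4]


def link_down_counts(lines):
    """Count LINK-3-UPDOWN 'changed state to down' messages per interface."""
    counts = Counter()
    for e in map(parse_syslog_line, lines):
        if (e and e.get("ios_facility") == "LINK" and e.get("mnemonic") == "UPDOWN"
                and "changed state to down" in e["text"]):
            m = IFACE_RE.search(e["text"])
            if m:
                counts[m.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    for e in serious_events(SAMPLE_LINES):
        print(e["severity"], e["severity_name"], e["text"])
    print(link_down_counts(SAMPLE_LINES))
```

Only the LINK facility is counted for flaps; the LINEPROTO line that follows each LINK change would otherwise double-count the same event.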
NetFlow
NetFlow has a specific job: to provide, as efficiently as possible, statistics on IP packets flowing through network devices.
Companies use NetFlow for some of the following purposes:
– General network traffic accounting.
– Usage-based network billing for consumers of network services.
– Network design, including redesigns to include new network devices and applications to meet the needs of growing infrastructures.
– General network security design.
– Denial of Service (DoS) detection and prevention.
– Ongoing network monitoring.
Network Flows
NetFlow breaks down TCP/IP communication for statistical recording by using a concept called a ‘flow’.
A flow is a unidirectional stream of packets between a specific source system and a specific destination.
Key Concept: the source and destination are defined by their network layer IP addresses and their transport layer source and destination port numbers.
Below are the fields commonly used to identify a flow in NetFlow:
– Source IP address
– Destination IP address
– Source port address
– Destination port address
– Layer 3 protocol
– Type of service (TOS) marking (QOS)
– Input logical interface
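The following added example (not from these notes) aggregates packet records into flows keyed by exactly the seven fields listed above and keeps a packet and byte count per flow, which is the core of what a NetFlow cache does. Because a flow is unidirectional, the request and reply of a single SNMP exchange land in two different flows. The second function shows one of the uses listed earlier, DoS detection: it counts distinct source addresses per destination address and port, a number that jumps sharply under a flood. All packet records are constructed for the example.

```python
# NetFlow-style flow aggregation (added example, not from the notes).
from collections import namedtuple, defaultdict

# The seven key fields from the list above identify a unidirectional flow.
FlowKey = namedtuple("FlowKey", "src_ip dst_ip src_port dst_port protocol tos in_iface")

# Constructed packet records:
# (src_ip, dst_ip, src_port, dst_port, protocol, tos, input interface, bytes)
PACKETS = [
    ("10.10.1.5", "10.10.1.1", 51000, 161, "udp", 0, "Gi0/1", 90),   # snmpget request
    ("10.10.1.1", "10.10.1.5", 161, 51000, "udp", 0, "Gi0/0", 110),  # reply: reverse direction, own flow
    ("10.10.1.5", "10.10.1.1", 51000, 161, "udp", 0, "Gi0/1", 90),   # second request, same flow as the first
    ("192.0.2.10", "10.10.1.1", 40001, 80, "tcp", 0, "Gi0/2", 60),
    ("192.0.2.11", "10.10.1.1", 40002, 80, "tcp", 0, "Gi0/2", 60),
    ("192.0.2.12", "10.10.1.1", 40003, 80, "tcp", 0, "Gi0/2", 60),
]


def build_flows(packets):
    """Group packets into flows; each flow keeps a packet and byte count."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for *key_fields, size in packets:
        key = FlowKey(*key_fields)
        flows[key]["packets"] += 1
        flows[key]["bytes"] += size
    return dict(flows)


def sources_per_destination(flows):
    """Distinct source IPs per (dst_ip, dst_port); a sudden rise in this number
    is one signal NetFlow-based DoS detection looks at."""
    seen = defaultdict(set)
    for key in flows:
        seen[(key.dst_ip, key.dst_port)].add(key.src_ip)
    return {dst: len(srcs) for dst, srcs in seen.items()}


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    for key, stats in flows.items():
        print(f"{key.src_ip}:{key.src_port} -> {key.dst_ip}:{key.dst_port} "
              f"{key.protocol} in {key.in_iface}: {stats['packets']} pkts, {stats['bytes']} bytes")
    print(sources_per_destination(flows))
```

Running it prints five flows from the six packets: the two SNMP requests collapse into one flow, the reply is a separate flow in the other direction, and the three web clients are three flows that together count as three distinct sources for 10.10.1.1:80.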
Configuring NetFlow
1. Configure the capture of data about flows, using the ip flow ingress or ip flow egress interface subcommand.
2. Configure the details of the server to which NetFlow should send the data, using the ip flow-export global commands.
For example:
1. ip flow-export destination <address> <port>
2. ip flow-export version <version>
3. ip flow-export source <type> <number>
show ip cache flow details the collected NetFlow data on the router.
To confirm the export parameters, use the show ip flow export command.