17.1. 配置SNMP
提問 在路由器上啟用基本的SNMP服務(wù)
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server community ORARO ro
Router(config)#snmp-server community ORARW rw
Router(config)#end
Router#
從12.0以后啟用了另一種配置方式
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server group COOKRO v1
Router(config)#snmp-server user TESTRO1 COOKRO v1
Router(config)#snmp-server group BOOKRO v2c
Router(config)#snmp-server user TESTRO2 BOOKRO v2c
Router(config)#end
注釋 注重的是這里啟用的僅僅是簡單SNMP服務(wù),只會(huì)響應(yīng)SNMP的GET和SET請求,不會(huì)發(fā)送SNMP traps informs.由于SNMP V1和V2c都是明文傳輸community值所以需要后續(xù)的一些安全限制。show snmp group可以用來驗(yàn)證
17.2. 通過SNMP工具獲得路由器信息
注釋 可以使用snmpget, snmpwalk,snmpset命令直接對MIB進(jìn)行查詢,建議使用Solarwinds等圖形化工具,暫略。
思科MIBs信息:http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.sHtml.
17.3. 為SNMP訪問配置一些路由器重要信息
提問 為SNMP訪問提供類似路由器位置,序列號等重要信息
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server contact Ian Brown 416-555-2943
Router(config)#snmp-server location 999 Queen St. W., Toronto, Ont.
Router(config)#snmp-server chassis-id JAX123456789
Router(config)#end
Router#
注釋 無
<!--[if !supportLists]-->17.4. <!--[endif]-->使用SNMP獲得批量路由設(shè)備信息
注釋 使用perl腳本來進(jìn)行批量化操作,暫略
17.5. 使用控制列表來限制SNMP訪問
提問 使用控制列表的方式來提高SNMP訪問的安全性
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 permit host 10.1.1.1
Router(config)#access-list 99 deny any
Router(config)#snmp-server community ORARO ro 99
Router(config)#access-list 98 permit 172.25.1.0 0.0.0.255
Router(config)#snmp-server community ORARW rw 98
Router(config)#end
Router#
SNMP Group的方法
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 permit host 10.1.1.1
Router(config)#access-list 99 deny any
Router(config)#snmp-server group COOKRO v1 access 99
Router(config)#snmp-server user TESTRO1 COOKRO v1
Router(config)#end
Router#
從12.3(2)T以后支持命名控制列表
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list standard SNMPACL
Router2(config-std-nacl)#permit 172.25.1.0 0.0.0.255
Router2(config-std-nacl)#permit host 10.1.1.1
Router2(config-std-nacl)#deny any
Router2(config-std-nacl)#snmp-server community ORARO1 ro SNMPACL
Router2(config)#end
Router2#
注釋 無
17.6. 記錄非授權(quán)的SNMP嘗試
提問 對非授權(quán)的SNMP嘗試進(jìn)行日志記錄
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 permit host 10.1.1.1
Router(config)#access-list 99 deny any log
Router(config)#snmp-server community ORARO ro 99
Router(config)#snmp-server community ORARW rw 99
Router(config)#end
Router#
注釋
Router#show access-list 99
Standard IP access list 99
permit 10.1.1.1 (1293 matches)
permit 172.25.1.0, wildcard bits 0.0.0.255 (630 matches)
deny any log (17 matches)
Router#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: disabled
Monitor logging: level debugging, 26 messages logged
Logging to: vty2(0)
Buffer logging: level debugging, 49 messages logged
Trap logging: level informational, 53 message lines logged
Logging to 172.25.1.1, 53 message lines logged
Logging to 172.25.1.3, 53 message lines logged
Log Buffer (4096 bytes):
APR 15 22:33:21: %SEC-6-IPACCESSLOGS: list 99 denied 192.168.22.13 1 packet
Apr 15 22:39:18: %SEC-6-IPACCESSLOGS: list 99 denied 10.121.212.11 3 packets
Router#
17.7. 限制MIB訪問
提問 限制特定的MIB可以被SNMP來訪問
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 deny any log
Router(config)#snmp-server view ORAVIEW mib-2 included
Router(config)#snmp-server view ORAVIEW at excluded
Router(config)#snmp-server view ORAVIEW cisco included
Router(config)#snmp-server community ORARO view ORAVIEW ro 99
Router(config)#snmp-server view RESTRICTED lsystem.55 included
Router(config)#snmp-server community ORARW view RESTRICTED rw 99
Router(config)#end
Router#
SNMP Group方式
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server view ORAVIEW mib-2 included
Router(config)#snmp-server view ORAVIEW at excluded
Router(config)#snmp-server view ORAVIEW cisco included
Router(config)#snmp-server group TEST v1 read ORAVIEW
Router(config)#snmp-server user ORARO TEST v1
Router(config)#snmp-server view RESTRICTED lsystem.55 included
Router(config)#snmp-server group TEST2 v1 write RESTRICTED
Router(config)#snmp-server user ORARW TEST2 v1
Router(config)#end
Router#
注釋
Router#show snmp view
ORAVIEW mib-2 - included nonvolatile active
ORAVIEW at - excluded nonvolatile active
ORAVIEW cisco - included nonvolatile active
v1default internet - included volatile active
v1default internet.6.3.15 - excluded volatile active
v1default internet.6.3.16 - excluded volatile active
v1default internet.6.3.18 - excluded volatile active
RESTRICTED cisco - included nonvolatile active
RESTRICTED lsystem.55 - included nonvolatile active
Router#
17.8. 使用SNMP來修改路由器當(dāng)前配置
提問 使用SNMP來下載或者上傳路由器配置文件
回答
以安裝了NETSNMP的Freebsd為例
首先路由器啟用SNMP
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server community ORARW rw
Router(config)#end
下載配置
Freebsd% toUCh /tFTPboot/router.cfg
Freebsd% chmod 666 /tftpboot/router.cfg
Freebsd% snmpset v1 -c ORARW Router .1.3.6.1.4.1.9.2.1.55.172.25.1.1 s router.cfg
enterprises.9.2.1.55.172.25.1.1 = "router.cfg"
Freebsd%
修改配置后上傳保存
Freebsd% echo "no ip source-route" > /tftpboot/new.cfg
Freebsd% echo "end" >> /tftpboot/new.cfg
Freebsd% chmod 666 /tftpboot/new.cfg
Freebsd% snmpset v1 -c ORARW Router .1.3.6.1.4.1.9.2.1.53.172.25.1.1 s new.cfg
enterprises.9.2.1.53.172.25.1.1 = "new.cfg"
Freebsd% snmpset v1 -c ORARW Router .1.3.6.1.4.1.9.2.1.54.0 i 1
enterprises.9.2.1.54.0 = 1
Freebsd%
注釋 .1.3.6.1.4.1.9.2.1.55是思科MIB中發(fā)送當(dāng)前配置文件的OID值,172.25.1.1是TFTP服務(wù)器地址。在修改配置文件時(shí)候注重最后要加上end命令,注重這時(shí)的OID是.1.3.6.1.4.1.9.2.1.53。最后一個(gè)snmpset命令是對上傳配置進(jìn)行保存。當(dāng)然上述操作都可以使用Solarwinds軟件實(shí)現(xiàn)
17.9. 使用SNMP來升級IOS
提問 通過SNMP來遠(yuǎn)端升級路由器IOS
回答
首先路由器配置
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server community ORARW rw
Router(config)#end
下載當(dāng)前的IOS
Freebsd% touch /tftpboot/c2600-jk9o3s-mz.122-7a.bin
Freebsd% chmod 666 /tftpboot/c2600-jk9o3s-mz.122-7a.bin
Freebsd% snmpset v1 -c ORARW Router .1.3.6.1.4.1.9.2.10.9.172.25.1.1 s c2600-jk9o3s-mz.122-7a.bin
enterprises.9.2.10.9.172.25.1.1 = "c2600-jk9o3s-mz.122-7a.bin"
Freebsd%
升級IOS
Freebsd% chmod 666 /tftpboot/c2600-jk9o3s-mz.122-7a.bin
Freebsd% snmpset v1 -c ORARW Router .1.3.6.1.4.1.9.2.10.6.0 i 1
enterprises.9.2.10.6.0 = 1
Freebsd% snmpset v1 -c ORARW Router.1.3.6.1.4.1.9.2.10.12.172.25.1.1 s c2600-jk9o3s-mz.122-7a.bin
enterprises.9.2.10.12.172.25.1.1 = "c2600-jk9o3s-mz.122-7a.bin"
Freebsd%
注釋 例子中的Router是路由器的機(jī)器名也可以使用IP地址,.1.3.6.1.4.1.9.2.10.9.是相應(yīng)的OID。在對IOS升級的時(shí)候第一步做的是清除Flash,第二步才是上傳IOS。這種可以使用腳本來實(shí)現(xiàn)IOS的集中治理。
17.10. 使用SNMP來進(jìn)行批量的配置修改
注釋 使用perl腳本來進(jìn)行批量化操作,暫略
17.11. 避免非授權(quán)的配置修改
提問 只答應(yīng)特定的設(shè)備來通過SNMP和TFTP來發(fā)送和接收配置信息
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 92 permit 172.25.1.1
Router(config)#access-list 92 deny any log
Router(config)#snmp-server tftp-server-list 92
Router(config)#snmp-server community ORARW rw
Router(config)#end
Router#
從12.3(2)T開始支持命名控制列表
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list standard TFTPACL
Router2(config-std-nacl)#permit 172.25.1.1
Router2(config-std-nacl)#deny any log
Router2(config-std-nacl)#exit
Router2(config)#snmp-server tftp-server-list TFTPACL
Router2(config)#snmp-server community ORARW rw
Router2(config)#end
Router2#
注釋 要注重的是這里限制的僅僅是通過SNMP發(fā)起的TFTP會(huì)話,對其他的文件傳輸不受影響。另外這里的控制列表是全局性的,不能針對特定的community值
17.12. 保持接口表名的永久性
提問 即使重啟也能保證SNMP使用相同的接口名
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server ifindex persist
Router(config)#end
Router#
也可以對單獨(dú)接口:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface Serial0/0
Router(config-if)#snmp ifindex persist
Router(config-if)#exit
Router(config)#end
Router#
注釋 很多工程師不知道內(nèi)部SNMP接口號是會(huì)變的,這樣在進(jìn)行查詢的時(shí)候會(huì)出錯(cuò),比如下面的例子,F(xiàn)astEthernet1/0的ifindex是5
Freebsd% snmpwalk v1 -c ORARO Router ifDescr
interfaces.ifTable.ifEntry.ifDescr.1 = "BRI0/0"
interfaces.ifTable.ifEntry.ifDescr.2 = "Ethernet0/0"
interfaces.ifTable.ifEntry.ifDescr.3 = "BRI0/0:1"
interfaces.ifTable.ifEntry.ifDescr.4 = "BRI0/0:2"
interfaces.ifTable.ifEntry.ifDescr.5 = "FastEthernet1/0"
interfaces.ifTable.ifEntry.ifDescr.6 = "Null0"
interfaces.ifTable.ifEntry.ifDescr.7 = "Loopback0"
重啟以后再查詢就變成2了
Freebsd% snmpwalk v1 -c ORARO Router ifDescr
interfaces.ifTable.ifEntry.ifDescr.1 = "Ethernet0/0"
interfaces.ifTable.ifEntry.ifDescr.2 = "FastEthernet1/0"
interfaces.ifTable.ifEntry.ifDescr.3 = "Null0"
interfaces.ifTable.ifEntry.ifDescr.4 = "Loopback0"
這樣就會(huì)給網(wǎng)管造成困難
17.13. 啟用SNMP Traps和Informs
提問 配置路由器針對特定事件產(chǎn)生Traps或者Informs
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server enable traps
Router(config)#snmp-server host 172.25.1.1 ORATRAP config entity envmon hsrp
Router(config)#snmp-server host nms.oreilly.com ORATRAP bgp snmp envmon
Router(config)#end
Router#
從SNMP v2c開始路由器支持SNMP Informs
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server enable informs
Router(config)#snmp-server host 172.25.1.1 informs version 2c ORATRAP snmp envmon
Router(config)#end
Router#
注釋 這里的Traps是路由器主動(dòng)提供的,不是針對SNMP request的響應(yīng)。可以snmp-server enable traps envmon 來發(fā)送特定的TRAPS,也可以針對不同的NMS主機(jī)發(fā)送不同的traps
17.14. 以SNMP Trap的形式發(fā)送Syslog
提問 把Syslog封裝成SNMP Traps或者Informs
回答
Traps
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#logging history informational
Router(config)#snmp-server enable traps syslog
Router(config)#snmp-server host 172.25.1.1 ORATRAP syslog
Router(config)#end
Router#
Informs
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#logging history informational
Router(config)#snmp-server enable informs
Router(config)#snmp-server host 172.25.1.1 informs version 2c ORATRAP syslog
Router(config)#end
Router#
注釋 Router#clear counters
Clear "show interface" counters on all interfaces [confirm]
Router#
May 28 10:07:04: %CLEAR-5-COUNTERS: Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)
上述的Syslog信息會(huì)變成下面的SNMP消息
Freebsd% tail snmptrapd.log
May 28 10:07:04 freebsd snmptrapd[77759]: 172.25.25.1: Enterprise Specific Trap (1) Uptime: 18 days, 22:35:26.99, enterprises.9.9.41.1.2.3.1.2.118 = "CLEAR", enterprises.9.9.41.1.2.3.1.3.118 = 6, enterprises.9.9.41.1.2.3.1.4.118 = "COUNTERS", enterprises.9.9.41.1.2.3.1.5.118 = "Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)", enterprises.9.9.41.1.2.3.1.6.118 = Timeticks: (163652698) 18 days, 22:35:26.98
Freebsd%
17.15. 設(shè)定SNMP包大小
提問 修改缺省的SNMP包大小
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server packetsize 1480
Router(config)#end
Router#
注釋 缺省為1500字節(jié)
17.16. 設(shè)定SNMP隊(duì)列大小
提問 增加SNMP Trap隊(duì)列大小
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server queue-length 25
Router(config)#snmp-server inform pending 40
Router(config)#end
Router#
注釋 缺省對Trap的隊(duì)列是10個(gè)trap消息,對Inform是25個(gè)。可以通過show snmp來查看隊(duì)列配置和丟棄的Trap包
17.17. 設(shè)定SNMP 超時(shí)時(shí)長
提問 調(diào)整SNMP Trap的超時(shí)時(shí)長
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server trap-timeout 60
Router(config)#snmp-server inform timeout 120
Router(config)#end
Router#
注釋正確說是重傳等待時(shí)長
17.18. 禁止端口的Up/Down Traps
提問 忽略特定端口的鏈路狀態(tài)告警
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface Serial0/0
Router(config-if)#no snmp trap link-status
Router(config-if)#exit
Router(config)#end
Router#
注釋 比如特定的撥號接口等
17.19. 設(shè)定SNMP Traps的源發(fā)送地址
提問 設(shè)定SNMP Traps消息的源發(fā)送地址
回答
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server host 172.25.1.1 ORATRAP
Router(config)#snmp-server trap-source loopback0
Router(config)#end
Router#
注釋 無
17.20. 使用RMON來發(fā)送Traps
提問 實(shí)現(xiàn)當(dāng)CPU超過警戒后發(fā)送trap或者其他重要事件發(fā)送trap
回答
CPU超過特定閥值
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#rmon event 1 log trap ORATRAP description "CPU on Router has exceeded threshold" owner ijbrown
Router(config)#rmon event 2 log description "CPU on Router has normalized" owner ijbrown
Router(config)#rmon alarm 1 lsystem.57.0 60 absolute rising-threshold 70 1 falling-threshold 40 2 owner ijbrown
Router(config)#end
Router#
內(nèi)存利用超過特定閥值
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#rmon event 4 log trap ORATRAP description "Low memory condition on Router" owner ijbrown
Router(config)#rmon event 5 log trap ORATRAP description "Low Memory condition cleared on Router" owner ijbrown
Router(config)#rmon alarm 3 lsystem.8.0 60 absolute rising-threshold 1500000 5 falling-threshold 1000000 4 owner ijbrown
Router(config)#end
Router#
鏈路利用率超過固定閥值
er#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#rmon event 6 log trap ORATRAP description "Bandwidth utilization has exceeded threshold on Router interface Serial 0/0" owner ijbrown
Router(config)#rmon event 7 log trap ORATRAP description "Bandwidth utilization has normalized on Router interface Serial 0/0" owner ijbrown
Router(config)#! Configure inbound alarm on Serial0/0 (ifNumber 3)
Router(config)#rmon alarm 4 lifEntry.6.3 300 absolute rising-threshold 1000000 6 falling-threshold 800000 7 owner ijbrown
Router(config)#! Configure outbound alarm on Serial0/0 (ifNumber 3)
Router(config)#rmon alarm 5 lifEntry.8.3 300 absolute rising-threshold 1000000 6 falling-threshold 800000 7 owner ijbrown
Router(config)#end
Router#
注釋 路由器內(nèi)置了這種廉價(jià)的監(jiān)控方案
Router>show rmon events
Event 1 is active, owned by ijbrown
Description is CPU on Router has exceeded threshold
Event firing causes log and trap to community ORATRAP, last fired 00:00:00
Event 2 is active, owned by ijbrown
Description is CPU on Router has normalized
Event firing causes log, last fired 2w2d
Current log entries:
index time description
1 2w2d CPU on Router has normalized
Router>
17.21. 啟用SNMPv3
提問 啟用SNMPv3提供安全性
回答
(noAuthNoPriv):
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#snmp-server group NOTSAFE v3 noauth read TESTV3
Router(config)#snmp-server user WEAK NOTSAFE v3
Router(config)#end
Router#
(authNoPriv):
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#snmp-server group ORAROV3 v3 auth read TESTV3
Router(config)#snmp-server user cking ORAROV3 v3 auth md5 daytona19y
Router(config)#end
Router#
(authPriv)
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#snmp-server group ORAROV3 v3 auth read TESTV3
Router(config)#snmp-server user bpugsley ORAROV3 v3 auth md5 hockeyrules priv des56 shortguy
Router(config)#end
Router#
注釋 v3最大的優(yōu)點(diǎn)就是增加了安全性,有例子中三種模式可以選擇
17.22. 高強(qiáng)度SNMPv3加密
提問 增強(qiáng)V3的加密
回答
從12.4(2)T開始增強(qiáng)了加密方法
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#snmp-server user wbrejniak ORAROV3 v3 auth md5 authpass priv 3des privpass
Router1(config)#end
Router1#
或者
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#snmp-server user wbrejniak ORAROV3 v3 auth md5 authpass priv aes 128 privpass
Router1(config)#end
Router1#
注釋 無
<!--[if !supportLists]-->17.23. <!--[endif]-->使用 SAA
提問 配置路由器自動(dòng)輪詢另一臺(tái)設(shè)備來獲得性能統(tǒng)計(jì)
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#rtr responder
Router1(config)#rtr 10
Router1(config-rtr)#type echo protocol ipIcmpEcho 10.1.2.3
Router1(config-rtr)#tag ECHO_TEST
Router1(config-rtr)#threshold 1000
Router1(config-rtr)#frequency 300
Router1(config-rtr)#exit
Router1(config)#rtr schedule 10 life 2147483647 start-time now
Router1(config)#rtr 20
Router1(config-rtr)#type jitter dest-ipaddr 10.1.2.3 dest-port 99 num-packets 100
Router1(config-rtr)#tag JITTER_TEST
Router1(config-rtr)#frequency 300
Router1(config-rtr)#exit
Router1(config)#rtr schedule 20 life 100000 start-time now ageout 3600
Router1(config)#exit
Router1#
目標(biāo)路由器,用來響應(yīng)SAA測試
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#rtr responder
Router2(config)#exit
Router2#
注釋 無
新聞熱點(diǎn)
疑難解答
圖片精選
