Friday, November 26, 2010

Syslog configuration on Cisco devices

Before we get into the configuration of syslog messages, let us see what syslog messages are and how they are used in day-to-day network management.

What are these Syslog messages?

Syslog, documented in RFC 3164, was originally written by Eric Allman. The protocol provides a transport that allows a device to send event notification messages across IP networks to event message collectors, also known as syslog servers. It is designed simply to carry these event messages from the generating device to the collector; the collector does not send back an acknowledgment of receipt (the transport is UDP).

Each syslog message refers to a facility (auth, authpriv, daemon, cron, ftp, lpr, kern, mail, news, syslog, user, uucp, local0, ..., local7). The facility identifies the component that generated the message; it is a categorization of the event that just occurred.

Each syslog message is also assigned a priority or severity level (Emergency, Alert, Critical, Error, Warning, Notice, Info or Debug) by the sender of the message.

Every syslog message carries the device hostname and the message text along with the severity and facility details.

Following is a description of each field:

  • FACILITY— Refers to the source of the message, such as a hardware device, a protocol, or a module of the system software. Note that this FACILITY is Cisco specific and is only relevant within the message string. It is different from the facility defined in RFC 3164 for the syslog protocol.
  • SEVERITY— This is similar to the severity defined in Table 4-2.
  • MNEMONIC— This is a device-specific code that uniquely identifies the message.
  • Message-text— This is a text string that describes the message and can contain details such as port numbers and network addresses.

These messages are received by an independent syslog server or by a collector integrated into an NMS, and are used for routine troubleshooting, analysis, auditing and debugging of device-specific issues, access-related events, component-level failures and so on. Some systems go beyond merely receiving messages and act on them, for example by generating an alert or notifying the network administrator by e-mail or pager.

Most vendors provide commands to configure, per facility or globally, the severity level of the events the device should track and report to a listener called the syslog receiver (syslog host).

As you might know, syslog uses UDP at the transport layer, and the syslog host listens on port 514 by default. Some syslog servers (receivers) can be configured to listen on a different UDP port, and device vendors likewise allow the port to which syslog messages are sent to be changed on the device.

Let me go through how to configure syslog messages on Cisco IOS-based devices.

Configuration of Syslog on Cisco IOS devices:

To enable syslog messages on a Cisco device, log in to the device via telnet (most Cisco devices are reachable this way) and enter configuration mode.

Here is the illustration of commands and their sequence:

Step 1: Logging in to Cisco Device Global configuration mode

telnet <ip address>
User Access Verification
Password:<enter telnet password>
CiscoDevice>en
Password:<enter Enable Password>
CiscoDevice#config terminal
Enter configuration commands, one per line.  End

Step 2: Configuring Severity level

Enable the trap (severity) level you would like to watch. There are 8 severity levels; every event is categorized into one of these global levels irrespective of which facility generated it. So be sure which severity of events should be sent to your syslog host. Be careful when you set the level to debug: it can slow down the device, and the network as well, if the device is a core device of your network.

CiscoDevice(config)#logging trap <0-7>

Step 3: Configuring Facility

This is optional; even without it you will receive syslogs at the syslog server. By default, Cisco IOS devices use facility local7 and Cisco PIX firewalls use local4 when sending syslog messages. Most Cisco devices also provide an option to change the facility from its default value.


Step 4: Configuring Source interface to send Syslog messages

CiscoDevice(config)#logging source-interface <management interface>

For switches, the management interface is Vlan 1 by default (on most Cisco devices).

Step 5: Configuring Syslog Server IP Address

CiscoDevice(config)#logging host <Syslog Server IP>


Step 6: Verifying Running Configuration

CiscoDevice#sh running-config | inc logging


Step 7: Logged Syslog messages and statistics at the Device

"show logging" displays the currently logged events, statistics, the hosts receiving syslogs, and so on.


Another command, "show logging count", gives an overall count with per-facility information. To use it you need to configure the following command:

CiscoDevice(config)#logging count
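Putting steps 1 to 7 together, here is the complete command sequence as an added example (it is not from the original post). It assumes a switch whose management SVI is Vlan1 and a syslog collector at 192.0.2.10 (a documentation address); both are placeholders to replace with your own values. The trap level 6 sends Info and all more severe messages while leaving Debug out, and the facility is set to local6 so the collector can file the Cisco messages separately from its host's own local7 traffic. The "service timestamps" line is what produces the millisecond and time-zone fields seen in the sample message later in this post.

```text
CiscoDevice#configure terminal
CiscoDevice(config)#service timestamps log datetime msec show-timezone
CiscoDevice(config)#logging trap 6
CiscoDevice(config)#logging facility local6
CiscoDevice(config)#logging source-interface Vlan1
CiscoDevice(config)#logging host 192.0.2.10
CiscoDevice(config)#logging count
CiscoDevice(config)#end
CiscoDevice#show running-config | include logging
```

The final "show running-config | include logging" is the verification from step 6; every line entered above should appear in its output, with "logging trap" shown by its level name (informational).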



Step 8: Verifying that Syslog messages arrive at the Syslog Host
You can verify the syslog messages by running a free syslog receiver on your system. One such free tool is Kiwi Syslog Server; here is the link:
http://www.kiwisyslog.com/kiwi-syslog-server-overview/

Install the software and start the syslog daemon listening on port 514 for syslog messages.

Go to one of the devices you just configured for syslog traps and make some configuration changes; you will immediately see the messages flowing into the syslog daemon you just started.

If you do not see any syslog messages even after following all the above steps, check the following:

  • Check that the interface carrying the management IP is the source interface for logging; on some Cisco devices this is required.
  • Check the syslog host IP, the syslog severity level, and that the source interface is the management interface.
  • Also check whether your syslog server filters the IP addresses from which it accepts messages.

Following is a sample syslog message generated by a Cisco IOS device:

*Mar 6 22:48:34.452 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up

Note that the message begins with a special character (*) and that the timestamp includes the time-zone information. The message was generated by the LINEPROTO facility at severity 5 (Notice). The MNEMONIC UPDOWN along with the message-text describes the event.
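The format just described, together with the severity list from step 2, can be parsed mechanically. The following Python script is an added example, not part of the original post: it splits an IOS syslog line into sequence number, clock flag, timestamp, facility, severity, mnemonic and message-text, then runs a small triage pass that flags Warning and worse plus a couple of watched mnemonics (configuration changes and failed logins) that a severity-only filter would otherwise drop. The first sample line is the post's own; the other lines and the watch-list are constructed for this example.

```python
import re
from collections import Counter

# Cisco IOS severity numbers and the names the post lists for them.
SEVERITY_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Info", 7: "Debug",
}

# Layout of an IOS syslog line as shown in the post:
#   [seq:] [*|.]timestamp: %FACILITY-SEVERITY-MNEMONIC: message-text
# A leading '*' means the device clock was never synchronised to an
# authoritative source; '.' means synchronisation was lost.
IOS_SYSLOG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"        # optional sequence number
    r"(?P<clockflag>[*.])?"          # optional clock-status flag
    r"(?P<timestamp>.+?):\s+"        # timestamp, up to the ': ' that precedes '%'
    r"%(?P<facility>[A-Z0-9_]+)-"    # FACILITY, e.g. LINEPROTO (Cisco-specific)
    r"(?P<severity>[0-7])-"          # SEVERITY 0..7
    r"(?P<mnemonic>[A-Z0-9_]+):\s*"  # MNEMONIC, e.g. UPDOWN
    r"(?P<text>.*)$"                 # message-text
)

# Mnemonics worth flagging even though their severity is only Notice:
# a configuration change is security-relevant whatever its level.
# (Watch-list chosen for this example, not from the post.)
WATCH_MNEMONICS = {("SYS", "CONFIG_I"), ("SEC_LOGIN", "LOGIN_FAILED")}

# Constructed sample lines. The first is the post's own example; the rest
# are made up in the same format for illustration.
SAMPLE_LINES = [
    "*Mar 6 22:48:34.452 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up",
    "*Mar 6 22:50:01.120 UTC: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.5)",
    "*Mar 6 22:51:17.004 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.99] [localport: 23]",
    "000042: *Mar 6 22:52:00.000 UTC: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "this line is not an IOS syslog message",
]


def parse_ios_syslog(line):
    """Split one IOS syslog line into its fields; return None if it is not one."""
    m = IOS_SYSLOG_RE.match(line.strip())
    if m is None:
        return None
    severity = int(m["severity"])
    return {
        "seq": int(m["seq"]) if m["seq"] else None,
        "clock_synced": m["clockflag"] is None,   # '*' or '.' means not authoritative
        "timestamp": m["timestamp"],
        "facility": m["facility"],
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "mnemonic": m["mnemonic"],
        "text": m["text"],
    }


def triage(lines, max_severity=4):
    """Parse a batch of lines; flag Warning (4) and worse, plus watched mnemonics."""
    flagged, by_facility, unparsed = [], Counter(), 0
    for line in lines:
        msg = parse_ios_syslog(line)
        if msg is None:
            unparsed += 1
            continue
        by_facility[msg["facility"]] += 1
        key = (msg["facility"], msg["mnemonic"])
        if msg["severity"] <= max_severity or key in WATCH_MNEMONICS:
            flagged.append(msg)
    return {"flagged": flagged, "by_facility": by_facility, "unparsed": unparsed}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for msg in result["flagged"]:
        print(f"{msg['severity']} {msg['severity_name']:<9} "
              f"%{msg['facility']}-{msg['mnemonic']}: {msg['text']}")
    print("per facility:", dict(result["by_facility"]), "unparsed:", result["unparsed"])
```

Run it directly to print the flagged messages, or feed it the lines your syslog receiver writes to disk. The "*" in front of the timestamp is worth keeping as a field: messages from a device whose clock is not synchronised cannot be correlated reliably with other logs, so a run of unsynchronised messages is itself something to fix.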

Monday, November 22, 2010

Traffic Generation Using Cisco Pagent IOS

This post is about generating simple UDP traffic using the Pagent IOS image on Cisco routers. The Cisco-provided image can be used to send or receive traffic and to analyze the bandwidth utilized by a network interface. You can use it to generate a given amount of traffic of a chosen protocol (UDP or TCP).

Basic configuration steps to generate traffic:

  1. Load the Pagent IOS image on the device. Images for the specific router you are using can be found at http://wwwin-pagent.cisco.com/
  2. After downloading and booting with the Pagent IOS image, follow these steps to generate traffic.
  3. Pagent (TGN:OFF,Fa0/0:none)# add udp (adds a traffic stream of the given type; here I chose UDP)
  4. Pagent (TGN:OFF,Fa0/0:1/1)#l2-dest-addr < > (specify the L2 address of the destination)
  5. Pagent (TGN:OFF,Fa0/0:1/1)#l2-src-addr < > (specify the L2 source address)
  6. Pagent (TGN:OFF,Fa0/0:1/1)#l3-src-addr < > (specify the L3 source IP, the originator of the traffic)
  7. Pagent (TGN:OFF,Fa0/0:1/1)#l3-dest-addr < > (specify the L3 destination IP, the receiver of the traffic)
  8. Pagent (TGN:OFF,Fa0/0:1/1)#rate <1-4294967295> (send rate in packets per second)
  9. Pagent (TGN:OFF,Fa0/0:1/1)#data ? (lists the payload options shown in the next step)
  10. <0-65460> Starting position in data array.
     ASCII ascii data string. (Default is hex data string)
     continue continue from current offset
  11. Pagent (TGN:OFF,Fa0/0:1/1)#start (starts pumping the UDP traffic from the source to the specified destination)
  12. Pagent (TGN:OFF,Fa0/0:1/1)#show (at any point of time you can see the traffic statistics with this show command)
  13. Pagent (TGN:ON,Fa0/0:1/1)#stop


Network Management: Configuring SNMP on different vendor devices


On Windows PC:

The Simple Network Management Protocol (SNMP) is an application-layer protocol. SNMP can help network administrators manage network performance, find and solve network problems, and plan for network growth more easily.

On Microsoft Windows, the SNMP service can be enabled and configured. Once this is done, you can retrieve information from the Windows OS via SNMP. Proceed as follows:

  1. Install the SNMP service from the Add/Remove Programs -> Add/Remove Windows Components -> Management and Monitor Tools -> Details -> Simple Network Management Protocol.
  2. Once the service is installed, open the 'Services' panel and locate the 'SNMP Service'.
  3. Double click on the 'SNMP Service' to open the properties.
  4. Select the 'Security' tab. 
  5. In the 'Accepted Community Names' list, add new communities, for example a 'Public' community with 'READ ONLY' rights.
  6. Still in the 'Security' tab, select the radio button 'Accept SNMP Packets from these hosts'.
  7. Click on the 'Add' button to add the GFI Network Server Monitor or GFI LANguard Network Security Scanner machine. 
  8. Restart the 'SNMP Service'.
For more info on SNMP: http://www.cisco.com/warp/public/535/3.html


 

On Cisco Devices (routers, Switches, Access points):

Telnet <ip address>
User Access Verification
Password:<enter telnet password>
CiscoDevice>en
Password:<enter Enable Password>
CiscoDevice#config ter
Enter configuration commands, one per line.  End
CiscoDevice(config)#snmp-server community <community string ro> ro
CiscoDevice(config)#snmp-server community <community string rw> rw

CiscoDevice(config)#end

SNMP configuration verification
CiscoDevice#sh running-config | i snmp
CiscoDevice#sh snmp
Chassis: FOC1107Y2BJ
Contact: ravindhar
Location: Chennai
1091999 SNMP packets input
    0 Bad SNMP version errors
    22 Unknown community name
    0 Illegal operation for community name supplied
    2 Encoding errors
    6570917 Number of requested variables
    288 Number of altered variables
    23106 Get-request PDUs
    1068559 Get-next PDUs
    110 Set-request PDUs
1091975 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
    14 No such name errors
    2 Bad values errors
    0 General errors
    1091975 Response PDUs
    0 Trap PDUs
SNMP global trap: enabled
SNMP logging: disabled
SNMP agent enabled
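Two checks a practitioner would run against the verification output above, written as an added Python example (not from the post): an audit of the "snmp-server community" lines returned by "sh running-config | i snmp" for well-known strings, RW access and missing access-lists, and a parser for the counters of "sh snmp" that raises a warning when "Unknown community name" is non-zero, as it is (22) in the output shown. The running-config sample is constructed; the "show snmp" sample is the post's own output. The list of well-known strings and the wording of the findings are assumptions of the example.

```python
import re

# Constructed sample of "show running-config | i snmp" output on an IOS device.
SAMPLE_SNMP_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community n3tm0n-ro RO 10
snmp-server location Chennai
"""

# Counter section of the post's own "show snmp" output.
SAMPLE_SHOW_SNMP = """\
1091999 SNMP packets input
    0 Bad SNMP version errors
    22 Unknown community name
    0 Illegal operation for community name supplied
    2 Encoding errors
    6570917 Number of requested variables
    288 Number of altered variables
    23106 Get-request PDUs
    1068559 Get-next PDUs
    110 Set-request PDUs
1091975 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
    14 No such name errors
    2 Bad values errors
    0 General errors
    1091975 Response PDUs
    0 Trap PDUs
SNMP global trap: enabled
SNMP logging: disabled
SNMP agent enabled
"""

# Default community strings that should never be left in place (assumed list).
WELL_KNOWN_STRINGS = {"public", "private", "cisco"}

# snmp-server community <string> [view <name>] {RO|RW} [<access-list>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)? (?P<mode>RO|RW)(?: (?P<acl>\S+))?$",
    re.IGNORECASE,
)
# "<count> <label>" lines of "show snmp", at either indentation level.
COUNTER_RE = re.compile(r"^\s*(?P<count>\d+) (?P<label>\S.*?)\s*$")


def audit_snmp_config(config_text):
    """Return one finding per weak property of each snmp-server community line."""
    findings = []
    for raw in config_text.splitlines():
        m = COMMUNITY_RE.match(raw.strip())
        if m is None:
            continue
        name, mode, acl = m["name"], m["mode"].upper(), m["acl"]
        if name.lower() in WELL_KNOWN_STRINGS:
            findings.append({"community": name, "issue": "well-known community string"})
        if acl is None:
            findings.append({"community": name, "issue": f"{mode} community without an access-list"})
        if mode == "RW":
            findings.append({"community": name, "issue": "RW community grants SET access"})
    return findings


def parse_show_snmp(text):
    """Turn the counter lines of 'show snmp' into a {label: count} dict."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m["label"]] = int(m["count"])
    return counters


def snmp_health(counters):
    """Warnings an administrator would want raised from the counters."""
    warnings = []
    unknown = counters.get("Unknown community name", 0)
    if unknown:
        warnings.append(f"{unknown} requests used an unknown community name "
                        "(a manager with a stale string, or someone guessing strings)")
    illegal = counters.get("Illegal operation for community name supplied", 0)
    if illegal:
        warnings.append(f"{illegal} requests tried an operation the community does not allow "
                        "(e.g. a SET through a read-only community)")
    bad_version = counters.get("Bad SNMP version errors", 0)
    if bad_version:
        warnings.append(f"{bad_version} packets used an SNMP version the agent does not run")
    return warnings


if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_SNMP_CONFIG):
        print(f"config: community {f['community']}: {f['issue']}")
    for w in snmp_health(parse_show_snmp(SAMPLE_SHOW_SNMP)):
        print("counters:", w)
```

The 22 unknown-community requests on the post's device are the kind of counter worth graphing over time: a steady trickle is usually a manager with a stale string, a sudden burst is something to look for in the syslog stream. Restricting each community with an access-list, which the audit checks for, stops such requests from being answered at all.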

 

On HP Devices:

Follow the commands illustrated below to enable SNMP on HP devices.

HP ProCurve Switch 2512(config)# snmp-server
 contact               Name of the switch administrator.
 location              Description of the switch location.
 community             Add/delete SNMP community.
 host                  Define SNMP traps and their receivers.
 enable                Enable/disable authentication traps to be sent when a
                       management station attempts an unauthorized access.
HP ProCurve Switch 2512(config)# snmp-server community
 ASCII-STR             Enter an ASCII string for the 'community'
                       command/parameter.
HP ProCurve Switch 2512(config)# snmp-server community public
 operator              The community can access all except the CONFIG MIB.
 manager               The community can access all MIB objects.
 restricted            MIB variables cannot be set, only read.
 unrestricted          Any MIB variable that has read/write access can be set.
 <cr>
HP ProCurve Switch 2512(config)# snmp-server community public manager
 restricted            MIB variables cannot be set, only read.
 unrestricted          Any MIB variable that has read/write access can be set.
 <cr>
HP ProCurve Switch 2512(config)# snmp-server community public manager unrestricted
 <cr>
HP ProCurve Switch 2512(config)# snmp-server
 contact               Name of the switch administrator.
 location              Description of the switch location.
 community             Add/delete SNMP community.
 host                  Define SNMP traps and their receivers.
 enable                Enable/disable authentication traps to be sent when a
                       management station attempts an unauthorized access.
HP ProCurve Switch 2512(config)# snmp-server enable traps
HP ProCurve Switch 2512(config)# exit
HP ProCurve Switch 2512# exit
HP ProCurve Switch 2512> exit
Do you want to log out [y/n]? y
Do you want to save current configuration [y/n]?y

 

To remove the SNMP configuration, enter the same sequence of commands with "no " prefixed to each command.


 

On Netgear Devices:

Follow these steps to configure SNMP on Netgear devices.

Step 1: Access the device from a browser at http://<ip address> and enter the admin credentials of the device.
Step 2: Go to Switch -> Advanced -> SNMP -> Communities. Two tables are shown, each with add and delete options.
Step 3: Click the Add button on whichever table you need and add the community string, with the management station set to your agent or to All.

 

On DLink:

Log in to the DLink device with admin credentials via telnet and follow the commands illustrated below to complete the SNMP configuration.

Step 1: DGS-3024:4#create snmp community public view ?
Command: create snmp community public view ?
Next possible completions:
read_only           read_write
Step 2: DGS-3024:4#create snmp community <public> view read_only
Step 3: DGS-3024:4#create snmp community <private> view read_write
Step 4: DGS-3024:4#show snmp community
Command: show snmp community
 SNMP Community Table
Community Name                    View Name                         Access Right
--------------------------------  --------------------------------  ------------
private                           CommunityView                     read_write
public                            CommunityView                     read_only
Total Entries: 2

 

On 3Com Devices:

3Com devices can be configured for SNMP either from a browser or from the CLI, whichever is more comfortable for you.

Via http login:

  1. Open a browser (Explorer), enter the device IP (3Com) and log in as the admin user.
  2. Select Device View -> System -> Management -> Community Strings -> Modify
  3. Enter the community strings and save them; the device will then be accessible via SNMP from the NMS or SNMP manager.
Via Telnet:

  1. Open a telnet session using PuTTY or the Windows command prompt and log in to the device using admin credentials. Here are the steps:
    Login: admin
    Password:

    Menu options: -------3Com SuperStack 3 Switch 3824 24-port---------------------
     bridge              - Administer bridge-wide parameters
     feature             - Administer system features
     gettingStarted      - Basic device configuration
     logout              - Logout of the Command Line Interface
     physicalInterface   - Administer physical interfaces
     protocol            - Administer protocols
     security            - Administer security
     system              - Administer system-level functions
     trafficManagement   - Administer traffic management

    Type ? for help.
    --------------------------------3ComSwitch  (1)--------------------------------
    Select menu option: system


    Menu options: -------3Com SuperStack 3 Switch 3824 24-port---------------------
     backupConfig        - Administer configuration backup
     console             - Administer console port
     control             - Administer system control
     inventory           - Stack information
     management          - Administer system management
     summary             - Display summary information

    Type "quit" to return to previous menu or ? for help.
    --------------------------------3ComSwitch  (1)--------------------------------
    Select menu option (system): management


    Menu options: -------3Com SuperStack 3 Switch 3824 24-port---------------------
     contact             - Set the system contact
     location            - Set the system location
     name                - Set the system name
     password            - Set the system password
     snmp                - Administer SNMP

    Type "quit" to return to previous menu or ? for help.
    --------------------------------3ComSwitch  (1)--------------------------------
    Select menu option (system/management): snm


    Menu options: -------3Com SuperStack 3 Switch 3824 24-port---------------------
     community           - Set the SNMP community string
     linkTraps           - Enable/disable link up/down traps
     trap                - Administer SNMP trap destinations

    Type "quit" to return to previous menu or ? for help.
    --------------------------------3ComSwitch  (1)--------------------------------
    Select menu option (system/management/snmp): com

    Enter Read/Write community [private]: private
    Enter Read Only community [public]: public

    Select menu option (system/management/snmp):

 

On LinkSys:

  1. On Linksys devices, unlike the IOS command line, you configure SNMP by launching a browser, entering the device IP and logging in with your admin credentials. You will find a tab named SNMP.
  2. Under the SNMP tab, select Communities and choose New to add new SNMP credentials.
  3. With this, the device is configured to be managed via SNMP.