CCNP ROUTE 2.0: SNMP, NTP

SNMP (Simple Network Management Protocol)


Simple Network Management Protocol (SNMP) is used to transmit network management information from one network device to another.

  • SNMP Manager – the monitoring device (e.g. SolarWinds NPM)
  • SNMP Agents – the devices being monitored (e.g. routers, switches etc.)
  • Management Information Base (MIB) – the database on the agent device that holds the information about the agent

SNMP Managers poll the agent devices on UDP port 161 and send two types of message:

A GET is a request from the manager to the agent for information
A SET is a request from the manager to the agent for a variable to be set

A manager is generally configured to poll an agent at a fixed interval, e.g. every 10 minutes. If the agent suffers a critical failure seconds after being polled, the manager will not learn of it until the next poll. The interval can be shortened to poll more often, but this increases the load on the manager (depending on the number of agents it is polling).

SNMP Traps can be configured on an agent to trigger on a certain event and send a notification to the manager.

Versions

There are three versions of SNMP: 1, 2c and 3. v3 is considered the only secure version because it supports authentication and encryption; versions 1 and 2c do not.

SNMP community strings are used in SNMP v1 and 2c; a community can be set as either Read Only (RO) or Read Write (RW).

SNMPv3 allows groups to be created and users assigned to them.

3 Security Levels

noauth      noAuthNoPriv – NO authentication and NO privacy (encryption)
auth        authNoPriv – authentication BUT NO privacy (encryption)
priv        authPriv – authentication AND privacy

Example configuration of SNMP v2c

Configure a Community String

snmp-server community CCNP ro
snmp-server location Main Office    (optional)
snmp-server contact Network Team    (optional)

Configure an ACL and restrict the community to the permitted managers

ip access-list standard SNMP_MANAGERS
permit 10.10.0.1
deny any log
snmp-server community CCNP ro SNMP_MANAGERS

Configure SNMP Traps

snmp-server host 10.10.0.10 traps version 2c CCNP
snmp-server source-interface traps loopback0
snmp-server enable traps

Show Commands

The “show snmp host” command displays the configured trap destinations, including IP address, port, community string (user) and version.

The “show snmp community” command displays all communities configured on the device, including the name and, if configured, the ACL.

Example configuration of SNMP v3

Create SNMP Group
snmp-server group CCNP v3 priv

Create an SNMP User

To create an SNMPv3 user you specify the username, the group the user belongs to, the SNMP version, the auth keyword with the authentication algorithm (md5 or sha) and authentication password, then the priv keyword with the encryption algorithm (3des, aes or des), the aes key length (128, 192 or 256) and the privacy password.

snmp-server user SNMPADM CCNP v3 auth sha PASSWORD priv aes 128 PASSWORD

Access Control List (ACL)

You can permit only authorised SNMP managers by creating an ACL and appending “access” followed by the ACL name to the end of the user command.

ip access-list standard SNMP_MANAGERS
permit 10.10.0.1
deny any log
snmp-server user SNMPADM CCNP v3 auth sha PASSWORD priv aes 128 PASSWORD access SNMP_MANAGERS

SNMP Traps

snmp-server host 10.10.0.1 traps version 3 priv SNMPADM

Show Commands

show snmp user
show snmp group
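An added audit script (my own example, not code from the post or from Cisco) that reads a running-config excerpt and flags the weaknesses the v2c and v3 sections above describe: communities with no ACL, read-write communities, v3 groups below authPriv, v3 users without auth, priv or access, and trap hosts still on v1/v2c. The sample config is constructed for the example.

```python
"""Audit Cisco IOS snmp-server lines for the weaknesses described above."""
import re

# Constructed sample running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """
snmp-server community CCNP ro
snmp-server community PUBLIC rw
snmp-server community CCNP2 ro SNMP_MANAGERS
snmp-server group CCNP v3 priv
snmp-server group LEGACY v3 noauth
snmp-server user SNMPADM CCNP v3 auth sha PASSWORD priv aes 128 PASSWORD access SNMP_MANAGERS
snmp-server user OPS LEGACY v3
snmp-server host 10.10.0.10 traps version 2c CCNP
"""

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (ro|rw)(?: (\S+))?$")
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)")
USER_RE = re.compile(r"^snmp-server user (\S+) (\S+) v3(.*)$")
HOST_RE = re.compile(r"^snmp-server host (\S+) (?:traps |informs )?version (1|2c?|3)")

def audit_snmp(config: str) -> list[str]:
    """Return one finding per weak setting, in config order (empty list = clean)."""
    findings = []
    for line in (l.strip() for l in config.splitlines()):
        if m := COMMUNITY_RE.match(line):
            name, mode, acl = m.groups()
            # v1/v2c community strings travel in cleartext; RW additionally allows SET
            if mode == "rw":
                findings.append(f"community {name}: read-write access")
            if acl is None:
                findings.append(f"community {name}: no ACL restricting managers")
        elif m := GROUP_RE.match(line):
            name, level = m.groups()
            if level != "priv":
                findings.append(f"v3 group {name}: security level {level}, not authPriv")
        elif m := USER_RE.match(line):
            name, _group, rest = m.groups()
            tokens = rest.split()
            if "auth" not in tokens:
                findings.append(f"v3 user {name}: no authentication")
            if "priv" not in tokens:
                findings.append(f"v3 user {name}: no privacy (encryption)")
            if "access" not in tokens:
                findings.append(f"v3 user {name}: no ACL restricting managers")
        elif m := HOST_RE.match(line):
            host, version = m.groups()
            if version != "3":
                findings.append(f"trap host {host}: SNMP version {version}, community in cleartext")
    return findings
```

Run it against a real "show running-config | include snmp-server" capture to get a quick list of what to tighten before enabling SNMP polling.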

NTP (Network Time Protocol)

Network devices such as routers, switches etc. need to synchronise their clocks in order to have accurate syslog timestamps, which makes troubleshooting easier. Accurate time is also very important when using digital certificates: certificates have an expiry date, so the device must have the correct time and date to validate them. NTP is used to specify a time source so that our network devices keep their clocks up to date.

NTP provides regular synchronisation of the device clock with one or more time servers.

NTP uses UDP port 123.

NTP synchronises only the software clock by default. To also synchronise the hardware clock (calendar) use the command “ntp update-calendar” (availability depends on the IOS version in use).

NTP Configuration

NTP Server

ntp master 4

NTP Client

ntp server 10.10.0.1 prefer
ntp server 10.10.0.2

NTP Authentication


NTP Server

ntp authenticate
ntp authentication-key 1 md5 SPECIFY_THE_KEY
ntp trusted-key 1

NTP Client

ntp authenticate
ntp authentication-key 1 md5 SPECIFY_THE_KEY
ntp trusted-key 1
ntp server 10.10.0.1 key 1

To confirm NTP authentication use the command “show ntp association detail”.

Enabling NTP authentication on the server does not stop a device that lacks the correct authentication details from synchronising its clock to that server. To limit which devices can sync their time from the NTP server you must use an ACL.


Configure ACL on the NTP Server

ip access-list standard NTP_CLIENTS
permit 10.10.0.2
deny any log

ntp access-group serve-only NTP_CLIENTS
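An added checker (my own example, not from the post or from Cisco) for the NTP client and server configurations in this section. It verifies that authentication is enabled, that every authentication key is also trusted, that every configured server references a trusted key, and, for an ntp master, that an ntp access-group exists, since authentication alone does not stop unauthenticated clients from syncing. Both sample configs are constructed; the CLIENT_CONFIG deliberately omits the trusted-key line and the key on the second server.

```python
"""Audit Cisco IOS ntp lines for the gaps described in this section."""
import re

# Constructed sample configs (not from real devices). The client one has two gaps.
SERVER_CONFIG = """
ntp authenticate
ntp authentication-key 1 md5 SPECIFY_THE_KEY
ntp trusted-key 1
ntp master 4
"""

CLIENT_CONFIG = """
ntp authenticate
ntp authentication-key 1 md5 SPECIFY_THE_KEY
ntp server 10.10.0.1 key 1 prefer
ntp server 10.10.0.2
"""

KEY_RE = re.compile(r"^ntp authentication-key (\d+) \S+ \S+")
TRUSTED_RE = re.compile(r"^ntp trusted-key (\d+)")
SERVER_RE = re.compile(r"^ntp server (\S+)(?: key (\d+))?")  # assumes 'key' follows the address
ACCESS_RE = re.compile(r"^ntp access-group (?:(?:peer|serve|serve-only|query-only) )?(\S+)")

def audit_ntp(config: str) -> list[str]:
    """Return findings; an empty list means every check in this section passed."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    authenticate = "ntp authenticate" in lines
    keys = {m.group(1) for l in lines if (m := KEY_RE.match(l))}
    trusted = {m.group(1) for l in lines if (m := TRUSTED_RE.match(l))}
    servers = [m.groups() for l in lines if (m := SERVER_RE.match(l))]
    is_server = any(l.startswith("ntp master") for l in lines)
    has_acl = any(ACCESS_RE.match(l) for l in lines)
    findings = []
    if not authenticate:
        findings.append("ntp authenticate missing: peers are not verified")
    for k in sorted(trusted - keys):
        findings.append(f"trusted-key {k} has no matching authentication-key")
    for k in sorted(keys - trusted):
        findings.append(f"authentication-key {k} is defined but not trusted")
    for addr, key in servers:
        if key is None:
            findings.append(f"server {addr}: no key, replies are unauthenticated")
        elif key not in trusted:
            findings.append(f"server {addr}: key {key} is not a trusted key")
    # Authentication does not stop unauthenticated clients from syncing;
    # only an access-group limits which clients the server answers.
    if is_server and not has_acl:
        findings.append("ntp master without ntp access-group: any client can sync")
    return findings
```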

Show/Debug commands

The “show ntp status” command displays whether the clock is synchronised, the current time and the NTP server in use.

The “show ntp association detail” command displays information such as the configured NTP server and whether authentication is configured.

Use the “debug ntp packets” command to determine whether NTP packets are being sent and received. If an NTP client is communicating correctly with the NTP server, the debug on the server should show a message received from the client and a message sent back to the client.

If an ACL is configured and the client is not permitted, you would expect to see only one message sent from the NTP client to the NTP server and no response.

If you have configured an ACL with logging on the deny entry, expect to see the dropped packets in the log.
