Section 10 - System Management - 9 Points
10.1 RMON
This was another task that was (thankfully) doable because the tasks are spelled out. Use the DOC (especially the configuration example):
r5(config)#rmon alarm 1 ?
WORD MIB object to monitor
Where are the MIBs listed? Hmmm…the question gives you “lsystem.58.0” – is that the MIB? Answer: YES.
r5(config)#rmon alarm 1 lsystem.58.0 ?
<1-2147483647> Sample interval <-in seconds
r5(config)#rmon alarm 1 lsystem.58.0 60 ?
absolute Test each sample directly
delta Test delta between samples
The task asks for events to be triggered at 70% and 40%, so these would be absolute and not relative values.
r5(config)#rmon alarm 1 lsystem.58.0 60 absolute rising-threshold 75 ?
<0-65535> Event to fire on rising threshold crossing
falling-threshold Configure the falling threshold
So here’s my full line:
r5(config)#do sh run | i rmon
rmon alarm 1 lsystem.58.0 60 absolute rising-threshold 75 1 falling-threshold 40 2 owner config
Let’s config the events:
r5(config)#rmon event 1 desc ?
WORD Event description
r5(config)#rmon event 1 desc 5_MIN_CPU_OVER_70 ?
log Generate RMON log when the event fires
owner Specify an owner for the event
trap Generate SNMP trap when the event fires
<cr>
r5(config)#rmon event 1 desc 5_MIN_CPU_OVER_70 trap ?
WORD SNMP community string <-stated in task
r5(config)#rmon event 1 desc 5_MIN_CPU_OVER_70 trap IETRAP log
r5(config)#rmon event 2 desc 5_MIN_CPU_UNDER_40 trap IETRAP log
The task asks me to send the text “Five Minute CPU Average Above 75%”. How do I do that?
It looks like you need to put that in the description:
The following example enables the rmon event global configuration command:
Router(config)# rmon event 1 log trap eventtrap description "High ifOutErrors" owner owner_a
r5(config)#do sh run | i rmon event
rmon event 1 log trap IETRAP description "Five Minute CPU Average Above 75%" owner config
rmon event 2 log trap IETRAP description "Five Minute CPU Average Below 40%" owner config
Okay let’s config the SNMP server values:
r5(config)#snmp-server comm IETRAP ?
<1-99> Std IP accesslist allowing access with this community string
<1300-1999> Expanded IP accesslist allowing access with this community string
ro Read-only access with this community string
rw Read-write access with this community string
view Restrict this community to a named MIB view
<cr>
Hmmm…I would think that “view” is what we need…or not
view
(Optional) Specifies a previously defined view. The view defines the objects available to the SNMP community.
ro
(Optional) Specifies read-only access. Authorized management stations can only retrieve MIB objects.
rw
(Optional) Specifies read-write access. Authorized management stations can both retrieve and modify MIB objects.
Okay…do I just go ahead and give it RO or should I limit it to “view lsystem.58.0” ?
I’ll just give it RO rights. Let’s configure the SNMP server next:
r5(config)#snmp-server host 132.1.33.100 traps ?
WORD SNMPv1/v2c community string or SNMPv3 user name
version SNMP version to use for notification messages
Crap! Too many choices:
r5(config)#snmp-server host 132.1.33.100 traps IETRAPS ?
atm Allow SNMP atm traps
bgp Allow BGP state change traps
bstun Allow bstun event traps
cnpd Allow NBAR Protocol Discovery traps
config Allow SNMP config traps
config-copy Allow SNMP config-copy traps
dlsw Allow dlsw traps
<—output truncated—>
vtp Allow SNMP VTP traps
x25 Allow x25 event traps
xgcp Allow XGCP protocol traps
<cr>
I like the look of that “<cr>” option.
Here’s my whole RMON config (about 20 minutes later):
r5#sh run | i rmon|snmp
snmp-server community IETRAP RO
snmp-server host 132.1.33.100 IETRAPS
rmon event 1 log trap IETRAP description "Five Minute CPU Average Above 75%" owner config
rmon event 2 log trap IETRAP description "Five Minute CPU Average Below 40%" owner config
rmon alarm 1 lsystem.58.0 60 absolute rising-threshold 75 1 falling-threshold 40 2 owner config
Which was 100% correct…except that I did not need to configure an snmp-server community for this router. Goodbye 3 points!!!
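The alarm line above encodes the RMON alarmTable logic from RFC 2819: an event fires when a sample crosses a threshold, and a rising event cannot fire again until a falling event has re-armed it (and vice versa), which is why the config pairs 75/event 1 with 40/event 2 rather than firing a trap on every sample over 75. The simulation below is an added example written for this write-up, not code from the post or from Cisco; `RmonAlarm`, `run_alarm` and the CPU readings are constructed. lsystem.58.0 is a gauge (five-minute CPU busy), so `absolute` is the right sample type; the `delta` path is included to show what the other keyword does for a counter-style object.

```python
"""RMON alarmTable rising/falling simulation (added example, RFC 2819 semantics)."""
from dataclasses import dataclass
from typing import List, Optional

RISING, FALLING = "rising", "falling"


@dataclass
class RmonAlarm:
    """One 'rmon alarm' entry: rising/falling thresholds, the events they fire,
    the sample type (absolute|delta) and the startup alarm (rising|falling|rising-or-falling)."""
    rising_threshold: int
    falling_threshold: int
    rising_event: int
    falling_event: int
    sample_type: str = "absolute"
    startup_alarm: str = "rising-or-falling"

    def __post_init__(self) -> None:
        if self.rising_threshold <= self.falling_threshold:
            raise ValueError("rising threshold must be greater than falling threshold")
        self._prev_raw: Optional[int] = None     # last raw reading, used in delta mode
        self._last_value: Optional[int] = None   # last evaluated sample
        self._rising_armed = True                # cleared by a rising event, re-armed by falling
        self._falling_armed = True               # cleared by a falling event, re-armed by rising

    def sample(self, raw: int) -> Optional[int]:
        """Feed one polled reading; return the event index fired on this sample, or None."""
        if self.sample_type == "delta":
            if self._prev_raw is None:           # a delta needs two readings
                self._prev_raw = raw
                return None
            value, self._prev_raw = raw - self._prev_raw, raw
        else:
            value = raw

        above = value >= self.rising_threshold
        below = value <= self.falling_threshold
        fired = None
        if self._last_value is None:             # first sample: governed by the startup alarm
            if above and self.startup_alarm in (RISING, "rising-or-falling"):
                fired = RISING
            elif below and self.startup_alarm in (FALLING, "rising-or-falling"):
                fired = FALLING
        else:                                    # later samples: must cross the threshold and be armed
            if above and self._last_value < self.rising_threshold and self._rising_armed:
                fired = RISING
            elif below and self._last_value > self.falling_threshold and self._falling_armed:
                fired = FALLING

        if fired == RISING:
            self._rising_armed, self._falling_armed = False, True
        elif fired == FALLING:
            self._rising_armed, self._falling_armed = True, False
        self._last_value = value
        return {RISING: self.rising_event, FALLING: self.falling_event, None: None}[fired]


def run_alarm(alarm: RmonAlarm, readings: List[int]) -> List[Optional[int]]:
    """Run a series of polled values through the alarm; one result per reading."""
    return [alarm.sample(r) for r in readings]


if __name__ == "__main__":
    # The post's entry: rmon alarm 1 lsystem.58.0 60 absolute rising-threshold 75 1 falling-threshold 40 2
    cpu = RmonAlarm(rising_threshold=75, falling_threshold=40, rising_event=1, falling_event=2)
    readings = [50, 80, 90, 70, 50, 30, 80]      # constructed five-minute CPU percentages
    for value, event in zip(readings, run_alarm(cpu, readings)):
        note = {1: "-> event 1 (rising trap)", 2: "-> event 2 (falling trap)"}.get(event, "")
        print(f"sample {value:3d} {note}")
```

Running it shows the hysteresis the `sh rmon alarms` output hints at: 80 fires event 1, the following 90 and 70 fire nothing, 30 fires event 2, and only then can a new 80 fire event 1 again. A trap storm from a value hovering around a single threshold is therefore not possible with one alarm entry.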
Cool:
r6#
*Mar 1 22:34:41.250: %RMON-5-FALLINGTRAP: Falling trap is generated because the value of lsystem.58.0 has fallen below the falling-threshold value 40
Verification commands:
r6#sh rmon ?
alarms Display the RMON alarm table
events Display the RMON event table
history Display the RMON history table
statistics Display the RMON statistics table
| Output modifiers
<cr>
r6#sh rmon alarms
Alarm 1 is active, owned by config
Monitors lsystem.58.0 every 60 second(s)
Taking absolute samples, last value was 0
Rising threshold is 75, assigned to event 1
Falling threshold is 40, assigned to event 2
On startup enable rising or falling alarm
r6#sh rmon events
Event 1 is active, owned by config
Description is Five Minute CPU Average Above 75%
Event firing causes log and trap to community IETRAP,
last event fired at 0y0w0d,00:00:00,
Current uptime 0y0w0d,22:41:22
Event 2 is active, owned by config
Description is Five Minute CPU Average Below 40%
Event firing causes log and trap to community IETRAP,
last event fired at 0y0w0d,22:34:41,
Current uptime 0y0w0d,22:41:22
Current log entries:
index uptime description
1 0y0w0d,22:34:41 Five Minute CPU Average Below 40%
10.2 Remote Access
Pretty straightforward task requiring you to configure vty username/password and exec-timeout options. This task threw me for a loop though:
“Sixty seconds prior to automatically logging this user off r4 should send the user a warning message in order to give the user time to finish up and save any changes to the configuration.”
I had NO idea how to approach this one. I know that you can use “send” to send messages to users on a device (I’ve used this in the past to fuck with other engineers). This was not an option though, as it is a CLI command and not a configuration option. Plus, you have to specify the vty line to send to.
I needed to find a way to trigger this message after the user had been logged on to the router (via vty) for 14 minutes. I had no idea how to do this. These two commands do the job:
absolute-timeout
logout-warning
absolute-timeout
To set the interval for closing the connection, use the absolute-timeout command in line configuration mode. To restore the default, use the no form of this command.
absolute-timeout minutes
no absolute-timeout
Usage Guidelines
Use the absolute-timeout line configuration command to configure the EXEC to terminate when the configured number of minutes occurs on the virtual terminal (vty) line. The absolute-timeout command terminates the connection after the specified time period has elapsed, regardless of whether the connection is being used at the time of termination. You can specify an absolute-timeout value for each port. The user is given 20 seconds notice before the session is terminated. You can use this command along with the logout-warning command to notify users of an impending logout.
Cisco IOS software also provides the session-timeout and exec-timeout line configuration commands for releasing lines when they have been idle for too long.
I somewhat recall these commands from my first CCNA days (circa 1999).
Verification:
r5#telnet 150.1.4.4
Trying 150.1.4.4 … Open
User Access Verification
Username: NOC
Password:
r4>en
Password:
r4#
r4#sh run | sec line vty
line vty 0 4
exec-timeout 5 0
password cisco
logout-warning 30
absolute-timeout 2
login local
r4#
*
*
* Line timeout expired <-here’s your warning
*
*
r4#
[Connection to 150.1.4.4 closed by foreign host] <-30 seconds later
Good warning in the solution guide:
“If using the no exec-timeout command be careful not to issue the no exec command. If the no exec command is entered no one will be able to create an exec process and in turn will not be able to log in.”
10.3 Remote Access Security
“In order to increase the security of your password database configure r4 so that the password for the NOC username is stored as an MD5 hash that represents the password CISCO.”
This was covered in the IEATC. Just remember that “service password-encryption” does NOT use MD5.
r4(config)#username NOC password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) user password
r4(config)#username NOC password 7 CISCO <-this is not md5 either
You need to use “username secret”
username secret
To encrypt a user password with Message Digest 5 (MD5) encryption, use the username secret command in global configuration mode.
username name secret {[0] password | 5 encrypted-secret}
0
(Optional) Clear text password, which will be MD5 encrypted.
password
Clear text password.
5 encrypted-secret
MD5-encrypted text string, which will be stored as the encrypted user password.
Usage Guidelines
Use the username secret command to configure a username and MD5-encrypted user password. The optional 0 keyword enables MD5 encryption on a clear text password; the 5 keyword enters an MD5 encryption string and saves it as the user MD5-encrypted secret. MD5 encryption is a strong encryption method that is not retrievable; thus, you cannot use MD5 encryption with protocols that require clear text passwords, such as Challenge Handshake Authentication Protocol (CHAP).
The username secret command provides an additional layer of security over the username password. It also provides better security by encrypting the password using nonreversible MD5 encryption and storing the encrypted text. The added layer of MD5 encryption is useful in environments in which the password crosses the network or is stored on a TFTP server.
Use MD5 as the encryption type if you paste into this command an encrypted password that you copied from a router configuration file.
One other important caveat: Do NOT use 5 unless you are entering the HASH of the password (such as when you are copying a configuration with an already hashed password):
r4(config)#username NOC secret 5 CISCO
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 5 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.
r4(config)#username NOC secret CISCO
r4(config)#do sh run | i username NOC
username NOC secret 5 $1$k4Jb$5n/mxY4CnrxT55OxYElHD1
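Type 5 is the salted, 1000-round md5crypt scheme ($1$salt$hash), not a plain MD5 of the password, which is why pasting CISCO after “secret 5” is rejected: IOS expects a finished hash in that position. The following is an added example, not code from the post or from Cisco IOS: a Python implementation of md5crypt that regenerates a type 5 string from a password and salt and verifies a candidate password against a stored one. `md5crypt`, `verify_type5` and `new_type5_secret` are names chosen here; the 4-character salt mirrors what the router generates (k4Jb in the output above).

```python
"""md5crypt ($1$) as used for IOS 'secret 5' strings (added example, not Cisco code)."""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """md5crypt's own base-64 variant: low 6 bits first, no padding."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Return '$1$<salt>$<22 chars>' for a password and a salt of up to 8 characters."""
    pw = password.encode()
    if salt.startswith("$1$"):               # accept a full '$1$salt$hash' string as the salt
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]
    sb = salt.encode()

    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                     # mix in alt once per 16 bytes of password
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                              # one byte per bit of the password length
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):                    # the fixed 1000-round stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    f = final                                # bytes are interleaved before encoding
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return f"$1${salt}${encoded}"


def new_type5_secret(password: str) -> str:
    """Generate a fresh type 5 string the way the router does: random 4-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(4))
    return md5crypt(password, salt)


def verify_type5(password: str, stored: str) -> bool:
    """Check a candidate password against a stored '$1$salt$hash' with a constant-time compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1" or not parts[2]:
        return False
    return hmac.compare_digest(md5crypt(password, parts[2]), stored)


if __name__ == "__main__":
    # Hash as printed in the post for 'username NOC secret CISCO' (salt k4Jb).
    from_post = "$1$k4Jb$5n/mxY4CnrxT55OxYElHD1"
    print("recomputed:", md5crypt("CISCO", "k4Jb"))
    print("matches post:", verify_type5("CISCO", from_post))
    print("wrong case rejected:", not verify_type5("cisco", from_post))
    print("fresh secret:", new_type5_secret("CISCO"))
```

The known-answer check in the test uses the md5crypt vector from libxcrypt (password Hello world!, salt saltstring). Because md5crypt is cheap to compute, a type 5 secret slows an offline guess only as much as the password's own strength allows; later IOS releases add type 8 (PBKDF2 with SHA-256) and type 9 (scrypt) for the same command, which are the better choice where available.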
10.4 Syslog
“Log all severity 7 and below messages to syslog server”
r3(config)#logging trap ?
<0-7> Logging severity level
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
warnings Warning conditions (severity=4)
<cr>
logging trap
“The number or name of the desired severity level at which messages should be logged. Messages at or numerically lower than the specified level are logged. Severity levels are as follows (enter the number or the keyword)”
Defaults
Syslog messages at level 0 to level 6 are generated, but will only be sent to a remote host if the logging host command is configured.
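How “logging trap” filters is easier to see with the message format in hand: every IOS message carries a %FACILITY-SEVERITY-MNEMONIC: header, and only messages whose severity number is at or below the configured level go to the logging host. The example below is added here and is not code from the post or from IOS; it parses that header, applies the filter for a given trap setting, and computes the PRI value the syslog datagram would carry (IOS uses local7 by default). The sample lines are constructed for the example, except the first, which is the RMON trap from the r6 output above with its original spacing.

```python
"""Parse Cisco IOS log messages and apply the 'logging trap <level>' filter (added example)."""
import re
from typing import List, NamedTuple, Optional, Union

# Severity keywords and numbers exactly as 'logging trap ?' lists them.
SEVERITY_NAMES = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# IOS message header: %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: text
# Anything before the header (timestamp, sequence number, collector prefix) is kept as 'prefix'.
_IOS_MSG = re.compile(
    r"^(?:(?P<prefix>[^%]*?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+(?:-[A-Z0-9_]+)?)-(?P<severity>[0-7])-"
    r"(?P<mnemonic>[A-Z][A-Z0-9_]*):\s+(?P<text>.*)$"
)


class IosMessage(NamedTuple):
    prefix: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_ios_message(line: str) -> Optional[IosMessage]:
    """Return the parsed header, or None for lines that are not IOS messages."""
    m = _IOS_MSG.match(line.strip())
    if m is None:
        return None
    return IosMessage(m["prefix"], m["facility"], int(m["severity"]), m["mnemonic"], m["text"])


def clock_is_synced(msg: IosMessage) -> bool:
    """IOS prefixes the timestamp with '*' when the clock is not authoritative (e.g. no NTP)."""
    return not (msg.prefix or "").startswith("*")


def trap_level(setting: Union[int, str]) -> int:
    """Accept either form of the 'logging trap' argument: a number 0-7 or a keyword."""
    level = setting if isinstance(setting, int) else SEVERITY_NAMES[setting]
    if not 0 <= level <= 7:
        raise ValueError(f"severity out of range: {level}")
    return level


def forwarded_to_syslog(lines: List[str], setting: Union[int, str] = "informational") -> List[IosMessage]:
    """Keep the messages a router configured with 'logging trap <setting>' would send.

    Messages at or numerically below the configured level are forwarded; lines without an
    IOS header are ignored here (a real device would not produce them).
    """
    level = trap_level(setting)
    parsed = (parse_ios_message(line) for line in lines)
    return [msg for msg in parsed if msg is not None and msg.severity <= level]


def syslog_pri(severity: int, facility_code: int = 23) -> int:
    """PRI value of the syslog datagram: facility*8 + severity. IOS defaults to local7 (23)."""
    return facility_code * 8 + severity


# Sample input: the first line is the RMON trap from the r6 output in the post; the rest are constructed.
LOGS = [
    "*Mar 1 22:34:41.250: %RMON-5-FALLINGTRAP: Falling trap is generated because the value of "
    "lsystem.58.0 has fallen below the falling-threshold value 40",
    "*Mar 1 22:40:02.101: %SYS-5-CONFIG_I: Configured from console by NOC on vty0 (150.1.5.5)",
    "*Mar 1 22:41:15.773: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0:0, changed state to down",
    "*Mar 1 22:41:16.002: %LINK-3-UPDOWN: Interface Serial0/0:0, changed state to down",
    "*Mar 1 22:42:00.500: %SYS-7-USERLOG_DEBUG: Message from tty1(user id: NOC): test",
    "this line has no IOS header and is dropped",
]

if __name__ == "__main__":
    for setting in ("debugging", "informational", "errors"):
        kept = forwarded_to_syslog(LOGS, setting)
        print(f"logging trap {setting}: {len(kept)} of {len(LOGS)} lines forwarded")
        for msg in kept:
            print(f"  <{syslog_pri(msg.severity)}> {msg.facility}-{msg.severity}-{msg.mnemonic}"
                  f" clock_synced={clock_is_synced(msg)}")
```

Two things worth noticing when the filter runs: “logging trap 7” (the task's requirement) forwards debugging output as well, which can be high volume on a busy box, and every line in the r6 output carries the leading “*”, so the timestamps on those records are not authoritative and should not be trusted for correlation until the router has an NTP source.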
The second task asked you to turn off logging for certain events on certain interfaces. This is easy to do. You just need to remember that the configuration is under the interface and not in global config mode:
r3(config)#int s0/0:0
r3(config-if)#no logging event ?
dlci-status-change DLCICHANGE messages
frame-relay Frame-relay messages
link-status UPDOWN and CHANGE messages
subif-link-status Sub-interface UPDOWN and CHANGE messages
What is the difference between:
r3(config-if)#logging event frame-relay dlci
and
r3(config-if)#logging event dlci-status-change
If you configure both on an interface:
r3(config)#int s0/0:0
r3(config-if)#logging event frame-relay dlci
r3(config-if)#logging event dlci-status-change
Only dlci-status-change shows up:
r3(config-if)#do sh run int s0/0:0 | i logg
logging event dlci-status-change
This section took me a long time to complete but it wasn’t too bad. The DOC is your friend.
Thanks for this bit of info … it helped me PD an issue on our network {thumbsup}
Comment by RFC1795 — April 20, 2009 @ 12:32 pm