CCIE Pursuit Blog

December 10, 2007

Internetwork Expert Volume II: Lab 2 – Section 10

Section 10 – System Management- 9 Points

10.1  RMON

This was another task that was (thankfully) doable because the tasks are spelled out.  Use the DOC (especially the configuration example):

Configuring RMON Support

r5(config)#rmon alarm 1 ?
  WORD  MIB object to monitor

Where are the MIBs listed? Hmmm…the question gives you “lsystem.58.0” – is that the MIB?  Answer: YES.

r5(config)#rmon alarm 1 lsystem.58.0 ?
  <1-2147483647>  Sample interval <-in seconds

r5(config)#rmon alarm 1 lsystem.58.0 60 ?
  absolute  Test each sample directly
  delta     Test delta between samples

The task asks for events to be triggered at 70% and 40%, so these would be absolute and not relative values.

r5(config)#rmon alarm 1 lsystem.58.0 60 absolute rising-threshold 75 ?
  <0-65535>          Event to fire on rising threshold crossing
  falling-threshold  Configure the falling threshold

So here’s my full line:

r5(config)#do sh run | i rmon
rmon alarm 1 lsystem.58.0 60 absolute rising-threshold 75 1 falling-threshold 40 2 owner config

Let’s config the events:

r5(config)#rmon event 1 desc ?
  WORD  Event description

r5(config)#rmon event 1 desc 5_MIN_CPU_OVER_70 ?
  log    Generate RMON log when the event fires
  owner  Specify an owner for the event
  trap   Generate SNMP trap when the event fires

r5(config)#rmon event 1 desc 5_MIN_CPU_OVER_70 trap ?
  WORD  SNMP community string <-stated in task

r5(config)#rmon event 1 desc 5_MIN_CPU_OVER_70 trap IETRAP log
r5(config)#rmon event 2 desc 5_MIN_CPU_UNDER_40 trap IETRAP log

The task asks me to send the text “Five Minute CPU Average Above 75%”.  How do I do that?

It looks like you need to put that in the description:

The following example enables the rmon event global configuration command:

Router(config)# rmon event 1 log trap eventtrap description “High ifOutErrors” owner owner_a

r5(config)#do sh run | i rmon event
rmon event 1 log trap IETRAP description “Five Minute CPU Average Above 75%” owner config
rmon event 2 log trap IETRAP description “Five Minute CPU Average Below 40%” owner config

Okay let’s config the SNMP server values:

r5(config)#snmp-server comm IETRAP ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community
  ro           Read-only access with this community string
  rw           Read-write access with this community string
  view         Restrict this community to a named MIB view

Hmmm…I would think that “view” is what we need…or not 🙂

snmp-server community

 (Optional) Specifies a previously defined view. The view defines the objects available to the SNMP community.
 (Optional) Specifies read-only access. Authorized management stations can only retrieve MIB objects.
 (Optional) Specifies read-write access. Authorized management stations can both retrieve and modify MIB objects.

Okay…do I just go ahead and give it RO or should I limit it to “view lsystem.58.0” ?

I’ll just give it RO rights.  Let’s configure the SNMP server next:

r5(config)#snmp-server host traps ?
  WORD     SNMPv1/v2c community string or SNMPv3 user name
  version  SNMP version to use for notification messages

Crap!  Too many choices:
r5(config)#snmp-server host traps IETRAPS ?
  atm          Allow SNMP atm traps
  bgp          Allow BGP state change traps
  bstun        Allow bstun event traps
  cnpd         Allow NBAR Protocol Discovery traps
  config       Allow SNMP config traps
  config-copy  Allow SNMP config-copy traps
  dlsw         Allow dlsw traps
<—output truncated—>
  vtp          Allow SNMP VTP traps
  x25          Allow x25 event traps
  xgcp         Allow XGCP protocol traps

I like the look of that “<cr>” option.  🙂

Here’s my whole RMON config (about 20 minutes later):

r5#sh run | i rmon|snmp
snmp-server community IETRAP RO
snmp-server host IETRAPS
rmon event 1 log trap IETRAP description “Five Minute CPU Average Above 75%” owner config
rmon event 2 log trap IETRAP description “Five Minute CPU Average Below 40%” owner config
rmon alarm 1 lsystem.58.0 60 absolute rising-threshold 75 1 falling-threshold 40 2 owner config

Which was 100% correct…except that I did not need to configure an snmp-server community for this router.  Goodbye 3 points!!!

*Mar  1 22:34:41.250: %RMON-5-FALLINGTRAP: Falling trap is generated because the value of lsystem.58.0 has fallen below the falling-threshold value 40

Verification commands:

r6#sh rmon ?
  alarms      Display the RMON alarm table
  events      Display the RMON event table
  history     Display the RMON history table
  statistics  Display the RMON statistics table
  |           Output modifiers

r6#sh rmon alarms
Alarm 1 is active
, owned by config
 Monitors lsystem.58.0 every 60 second(s)
 Taking absolute samples, last value was 0
 Rising threshold is 75, assigned to event 1
 Falling threshold is 40, assigned to event 2
 On startup enable rising or falling alarm

r6#sh rmon events
Event 1 is active
, owned by config
 Description is Five Minute CPU Average Above 75%
 Event firing causes log and trap to community IETRAP,
 last event fired at  0y0w0d,00:00:00,
 Current uptime       0y0w0d,22:41:22
Event 2 is active, owned by config
 Description is Five Minute CPU Average Below 40%
 Event firing causes log and trap to community IETRAP,
 last event fired at  0y0w0d,22:34:41,
 Current uptime       0y0w0d,22:41:22
 Current log entries:
  index  uptime              description
  1      0y0w0d,22:34:41     Five Minute CPU Average Below 40%

10.2 Remote Access

Pretty straight-forward task requiring you to configure vty username/password and exec-timeout options.  This task threw me for a loop though:

“Sixty seconds prior to automatically logging this user off r4 should send the user a warning message in order to give the user time to finish up and save any changes to the configuration.”

I had NO idea how to approach this one.  I know that you can use “send” to send messages to users on a device (I’ve used this in the past to fuck with other engineers).  This was not an option though as it was a CLI and not configuration option.  Plus, you have to specify the vty line to send to.

I needed to find a way to trigger this message after the user had been logged on (via vty) the router for 14 minutes.  I had no idea how to do this.  These two commands do the job:


To set the interval for closing the connection, use the absolute-timeout command in line configuration mode. To restore the default, use the no form of this command.

absolute-timeout minutes
no absolute-timeout

Usage Guidelines
Use the absolute-timeout command line configuration command to configure the EXEC to terminate when the configured number of minutes occurs on the virtual terminal (vty) line. The absolute-timeout command terminates the connection after the specified time period has elapsed, regardless of whether the connection is being used at the time of termination. You can specify an absolute-timeout value for each port. The user is given 20 seconds notice before the session is terminated. You can use this command along with the logout-warning command to notify users of an impending logout.

Cisco IOS software also provides the session-timeout and exec-timeout line configuration commands for releasing lines when they have been idle for too long.

I somewhat recall these commands from my first CCNA days (circa 1999).


Trying … Open
User Access Verification

Username: NOC

r4#sh run | sec line vty
line vty 0 4
 exec-timeout 5 0
 password cisco
 logout-warning 30
 absolute-timeout 2
 login local

* Line timeout expired   <-here’s your warning 🙂
[Connection to closed by foreign host] <-30 seconds later

Good warning in the solution guide:

“If using the no exec-timeout command be careful not to issu the no exec command.  If the no exec command is entered no one will be able to create an exec process and in turn will not be able to login.”

10.3 Remote Access Security

“In order to increase the security of your password database configure r4 so that the password for the NOC username is stored as an MD5 hash that represents the password CISCO.”

This was covered in the IEATC.  Just remember that “service password-encryption” does NOT use MD5.

r4(config)#username NOC password ?
  0     Specifies an UNENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) user password

r4(config)#username NOC password 7 CISCO  <-this is not md5 either

You need to use “username secret”

username secret
To encrypt a user password with Message Digest 5 (MD5) encryption, use the username secret command in global configuration mode.

username name secret {[0] password | 5 encrypted-secret}
 (Optional) Clear text password, which will be MD5 encrypted.
 Clear text password.
5 encrypted-secret
 MD5-encrypted text string, which will be stored as the encrypted user password.

Usage Guidelines
Use the username secret command to configure a username and MD5-encrypted user password. The optional 0 keyword enables MD5 encryption on a clear text password; the 5 keyword enters an MD5 encryption string and saves it as the user MD5-encrypted secret. MD5 encryption is a strong encryption method that is not retrievable; thus, you cannot use MD5 encryption with protocols that require clear text passwords, such as Challenge Handshake Authentication Protocol (CHAP).

The username secret command provides an additional layer of security over the username password. It also provides better security by encrypting the password using nonreversible MD5 encryption and storing the encrypted text. The added layer of MD5 encryption is useful in environments in which the password crosses the network or is stored on a TFTP server.

Use MD5 as the encryption type if you paste into this command an encrypted password that you copied from a router configuration file.

One other important caveat:  Do NOT use 5 unless you are entering the HASH of the password (such as when you are copying a configuration with an already hashed password):

r4(config)#username NOC secret 5 CISCO
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 5 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.

r4(config)#username NOC secret CISCO
r4(config)#do sh run | i username NOC
username NOC secret 5 $1$k4Jb$5n/mxY4CnrxT55OxYElHD1

10.4 Syslog

“Log all severity 7 and below messages to syslog server”

r3(config)#logging trap ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)

logging trap
“The number or name of the desired severity level at which messages should be logged. Messages at or numerically lower than the specified level are logged. Severity levels are as follows (enter the number or the keyword)”

Syslog messages at level 0 to level 6 are generated, but will only be sent to a remote host if the logging host command is configured.

The second task asked you to turn off logging for certain events on certain interfaces.  This is easy to do.  You just need to remember that the configuration is under the interface and not in global config mode:

r3(config)#int s0/0:0
r3(config-if)#no logging event ?
  dlci-status-change  DLCICHANGE messages
  frame-relay         Frame-relay messages
  link-status         UPDOWN and CHANGE messages
  subif-link-status   Sub-interface UPDOWN and CHANGE messages

What is the difference between:

r3(config-if)#logging event frame-relay dlci


r3(config-if)#logging event dlci-status-change

If you configure both on an interface:

r3(config)#int s0/0:0
r3(config-if)#logging event frame-relay dlci
r3(config-if)#logging event dlci-status-change

Only dlci-status-change shows up:

r3(config-if)#do sh run int s0/0:0 | i logg
 logging event dlci-status-change

This section took me a long time to complete but it wasn’t too bad.  The DOC is your friend.  🙂


1 Comment »

  1. Thanks for this bit of info … it helped me PD an issue on our network {thumbsup}

    Comment by RFC1795 — April 20, 2009 @ 12:32 pm | Reply

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at

%d bloggers like this: