The Case for SNMPv3

Reluctant to deploy SNMPv3?

Often I hear organizations complain that SNMPv3 is too complex to deploy. Yet many of the TCP/IP protocols in networks today carry some level of complexity: encryption, hashed passwords, two-step authentication, shared keys, three-way handshakes and so on.
And still SNMPv2c sends its community strings in clear text over the network, so anyone who can sniff the segment gets whatever access that community grants.

In a Cisco network you can tighten SNMPv2c security by binding the community to an ACL, but isn’t that just telling a potential hacker which hosts are the NMS systems? I always say: whoever owns the NMS server(s) owns the network.

Recently I deployed SNMPv3 on a Cisco network and, to my delight, found that I needed to spend only about two hours on research.
The following SNMPv3 configuration is for a Cisco IOS device, and it turned out to be useful, secure and versatile enough for several NMS systems to manage the network.

I think the core concept to understand about SNMPv3 is users, groups and views. The online PDFs and bulletins I’ve come across so far all have this in common when it comes to building an SNMPv3 configuration.

Conceptually, here are the steps, in this exact order.

1. Assign an engine ID to the SNMP entity (optional, but a very good idea, and it has to come first: the user keys created in step 4 are derived from the password and the engine ID, so changing the engine ID afterwards invalidates every SNMPv3 user and they have to be recreated)
2. Define a view and select a MIB (the OID subtree the view exposes)
3. Define a group and tie it to a view
4. Define a user, add it to the group and give it a password.

Example:
1. snmp-server engineID local 111100000000000000000000
2.
a. snmp-server view NOCview mib-2 included
b. snmp-server view NOCview cisco included
c. snmp-server view NOCview v1default included

3. snmp-server group NOCengineers v3 auth write NOCview
4. snmp-server user NMSops NOCengineers v3 auth md5 passW0rd20systemX487

Of course, there are more options with regard to security, like adding the “priv” keyword to the group (snmp-server group NOCengineers v3 priv) and a privacy key to the user (... auth md5 <password> priv des56 <key>). All it means is that the data will be encrypted; des56 is the legacy option. If your IOS release offers them, prefer auth sha and priv aes 128 over md5 and des56, which are weak by today’s standards. Two more things worth checking on the group line: with write NOCview alone the group’s read view defaults to v1default, so add read NOCview if reads should be confined to the same view; and the v3 group also accepts access <acl>, so the ACL from the SNMPv2c days can stay on as a second layer.
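To show why the engine ID has to be set before the users, and what the password in step 4 actually turns into, here is an added example (not code from the original post) that implements the RFC 3414 password-to-key and key-localization procedure IOS runs when you enter snmp-server user ... auth md5|sha <password>. It checks itself against the RFC 3414 appendix A.3 test vectors (password “maplesyrup”, engine ID 000000000000000000000002), then derives the key for the post’s NMSops user on the post’s engine ID and on a second engine ID to show that the two differ. The user name, password and first engine ID come from the post; the second engine ID and the sample message bytes are constructed for the example.

```python
import hashlib
import hmac

# RFC 3414 A.2: the password is repeated (and truncated) to exactly 1 MiB before hashing.
STRETCH_LEN = 1048576

# IOS keyword -> hashlib name: "auth md5" is HMAC-MD5-96, "auth sha" is HMAC-SHA-96 (SHA-1).
HASH_FOR_IOS_KEYWORD = {"md5": "md5", "sha": "sha1"}


def password_to_ku(password: bytes, hash_name: str) -> bytes:
    """Engine-independent intermediate key Ku = H(password repeated to 1 MiB)."""
    if not password:
        raise ValueError("empty password")
    stretched = (password * (STRETCH_LEN // len(password) + 1))[:STRETCH_LEN]
    return hashlib.new(hash_name, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Localized key Kul = H(Ku || snmpEngineID || Ku); this is what the agent stores."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def ios_usm_key(password: str, engine_id_hex: str, auth_keyword: str = "md5") -> bytes:
    """What `snmp-server user <u> <g> v3 auth <md5|sha> <password>` stores for one engine ID."""
    hash_name = HASH_FOR_IOS_KEYWORD[auth_keyword]
    ku = password_to_ku(password.encode("utf-8"), hash_name)
    return localize_key(ku, bytes.fromhex(engine_id_hex), hash_name)


def auth_params(kul: bytes, whole_msg: bytes, hash_name: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the message, truncated to 96 bits (12 bytes).
    Only this tag travels on the wire; neither the password nor Kul ever does."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]


def rfc3414_vectors_ok() -> bool:
    """Check the implementation against the RFC 3414 appendix A.3 sample results."""
    engine = "000000000000000000000002"
    md5_ok = ios_usm_key("maplesyrup", engine, "md5").hex() == "526f5eed9fcce26f8964c2930787d82b"
    sha_ok = ios_usm_key("maplesyrup", engine, "sha").hex() == "6695febc9288e36282235fc7151f128497b38f3f"
    return md5_ok and sha_ok


def engine_id_demo() -> dict:
    """Derive the NMSops key (user and password from the post) on two engine IDs.
    The second engine ID is an assumption for the example, not from the post."""
    password = "passW0rd20systemX487"
    page_engine = "111100000000000000000000"   # engine ID from the post
    other_engine = "222200000000000000000000"  # assumed: another box, or the same box after re-setting its engine ID
    k1 = ios_usm_key(password, page_engine, "md5")
    k2 = ios_usm_key(password, other_engine, "md5")
    sample_msg = b"constructed SNMPv3 wholeMsg bytes"  # constructed stand-in for a real message
    return {
        "key_page_engine": k1.hex(),
        "key_other_engine": k2.hex(),
        "keys_differ": k1 != k2,
        "auth_tag_len": len(auth_params(k1, sample_msg, "md5")),
    }


if __name__ == "__main__":
    print("RFC 3414 vectors:", "OK" if rfc3414_vectors_ok() else "MISMATCH")
    for name, value in engine_id_demo().items():
        print(f"{name}: {value}")
```

Because the stored key is bound to the engine ID, a key lifted from one device’s private config does not authenticate against another device, and re-setting the engine ID after the users exist leaves the agent with keys that no longer match the password the NMS knows. That is the reason for the order of the steps above.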

Oh yes, when you display the running configuration you won’t see any users; IOS keeps them out of the running config. The only way you can “see” them is with the show snmp user and show snmp group commands. I truly hope my explanation was understandable and simple enough to tame the perception of SNMPv3.
All the best.

Cheers
Pierre



Three Cool Tips for LMS 3.2

  1. With a 5000-device license, Campus Manager will manage at most 5500 devices (a 10% margin); after that, no more.
  2. The Windows Remote Management (WinRM) service can conflict with RME. Always check that it is not running (WinRM starts automatically on Windows Server 2008).
  3. LMS 3.2 can run on Windows Server 2008, but you should disable the FIPS-compliance policy for CiscoWorks to work properly, because SSL authentication might otherwise fail. Bear in mind that this policy is system-wide (it restricts Schannel and .NET to FIPS-approved algorithms for every application on the box), so record the change if your environment requires FIPS mode:

To enable or disable FIPS mode on Windows 2003 and Windows 2008 servers:

  1. Open  Start > Settings > Control Panel > Administrative tools > Local Security Policy.
  2. Click Local Policies > Security Options.
  3. Select System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
  4. Right-click the selected policy and click Properties.
  5. Select Enabled or Disabled to enable or disable FIPS compliant algorithms.
  6. Click Apply.
  7. Reboot the server for the changes to take effect.

Cheers


Campus Manager Topology Maps

Hi there. Here’s a great tip for CiscoWorks Campus Manager administrators and users.


Suppose you have a lot of network devices and you have spent hours moving all those little icons around on your Topology Map.

Maybe you added all your important devices (core and distribution for the data centre) to the critical device poller, and maybe you even added a nice background wallpaper showing them geographically. Nice.

And then you get a call from another network administrator or user saying his map doesn’t look like the one you created. Well, that’s how LMS Campus Manager works: every user account has its own map and settings.

BUT, you can copy your map to his account like this:

the admin user's Topology maps

For LMS running on Windows, simply go to the Campus maps folder and find the right map to copy. Suppose you created the map as the “admin” user; then go to “C:\Program Files\CSCOpx\campus\etc\users\admin”. It might take some investigating to work out which XML file is the right one (the timestamps help, or open the candidates and look for your device names). In this example the file was called “453.xml”.

Now copy that file to the other user’s folder. If the user account is “george”, then C:\Program Files\CSCOpx\campus\etc\users\george is where george’s maps live. (Oh, yes: remember that the user must save at least one map for the folder to exist.)

Easy, hey? If you are running on Solaris, you might consider a crontab job that copies your map to the other users at a scheduled time, depending on the users.
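As an added example (not a script from the original post or from CiscoWorks), here is the copy step done in Python so that it can run unattended on either platform. It picks the named map, or the most recently saved one, from the owner’s folder and copies it into each target user’s folder. It deliberately never creates a missing folder, because, as noted above, Campus Manager only creates that folder once the user has saved a map himself. The Windows path is the one from the post; the users and the 453.xml content in the demo are constructed.

```python
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# Default from the post for Windows installs; pass a different root for Solaris.
DEFAULT_USERS_ROOT = Path(r"C:\Program Files\CSCOpx\campus\etc\users")


def find_map(users_root: Path, owner: str, map_name: Optional[str] = None) -> Path:
    """Pick the map file to copy: the named file, or else the most recently saved map."""
    owner_dir = users_root / owner
    if map_name is not None:
        candidate = owner_dir / map_name
        if not candidate.is_file():
            raise FileNotFoundError(f"{candidate} not found")
        return candidate
    maps = sorted(owner_dir.glob("*.xml"), key=lambda p: p.stat().st_mtime, reverse=True)
    if not maps:
        raise FileNotFoundError(f"no saved maps under {owner_dir}")
    return maps[0]


def copy_map_to_users(users_root: Path, owner: str, targets, map_name=None, overwrite=False) -> dict:
    """Copy one map into each target user's folder.

    Folders are never created here: Campus Manager creates a user's folder only after
    that user has saved a map, so a missing folder means the user is not ready yet."""
    src = find_map(users_root, owner, map_name)
    result = {"source": str(src), "copied": [], "skipped": []}
    for user in targets:
        dest_dir = users_root / user
        if not dest_dir.is_dir():
            result["skipped"].append((user, "no map folder yet; user must save a map first"))
            continue
        dest = dest_dir / src.name
        if dest.exists() and not overwrite:
            result["skipped"].append((user, f"{dest.name} already exists; pass overwrite=True"))
            continue
        shutil.copy2(src, dest)  # copy2 keeps the timestamp, which helps identify the map later
        result["copied"].append((user, str(dest)))
    return result


def demo() -> dict:
    """Self-contained run on a constructed folder tree mirroring the post's example."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "admin").mkdir()
        (root / "admin" / "453.xml").write_text("<map>constructed sample map</map>")
        (root / "george").mkdir()  # george has saved a map before, so his folder exists
        # "mary" has never saved a map: no folder, so she must be skipped, not created
        result = copy_map_to_users(root, "admin", ["george", "mary"], map_name="453.xml")
        result["george_has_map"] = (root / "george" / "453.xml").is_file()
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

One caveat before scheduling this from cron: the map XML names the devices it shows, so only copy it to users whose LMS role already entitles them to see those devices.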

Cheers.

Server locale error during Install

Cisco Unified Operations Manager 2.2 may produce an error about the server locale during the install.

And even though you have checked the Regional Settings in Control Panel, you still get the error. Then it’s time to dive into the registry.

You need to edit the registry and remember to reboot afterwards. Both values must be 00000409 (the LCID for English (United States)):
HKEY_USERS\.DEFAULT\Control Panel\International\Locale = 00000409
HKEY_CURRENT_USER\Control Panel\International\Locale = 00000409

cheers


IP Address on ACS SE 1113 lost.

I’ve seen this problem a couple of times and thought it worth publishing. Sometimes the ACS SE loses its IP address while you are setting it up and reverts to DHCP.

Well, you really only need to apply this simple rule: plug a network cable into the ACS SE (so the link is up) and, just for kicks, ping the gateway.

Even though it has been said that this was fixed with the patch applACS-4.1-set-ip-CSCsm73656-Patch.zip, I still found this behaviour with ACS 4.2.

And oh yes, it’s not a router console, so set up your terminal software for console access like this:

• Baud = 115200
• Data bits = 8
• Parity = N
• Stop bits = 1
• Flow control = None

Cheers


QPM Device Support

QPM still underdeveloped.

Is it just me, or does QPM still seem to be in preschool? Release 4.1 has had two patches released after it, but device support still seems to be a mystery.

Suppose you need to configure QoS on a 4503 with a SUP6 on the supervisor module. Sure, but only if you’re running IOS 12.1E. And if you need auto-QoS it needs to be 12.2S. And then there’s the strangely missing information about the 4503 line cards. Still investigating.

FCAPS – A Brief Overview

FCAPS: Fault, Configuration, Accounting, Performance, Security.

Definitions and Facts:

FCAPS is an ITU-T standard model for enterprise or network management.

The Telecommunication Standardization Sector (ITU-T) coordinates standards for telecommunications on behalf of the ITU and is based in Geneva, Switzerland. The ITU was established on 17 May 1865; South Africa has been a member since 1910.

FCAPS is an acronym for a categorical model of the working objectives of network management.

FCAPS is also an extension of the popular network management conceptual framework called the Telecommunication Management Network (TMN), which describes network management in four layers. Each TMN layer needs to perform some or all of the FCAPS functions in certain ways.


Network Management FCAPS and TMN Model:

There are many network management technologies and protocols which address some of the FCAPS functions.

Some vendors have developed large integrated applications for network management, often providing an end-to-end solution for the FCAPS functions. In reality there will always be room for another feature, report or capability. It is therefore up to a proficient network management architect or engineer to integrate such applications in the best way possible according to the business needs.

The Five Domains:

  • 1. Fault management

A fault is an event with negative significance. The goal of fault management is to recognize, isolate, correct and log the faults that occur in the network. Because faults can cause downtime or unacceptable network degradation, fault management is perhaps the most widely implemented of the network management elements.

Examples:

CiscoWorks LMS – Device Fault Manager (DFM)

EMC  Smarts Family

CA Spectrum

HP Openview

  • 2. Configuration management

Hardware and software (configuration) changes, including the addition of new equipment and programs, the modification of existing systems and the removal of obsolete systems and programs, are coordinated here. Configuration management also simplifies the configuration of devices, and an inventory of equipment and programs is kept and updated regularly. A regularly refreshed configuration archive has a security payoff too: a running config can be diffed against its last known-good copy to spot unauthorized changes.

Examples:

CiscoWorks LMS – Resource Manager Essential (RME)

EMC  Voyence Control

  • 3. Accounting management

Often referred to as billing or allocation management. The goal is to gather usage statistics per user: to measure network utilization and the activities of individual or group users on the network for the purpose of regulating and billing network usage. For non-billed networks, “administration” replaces “accounting”. The goals of administration are to administer the set of authorized users by establishing users, passwords and permissions, and to administer the operation of the equipment, for example by performing software backup and synchronization.

Examples:

Cisco Access Control Server (ACS)

Mind CTI

  • 4. Performance management

To measure and make available various aspects of network performance for monitoring and optimization. The network performance variables include network throughput, user response times and line utilization. It also helps an IT manager prepare the network for the future and determine the efficiency of the current network, for example in relation to the investment made to set it up. Performance management also covers error rates and response times. By collecting and analysing performance data, the health of the network can be monitored; trends can indicate capacity or reliability issues before they become service affecting.

Performance thresholds can be set in order to trigger an alarm. The alarm would be handled by the normal fault management process.

Examples:

CA eHealth

Netscout

Infovista

Opnet

NetQoS (by the way, CA acquired NetQoS, Inc. for $200 million in mid-September 2009.)

  • 5. Security management

Security management is the process of controlling access to assets in the network. Data security is achieved mainly with authentication and encryption: access to network resources is controlled so that the network cannot be sabotaged and sensitive information can only be accessed by those with authorization. This level also helps protect against hackers, unauthorized users, and physical or electronic sabotage. Confidentiality of user information is maintained where necessary or warranted. The security systems also allow network administrators to control what each authorized user can (and cannot) do with the system. Note that the SNMP community strings and SNMPv3 credentials the other FCAPS tools rely on are themselves assets to protect here: whoever holds them holds the network.

Examples:

Cisco Access Control Server (ACS)

CS-MARS


Cisco LMS Q&A

Part 1 of LMS Q&A

1. Can you add a device in DCR without an IP address?
Yes, as long as the devicename can resolve to an IP address by means of DNS or a local hostfile.

2. What’s the main difference between the results of a manual log-rotation job and a scheduled log-rotation job?

Size. A manual job has no compression option, but when you schedule a job you get the chance to select a compression method such as GZ.

3. How many licenses does a switch stack occupy? The stack consists of 3 x Catalyst 3750s.
One.

CSCsv65933