Configuration Fundamentals Configuration Guide
Managing the System

Table Of Contents

Managing the System

Understanding System Management

Configuration Management

Configure Identification Support

Customize the Router Prompt

Set the Router Name

Create and Monitor Command Aliases

Create a Command Alias

Display Command Aliases

Set the Interval for Load Data

Set Time Services

Network Time Protocol

VINES Time Service

Cisco 7000 Calendar

Configure Synchronization of Logging Messages

Configure NTP

Configure NTP Authentication

Configure NTP Associations

Configure NTP Broadcast Service

Configure NTP Access Restrictions

Configure the Source IP Address for NTP Packets

Configure the System as an Authoritative NTP Server

Configure NTP to Update the Cisco 7000 Calendar

Configure VINES Time Service

Configure Time and Date Manually

Configure the Time Zone

Configure Summer Time (Daylight Savings Time)

Set the System Clock

Set the System Calendar

Monitor Time and Calendar Services

Enable Minor Services

Enable the Finger Protocol

Hide Telnet Addresses

Configure SNMP Support

Configure for Both SNMPv1 and SNMPv2

Configure SNMPv2 Support

Configure SNMPv1 Support

Configure RMON Support

Generate a Downward-Compatible Configuration

Configure the Cisco Discovery Protocol

CDP Configuration Task List

Set the CDP Transmission Timer and Hold Time

Disable and Enable CDP

Disable and Enable CDP on an Interface

Monitor and Maintain CDP

Security Management

Enable RADIUS Access Server Authentication and Accounting

Configure Router to Display Network Access Server Port Type

RADIUS Attributes

Establish Kerberos-Authenticated Server-Client System

Kerberos Overview

Kerberos Support Operation

Configure Kerberos

Establish Password Protection

Protect Access to Terminal Lines

Encrypt Passwords

Protect Passwords with Enable Secret

Configure Multiple Privilege Levels

Set the Privilege Level for a Command

Change the Default Privilege Level for Lines

Display Current Privilege Levels

Logging In to a Privilege Level

Disable Password Protection

Recover a Lost Enable Password

Password Recovery Process

Password Recovery Procedure 1

Password Recovery Procedure 2

Recover a Lost Line Password

Create Access Lists

Configure Lock-and-Key Access

Implementation Considerations of Lock-and-Key Access

Monitor and Maintain Dynamic Access Lists

Establish Terminal Access Control

Enable TACACS and Extended TACACS

Set TACACS Password Protection at the User Level

Disable Password Checking at the User Level

Set Optional Password Verification

Set TACACS Password Protection at the Privileged Level

Disable Password Checking at the Privileged Level

Set Notification of User Actions

Set Authentication of User Actions

Establish the TACACS Server Host and Response Times

Set Limits on Login Attempts

Specify the Amount of Time for Login Input

Enable the Extended TACACS Mode

Enable TACACS for PPP Protocol Authentication

Enable Standard TACACS for ARA Protocol Authentication

Enable Extended TACACS for ARA Protocol Authentication

Enable TACACS to Use a Specific ip Address for all Outgoing TACACS Packets

Configure AAA/TACACS+

Enable AAA/TACACS+ and Set Authentication Key

Enable Authentication for ARA

Enable TACACS+ Password Protection at the Privileged Level

Enable Authentication for Login

Enable an Authentication Override

Enable Authentication for PPP

Restrict Network Access

Specify TACACS+ Authorization for EXEC Access and Network Services

Start TACACS+ Accounting

TACACS+ AV Pairs

Establish Username Authentication

Enable CHAP

Enable PAP

Fault Management

Display System Information

Receiving Automatic Warning Messages

Receiving the Automatic Shutdown Message

Test Network Connectivity

Set Up the TCP Keepalive Packet Service

Test Connections with the Ping Command

Trace Packet Routes

Limit TCP Transactions

Test Memory and Interfaces

Test Flash Memory

Test System Memory

Test Interfaces

Log System Error Messages

Log Errors to a UNIX Syslog Daemon

Enable Message Logging

Enable Message Logging for a Slave Card

Set the Error Message Display Device

Define the Error Message Severity Level and Facilities

Define the Syslog Facility

Enable Timestamps on Log Messages

Enable Debug Operations

System Performance Management

Configure Switching and Scheduling Priorities

Establish Queuing Strategies

Weighted Fair Queuing

Priority Queuing

Custom Queuing

Queuing Task List

Set Fair Queuing for an Interface

Set Priority by Protocol Type

Assign a Default Priority

Set Priority by Interface Type

Specify the Maximum Packets and Bytes in the Priority Queues

Assign a Priority Group or a Custom Queue to an Interface

Monitor the Priority and Custom Queuing Lists

Modify the System Buffer Size

Delay EXEC Startup

Handle Idle Telnet Connection

Accounting Management

Debug AAA accounting

Enable AAA/TACACS+ Accounting

Display Stack Utilization

Display Memory Utilization

Enable IP Accounting for Access List Violations

System Management Examples

System Configuration File Example

Clock, Calendar, and NTP Configuration Examples

Define a Kerberos Realm Examples

Specify Kerberos Authentication Examples

Multiple Levels of Privileges Configuration Examples

Allowing Users to Clear Lines Examples

Defining an Enable Password for System Operators Examples

Disable a Privilege Level Example

Buffer Modification Examples

RMON Alarm and Event Examples

TACACS Authentication Examples

AAA/TACACS+ Authentication Examples

Restrict Network Access Examples

Username Examples

Lock-and-Key Access Example


Managing the System


This chapter describes the basic tasks that you can perform to manage the general system features of the Cisco IOS software—those features that are generally not specific to a particular protocol. Cisco's system management features are supported through the Simple Network Management Protocol (SNMP). Cisco supports the SNMP Version 1 protocol, referred to as SNMPv1, and the SNMP Version 2 protocol, referred to as SNMPv2. This chapter describes the tasks needed to configure SNMP support on Cisco routers. A part of SNMP is the Management Information Base (MIB). MIBs provide variables that can be set or read to change parameters or provide information on network devices and interfaces. Cisco supports several MIBs, including the Internet standard MIB II, and also provides its own Cisco MIB. For information on the Cisco MIB, see the Cisco Management Information Base (MIB) User Quick Reference.

Cisco Systems also provides CiscoWorks, a feature-rich network management application suite that is integrated with Sun Microsystems' SunNet Manager product running on a Sun SPARCstation platform. CiscoWorks provides a menu-driven graphical user interface and supports all five areas of network management. (See the next section, "Understanding System Management," for details.) With CiscoWorks, you can create network maps and set up automated network performance monitors and fault tests, such as pinpointing connectivity problems. Test results can be displayed in several graph formats. Refer to CiscoWorks online help for information on how to use CiscoWorks on a Sun SPARCstation. See the CiscoWorks Installation and Reference Guide for installation and reference information.

In addition to CiscoWorks for the Sun SPARCstation platform, Cisco Systems provides CiscoWorks for Windows. CiscoWorks for Windows incorporates the features of the Cisco Configuration Builder, which was based on an MS-Windows graphical user interface. CiscoWorks for Windows replaces the Cisco Configuration Builder, previously provided for configuring Cisco routers. For information on how to use CiscoWorks for Windows, refer to the online help provided with the product and the CiscoWorks for Windows Getting Started Guide.

For a list of recommended books on network management, refer to the appendix "References and Recommended Reading" in the Configuration Fundamentals Command Reference.

For a complete description of the commands mentioned in this chapter, refer to the "System Management Commands" chapter of the Configuration Fundamentals Command Reference.


Note   One or more of the commands that previously appeared in this chapter have been replaced by new commands. See the "Loading System Images, Microcode Images, and Configuration Files" chapter in the Configuration Fundamentals Configuration Guide for command information. The old commands continue to perform their normal function in the current release, but support for them will cease in future releases.


Understanding System Management

This chapter describes the tasks you can perform to manage the router and its performance on the network. In general, system or network management falls into the categories described in the following sections:

Configuration Management

The configuration of network routers determines how the network operates. To manage router configurations, you need to list and compare configuration files on running routers, store configuration files on network servers for shared access, and perform software installations and upgrades. These configuration management tasks are described in the "Loading System Images, Microcode Images, and Configuration Files" chapter in the Configuration Fundamentals Configuration Guide.

Other configuration management tasks include naming the router, setting time services, configuring synchronous logging of unsolicited messages and debug output, and configuring SNMP support. These tasks are described in this chapter.

Security Management

To manage security on the network, you need to restrict access to the system. You can do so on several different levels:

Assign passwords (and encrypt them) to restrict access to terminal lines, login connections, or privileged EXEC mode.

Establish one of three versions of Terminal Access Controller Access Control System (TACACS) protection for network servers that have shared access: TACACS, extended TACACS, or TACACS+, which is coupled with the Authentication, Authorization, and Accounting (AAA) model.

Restrict login connections to specific users with a username authentication system.

Control access on serial interfaces with Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP).

Create access lists to filter traffic to and from specific destinations. Subsequent chapters that describe the routing protocols in detail define access lists. This section provides general guidelines for creating access lists, the access list numerical ranges, and information on how to configure lock-and-key access.

Create security labels for Internet Protocol (IP) datagrams using the Internet Protocol Security Option (IPSO), as described in the "Configuring IP" chapter of the Network Protocols Configuration Guide, Part 1.

Enable accounting for Internet Protocol (IP) access list violations and display the accounting data. For information on the IP accounting access-violations feature and commands, see the "Configuring IP" chapter in the Network Protocols Configuration Guide, Part 1 and the "IP Commands" chapter in the Network Protocols Command Reference, Part 1.

Fault Management

To manage network faults, you need to discover, isolate, and fix the problems. You can discover problems with the system's monitoring commands, isolate problems with the system's test commands, and resolve problems with other commands, including debug.

This section introduces basic fault management commands. For detailed troubleshooting procedures and a variety of scenarios, see the Troubleshooting Internetworking Systems. For complete details on all debug commands, see the Debug Command Reference.

System Performance Management

To manage system performance, you need to monitor and determine response time, error rates, and availability. Once these factors are determined, you can perform load balancing and modify system parameters to enhance performance. For example, priority queuing allows you to prioritize traffic order. You can configure fast and autonomous switching to improve network throughput, as described in the "Configuring Interfaces" chapter in the Configuration Fundamentals Configuration Guide.

See the Internetwork Design Guide for additional information.

Accounting Management

Accounting management allows you to track both individual and group usage of network resources. You can then reallocate resources as needed. For example, you can change the system timers and configure TCP keepalives. See also the IP accounting feature in the "Configuring IP" chapter of this manual. Additionally, the AAA/TACACS+ aaa accounting command allows you to set start-stop accounting for any or all of the functions listed under that command.

Configuration Management

You can complete any of the tasks in the following sections to perform configuration management functions:

Configure Identification Support

Customize the Router Prompt

Set the Router Name

Create and Monitor Command Aliases

Set the Interval for Load Data

Set Time Services

Configure Synchronization of Logging Messages

Configure NTP

Configure VINES Time Service

Configure Time and Date Manually

Monitor Time and Calendar Services

Enable Minor Services

Enable the Finger Protocol

Hide Telnet Addresses

Configure SNMP Support

Configure RMON Support

Generate a Downward-Compatible Configuration

Configure the Cisco Discovery Protocol

Other configuration management tasks are described in the chapter entitled "Loading System Images, Microcode Images, and Configuration Files" in the Configuration Fundamentals Configuration Guide.

Configure Identification Support

Identification support allows you to query a TCP port for identification. This feature enables RFC 1413, an insecure protocol for reporting the identity of a client that is initiating a TCP connection and of the host responding to the connection. With identification support, you can connect to a TCP port on a host, issue a simple text string to request information, and get back a simple text-string reply.

To configure identification support, perform the following task in global configuration mode:

Task
Command

Enable identification support.

ip identd


Customize the Router Prompt

By default, the prompt consists of the router name followed by an angle bracket (>) for EXEC mode or a pound sign (#) for privileged EXEC mode. To customize your prompt, perform the following task in global configuration mode:

Task
Command

Customize the prompt.

prompt string

Remove the configuration prompt (config).

no service prompt config


Set the Router Name

One of the first basic tasks is to name your router. The name is considered the host name and is the name that is displayed by the system prompt. If no name is configured, the system default name is Router. You can name the router in global configuration mode as follows:

Task
Command

Set the host name.

hostname name


For an example of configuring a router name, see the section "System Configuration File Example" at the end of this chapter.

Create and Monitor Command Aliases

You can create aliases for commonly used or complex commands. Use word substitutions or abbreviations to tailor command syntax for you and your user community.

To create and display command aliases, perform the tasks in the following sections:

Create a Command Alias

Display Command Aliases

Create a Command Alias

To create a command alias, perform the following task in global configuration mode:

Task
Command

Configure a command alias.

alias mode alias-name alias-command-line


Display Command Aliases

To display alias names and the original command syntax, perform the following task in EXEC mode:

Task
Command

Show all command aliases and original command syntax, or specify the aliases in a particular command mode.

show aliases [mode]


Set the Interval for Load Data

You can change the period of time over which a set of data is used for computing load statistics. By decreasing the load interval, dial backup and other decisions are based on an average that is computed over a shorter period of time and is more responsive to bursts of traffic.

To change the length of time for which a set of data is used to compute load statistics, perform the following task in interface configuration mode:

Task
Command

Set the length of time for which data is used for load calculations.

load-interval seconds


Set Time Services

All Cisco routers provide an array of time-of-day services. These services allow the products to accurately keep track of the current time and date, to synchronize multiple products to the same time, and to provide time services to other systems.

The heart of the time service is the system clock. This clock runs from the moment the system starts up and keeps track of the current date and time. The system clock can be set from a number of sources, and in turn can be used to distribute the current time through various mechanisms to other systems. When the system is initialized, the system clock is set from the Cisco 7000 hardware calendar; on other models, the system clock is set to midnight on March 1, 1993. The system clock can then be set from the following sources:

Network Time Protocol (NTP)

VINES Time Service

Manual configuration

The system clock can provide time to the following services:

NTP

VINES Time Service

User show commands

Logging and debugging messages

The system clock keeps track of time internally based on Coordinated Universal Time (UTC), also known as Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time (daylight savings time) so that the time is displayed correctly relative to the local time zone.

The system clock keeps track of whether the time is "authoritative" or not (that is, whether it has been set by a time source considered to be authoritative). If it is not authoritative, the time will be available only for display purposes and will not be redistributed.

Network Time Protocol

The Network Time Protocol (NTP) is a protocol designed to time-synchronize a network of machines. NTP runs over UDP, which in turn runs over IP. NTP is documented in RFC 1305.

An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two machines to within a millisecond of one another.

NTP uses the concept of a "stratum" to describe how many NTP "hops" away a machine is from an authoritative time source. A "stratum 1" time server has a radio or atomic clock directly attached, a "stratum 2" time server receives its time via NTP from a "stratum 1" time server, and so on. A machine running NTP will automatically choose as its time source the machine with the lowest stratum number that it is configured to communicate with via NTP. This strategy effectively builds a self-organizing tree of NTP speakers.

NTP is careful to avoid synchronizing to a machine whose time may not be accurate. It avoids doing so in two ways. First of all, NTP will never synchronize to a machine that is not in turn synchronized itself. Secondly, NTP will compare the time reported by several machines, and will not synchronize to a machine whose time is significantly different from the others, even if its stratum is lower.

The communications between machines running NTP (known as "associations") are usually statically configured; each machine is given the IP address of all machines with which it should form associations. Accurate timekeeping is made possible by exchanging NTP messages between each pair of machines with an association. However, in a local-area network (LAN) environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each machine can simply be configured to send or receive broadcast messages. However, the accuracy of timekeeping is marginally reduced because the information flow is one-way only.

The time kept on a machine is a critical resource, so we strongly recommend that you use the security features of NTP to avoid the accidental or malicious setting of incorrect time. Two mechanisms are available: an access list-based restriction scheme and an encrypted authentication mechanism.

Cisco's implementation of NTP does not support stratum 1 service; in other words, it is not possible to connect to a radio or atomic clock. It is recommended that time service for your network be derived from the public NTP servers available in the IP Internet. If the network is isolated from the Internet, Cisco's implementation of NTP allows a machine to be configured so that it acts as though it is synchronized via NTP, when in fact it has determined the time using other means. Other machines then synchronize to that machine via NTP.

When multiple sources of time (VINES, Cisco 7000 calendar, manual configuration) are available, NTP is always considered to be more authoritative. NTP time overrides the time set by any other method.

A number of manufacturers include NTP software for their host systems, and a publicly available version for systems running UNIX and its various derivatives is also available. This software allows host systems to be time-synchronized as well.

VINES Time Service

Time service is also available when Banyan VINES is configured. This protocol is a standard part of VINES. Cisco's implementation allows the VINES time service to be used in two ways. First, if the system has learned the time from some other source, it can act as a VINES time server and provide time to other machines running VINES. It also can use the VINES time service to set the system clock if no other form of time service is available.

Cisco 7000 Calendar

The Cisco 7000 contains a battery-powered calendar system that tracks the date and time across system restarts and power outages. This calendar system is always used to initialize the system clock when the system is restarted. It can also be considered to be an authoritative source of time and be redistributed via NTP or VINES time service if no other source is available. Furthermore, if NTP is running, the Cisco 7000 calendar can be periodically updated from NTP, compensating for the inherent drift in the calendar time.

Configure Synchronization of Logging Messages

You can configure the system to synchronize unsolicited messages and debug output with solicited device output and prompts for a specific line. You can identify the types of messages to be output asynchronously based on the level of severity. You can also determine the maximum number of buffers for storing asynchronous messages for the terminal after which messages are dropped.

When synchronous logging of unsolicited messages and debug output is turned on, unsolicited device output is displayed on the console or printed after solicited device output is displayed or printed. Unsolicited messages and debug output are displayed on the console after the prompt for user input is returned. This keeps unsolicited messages and debug output from being interspersed with solicited device output and prompts. After the unsolicited messages are displayed, the console displays the user prompt again.

To configure for synchronous logging of unsolicited messages and debug output with solicited device output and prompts, perform the following tasks:

Task
Command

Step 1 Specify the line to be configured for synchronous logging of messages.

line [aux | console | VTY] line-number [ending-line-number] (1)

Step 2 Enable synchronous logging of messages.

logging synchronous [level severity-level | all] [limit number-of-buffers]

(1) This command is documented in the "Terminal Lines and Modem Support Commands" chapter of the Access Services Command Reference.


Configure NTP

NTP services are enabled on all interfaces by default. The optional tasks you can perform are documented in the following sections:

Configure NTP Authentication

Configure NTP Associations

Configure NTP Broadcast Service

Configure NTP Access Restrictions

Configure the Source IP Address for NTP Packets

Configure the System as an Authoritative NTP Server

Configure NTP to Update the Cisco 7000 Calendar

Configure NTP Authentication

If you want to authenticate the associations with other systems for security purposes, perform the tasks that follow. The first task enables the NTP authentication feature. The second task defines each of the authentication keys. Each key has a key number, a type, and a value. Currently the only key type supported is md5. Third, a list of "trusted" authentication keys is defined. If a key is trusted, this system will be ready to synchronize to a system that uses this key in its NTP packets.

To configure NTP authentication, perform the following tasks in global configuration mode:

Task
Command

Step 1 Enable the NTP authentication feature.

ntp authenticate

Step 2 Define the authentication keys.

ntp authentication-key number md5 value

Step 3 Define trusted authentication keys.

ntp trusted-key key-number


Configure NTP Associations

An NTP association can be a peer association (meaning that this system is willing to either synchronize to the other system or to allow the other system to synchronize to it), or it can be a server association (meaning that only this system will synchronize to the other system, and not the other way around). If you want to form an NTP association with another system, perform one of the following tasks in global configuration mode:

Task
Command

Form a peer association with another system.

ntp peer ip-address [version number] [key keyid] [source interface] [prefer]

Form a server association with another system.

ntp server ip-address [version number] [key keyid] [source interface] [prefer]


Note that only one end of an association needs to be configured; the other system will automatically establish the association.

See the example entitled "Clock, Calendar, and NTP Configuration Examples" at the end of this chapter.

Configure NTP Broadcast Service

The system can either send broadcast packets or listen to them on an interface-by-interface basis. The estimated round-trip delay for broadcast packets can also be configured. Perform one or more of the following tasks in global configuration mode if you want to use NTP's broadcast feature:

Task
Command

Send NTP broadcast packets.

ntp broadcast [version number]

Receive NTP broadcast packets.

ntp broadcast client

Adjust estimated delay.

ntp broadcastdelay microseconds


See the example entitled "Clock, Calendar, and NTP Configuration Examples" at the end of this chapter.

Configure NTP Access Restrictions

You can control NTP access on two levels by completing the following tasks:

Create an Access Group and Assign a Basic IP Access List to It

Disable NTP Services on a Specific Interface

Create an Access Group and Assign a Basic IP Access List to It

To control access to NTP services, you can create an NTP access group and apply a basic IP access list to it. To do so, perform the following task in global configuration mode:

Task
Command

Create an access group and apply a basic IP access list to it.

ntp access-group {query-only | serve-only | serve | peer} access-list-number


The access group options are scanned in the following order from least restrictive to most restrictive:

1 Peer—Allows time requests and NTP control queries and allows the system to synchronize itself to a system whose address passes the access list criteria.

2 Serve—Allows time requests and NTP control queries, but does not allow the system to synchronize itself to a system whose address passes the access list criteria.

3 Serve-only—Allows only time requests from a system whose address passes the access list criteria.

4 Query-only—Allows only NTP control queries from a system whose address passes the access list criteria.

If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all systems. If any access groups are specified, only the specified access types will be granted.

For details on NTP control queries, see RFC 1305 (NTP version 3).
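The access-group scan order described above, worked as an added example (not Cisco's code): a small Python model that evaluates which access type a source address is granted, using standard IP access-list semantics (first matching entry decides, implicit deny at the end). The access lists, group assignments and addresses are constructed sample data.

```python
"""Model of the 'ntp access-group' evaluation rules from this chapter.

Added example, not Cisco's code. Access lists are modelled as standard IP
access lists: an ordered list of (action, address, wildcard-mask) entries.
All addresses and lists below are constructed sample data.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Scan order given in the chapter: least restrictive first.
ACCESS_ORDER = ("peer", "serve", "serve-only", "query-only")

# What each access type allows, per the chapter's numbered list.
GRANTS: Dict[str, Set[str]] = {
    "peer":       {"time_requests", "control_queries", "sync_to_it"},
    "serve":      {"time_requests", "control_queries"},
    "serve-only": {"time_requests"},
    "query-only": {"control_queries"},
}

AclEntry = Tuple[str, str, str]  # ("permit" | "deny", address, wildcard)


def acl_permits(acl: List[AclEntry], src: str) -> bool:
    """Standard IP access-list semantics: the first entry whose address/wildcard
    covers src decides; an implicit deny sits at the end of every list."""
    a = int(ipaddress.IPv4Address(src))
    for action, addr, wildcard in acl:
        base = int(ipaddress.IPv4Address(addr))
        # Wildcard bits set to 1 are "don't care"; the rest must match exactly.
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (a & care) == (base & care):
            return action == "permit"
    return False


def ntp_access_type(groups: Dict[str, List[AclEntry]], src: str) -> Optional[str]:
    """Return the access type granted to src, or None if no group matches.

    groups maps an access type to the access list configured with
    'ntp access-group <type> <access-list-number>'. With no groups configured
    every access type is granted, which is the same set of operations as
    'peer', so that is what is returned in that case.
    """
    if not groups:
        return "peer"
    for access_type in ACCESS_ORDER:          # least to most restrictive
        acl = groups.get(access_type)
        if acl is not None and acl_permits(acl, src):
            return access_type                # first matching type wins
    return None


def ntp_operations(groups: Dict[str, List[AclEntry]], src: str) -> Set[str]:
    """The NTP operations src may perform; empty set when nothing is granted."""
    access_type = ntp_access_type(groups, src)
    return set(GRANTS[access_type]) if access_type else set()


# Constructed sample, equivalent to:
#   access-list 1 deny   10.1.1.50 0.0.0.0
#   access-list 1 permit 10.1.1.0  0.0.0.255
#   access-list 2 permit 10.0.0.0  0.255.255.255
#   access-list 3 permit 192.0.2.7 0.0.0.0
#   ntp access-group peer 1
#   ntp access-group serve 2
#   ntp access-group query-only 3
SAMPLE_GROUPS: Dict[str, List[AclEntry]] = {
    "peer": [("deny", "10.1.1.50", "0.0.0.0"), ("permit", "10.1.1.0", "0.0.0.255")],
    "serve": [("permit", "10.0.0.0", "0.255.255.255")],
    "query-only": [("permit", "192.0.2.7", "0.0.0.0")],
}

if __name__ == "__main__":
    for src in ("10.1.1.9", "10.1.1.50", "10.7.7.7", "192.0.2.7", "203.0.113.5"):
        print(f"{src:<13} -> {ntp_access_type(SAMPLE_GROUPS, src)}: "
              f"{sorted(ntp_operations(SAMPLE_GROUPS, src))}")
```

Note that 10.1.1.50 falls through to serve: it is denied by the peer list, so the scan continues to the next, more restrictive group rather than stopping.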

Disable NTP Services on a Specific Interface

NTP services are enabled on all interfaces by default. You can disable NTP packets from being received through an interface by performing the following task in interface configuration mode:

Task
Command

Disable NTP services on a specific interface.

ntp disable


Configure the Source IP Address for NTP Packets

When the system sends an NTP packet, the source IP address is normally set to the address of the interface through which the NTP packet is sent. Perform the following task in global configuration mode if you want to configure a specific interface from which the IP source address will be taken:

Task
Command

Configure an interface from which the IP source address will be taken.

ntp source interface


This interface will be used for the source address for all packets sent to all destinations. If a source address is to be used for a specific association, use the source parameter on the ntp peer or ntp server command shown earlier in this chapter.

Configure the System as an Authoritative NTP Server

Perform the following task in global configuration mode if you want the system to be an authoritative NTP server, even if the system is not synchronized to an outside time source:

Task
Command

Make the system an authoritative NTP server.

ntp master [stratum]



Caution   
Use this command with extreme caution. It is very easy to override valid time sources using this command, especially if a low stratum number is configured. Configuring multiple machines in the same network with the ntp master command can cause instability in timekeeping if the machines do not agree on the time.

For an example of configuring an authoritative NTP server, see the section "Clock, Calendar, and NTP Configuration Examples" at the end of this chapter.
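As an added example (not Cisco's tooling) that ties together the "Configure NTP Authentication" and "Configure NTP Associations" sections and the caution above, the following Python script audits a configuration excerpt for the conditions those sections describe: ntp authenticate enabled, every ntp server or ntp peer carrying a key that is both defined and trusted, and the presence of ntp master. The configuration text and the key strings in it are constructed placeholders.

```python
"""Audit an IOS configuration excerpt for the NTP authentication, association
and 'ntp master' conditions described in this chapter.

Added example, not Cisco's tooling. The configuration text below is a
constructed sample, and the key strings in it are placeholders.
"""
import re
from typing import List, Optional, Tuple


def audit_ntp_config(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    authenticate = False
    defined_keys = set()
    trusted_keys = set()
    associations: List[Tuple[str, str, Optional[int]]] = []
    master: Optional[str] = None

    for raw in config.splitlines():
        line = raw.strip()
        if line == "ntp authenticate":
            authenticate = True
        elif m := re.match(r"ntp authentication-key (\d+) md5 .+", line):
            defined_keys.add(int(m.group(1)))
        elif m := re.match(r"ntp trusted-key (\d+)$", line):
            trusted_keys.add(int(m.group(1)))
        elif m := re.match(r"ntp (server|peer) (\S+)(.*)$", line):
            key = re.search(r"\bkey (\d+)", m.group(3))
            associations.append((m.group(1), m.group(2),
                                 int(key.group(1)) if key else None))
        elif m := re.match(r"ntp master(?:\s+(\d+))?\s*$", line):
            master = m.group(1) or "default"

    findings: List[str] = []
    if associations and not authenticate:
        findings.append("ntp authenticate is missing: associations are not "
                        "authenticated even if keys are configured")
    for kind, addr, key in associations:
        if key is None:
            findings.append(f"ntp {kind} {addr} has no key: time from it is unauthenticated")
        elif key not in defined_keys:
            findings.append(f"ntp {kind} {addr} references key {key}, which has no "
                            "ntp authentication-key definition")
        elif key not in trusted_keys:
            # Per the chapter, the system only synchronizes to a peer whose key is trusted.
            findings.append(f"ntp {kind} {addr} uses key {key}, which is not an "
                            "ntp trusted-key; the system will not synchronize to it")
    for key in sorted(trusted_keys - defined_keys):
        findings.append(f"ntp trusted-key {key} has no ntp authentication-key definition")
    if master is not None:
        findings.append(f"ntp master (stratum {master}) is configured: it can override "
                        "valid time sources and must not be duplicated in this network")
    return findings


# Constructed sample: keys defined, but authentication never switched on,
# key 2 never trusted, the peer left unauthenticated, and ntp master set.
WEAK_CONFIG = """
hostname Router1
ntp authentication-key 1 md5 PLACEHOLDER-KEY-1
ntp authentication-key 2 md5 PLACEHOLDER-KEY-2
ntp trusted-key 1
ntp server 192.0.2.10 key 1 prefer
ntp server 192.0.2.11 key 2
ntp peer 198.51.100.5
ntp master 3
"""

# Same router after applying the three authentication steps to every association.
HARDENED_CONFIG = """
hostname Router1
ntp authenticate
ntp authentication-key 1 md5 PLACEHOLDER-KEY-1
ntp authentication-key 2 md5 PLACEHOLDER-KEY-2
ntp trusted-key 1
ntp trusted-key 2
ntp server 192.0.2.10 key 1 prefer
ntp server 192.0.2.11 key 2
ntp peer 198.51.100.5 key 1
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_ntp_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```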

Configure NTP to Update the Cisco 7000 Calendar

Perform the following task in global configuration mode if the system is synchronized to an outside time source via NTP and you want the Cisco 7000 calendar to be synchronized periodically to NTP time:

Task
Command

Configure NTP to update the Cisco 7000 calendar.

ntp update-calendar


For an example of configuring NTP to update the Cisco 7000 calendar, see the section "Clock, Calendar, and NTP Configuration Examples" at the end of this chapter.

Configure VINES Time Service

Perform the following task in global configuration mode if you want to distribute the system clock to other VINES systems:

Task
Command

Distribute the system clock to other VINES systems.

vines time use-system (1)

(1) This command is documented in the "Banyan VINES Commands" chapter in the Network Protocols Command Reference, Part 2.


To receive VINES time service to control the system clock, perform the following task in global configuration mode:

Task
Command

Receive VINES time service.

vines time set-system (1)

(1) This command is documented in the "Banyan VINES Commands" chapter in the Network Protocols Command Reference, Part 2.


Configure Time and Date Manually

If no other source of time is available, you can manually configure the current time and date after the system is restarted. The time will remain accurate until the next system restart. We recommend that you use manual configuration only as a last resort.

To set up time services, complete the following tasks as needed. If you have an outside source to which the router can synchronize, you do not need to manually set the system clock.

Configure the Time Zone

Configure Summer Time (Daylight Savings Time)

Set the System Clock

Set the System Calendar

Configure the Time Zone

Complete the following task in global configuration mode to manually configure the time zone used by the Cisco IOS software:

Task: Set the time zone.
Command: clock timezone zone hours [minutes]


For an example of configuring the time zone, see the section "Clock, Calendar, and NTP Configuration Examples" at the end of this chapter.

Configure Summer Time (Daylight Savings Time)

To configure summer time (daylight savings time) in areas where it starts and ends on a particular day of the week each year, perform the following task in global configuration mode:

Task: Configure summer time.
Command: clock summer-time zone recurring [week day month hh:mm week day month hh:mm [offset]]


If summer time in your area does not follow this pattern, you can configure the exact date and time of the next summer time events by performing one of the following tasks in global configuration mode:

Task: Configure summer time.
Command: clock summer-time zone date month date year hh:mm month date year hh:mm [offset]
or
Command: clock summer-time zone date date month year hh:mm date month year hh:mm [offset]


For an example of configuring summer time, see the section "Clock, Calendar, and NTP Configuration Examples" at the end of this chapter.

Set the System Clock

If you have an outside source on the network that provides time services (such as an NTP server or VINES time service), you do not need to manually set the system clock.

However, if you do not have any time service source, complete one of the following tasks in EXEC mode to set the system clock:

Task: Set the system clock.
Command: clock set hh:mm:ss day month year
or
Command: clock set hh:mm:ss month day year


Set the System Calendar

In addition to a system clock, the Cisco 4500 and Cisco 7000 hardware provides a system calendar that can set the system time and control the system clock, as well as enable the router to act as a time service for the network.

You can complete the following tasks to enable the Cisco 4500 and Cisco 7000 calendar capabilities:

Set the Router Calendar

Set the Router as a Network Time Source

Set the System Clock from the Calendar

Set the Calendar from the System Clock

Set the Router Calendar

The calendar maintains time separately from the system clock. It continues to run when the system is restarted or power is turned off. Typically, it only needs to be manually set once, when the system is first installed. If time is available from an external source using NTP, the calendar can be updated from the system clock instead.

If you do not have an external time source, perform the following task in EXEC mode to set the system calendar:

Task: Set the calendar.
Command: calendar set hh:mm:ss day month year
or
Command: calendar set hh:mm:ss month day year


Set the Router as a Network Time Source

Although the system clock is always initialized from the calendar when the system is restarted, by default it is not considered to be authoritative and so will not be redistributed with NTP or VINES Time Service. To make the calendar authoritative, complete the following task in global configuration mode:

Task: Enable the router to act as a valid time source to which network peers can synchronize.
Command: clock calendar-valid


For an example of making the calendar authoritative, see the section "Clock, Calendar, and NTP Configuration Examples" at the end of this chapter.

Set the System Clock from the Calendar

To set the system clock to the new calendar setting, perform the following task in EXEC mode:

Task: Set the system clock from the calendar.
Command: clock read-calendar


Set the Calendar from the System Clock

To update the calendar with the new clock setting, perform the following task in EXEC mode:

Task: Set the calendar from the system clock.
Command: clock update-calendar
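The manual time tasks and the calendar tasks above fit together as follows. This is an added example, not the one in the chapter's "Clock, Calendar, and NTP Configuration Examples" section; the zone, times and the NTP server address 192.0.2.10 are constructed, and the ntp server command comes from the "Configure NTP Associations" section of this chapter rather than from this section.

```cisco
! Added example (constructed zone, times and addresses): time services
! on a Cisco 7000, shown with the mode each command is entered in.
!
! Set the zone before any clock set or calendar set, because those
! commands are interpreted in the configured local zone.
Router# configure terminal
Router(config)# clock timezone PST -8
! No week/day/month arguments: the United States rule and a 60-minute
! offset are the defaults.
Router(config)# clock summer-time PDT recurring
!
! Case A, an outside NTP source exists. NTP disciplines the system
! clock, and ntp update-calendar writes that time back to the
! battery-backed calendar, so a later reload starts from good time
! even if the NTP server is unreachable at that moment.
Router(config)# ntp server 192.0.2.10
Router(config)# ntp update-calendar
Router(config)# end
!
! Case B, no outside source: set the calendar once by hand, copy it to
! the system clock, and only then declare it authoritative. Like ntp
! master, clock calendar-valid lets peers trust this router's time,
! so use it on one router whose calendar has been set carefully.
Router# calendar set 10:15:00 23 February 1997
Router# clock read-calendar
Router# configure terminal
Router(config)# clock calendar-valid
Router(config)# end
!
! Verify: show clock detail reports where the time came from,
! show calendar the battery-backed value.
Router# show clock detail
Router# show calendar
```

Cases A and B are alternatives for the same router; a network should have only one authoritative source, so clock calendar-valid belongs on the router that is meant to be that source and nowhere else.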


Monitor Time and Calendar Services

To monitor clock, calendar, and NTP EXEC services, complete the following tasks in EXEC mode:

Task: Display the current calendar time (for the Cisco 4500 and Cisco 7000 only).
Command: show calendar

Task: Display the current system clock time.
Command: show clock [detail]

Task: Show the status of NTP associations.
Command: show ntp associations [detail]

Task: Show the status of NTP.
Command: show ntp status


Enable Minor Services

You can access minor TCP, UDP, and BOOTP services available from hosts on the network. These services are enabled by default.

To enable these services, perform the following tasks in global configuration mode:

Task: Access minor TCP services such as echo, chargen, discard, and daytime.
Command: service tcp-small-servers

Task: Access minor UDP services such as echo, chargen, and discard.
Command: service udp-small-servers

Task: Access the BOOTP service.
Command: ip bootp server


Enable the Finger Protocol

You can enable the Finger protocol so that people throughout the network can get a list of the users currently using the router. The information displayed includes the processes running on the system, the line number, connection name, idle time, and terminal location. To enable the Finger protocol, perform the following task in global configuration mode:

Task: Enable the Finger protocol requests.
Command: service finger
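Because the minor services and Finger are on by default, the setting a practitioner usually wants is the no form of each command. The following is an added example, not from the original chapter, that disables all four on a router that does not need them.

```cisco
! Added example: the no form of each command in the two sections above.
! On a router that does not serve these protocols this is the
! hardening baseline, because all four answer unauthenticated requests
! from any source: echo and chargen return traffic to whatever address
! asks for it, and Finger lists who is logged in and from where.
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no service finger
!
! Verification (EXEC mode): since these services are on by default,
! only the no forms are written to the configuration, so each of the
! four lines above should now be visible in the output.
! Router# show running-config
```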


Hide Telnet Addresses

You can hide addresses while attempting to establish a Telnet session. To configure the router to suppress Telnet addresses, perform the following task in global configuration mode:

Task: Hide addresses while establishing a Telnet session.
Command: service hide-telnet-address


The hide feature suppresses the display of the address and continues to display all other messages that would normally display during a connection attempt, such as detailed error messages if the connection was not successful.

Use the busy-message command with the service hide-telnet-address command to customize the information displayed during Telnet connection attempts. If the connection attempt is not successful, the router suppresses the address and displays the message specified with the busy-message command.

Configure SNMP Support

The Simple Network Management Protocol (SNMP) system consists of three parts: an SNMP manager, an SNMP agent, and a Management Information Base (MIB). SNMP is an application-layer protocol that allows SNMP manager and agent stations to communicate. SNMP provides a message format for sending information between an SNMP manager and an SNMP agent. The SNMP manager can be part of a Network Management System (NMS), such as CiscoWorks.

The agent and MIB reside on the router. To configure SNMP on the router, you define the relationship between the manager and the agent.

The SNMP agent contains MIB variables whose values the SNMP manager can request or change. A manager can get a value from an agent or store a value into that agent. The agent gathers data from the MIB, the repository for information about device parameters and network data. The agent can also respond to a manager's requests to get or set data.

An agent can send unsolicited traps to the manager. Traps are messages alerting the SNMP manager to a condition on the network. Traps can indicate improper user authentication, restarts, link status (up or down), closing of a TCP connection, or loss of connection to a neighbor router.

Figure 29 illustrates the communications relationship between the SNMP manager and agent. It shows that a manager can send the agent requests to get and set MIB values. The agent can respond to these requests. Independent of this interaction, the agent can send unsolicited traps to the manager notifying the manager of network conditions.

Figure 29 Communication between an SNMP Agent and Manager

Cisco supports the SNMP Version 1 protocol, referred to as SNMPv1, and the SNMP Version 2 protocol, referred to as SNMPv2. Cisco's implementation of SNMP supports all MIB II variables (as described in RFC 1213) and SNMP traps (as described in RFC 1215). See the Cisco Management Information Base (MIB) User Quick Reference for a list and detailed description of each Cisco MIB variable and SNMP trap.

RFC 1447, "SNMPv2 Party MIB" (April 1993), describes the managed objects that correspond to the properties associated with SNMPv2 parties, SNMPv2 contexts, and access control policies, as defined by the SNMPv2 Administrative Model. RFC 1450, "SNMPv2 MIB," (April 1993) describes the managed objects that instrument the behavior of an SNMPv2 implementation. Cisco supports the MIB variables as required by the conformance clauses specified in these MIBs.

Cisco also provides its own MIB with every system. One of the set of MIB objects provided is the Cisco Chassis MIB that enables the SNMP manager to gather data on system card descriptions, serial numbers, hardware and software revision levels, and slot locations.

Although SNMPv2 offers more robust support than SNMPv1, Cisco continues to support SNMPv1. This is because not all management stations have migrated to SNMPv2 and you must configure the relationship between the agent and the manager to use the version of SNMP supported by the management station.

SNMPv1 offers a community-based form of security defined through an IP address access control list and password. SNMPv2 offers richer security configured through an access policy that defines the relationship between a single manager and agent. SNMPv2 security includes message authentication support using the Message Digest (MD5) algorithm, but because of the Data Encryption Standard (DES) export restrictions, it does not include encryption support through DES. SNMPv2 security provides data origin authentication, ensures data integrity, and protects against message stream modification.

In addition to enhanced security, SNMPv2 support includes a bulk retrieval mechanism and more detailed error message reporting to management stations. The bulk retrieval mechanism supports the retrieval of tables and large quantities of information, minimizing the number of round-trips required.

The SNMPv2 improved error handling support includes expanded error codes that distinguish different kinds of error conditions; these conditions are reported through a single error code in SNMPv1. Error return codes now report the error type. Three kinds of exceptions are also reported: no such object exceptions, no such instance exceptions, and end of MIB view exceptions.

There is no specific command that you use to enable SNMP. The first snmp-server command that you enter enables both versions of SNMP.

To configure SNMP support, perform the tasks in one of the following sections:

Configure for Both SNMPv1 and SNMPv2

Configure SNMPv2 Support

Configure SNMPv1 Support

To configure the relationship between the agent and the manager on the router, you need to know the version of the SNMP protocol that the management station supports. An agent can communicate with multiple managers; for this reason, you can configure the Cisco IOS software to support communications with one management station using the SNMPv1 protocol and another using the SNMPv2 protocol.

Configure for Both SNMPv1 and SNMPv2

You can perform tasks in the following sections to configure support for both SNMPv1 and SNMPv2:

Enable the SNMP Agent Shutdown Mechanism

Establish the Contact, Location, and Serial Number of the SNMP Agent

Define the Maximum SNMP Agent Packet Size

Limit TFTP Servers Used Via SNMP

Monitor SNMP Status

Disable the SNMP Agent

Enable the SNMP Agent Shutdown Mechanism

Using SNMP packets, a network management tool can send messages to users on virtual terminals and the console. This facility operates in a similar fashion to the EXEC send command; however, the SNMP request that causes the message to be issued to the users also specifies the action to be taken after the message is delivered. One possible action is a shutdown request. After a system is shut down, typically it is reloaded. Because the ability to cause a reload from the network is a powerful feature, it is protected by the snmp-server system-shutdown global configuration command. If you do not issue this command, the shutdown mechanism is not enabled. To enable the SNMP agent shutdown mechanism, perform the following task:

Task: Use the SNMP message reload feature and request a system shutdown message.
Command: snmp-server system-shutdown


To understand how to use this feature with SNMP requests, read the document mib.txt available by anonymous FTP from ftp.cisco.com.

Establish the Contact, Location, and Serial Number of the SNMP Agent

You can set the system contact, location, and serial number of the SNMP agent so that these descriptions can be accessed through the configuration file. To do so, perform one or more of the following tasks in global configuration mode:

Task: Set the system contact string.
Command: snmp-server contact text

Task: Set the system location string.
Command: snmp-server location text

Task: Set the system serial number.
Command: snmp-server chassis-id text


Define the Maximum SNMP Agent Packet Size

You can set the maximum packet size permitted when the SNMP agent is receiving a request or generating a reply. To do so, perform the following task in global configuration mode:

Task: Establish the maximum packet size.
Command: snmp-server packetsize byte-count


Limit TFTP Servers Used Via SNMP

You can limit the TFTP servers used for saving and loading configuration files via SNMP to the servers specified in an access list. To do so, perform the following task in global configuration mode:

Task: Limit TFTP servers used for configuration file copies via SNMP to the servers in an access list.
Command: snmp-server tftp-server-list number


Monitor SNMP Status

To monitor SNMP input and output statistics, including the number of illegal community string entries, errors, and requested variables, complete the following task in EXEC mode:

Task: Monitor SNMP status.
Command: show snmp


Disable the SNMP Agent

To disable both versions of SNMP (SNMPv1 and SNMPv2) concurrently, perform the following task in global configuration mode:

Task: Disable SNMP agent operation.
Command: no snmp-server
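The tasks in this section, taken together, as an added example that is not from the original chapter. The contact and location text, the chassis identifier and the addresses 192.0.2.50 and 192.0.2.51 are constructed; access list 10 is a standard IP access list defined here only to feed snmp-server tftp-server-list.

```cisco
! Added example (constructed text and addresses): agent settings that
! apply to both SNMP versions. The first snmp-server line is also what
! turns the agent on, so enter these only where SNMP access is wanted.
snmp-server contact Network operations, extension 0100
snmp-server location Building 3, equipment room, rack 12
snmp-server chassis-id CHASSIS-SERIAL-PLACEHOLDER
! Bound request and reply size to what the management station handles.
snmp-server packetsize 2048
! A configuration copy requested over SNMP may name only a TFTP server
! that access list 10 permits; any other server address is refused.
access-list 10 permit 192.0.2.50
access-list 10 permit 192.0.2.51
snmp-server tftp-server-list 10
! Deliberately absent: snmp-server system-shutdown. Without it the
! SNMP-initiated reload mechanism stays disabled.
!
! Operational checks (EXEC mode): show snmp counts illegal community
! string entries, which is the first sign that someone is probing the
! agent; the no form disables both versions at once if SNMP is not
! needed on this router.
! Router# show snmp
! Router(config)# no snmp-server
```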


Configure SNMPv2 Support

SNMPv2 security requires that you create an access policy that defines the relationship between a manager and the agent. For each management station that the agent communicates with, you must create a separate access policy. Creating an access policy is a multiple-task process:


Step 1 Define a view to identify the objects that can be seen, if you do not want to use one of the standard predefined views.

Step 2 Define a context to identify the object resources that can be acted on.

Step 3 Define a party for both the manager and the agent to identify them.

Step 4 Using the definitions created in the previous tasks, configure the access policy that characterizes the communications that can occur between the manager and the agent. The privileges that you define for the access policy depend on whether the agent is defined as the source or the destination. For example:

When the agent party is defined as the destination in an access policy, the access policy privileges define the management operations that the agent will accept from the manager and perform in relation to the object resources.

When the agent party is defined as the source in an access policy, the access policy privileges define the responses and traps that the agent can send to the manager.

Figure 30 shows the information exchanged between the manager and the agent. The top arrow, leading from the manager to the agent, shows the types of requests the manager can send to the agent. The bottom arrow, leading from the agent to the manager, shows the kind of information that the agent can send to the manager. Note that the agent sends trap messages to the manager in response to certain network conditions; trap messages are unsolicited and are not related to the request/response communication exchange between the manager and the agent that occurs in relation to MIB variables. For any given manager and agent relationship, the privileges defined in the access policy constrain communications to a specific set of operations.

Figure 30 Flow of Management Operations Requests, Responses, and Traps between the Manager and the Agent

You must create access policies for each new agent that is installed. You also must create access policies on an agent when new management stations with which the agent will communicate are installed. Moreover, every time a network address changes on a management station, you must reconfigure the access policy to reflect the new information for the management station.

This section describes each task that you must perform to configure an access policy. Then it addresses the alternative method and describes the task of configuring the user ID for the simplified security conventions method.

To configure support for SNMPv2, perform the following tasks:

Create or Modify an SNMP View Record

Create or Modify an SNMP Context Record

Create or Modify an SNMPv2 Party Record

Create an SNMPv2 Access Policy

Define SNMPv2 Trap Operations

After you create a record, you can modify the record contents by changing one or more of the record values. To do this, issue the command again, naming the record that you created originally. You must fully specify the record values, including the argument values that are to remain unchanged.

Create or Modify an SNMP View Record

To create or modify an SNMP view record, perform the following task in global configuration mode:

Task: Create or modify a view record.
Command: snmp-server view view-name oid-tree {included | excluded} [volatile]

To remove a view record, use the no snmp-server view command.

Create or Modify an SNMP Context Record

To create or modify an SNMP context record, perform the following task in global configuration mode:

Task: Create or modify a context record.
Command: snmp-server context context-name context-oid view-name [volatile]


To remove a context entry, use the no snmp-server context command. Specify only the name of the context. The name identifies the context to be deleted.

Create or Modify an SNMPv2 Party Record

To create or modify an SNMPv2 party record, perform the following task in global configuration mode:

Task: Create or modify a party record.
Command: snmp-server party party-name party-oid [protocol-address] [packetsize size] [local | remote] [authentication md5 key [clock clock] [lifetime lifetime]] [volatile]

To remove a party record, use the no snmp-server party command.

Create an SNMPv2 Access Policy

To create or modify an SNMPv2 access policy, perform the following task in global configuration mode:

Task: Create or modify an access policy.
Command: snmp-server access-policy destination-party source-party context privileges [volatile]


To remove an SNMPv2 access-policy, use the no snmp-server access-policy command. Specify all three arguments to correctly identify the access policy to be deleted. A difference of one value constitutes a unique access policy entry.

Define SNMPv2 Trap Operations

The SNMP trap operations allow a system administrator to configure the agent router to send information to an SNMP manager when a particular event occurs.

To define the recipient of the trap message, you configure a party record for the manager, including the protocol address, and specify the party record as the destination party for the snmp-server access-policy command. To configure the router to send traps to a host, perform the following tasks in global configuration mode:

Task: Specify the access policy that defines the traps that the agent can send to the manager.
Command: snmp-server access-policy destination-party source-party context privileges

Task: Specify the recipient of the trap message.
Command: snmp-server host host community-string [trap-type]

Task: Specify the types of traps sent.
Command: snmp-server enable traps [trap-type] [trap-option]

Task: Establish trap message authentication.
Command: snmp-server trap-authentication [snmpv1 | snmpv2]


Optionally, you can specify a value other than the default for the source interface, message (packet) queue length for each trap host, or retransmission interval.

To change trap operation values, perform any of the following optional tasks in global configuration mode:

Task: Specify the source interface (and hence IP address) of the trap message.
Command: snmp-server trap-source interface

Task: Establish the message queue length for each trap host.
Command: snmp-server queue-length length

Task: Define how often to resend trap messages on the retransmission queue.
Command: snmp-server trap-timeout seconds


By default, SNMP link traps are sent when an interface goes up or down. For interfaces expected to go up and down during normal usage, such as ISDN interfaces, the output generated by these traps may not be useful. Use the no snmp trap link-status command to disable these traps.
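The four access-policy steps and the trap tasks above, carried through for one agent and one management station, as an added example that is not the chapter's own. The names, the addresses 192.0.2.1 (agent) and 192.0.2.20 (manager) and the key are constructed. Two details are taken from the command reference rather than from this page and are assumptions here: the protocol address is written as udp ip-address port, and the privilege keywords used are get, get-next, get-bulk, set, response and trap. Party and context identifiers are formed from the initialPartyId and initialContextId prefixes of RFC 1447 followed by the party's IP address and an index.

```cisco
! Added example (constructed names, addresses and key): SNMPv2 access
! policy between this router (agent, 192.0.2.1) and one management
! station (192.0.2.20), followed by trap delivery to that station.
!
! Step 1: a view. "restricted" exposes the mib-2 subtree only; one of
! the predefined views could be used instead.
snmp-server view restricted mib-2 included
!
! Step 2: a context bound to that view. Identifier is
! initialContextId . <agent address> . <index>.
snmp-server context agentctx 1.3.6.1.6.3.3.1.4.192.0.2.1.1 restricted
!
! Step 3: one party per side, initialPartyId . <address> . <index>.
! The agent party is local, the manager party remote. Both carry MD5
! message authentication with a shared key; <16-octet-key> is a
! placeholder, not a working value.
snmp-server party agent 1.3.6.1.6.3.3.1.3.192.0.2.1.1 udp 192.0.2.1 161 local authentication md5 <16-octet-key>
snmp-server party nms 1.3.6.1.6.3.3.1.3.192.0.2.20.1 udp 192.0.2.20 161 remote authentication md5 <16-octet-key>
!
! Step 4: two policies. With the agent as destination, the privileges
! are what the manager may ask of it: read-only here, no set.
snmp-server access-policy agent nms agentctx get get-next get-bulk
! With the agent as source, the privileges are what it may send back:
! responses to those requests and unsolicited traps. This policy also
! makes nms the destination party that trap delivery requires.
snmp-server access-policy nms agent agentctx response trap
!
! Traps: name the host, enable trap generation, and turn on
! authentication-failure traps so that a bad key or community string
! is reported to the manager rather than silently dropped.
snmp-server host 192.0.2.20 <trap-community-placeholder>
snmp-server enable traps
snmp-server trap-authentication
! Optional tuning: source every trap from one interface so the manager
! always sees the same address, and allow a deeper retransmit queue.
snmp-server trap-source Ethernet0
snmp-server queue-length 20
snmp-server trap-timeout 60
```

Because the party identifier and protocol address both embed the manager's IP address, a change of that address means re-entering the nms party line in full and, since a policy is identified by all three of its arguments, re-entering both access-policy lines as well; this is the reconfiguration the section above warns about.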

Configure SNMPv1 Support

If the manager supports only the SNMPv1 protocol, you must configure the relationship between the manager and the agent using SNMPv1 support. You can use either of two methods to configure access to the agent. There are trade-offs involved in choosing one method over the other. The methods differ in the following ways:

Using the snmp-server community command, you specify a string, and, optionally, an access list or MIB view. The string is used as a password. The access list identifies the IP addresses of systems on which SNMPv1 managers reside that might use the community string to gain access to the SNMPv1 agent. The MIB view defines the subset of all MIB objects that the given community may access. Refer to the "Create or Modify Access Control for an SNMPv1 Community" section for details.

Using an access policy, you can specify a password-like string and you can impose a restricted MIB view, but you cannot specify an access list to identify the IP addresses of managers that may access the agent. An SNMPv1 access policy is similar to an SNMPv2 access policy. This method allows you to restrict SNMPv1 managers using SNMPv2 security methods.
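The community method described in the first point, as an added example that is not the chapter's own (the section it refers to comes later in the chapter). It contrasts the setting to avoid with the restricted form. The snmp-server community syntax with view, ro or rw and a standard access-list number is taken from the command reference; the view name, the string placeholder and the addresses 192.0.2.20 and 192.0.2.21 are constructed.

```cisco
! Weak: the well-known string "public" grants read-write access to every
! MIB object from any source address, and a guessed string is enough.
snmp-server community public rw
!
! Hardened: remove that line, then grant read-only access to a
! restricted view and only from the management stations in access list
! 20. A separate string and list would be used if write access were
! ever needed, so that a leak of the read string cannot change the box.
no snmp-server community public
snmp-server view restricted mib-2 included
access-list 20 permit 192.0.2.20
access-list 20 permit 192.0.2.21
snmp-server community <long-random-string> view restricted ro 20
!
! Detection (EXEC mode): show snmp counts illegal community string
! entries; a climbing count means someone is trying strings against
! the agent.
! Router# show snmp
```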

To configure access policy support for SNMPv1, perform the tasks in the following sections:

Create or Modify Access Control for an SNMPv1 Community

Create or Modify an SNMP View Record

Create or Modify an SNMP Context Record

Create or Modify a Party Record