= SNMP Hands - On = Through this hands-on you will Install and learn to use the SNMP commands, Explore and identify standard vs enterprise parts of the MIB tree and Install vendor specific MIBs and use those with the SNMP commands == Setting up the Virtualbox == === Installation of virtualbox and Downloading virtual hard disks === - Download and install virtualbox 5.0.x​ - Download the Virtual Hard disks from the LEARN mirror. You can get them by following links * [http://192.248.4.49/ipv6/Netmon.vdi Netmon.vdi] - Note down the location of downloaded vdi files === Creating the VM Netmon === - Start !VirtualBox and Click on '''New''' button (at top-right) to create new virtual machine - Enter name of the VM as '''Netmon''' - Select OS Type: '''Linux''' - Select Version: '''Ubuntu (64-bit)''' - Then click on Continue button - Set VM's memory size to '''2048MB''' and click on Continue button - Set VM's hard disk option to '''Use an existing virtual hard disk file''' and click the browse button and browse to the location where you download the virtual hard disks. Then select the '''Netmon.vdi''' file and click on the create button. - You will see a new virtual machine named Netmon appears on Virtual Box Manager Window ==== Setting up Network Interfaces ==== - Select the Netmon VM from left panel on Virtual box, right click and open '''Settings''' - Click on the '''Network''' title - On '''Adapter 1''' check the '''Enable Network Adapter''' . Then change '''Attached to be''' to the '''Bridged Adapter''' and make sure the '''name''' of the interface is the same interface which you use to connect to the outside (Either Wi-Fi or Ethernet). This virtual interface will work as the WAN port of the of your virtual campus network that can be used to connect from out side. - Click on '''Advanced''' drop down list and change the '''promiscuous mode''' to '''Allow All''' - Click '''OK''' ==== Netmon VM ==== Before running Dynagen you have to start your VMs and assign IP address to the VM's network interfaces. - Select the '''Netmon''' VM from left panel on Virtual box, right click '''Start''' and wait till the VM starts - login to the machine using the following user credentials {{{ usrname : learn password : }}} - Then change the '''interfaces''' file. Root password is the same as class password {{{ sudo vi /etc/network/interfaces }}} - locate the following lines {{{ iface enp0s3 inet static address 192.168.56.2 netmask 255.255.255.0 network 192.168.56.0 broadcast 192.168.56.255 gateway 192.168.56.1 dns-nameservers 192.248.1.161 }}} - Change it to the following lines. You can find your IP Address from this [wiki:2017netmonipallocation table] {{{ iface enp0s3 inet static address netmask 255.255.255.0 network 192.248.6.0 broadcast 192.248.6.255 gateway 192.248.6.254 dns-nameservers 192.248.1.161 }}} - Save and Exit the editor (type ''':wq''') - When you completed the IP settings , reboot the machine {{{ sudo reboot }}} - Confirm the correct IP settings by '''ifconfig''' command. Your result should be something like the following. Check the IP address of enp0s3 Interface and see whether the other interfaces are up {{{ enp0s3 Link encap:Ethernet HWaddr 08:00:27:8c:e0:26 inet addr: Bcast:192.248.6.255 Mask:255.255.255.0 inet6 addr: fe80::a00:27ff:fe8c:e026/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:1120 errors:0 dropped:0 overruns:0 frame:0 TX packets:7550 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:99387 (99.3 KB) TX bytes:567441 (567.4 KB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:160 errors:0 dropped:0 overruns:0 frame:0 TX packets:160 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1 RX bytes:11840 (11.8 KB) TX bytes:11840 (11.8 KB) }}} - Try ping to some known hosts and see the results. {{{ ping 192.248.6.254 ping 192.248.1.161 ping www.google.com }}} === Remote Access === ==== Windows ==== - Download [https://the.earth.li/~sgtatham/putty/latest/x86/putty.exe Putty] - type your vm's IP address in the hostname text box. set the port as '''22''' - Click open and You will ask the username and Password of your vm. Provide them and You will be able to remote login to your linux machine ==== !Mac/Linux ==== - Open a terminal - Type ssh @ - Give password and you will have a remote login to your linux machine === Install SNMP === Update your software package repository {{{ $ sudo apt-get update }}} This might take a few moments if everyone in class is doing this at the same moment. Install the net-snmp tools: {{{ $ sudo apt-get install snmp $ sudo apt-get install snmp-mibs-downloader }}} The second of the two commands downloads the standard IETF and IANA SNMP MIBs which are not included by default. Now, edit the file /etc/snmp/snmp.conf: {{{ $ sudo vi /etc/snmp/snmp.conf }}} Note: Here we are using '''vi''' editor. You can use any text editor you are familiar with Change this line: {{{ mibs : }}} so that it looks like: {{{ # mibs : }}} (You are "commenting out" the empty mibs statement, which was telling the snmp* tools not to automatically load the mibs in the /usr/share/mibs/ directory) Now, in your home directory make a .snmp directory with file snmp.conf inside it, make it readable only be you, and add the credentials to it: {{{ $ cd $ mkdir .snmp $ chmod 700 .snmp/ $ vi .snmp/snmp.conf }}} Put the following contents in the file: {{{ defVersion 3 defSecurityLevel authNoPriv defSecurityName admin defAuthPassphrase defAuthType SHA # Default community when using SNMP v2c defCommunity NetManage }}} Creating this configuration file means you won't have to enter your credentials everytime you use one of the SNMP utilities. Otherwise you would have to add all these values on the command line like this: {{{ snmpstatus -v3 -l authNoPriv -a SHA -u admin -A NetManage pcX }}} === Configure SNMP on Your !Router/Switch (Already Done) === ==== Cisco ==== connect to your router and go to configure mode. {{{ Router> enable Router# configure terminal }}} Now we need to add an Access Control List rule for SNMP access, turn on SNMP, assign a read-only SNMP community string as well as a SNMPv3 group and user and tell the router to maintain SNMP information across reboots. To do this we do: {{{ Router(config)# access-list 99 permit 192.248.6.0 255.255.255.0 Router(config)# snmp-server community NetManage ro 99 Router(config)# snmp-server group ReadGroup v3 auth access 99 Router(config)# snmp-server user admin ReadGroup v3 auth sha Router(config)# snmp-server ifindex persist Now let's exit and save this new configuration to the routers permanent config. Router(config)# exit Router# write memory Router# exit }}} ==== HP ==== Connect to the Router and go to config mode {{{ system-view }}} Add the following configurations {{{ [Router]acl number 2000 [Router-acl-basic-2000]rule 0 permit source 192.248.0.0 0.0.255.255 [Router]snmp-agent [Router]snmp-agent community read NetManage [Router]snmp-agent sys-info version all [Router]snmp-agent group v3 ReadGroup authentication acl 2000 [Router]snmp-agent usm-user v3 admin ReadGroup authentication-mode sha ]X'HZJP&@!!'OJC-8#V/`,NY%"E! }}} Now to see if your changes are working. === Testing SNMP === To check that your SNMP installation works, run the snmpstatus command on each of the following devices {{{ $ snmpstatus }}} Note that you just used SNMPv3. Not all devices that implement SNMP support v3. Try again, adding "-v2c" as a parameter. Notice that the command automatically uses the community string in the snmp.conf file instead of the v3 user credentials. Try "-v1". === Configuration of snmpd on your PC === For this exercise your group needs to verify that the snmpd service is running and responding to queries for all machines in your group. First enable snmpd on your machine, then test if your machine is responding, then check each machine of your other group members. Install the SNMP agent (daemon) {{{ $ sudo apt-get install snmpd $ sudo apt-get install libsnmp-dev }}} ==== Configuration ==== We will make a backup of the distributed config, and then we will create our own: {{{ $ cd /etc/snmp $ sudo mv snmpd.conf snmpd.conf.dist $ sudo vi snmpd.conf }}} Then, copy/paste the following (change pcX to your own pc number): {{{ # Listen for connections on all interfaces (both IPv4 *and* IPv6) agentAddress udp:161,udp6:[::1]:161 # For SNMPv2: Configure Read-Only community and restrict who can connect rocommunity NetManage 10.10.0.0/16 rocommunity NetManage 127.0.0.1 # Information about this host sysLocation NSRC Network Management Workshop sysContact sysadm@pcX.ws.nsrc.org # Which OSI layers are active in this host # (Application + End-to-End layers) sysServices 72 # Include proprietary dskTable MIB (in addition to hrStorageTable) includeAllDisks 10% }}} Now save and exit from the editor. Now we will add the same SNMPv3 user to your PC. We need to stop snmpd before adding the user, and restart it to read the above changes as well as the new user: {{{ $ sudo service snmpd stop $ sudo net-snmp-create-v3-user -a SHA -A admin $ sudo service snmpd start }}} Check that snmpd is working: {{{ $ snmpstatus localhost }}} Test your neighbors {{{ $ snmpstatus }}} === SNMP Walk and OIDs === Now, you are going to use the snmpwalk command, part of the SNMP toolkit, to list the tables associated with the OIDs listed below, on each piece of equipment you tried above: OID {{{ 1.3.6.1.4.1.25506.2.6.1.1.1.1.6 1.3.6.1.4.1.25506.2.6.1.1.1.1.8 1.3.6.1.4.1.25506.2.6.1.1.1.1.12 }}} You will try this with two forms of the snmpwalk command: {{{ $ snmpwalk }}} and {{{ $ snmpwalk -On }}} example : === Adding MIBs === Remember when you ran: $ snmpwalk .1.3.6.1.4.1.9.9.13.1 If you noticed, the SNMP client (snmpwalk) couldn't interpret all the OIDs coming back from the Agent: SNMPv2-SMI::enterprises.9.9.13.1.3.1.2.1 = STRING: "chassis" SNMPv2-SMI::enterprises.9.9.13.1.3.1.6.1 = INTEGER: 1 What is 9.9.13.1.3.1 ? To be able to interpret this information, we need to download extra MIBs: Download them now as follows: {{{ $ cd /usr/share/mibs $ sudo mkdir cisco $ cd cisco $ sudo wget http://www.ws.nsrc.org/downloads/mibs/CISCO-SMI.my $ sudo wget http://www.ws.nsrc.org/downloads/mibs/CISCO-ENVMON-MIB.my }}} Now we need to tell the snmp tools that we have the cisco MIBS it should load. So edit the file /etc/snmp/snmp.conf, and add the following two lines: {{{ mibdirs +/usr/share/mibs/cisco mibs +CISCO-ENVMON-MIB:CISCO-SMI }}} Save the file, quit. Now, try again: $ snmpwalk .1.3.6.1.4.1.9.9.13.1