Passive Measurements
• Syslog
• SNMP
Syslog
• Syslog is a means by which messages originating on a device are logged
• Normally these are logged to a machine running the syslogd daemon
Configuring syslog
• On the router:
  – logging history notifications
  – logging trap debugging
  – logging source-interface Loopback0
  – logging 10.1.1.1
• Logs will be sent to the device at IP address 10.1.1.1
Configuring syslog (continued)
• On a Unix host syslogd or syslog-ng can be used
• /etc/syslog.conf
  – Local7.* /var/log/netdev
• /etc/syslog-ng/syslog-ng.conf
  destination d_netdev {
      file("/srv/syslog/netdev/$HOST/$YEAR$MONTH/$YEAR$MONTH$DAY-$HOST.log"
           template("$DATE $HOST $MESSAGE\n")
           template_escape(no)
           owner(root) group(network) perm(0640)
           dir_owner(root) dir_group(network) dir_perm(0750)
           create_dirs(yes));
  };
  filter f_netdev {
      facility(local7);
  };
• A log statement that names a source together with f_netdev and d_netdev ties the filter and destination together
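To show what the selector and filter above actually match, here is an added example (not part of the original slides): a small decoder for the syslog PRI field, the syslog.conf selector logic for "local7.*", and the path the syslog-ng template would build. The sample lines, host names and timestamps are constructed.

```python
# Added example (not from the original slides): decode the syslog PRI field
# and route messages the way the "local7.* /var/log/netdev" selector and the
# d_netdev/f_netdev syslog-ng fragments above do. Sample lines are constructed.
import re
from datetime import datetime

FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Index is the numeric severity: 0 = emerg (most urgent) ... 7 = debug.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(line):
    """Split '<PRI>message' into (facility, severity, message).
    PRI = facility * 8 + severity, so divmod recovers both fields."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header: %r" % line)
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    fac_num, sev_num = divmod(pri, 8)
    facility = FACILITIES.get(fac_num, "facility%d" % fac_num)
    return facility, SEVERITIES[sev_num], m.group(2)


def matches_selector(facility, severity, selector):
    """Evaluate a syslog.conf selector such as 'local7.*' or 'local7.notice'.
    As in syslogd, a named severity matches that level and everything more
    urgent (a lower numeric value); '*' matches every level."""
    sel_fac, sel_sev = selector.lower().split(".", 1)
    if sel_fac != "*" and sel_fac != facility:
        return False
    if sel_sev == "*":
        return True
    return SEVERITIES.index(severity) <= SEVERITIES.index(sel_sev)


def netdev_path(host, when):
    """Mirror the syslog-ng file() template
    /srv/syslog/netdev/$HOST/$YEAR$MONTH/$YEAR$MONTH$DAY-$HOST.log"""
    ym = when.strftime("%Y%m")
    ymd = when.strftime("%Y%m%d")
    return "/srv/syslog/netdev/%s/%s/%s-%s.log" % (host, ym, ymd, host)


def route(records, selector="local7.*"):
    """records: (sending host, raw line, receive time). Returns one
    (path, facility.severity, message) tuple per line the selector accepts."""
    out = []
    for host, line, when in records:
        facility, severity, message = decode_pri(line)
        if matches_selector(facility, severity, selector):
            out.append((netdev_path(host, when), "%s.%s" % (facility, severity), message))
    return out


# Constructed sample input: PRI 189 = local7.notice, 190 = local7.info,
# 34 = auth.crit (not a network device facility, so it is not routed).
SAMPLE = [
    ("rtr1", "<189>42: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
     datetime(2024, 3, 7, 10, 15)),
    ("rtr1", "<190>43: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.1)",
     datetime(2024, 3, 7, 10, 16)),
    ("host9", "<34>su: 'su root' failed for bob on /dev/pts/0",
     datetime(2024, 3, 7, 10, 17)),
]

if __name__ == "__main__":
    for path, fac_sev, message in route(SAMPLE):
        print(path, fac_sev, message)
```

Cisco IOS sends its messages with facility local7 by default, which is why both configurations key on that facility; the auth.crit line in the sample is left for the host's normal log files.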
SNMP
• SNMP is the Simple Network Management Protocol. It runs over TCP/IP and is embedded in many network devices, allowing access to management information
• An SNMP MIB is a Management Information Base – essentially a database that contains information about the state of objects within a device. The initial SNMP MIB (RFC 1213) contained basic information for use with network management protocols in TCP/IP-based internets.
SNMP
• Since then the SNMP protocol has been enhanced by versions SNMPv2 and SNMPv3.
• Each SNMP-capable device will have a community string (password), with the default for read access being "public". Make sure you control SNMP access by passwords and ACLs!
Configuring SNMP
• On a Cisco router:
  snmp-server community public RO 99
  snmp-server community thisismysecretcommunity RW 98
  snmp-server ifindex persist
  snmp-server trap link ietf
  snmp-server trap-source Loopback0
  snmp-server packetsize 9178
  snmp-server location APL, ARRC, Kensington, WA 6151
  snmp-server contact [email protected]
  snmp-server enable traps tty
  snmp-server enable traps config
  snmp-server enable traps entity
  snmp-server enable traps envmon fan shutdown supply temperature status
  snmp-server enable traps sonet
  snmp-server enable traps bgp
  snmp-server enable traps frame-relay
  snmp-server enable traps rtr
  snmp-server enable traps mpls traffic-eng
  snmp-server host 10.1.1.10 inform version 2c thisismysecretcommunity
• 99 and 98 are the numbers of standard access lists that restrict which source addresses may use each community string
SNMP Tools
• There are a number of basic SNMP packages which can be used to interrogate MIB Object Identifiers (OIDs). Net-SNMP (http://net-snmp.sourceforge.net/) contains command-line applications to retrieve information from SNMP-capable devices.
snmp…
• snmpget
• snmpgetnext
• snmpwalk
• snmpstatus
• snmpset
• snmptranslate
OID translation
• .1.3.6.1.2.1.2.2.1.10
• iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1).interfaces(2).ifTable(2).ifEntry(1).ifInOctets(10).ifIndex
MIB values
• RFC 1213
• ifOutUcastPkts (.1.3.6.1.2.1.2.2.1.17) – count of outbound unicast packets
• ifInUcastPkts (.1.3.6.1.2.1.2.2.1.11) – count of inbound unicast packets
• ifOutOctets (.1.3.6.1.2.1.2.2.1.16) – count of bytes output by the interface, as shown in the show interfaces command
• ifInOctets (.1.3.6.1.2.1.2.2.1.10) – count of bytes input by the interface, as shown in the show interfaces command
More MIB OIDs
• ifInUnknownProtos (.1.3.6.1.2.1.2.2.1.15) – counted as unclassified errors
• ifInErrors (.1.3.6.1.2.1.2.2.1.14) – count of all input errors, as reflected in the show interfaces command
• ifInDiscards (.1.3.6.1.2.1.2.2.1.13) – counted as "no buffer", as reflected in the show interfaces command
• ifInNUcastPkts (.1.3.6.1.2.1.2.2.1.12) – count of inbound broadcast and multicast packets
And out…
• ifOutQLen (.1.3.6.1.2.1.2.2.1.21) – the number of packets allowed to be on the output queue, as shown in the show interfaces command
• ifOutErrors (.1.3.6.1.2.1.2.2.1.20) – counted as output errors, as shown in the show interfaces command
• ifOutDiscards (.1.3.6.1.2.1.2.2.1.19) – counted as output drops, as shown in the show interfaces command
…but as speed increases…
• Normally measurements of interface counters are taken at 5 minute intervals – 300 seconds. With 32-bit counters we get wrap-around at (2**32/300)*8 bits per second – about 114 Mbps – as opposed to petabits with 64-bit counters
• Standard interface management information is defined in the ifTable, and this is extended with SNMPv2 to the ifXTable described in RFC 2233. ifTable uses 32-bit counters to store inbound and outbound octets (ifInOctets/ifOutOctets) while ifXTable uses 64-bit values (ifHCInOctets/ifHCOutOctets).
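The wrap arithmetic above is worth seeing in code, so here is an added example (not from the original slides) that turns two counter samples into a rate, corrects a single 32-bit wrap, reproduces the 114 Mbps figure, and shows the failure the slide warns about: a counter that wraps more than once between polls silently under-reports. The polling interval and the sample counter values are constructed.

```python
# Added example (not from the original slides): compute an interface rate from
# two polls of an octet counter, correct a single 32-bit wrap, and show both
# the wrap rate the slide quotes and the silent undercount when a counter wraps
# more than once between polls. Sample values are constructed.

POLL_INTERVAL = 300  # seconds, the 5-minute interval used by MRTG-style pollers


def counter_delta(prev, cur, bits=32):
    """Increase of a monotonic counter of the given width between two polls.
    If the counter went backwards it is assumed to have wrapped exactly once;
    more than one wrap is indistinguishable from a smaller delta."""
    modulus = 1 << bits
    if not (0 <= prev < modulus and 0 <= cur < modulus):
        raise ValueError("sample does not fit in a %d-bit counter" % bits)
    if cur >= prev:
        return cur - prev
    return cur + modulus - prev


def bits_per_second(prev, cur, interval=POLL_INTERVAL, bits=32):
    """Octet-counter delta converted to a link rate in bit/s."""
    return counter_delta(prev, cur, bits) * 8 / interval


def wrap_rate_bps(bits, interval=POLL_INTERVAL):
    """Link rate at which a counter of `bits` width wraps once per interval:
    (2**bits / interval) * 8, i.e. about 114 Mbit/s for 32 bits at 300 s."""
    return (1 << bits) * 8 / interval


def apparent_rate(true_bps, interval=POLL_INTERVAL, bits=32, start=0):
    """Rate a poller would compute for a link actually carrying `true_bps`
    when the device only offers a counter of `bits` width."""
    octets = int(true_bps) * interval // 8
    modulus = 1 << bits
    prev = start % modulus
    cur = (start + octets) % modulus
    return bits_per_second(prev, cur, interval, bits)


if __name__ == "__main__":
    print("32-bit wrap rate: %.1f Mbit/s" % (wrap_rate_bps(32) / 1e6))
    print("64-bit wrap rate: %.1f Pbit/s" % (wrap_rate_bps(64) / 1e15))
    # A single wrap is corrected: 4294967000 -> 200 is a delta of 496 octets.
    print("single wrap delta:", counter_delta(4294967000, 200))
    # A 1 Gbit/s link wraps a 32-bit counter 8 times in 300 s; the poller
    # sees ~83.7 Mbit/s while the 64-bit ifHCInOctets counter reports 1000.
    print("1 Gbit/s seen via 32-bit counter: %.1f Mbit/s" % (apparent_rate(1e9) / 1e6))
    print("1 Gbit/s seen via 64-bit counter: %.1f Mbit/s" % (apparent_rate(1e9, bits=64) / 1e6))
```

The under-reporting is the dangerous case: nothing in the 32-bit sample says the counter wrapped eight times, so a graph of a saturated gigabit link looks healthy. Polling the ifHCInOctets/ifHCOutOctets columns (or shortening the interval on fast links) is the fix.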
IF-MIB (64-bit counters)
ifHCOutBroadcastPkts(.1.3.6.1.2.1.31.1.1.1.13)
ifHCInBroadcastPkts(.1.3.6.1.2.1.31.1.1.1.9)
ifHCOutMulticastPkts(.1.3.6.1.2.1.31.1.1.1.12)
ifHCInMulticastPkts(.1.3.6.1.2.1.31.1.1.1.8)
ifHCOutUcastPkts(.1.3.6.1.2.1.31.1.1.1.11)
ifHCInUcastPkts(.1.3.6.1.2.1.31.1.1.1.7)
ifHCOutOctets(.1.3.6.1.2.1.31.1.1.1.10)
ifHCInOctets(.1.3.6.1.2.1.31.1.1.1.6)
Exercise:
• % snmpwalk -v 2c -c public 111.2.3.4
• % snmpwalk -v 2c -c public 111.2.3.4 ifInOctets
• % snmpwalk -v 2c -c public 111.2.3.4 .1.3.6.1.2.1.2.2.1.10
• % snmpwalk -v 2c -c public 111.2.3.4 ifHCInOctets
• % snmpwalk -v 2c -c public 111.2.3.4 .1.3.6.1.2.1.31.1.1.1.6
• Why is ifIndex persist important?
Monitoring Interface Status
%{ifAdminStatus} = (
    1 => 'up',
    2 => 'down',
);
%{ifOperStatus} = (
    1 => 'up',
    2 => 'down',
);
Monitoring BGP
$oid{bgpPeerState}     = ".1.3.6.1.2.1.15.3.1.2";
$oid{bgpPeerRemoteAs}  = ".1.3.6.1.2.1.15.3.1.9";
$soid{bgpPeerRemoteAs} = "mib-2.15.3.1.9";
$soid{bgpPeerState}    = "mib-2.15.3.1.2";
%{bgpPeerState} = (
    1 => 'idle',
    2 => 'connect',
    3 => 'active',
    4 => 'opensent',
    5 => 'openconfirm',
    6 => 'established',
);
Monitoring OSPF
$oid{ospfNbrIpAddr}  = ".1.3.6.1.2.1.14.10.1.1";
$oid{ospfNbrRtrId}   = ".1.3.6.1.2.1.14.10.1.3";
$oid{ospfNbrState}   = ".1.3.6.1.2.1.14.10.1.6";
$soid{ospfNbrIpAddr} = "mib-2.14.10.1.1";
$soid{ospfNbrRtrId}  = "mib-2.14.10.1.3";
$soid{ospfNbrState}  = "mib-2.14.10.1.6";
%{ospfNbrState} = (
    1 => 'down',
    2 => 'attempt',
    3 => 'init',
    4 => 'twoWay',
    5 => 'exchangeStart',
    6 => 'exchange',
    7 => 'loading',
    8 => 'full',
);
Monitoring MSDP
$oid{msdpPeerState}         = ".1.3.6.1.3.92.1.1.5.1.3";
$soid{msdpPeerState}        = "experimental.92.1.1.5.1.3";
$soid{msdpPeerLocalAddress} = "experimental.92.1.1.5.1.18";
$oid{msdpPeerLocalAddress}  = ".1.3.6.1.3.92.1.1.5.1.18";
%{msdpPeerState} = (
    1 => 'inactive',
    2 => 'listen',
    3 => 'connecting',
    4 => 'established',
    5 => 'disabled',
);
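The three slides above give the OID strings and the state tables but not the step that uses them. Here is an added example (not from the original slides, and not the Perl the slides are taken from) that reads snmpwalk output for bgpPeerState, ospfNbrState and msdpPeerState in the numeric, short ("mib-2.…") and symbolic forms, decodes the state with the slides' tables, and reports every adjacency that is not in its steady state. The walk lines and peer addresses are constructed; net-snmp prints in this shape with or without the vendor MIBs loaded.

```python
# Added example (not from the original slides): decode snmpwalk output for the
# bgpPeerState, ospfNbrState and msdpPeerState columns using the OID strings
# and state tables from the slides, and list every peer that is not in its
# steady state. The walk lines are constructed.
import re

# Numeric ($oid) and short ($soid) forms of each column from the slides; the
# symbolic name is added because a walk with the MIB files installed prints it.
COLUMNS = {
    "bgpPeerState": [".1.3.6.1.2.1.15.3.1.2", "mib-2.15.3.1.2"],
    "ospfNbrState": [".1.3.6.1.2.1.14.10.1.6", "mib-2.14.10.1.6"],
    "msdpPeerState": [".1.3.6.1.3.92.1.1.5.1.3", "experimental.92.1.1.5.1.3"],
}
STATE_NAMES = {
    "bgpPeerState": {1: "idle", 2: "connect", 3: "active", 4: "opensent",
                     5: "openconfirm", 6: "established"},
    "ospfNbrState": {1: "down", 2: "attempt", 3: "init", 4: "twoWay",
                     5: "exchangeStart", 6: "exchange", 7: "loading", 8: "full"},
    "msdpPeerState": {1: "inactive", 2: "listen", 3: "connecting",
                      4: "established", 5: "disabled"},
}
# The only state in which each adjacency is actually exchanging routes.
STEADY = {"bgpPeerState": "established", "ospfNbrState": "full",
          "msdpPeerState": "established"}

PREFIXES = {}
for column, forms in COLUMNS.items():
    for form in forms + [column]:
        PREFIXES[form] = column

# "SNMPv2-SMI::mib-2.15.3.1.2.10.1.1.2 = INTEGER: 6" or
# "BGP4-MIB::bgpPeerState.10.1.1.2 = INTEGER: established(6)"
WALK_RE = re.compile(r"^(?:[\w-]+::)?(\S+)\s*=\s*INTEGER:\s*(?:\w+\()?(\d+)\)?\s*$")


def parse_walk_line(line):
    """Return (column, index, state_name), or None for objects we do not track.
    index is the instance suffix: the peer address for BGP and MSDP, the
    neighbour address plus ospfNbrAddressLessIndex (0 on numbered links) for OSPF."""
    m = WALK_RE.match(line.strip())
    if not m:
        return None
    full, value = m.group(1), int(m.group(2))
    for prefix, column in PREFIXES.items():
        if full.startswith(prefix + "."):
            index = full[len(prefix) + 1:]
            name = STATE_NAMES[column].get(value, "unknown(%d)" % value)
            return column, index, name
    return None


def unhealthy_peers(lines):
    """Every tracked adjacency whose state is not the steady state."""
    problems = []
    for line in lines:
        parsed = parse_walk_line(line)
        if parsed is None:
            continue
        column, index, name = parsed
        if name != STEADY[column]:
            problems.append("%s %s = %s" % (column, index, name))
    return problems


# Constructed walk output: two BGP peers, two OSPF neighbours, one BGP peer
# printed with the MIB loaded, one MSDP peer, and an ifOperStatus row that
# the decoder must ignore.
SAMPLE_WALK = """\
SNMPv2-SMI::mib-2.15.3.1.2.10.1.1.2 = INTEGER: 6
SNMPv2-SMI::mib-2.15.3.1.2.10.1.1.6 = INTEGER: 3
SNMPv2-SMI::mib-2.14.10.1.6.10.0.0.2.0 = INTEGER: 8
SNMPv2-SMI::mib-2.14.10.1.6.10.0.0.3.0 = INTEGER: 6
BGP4-MIB::bgpPeerState.192.0.2.1 = INTEGER: idle(1)
SNMPv2-SMI::experimental.92.1.1.5.1.3.192.0.2.9 = INTEGER: 4
SNMPv2-SMI::mib-2.2.2.1.8.1 = INTEGER: 1
""".splitlines()

if __name__ == "__main__":
    for problem in unhealthy_peers(SAMPLE_WALK):
        print(problem)
```

Feeding it the real output of snmpwalk (or snmpbulkwalk) against the $oid values on the slides is all that is needed; a value the tables do not know is reported as unknown rather than treated as healthy, so a new or vendor-specific state still raises an alert.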
Where to find OIDs?
• MIB files:
  – /usr/share/snmp/mibs
• Cisco OID Translator
  – http://tac1.ciscomessage.com/cgi-bin3/DM/y/eQvN0FGprp0GYT0BABd0A3
snmpbulkwalk
• More efficient than snmpwalk as the request is processed in bulk fashion (GETBULK, which needs SNMPv2c or SNMPv3)
• Can result in far fewer packets and less processing overhead on both the interrogated device and the machine requesting
• Very useful if monitoring a large number of hosts
MRTG
• MRTG is the Multi Router Traffic Grapher, created by Tobias Oetiker. It is a tool to monitor the traffic load on network links. MRTG generates HTML pages containing graphical images which provide a live visual representation of this traffic. Check http://www.ee.ethz.ch/stats/mrtg/ for an example. MRTG is based on Perl and C and works under UNIX and Windows NT. MRTG is being successfully used in many places.
MRTG
• While MRTG is generally used to interrogate SNMP (Simple Network Management Protocol) instances on a network device such as a switch or router, it has the capability to interact with almost any type of user-defined input.
• If you have lots of devices to monitor and many things to monitor, MRTG can hog the CPU of your collecting host!
MRTG basics
• cfgmaker community@router > host.cfg
• Set crontab entry
• indexmaker host.cfg
• Ensure data files are available via http
Monitoring OIDs
• ifInDiscards
• ifOutDiscards
• ifInErrors
• ifOutErrors
• monitoring router CPU
  – .1.3.6.1.4.1.9.2.1.57.0
  – .1.3.6.1.4.1.9.2.1.58.0
• monitoring environmentals
  – .1.3.6.1.4.1.9.9.13.1.3.1.3.2
  – .1.3.6.1.4.1.9.9.13.1.3.1.3.1