Archive for the ‘Cisco’ category

Enabling SNMP Traps and Informs

April 11th, 2010

Problem

You want the router to generate SNMP traps or informs in response to various network events.

Solution

The following configuration commands will enable your router to send unsolicited SNMP traps to a network management server:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server enable traps
Router(config)#snmp-server host 172.25.1.1 ORATRAP config entity envmon hsrp
Router(config)#snmp-server host router.manoj.com ORATRAP bgp snmp envmon
Router(config)#end
Router#

Notice that the snmp-server host command will accept either an IP address or a hostname. Beginning with SNMP Version 2c, Cisco routers also support SNMP informs. To enable SNMP informs, use the following commands:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server enable informs
Router(config)#snmp-server host 172.25.1.1 informs version 2c ORATRAP snmp envmon
Router(config)#end
Router#

Discussion

SNMP Traps originate from the router’s agent and are sent via UDP (port 162) to the network management station (NMS). Unlike the information that the router sends to the NMS in response to an SNMP poll, a trap is unsolicited. The router’s agent decides that something important has happened, and that it needs to tell the NMS about it. Before the router agent can send traps, you must enable global trap support (see Table 17-4) and configure the trap host.

SNMP traps are one of the basic elements of fault management. In fact, Requirements for IP Version 4 Routers (RFC 1812) states that all routers must be capable of sending SNMP traps.

Cisco routers can send a large variety of different SNMP traps, including both standard traps, described in RFCs, and Cisco-specific traps. The first step in configuring trap support is to enable the particular trap types you wish to use. In our examples, we chose to enable all SNMP trap types by using the configuration command snmp-server enable traps. The fact that we didn’t specify individual trap types implicitly enables all trap types. However, you can restrict the router to sending only the types of traps that you are interested in receiving. The various trap-type keywords are shown in Table 17-4. Note that this is a global command that affects all SNMP trap receivers.

Table 17-4. Cisco SNMP trap types

Keyword                   Description
bgp                       Allow BGP state change traps
calltracker               Send Call Tracker call start/end notifications
config                    Allow SNMP configuration traps
cpu                       Send CPU related notifications
director                  Allow Distributed Director notifications
dspu                      Allow DSPU event traps
eigrp                     Enable EIGRP SIA and neighbor auth failure traps
entity                    Allow SNMP entity traps
envmon                    Allow environmental monitor traps
flash                     Send flash insertion and removal traps
frame-relay               Allow SNMP frame-relay traps
hsrp                      Allow SNMP HSRP traps
iplocalpool               Allow IP local pool traps
ipmobile                  Allow mobile IP notifications
ipsec                     Send IPsec notifications
isdn                      Allow SNMP ISDN traps
l2tun-pseudowire-status   Send pseudowire state change notifications
l2tun-session             Send Layer 2 tunnel session traps
llc2                      Send logical link control type-2 notifications
memory                    Allow memory pool and buffer pool notifications
mpls-ldp                  Send MPLS LDP status change traps
mpls-traffic-eng          Send MPLS TE tunnel status change notifications
mpls-vpn                  Send MPLS VPN notifications
ospf                      Send OSPF sham link notifications
pim                       Allow PIM notifications
repeater                  Send standard repeater notifications
rsrb                      Allow RSRB event traps
rsvp                      Allow RSVP flow change traps
rtr                       Allow SNMP Response Time Reporter traps
sdlc                      Allow SDLC event traps
sdllc                     Allow SDLLC event traps
snmp                      Allow SNMP-type notifications
srp                       Send SRP notifications
stun                      Allow STUN event traps
syslog                    Allow SNMP syslog traps
tty                       Allow TCP connection traps
udp-port                  The server host’s UDP port number
voice                     Allow SNMP voice traps
vrrp                      Send VRRP notifications
vsimaster                 Send VSI master notifications
x25                       Allow X.25 event traps

For example, you would use the following commands to tell the router to send only BGP and environmental-type traps:

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#snmp-server enable traps bgp
Router(config)#snmp-server enable traps envmon
Router(config)#end
Router# 

You can also disable a particular type of SNMP trap by using the following command:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#no snmp-server enable traps envmon
Router(config)#end
Router#

The following command displays which SNMP trap-types are enabled on a router:
Router#show running-config | include snmp-server enable
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps syslog
snmp-server enable traps rtr
snmp-server enable traps dlsw
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps voice poor-qov
Router#

The second step in configuring SNMP traps is to define the trap recipient by using the snmp-server host command. This command has the following attributes:

snmp-server host host-addr [traps | informs] [version {1 | 2c} ] community-string  [udp-port port] [trap-type]

The host-addr argument is the name or IP address of the NMS server that will receive the traps. You can define whether the router will send SNMP traps or informs to this host by specifying either the traps or informs keyword. If neither is specified, the default is to send traps. Also, you can specify which version of SNMP traps the router will send by including either version 1 or version 2c. If neither version is specified, the router will default to Version 1. Note that informs don’t exist in SNMP Version 1, so you must specify Version 2c (or Version 3) if you want to enable this feature.

The community string argument specifies the community string that the router will send within the SNMP trap or inform. This doesn’t need to match either the read-only or read-write community strings on the router.

You can change the default SNMP trap port from 162 (the default) to another value with the optional udp-port keyword. This keyword must be followed by the alternative UDP port number that you want to use.

Finally, if the trap-type keyword is present, it allows you to configure the types of traps that the router will send to this server. There is a list of valid trap types in Table 17-4. The command can accept one or more types. However, if no trap types are included, the router will default to sending every enabled trap type.

There are two important things to note about this command. First, you must enable trap-types via the global command before you can specify them for a particular host. Second, this command will allow you to send different sets of traps to different servers. This can sometimes be useful if you have multiple NMS servers that handle different management functions.

The configuration for SNMP informs is almost the same as SNMP traps. The main difference is that you can’t enable individual inform types by using the global snmp-server enable informs command. The global inform command lacks the granularity of the same trap-based command. However, you can still enable specific inform types on the host-level command. This can mean more typing if there are several inform recipients. But there is no loss of functionality.
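The two rules above (a trap type named on a host line is only sent if it is also enabled globally, and informs require Version 2c or 3) are easy to get wrong when a configuration has several receivers. The following script is an added example, not code from the original post: it parses the snmp-server enable and snmp-server host lines in the format shown in this article and reports host entries that will silently not work. The sample configuration is constructed here; it repeats the article's host lines and adds two deliberate mistakes.

```python
"""Audit the SNMP trap/inform configuration of a Cisco IOS router.

Added example, not code from the original post. It parses the
'snmp-server enable' and 'snmp-server host' lines of a running
configuration and checks two rules the article states: a trap type
listed on a host line is only sent if it is also enabled globally,
and informs need SNMP version 2c (or 3), never version 1.
"""
from dataclasses import dataclass, field

# Constructed sample configuration: the article's host lines plus two
# deliberate mistakes (an inform receiver at version 1, and a host asking
# for 'ospf' traps that were never enabled globally).
SAMPLE_CONFIG = """\
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server enable informs
snmp-server host 172.25.1.1 ORATRAP config entity envmon hsrp
snmp-server host router.manoj.com version 2c ORATRAP bgp snmp envmon
snmp-server host 172.25.1.1 informs version 2c ORATRAP snmp envmon
snmp-server host 172.25.1.2 informs version 1 ORATRAP envmon
snmp-server host 172.25.1.3 traps ORATRAP udp-port 1162 ospf
"""


@dataclass
class TrapHost:
    addr: str
    kind: str = "traps"        # 'traps' (unacknowledged) or 'informs' (acknowledged)
    version: str = "1"         # IOS defaults to SNMPv1 when no version is given
    community: str = ""
    udp_port: int = 162        # default trap port
    trap_types: list = field(default_factory=list)   # empty = every enabled type


@dataclass
class SnmpConfig:
    all_traps: bool = False    # bare 'snmp-server enable traps' enables every type
    trap_types: set = field(default_factory=set)
    informs: bool = False      # 'snmp-server enable informs' present
    hosts: list = field(default_factory=list)


def parse_host(tokens):
    """Parse the tokens after 'snmp-server host' into a TrapHost."""
    host = TrapHost(addr=tokens[0])
    i = 1
    if i < len(tokens) and tokens[i] in ("traps", "informs"):
        host.kind = tokens[i]
        i += 1
    if i < len(tokens) and tokens[i] == "version":
        host.version = tokens[i + 1]
        i += 2
        # SNMPv3 inserts a security level keyword before the user name
        if host.version == "3" and i < len(tokens) and tokens[i] in ("auth", "noauth", "priv"):
            i += 1
    host.community = tokens[i]
    i += 1
    while i < len(tokens):
        if tokens[i] == "udp-port":
            host.udp_port = int(tokens[i + 1])
            i += 2
        else:
            host.trap_types.append(tokens[i])
            i += 1
    return host


def parse_config(text):
    """Collect the global trap/inform settings and the host definitions."""
    cfg = SnmpConfig()
    for line in text.splitlines():
        t = line.split()
        if len(t) < 3 or t[0] != "snmp-server":
            continue
        if t[1] == "enable" and t[2] == "traps":
            if len(t) == 3:
                cfg.all_traps = True          # no keyword: every trap type enabled
            else:
                cfg.trap_types.add(t[3])      # t[4:] are sub-options of that type
        elif t[1] == "enable" and t[2] == "informs":
            cfg.informs = True
        elif t[1] == "host":
            cfg.hosts.append(parse_host(t[2:]))
    return cfg


def audit(cfg):
    """Return findings for host entries that will not deliver what was intended."""
    findings = []
    for h in cfg.hosts:
        if h.kind == "informs":
            if h.version == "1":
                findings.append(f"{h.addr}: informs do not exist in SNMPv1; use version 2c or 3")
            if not cfg.informs:
                findings.append(f"{h.addr}: host expects informs but 'snmp-server enable informs' is missing")
        elif not cfg.all_traps:
            for tt in h.trap_types:
                if tt not in cfg.trap_types:
                    findings.append(f"{h.addr}: trap type '{tt}' is not enabled globally and will never be sent")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample it reports exactly the two planted problems: the inform receiver 172.25.1.2 configured with version 1, and the ospf trap type requested by 172.25.1.3 without a matching global snmp-server enable traps ospf. Feed it the real output of show running-config | include snmp-server to check a router.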

Thanks
Manoj Chauhan

Proposed IT subnetting Infrastructure

January 24th, 2010

  1. For external communication we will use a Cisco router (Cisco ASA 5520 firewall)
  2. For internal communication we will use a managed switch, the Dell Power Connect 6248

Why use a Managed Switch?

  • Limit broadcast traffic and increase security using VLANs
  • Remove traffic bottlenecks using port trunking
  • Guarantee bandwidth for time-sensitive voice and video traffic using Traffic Prioritisation
  • We will use the managed switch for internal communication: when one server (Test5) wants to talk to another server (Test), the traffic goes through the managed switch and is not forwarded to the router.

Switching Services

Unlike bridges that use software to create and manage a filter table, switches use application specific integrated circuits (ASICs) to build and maintain their filter tables. But it’s still okay to think of a layer 2 switch as a multiport bridge because their basic reason for being is the same: to break up collision domains.

Layer 2 switches are faster than routers because they don’t take up time looking at the Network layer header information. Instead, they look at the frame’s hardware addresses before deciding to either forward the frame or drop it. 

Switches create private dedicated collision domains and provide independent bandwidth on each port, unlike hubs. Figure 1.1 shows five hosts connected to a switch—all running 10Mbps half duplex to the server. Unlike a hub, each host has 10Mbps dedicated communication to the server.

FIGURE 1.1 Switches create private domains.

Three Switch Functions at Layer 2 

  1. Address learning
  2. Forward/filter decisions
  3. Loop avoidance

Here’s a list of the basic tasks we’ll perform on the Dell Power Connect 6248 switch:

  1. Setting the passwords
  2. Setting the hostname
  3. Configuring the switch with the different VLANs and other network functions:
     • Add a VLAN and its description
     • Configure the IP address, subnet mask and gateway address
     • Assign switch ports to VLANs
     • Route between VLANs

Hosts in a VLAN live in their own broadcast domain and can communicate freely with each other. VLANs create network partitioning and traffic separation at layer 2 of the OSI model, and, as I said when I told you why we still need routers, if you want hosts or any other IP-addressable devices to communicate between VLANs, a layer 3 device is absolutely necessary.

What we see in Figure 1.2 is that each router interface is plugged into an access link. This means that each of the routers’ interface IP addresses would then become the default gateway address for each host in each VLAN.

FIGURE 1.2 Router with individual VLAN associations


  1. A router connecting three VLANs together for inter-VLAN communication, with one interface for each VLAN.
  2. Remember that a created VLAN is unused until it is assigned to a switch port or ports, and that all ports are assigned to VLAN 1 unless set otherwise.

Configuring Inter-VLAN
The first thing we need to do here is figure out which subnets are being used. By looking at the router configuration in the figure, you can see that we’re using 192.168.1.0 for DMZ, 192.168.1.32 for Corporate and 192.168.1.64 for Production. And by looking at the switch configuration, you can see that ports 1, 2, 3 and so on are in DMZ, ports 4, 5, 6 and so on are in Corporate, and ports 7, 8 and so on are in Production. This means that hosts on DMZ are in VLAN 1, hosts in Corporate are in VLAN 2 and hosts on Production are in VLAN 3. Here’s what the hosts’ IP addresses should be:

DMZ: 192.168.1.0, 255.255.255.224, default gateway 192.168.1.30
Corporate: 192.168.1.32, 255.255.255.224, default gateway 192.168.1.62
Production: 192.168.1.64, 255.255.255.224, default gateway 192.168.1.94 
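Mistakes in this kind of plan (a host given another VLAN's gateway, or an address from one subnet on a port that belongs to another VLAN) are hard to spot by eye once the port list grows. The following script is an added example, not code from the original post: it encodes the three VLANs, /27 subnets, gateways and port ranges exactly as given above, derives each gateway as the last usable address of its subnet, and checks a host table against the plan. The host table is constructed here and contains two deliberate errors; the names Test and Test5 are the servers mentioned earlier in this post.

```python
"""Consistency check for the VLAN / subnet plan in the article.

Added example, not code from the original post. VLAN names, /27 subnets,
gateways and port assignments are the ones the article gives; the host
table is constructed to show the mistakes the check catches.
"""
import ipaddress

# The plan as stated: three /27 subnets, gateway = last usable address of each
VLAN_PLAN = {
    1: {"name": "DMZ",        "subnet": "192.168.1.0/27",  "gateway": "192.168.1.30", "ports": [1, 2, 3]},
    2: {"name": "Corporate",  "subnet": "192.168.1.32/27", "gateway": "192.168.1.62", "ports": [4, 5, 6]},
    3: {"name": "Production", "subnet": "192.168.1.64/27", "gateway": "192.168.1.94", "ports": [7, 8]},
}

# Constructed host table: (hostname, switch port, address/prefix, configured default gateway)
HOSTS = [
    ("Test",  1, "192.168.1.10/27", "192.168.1.30"),
    ("Test5", 2, "192.168.1.11/27", "192.168.1.30"),
    ("Corp1", 4, "192.168.1.40/27", "192.168.1.62"),
    ("Prod1", 7, "192.168.1.70/27", "192.168.1.62"),  # mistake: Corporate's gateway
    ("Prod2", 8, "192.168.1.45/27", "192.168.1.94"),  # mistake: Corporate address on a Production port
]


def last_usable(subnet):
    """Last host address of a subnet, the convention the article uses for gateways."""
    net = ipaddress.ip_network(subnet)
    return str(net.broadcast_address - 1)


def check_plan(plan):
    """Each gateway must be a usable host address inside its own subnet, and the
    subnets must not overlap (overlap would make inter-VLAN routing ambiguous)."""
    problems = []
    nets = {vid: ipaddress.ip_network(v["subnet"]) for vid, v in plan.items()}
    for vid, v in plan.items():
        gw = ipaddress.ip_address(v["gateway"])
        net = nets[vid]
        if gw not in net or gw in (net.network_address, net.broadcast_address):
            problems.append(f"VLAN {vid} ({v['name']}): gateway {gw} is not a usable address in {net}")
    ids = sorted(nets)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"VLAN {a} and VLAN {b}: subnets {nets[a]} and {nets[b]} overlap")
    return problems


def port_to_vlan(plan):
    """Map every assigned switch port to its VLAN id."""
    return {port: vid for vid, v in plan.items() for port in v["ports"]}


def needs_router(plan, port_a, port_b):
    """True when traffic between two ports must cross the layer 3 device, i.e. the
    ports sit in different VLANs; same-VLAN traffic stays on the switch."""
    p2v = port_to_vlan(plan)
    return p2v[port_a] != p2v[port_b]


def check_hosts(plan, hosts):
    """A host's address and mask must match the subnet of the VLAN its port is in,
    and its default gateway must be that VLAN's gateway."""
    problems = []
    p2v = port_to_vlan(plan)
    for name, port, addr, gw in hosts:
        vid = p2v.get(port)
        if vid is None:
            problems.append(f"{name}: port {port} is not assigned to any VLAN")
            continue
        iface = ipaddress.ip_interface(addr)
        net = ipaddress.ip_network(plan[vid]["subnet"])
        if iface.ip not in net:
            problems.append(f"{name}: {iface.ip} is outside {net} of VLAN {vid}; it cannot reach the gateway")
        elif iface.network != net:
            problems.append(f"{name}: mask /{iface.network.prefixlen} does not match {net}")
        if gw != plan[vid]["gateway"]:
            problems.append(f"{name}: gateway {gw} is not VLAN {vid}'s gateway {plan[vid]['gateway']}")
    return problems


if __name__ == "__main__":
    for p in check_plan(VLAN_PLAN) + check_hosts(VLAN_PLAN, HOSTS):
        print(p)
    print("Test -> Test5 needs router:", needs_router(VLAN_PLAN, 1, 2))
    print("Test -> Corp1 needs router:", needs_router(VLAN_PLAN, 1, 4))
```

The plan itself passes (gateways .30, .62 and .94 are the last usable addresses of their /27s and the subnets are disjoint), the host table yields two findings, and needs_router confirms the point made earlier in this post: Test and Test5 on ports 1 and 2 share VLAN 1 and are switched locally, whereas reaching a Corporate host on port 4 requires the router.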

Inter-VLAN example

Complete Working Flow Diagram

Thanks
Manoj Chauhan

Small to Medium-Sized Network Using Catalyst 3560 Switches

January 17th, 2010

Figure 1-1 shows a configuration for a network of up to 500 employees. This network uses Catalyst 3560 Layer 3 switches with high-speed connections to two routers. For network reliability and load balancing, this network has HSRP enabled on the routers and on the switches. This ensures connectivity to the Internet, WAN, and mission-critical network resources in case one of the routers or switches fails. The switches are using routed uplinks for faster failover. They are also configured with equal-cost routing for load sharing and redundancy.

The switches are connected to workstations, local servers, and IEEE 802.3af compliant and noncompliant powered devices (such as Cisco IP Phones). The server farm includes a call-processing server running Cisco CallManager software. Cisco CallManager controls call processing, routing, and IP phone features and configuration. The switches are interconnected through Gigabit interfaces.

This network uses VLANs to logically segment the network into well-defined broadcast groups and for security management. Data and multimedia traffic are configured on the same VLAN. Voice traffic from the Cisco IP Phones is configured on separate VVIDs. If data, multimedia, and voice traffic are assigned to the same VLAN, only one VLAN can be configured per wiring closet.

When an end station in one VLAN needs to communicate with an end station in another VLAN, a router or Layer 3 switch routes the traffic to the appropriate destination VLAN. In this network, the switches are providing inter-VLAN routing. VLAN access control lists (VLAN maps) on the switches provide intra-VLAN security and prevent unauthorized users from accessing critical pieces of the network. In addition to inter-VLAN routing, the multilayer switches provide QoS mechanisms such as DSCP priorities to prioritize the different types of network traffic and to deliver high-priority traffic in a predictable manner. If congestion occurs, QoS drops low-priority traffic to allow delivery of high-priority traffic.

For pre-standard and IEEE 802.3af-compliant powered devices connected to Catalyst Power over Ethernet (PoE) switches, 802.1p/Q QoS gives voice traffic forwarding-priority over data traffic. Catalyst PoE switch ports automatically detect any Cisco pre-standard and IEEE 802.3af-compliant powered devices that are connected. Each PoE switch port provides 15.4 W of power per port. The powered device, such as an IP phone, can receive redundant power when it is also connected to an AC power source. Powered devices not connected to Catalyst PoE switches must be connected to AC power sources to receive power.

Cisco CallManager controls call processing, routing, and IP phone features and configuration. Users with workstations running Cisco SoftPhone software can place, receive, and control calls from their PCs. Using Cisco IP Phones, Cisco CallManager software, and Cisco SoftPhone software integrates telephony and IP networks, and the IP network supports both voice and data. With the multilayer switches providing inter-VLAN routing and other network services, the routers focus on firewall services, Network Address Translation (NAT) services, voice-over-IP (VoIP) gateway services, and WAN and Internet access.

Figure 1-1 Catalyst 3560 Switches in a Collapsed Backbone Configuration

Switch-failover
Failover Overview

The failover feature lets you use a standby FWSM to take over the functionality of a failed FWSM. Failover is compatible with both routed and transparent firewall modes, and with single and multiple context modes. When the active module fails, it changes to the standby state, while the standby module changes to the active state.

The module that becomes active takes over the active module IP addresses (or, for transparent firewall, the management IP address) and MAC address, and it begins passing traffic. The FWSM has one MAC address for all interfaces. The module that was active and is now in standby state takes over the standby IP addresses and MAC address.

Because network devices see no change in the MAC to IP address pairing, failover is unnoticed by the rest of the network. However, the host switch needs to reassociate the new active and standby chassis slots with their corresponding MAC addresses. The FWSM helps this process by sending out gratuitous ARPs on all its VLAN interfaces.

The standby module can effectively take over as the active module because it has the same configuration, and it is assigned the same VLANs from the switch.

Regular and Stateful Failover

The FWSM supports two types of failover:

• Regular failover—When a failover occurs, all active connections are dropped and clients need to reestablish connections when the new active module takes over.
• Stateful failover—During normal operation, the active module continually passes per-connection stateful information (for each context) to the standby module. The interval between stateful information updates is 10 seconds, but if you set the module polltime to be greater than 10 seconds, then that interval is used.

After a failover occurs, the same connection information is available at the new active module. Supported end-user applications are not required to reconnect to keep the same communication session.

The state information passed to the standby module includes the following data:

– NAT translation table
– TCP connection states
– UDP connection states (for connections lasting at least 15 seconds)
– HTTP connection states (Optional)
– H.323, SIP, and MGCP UDP media connections
– ARP table
– (Transparent firewall mode only) MAC address table

Failover and State Links

This section describes the failover link and, for stateful failover, the state link, and it includes the following topics:

• Failover Link
• State Link

Failover Link

The two modules constantly communicate over a failover link to determine the operating status of each module. Communications over the failover link include the following data:

• The module state (active or standby).
• Hello messages (also sent on all other interfaces).
• Configuration synchronization between the two modules.

The failover link uses a special VLAN interface that you do not configure as a normal networking interface; rather, it exists only for failover communications. This VLAN should only be used for the failover link (and optionally for the state link). For multiple context mode, the failover link resides in the system configuration. This interface (and the state link, if used) is the only configurable interface in the system configuration.

State Link

To use stateful failover, configure a state link to pass all state information. This link can be the same as the failover link, but we recommend that you assign a separate VLAN and IP address for the state link. The state traffic can be large, and performance is improved with separate links. In multiple context mode, the state link resides in the system configuration. This interface and the failover interface are the only interfaces in the system configuration.