Beruflich Dokumente
Kultur Dokumente
Network Management
SWITCH v6 Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
Logging Switch
Activity
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
Syslog Messages
Catalyst switches can be configured to generate an
audit trail of messages describing important events
that have occurred. These system message logs
(syslog) can then be collected and analyzed to
determine what has happened, when it happened,
and how severe the event was.
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
Syslog Messages
Each message contains the following fields:
Timestamp: The date and time from the internal switch
clock.
Facility Code: A system identifier that categorizes the
switch function or module that has generated the message.
Chapter 7
Cisco Public
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
Chapter 7
Cisco Public
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
10
Cisco Public
11
Cisco Public
12
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
13
Cisco Public
14
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
15
NTP (Network
Time Protocol)
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
16
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
17
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
18
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
19
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
20
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
21
Cisco Public
22
Securing NTP
Notice that the NTP configurations in the preceding section reference
only the IP addresses of NTP servers, implying that time
synchronization is open for any device to use. You can take some
additional measures to secure NTP in your network. First, you can
enable NTP authentication.
The authentication process does not encrypt the NTP data; it is used to
authenticate an NTP server so that the NTP client knows it is a trusted
source. Without authentication, a client might mistakenly synchronize its
clock with an attacker posing as an NTP server.
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
23
Securing NTP
Use the following global configuration commands to enable NTP
authentication. Define an authentication key, then enable authentication,
then specify the authentication key number to use when communicating
with an NTP server:
Switch(config)# ntp authentication-key key-number md5 key-string
Switch(config)# ntp authenticate
Switch(config)# ntp trusted-key key-number
Switch(config)# ntp server ip-address key key-number
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
24
Securing NTP
You should also consider adding an access list to limit which devices
can communicate with a switch using NTP. Use the following global
configuration commands to define an access list and to apply it to NTP
operation. Only addresses permitted by the access list are allowed to
use NTP services:
Switch(config)# access-list acl-num permit ip-address mask
Switch(config)# ntp access-group {serve-only | serve | peer | query-only} aclnum
For the ntp access-group command, you should use one of the
following keywords to specify which type of NTP activity should be
permitted:
serve-only: Only synchronization requests are permitted.
serve: Synchronization and control requests are permitted; the device is not
permitted to synchronize its own time clock.
peer: Synchronization and control requests are permitted; the device can
Chapter 7
Cisco Public
25
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
26
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
27
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
28
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
29
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
30
SNMP (Simple
Network
Managament
Protocol)
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
31
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
32
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
33
Foundation Topics
The Simple Network Management Protocol (SNMP) enables a network
device to share information about itself and its activities. A complete
SNMP system consists of the following parts:
SNMP manager: A network management system that uses SNMP to
poll and receive data from any number of network devices. The
SNMP manager usually is an application that runs in a central
location.
SNMP agent: A process that runs on the network device being
monitored. All types of data are gathered by the device itself and
stored in a local database. The agent can then respond to SNMP
polls and queries with information from the database, and it can send
unsolicited alerts or traps to an SNMP manager.
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
34
Foundation Topics
In the case of Catalyst switches in the network, each switch
automatically collects data about itself, its resources, and each of its
interfaces. This data is stored in a Management Information Base
(MIB) database in memory and is updated in real time.
The MIB is organized in a structured, hierarchical fashion, forming a
tree structure. In fact, the entire MIB is really a collection of variables
that are stored in individual, more granular MIBs that form the
branches of the tree.
Each MIB is based on the Abstract Syntax Notation 1 (ASN.1)
language. Each variable in the MIB is referenced by an object
identifier (OID), which is a long string of concatenated indexes that
follow the path from the root of the tree all the way to the variables
location. For example, a counter for the number of inbound bytes on
an interface can be found at OID 1.3.6.1.2.1.2.2.1.10 in the IF
(interface) MIB.
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
35
SNMP Overview
To see any of the MIB data, an SNMP manager must send an SNMP
poll or query to the switch. The query contains the OID of the specific
variable being requested so that the agent running on the switch
knows what information to return. An SNMP manager can use the
following mechanisms to communicate with an SNMP agent, all over
UDP port 161:
Get request: The value of one specific MIB variable is needed.
Get next request: The next or subsequent value following an initial get
request is needed.
Get bulk request: Whole tables or lists of values in a MIB variable are
needed.
Set request: A specific MIB variable needs to be set to a value.
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
36
SNMP Overview
SNMP polls or requests are usually sent by the SNMP manager at
periodic intervals. This makes real-time monitoring difficult because
changing variables will not be noticed until the next poll cycle.
However, SNMP agents can send unsolicited alerts to notify the
SNMP manager of real-time events at any time. Alerts can be sent
using the following mechanisms over UDP port 162:
SNMP trap: News of an event (interface state change, device failure,
and so on) is sent without any acknowledgment that the trap has
been received.
Inform request: News of an event is sent to an SNMP manager, and
the manager is required to acknowledge receipt by echoing the
request back to the agent.
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
37
SNMP Overview
As network management has evolved, SNMP has developed into three distinct
versions. The original, SNMP Version 1 (SNMPv1), is defined in RFC 1157. It
uses simple one variable Get and Set requests, along with simple SNMP traps.
SNMP managers can gain access to SNMP agents by matching a simple
community text string.
The second version of SNMP, SNMPv2C (RFC 1901), was developed to address
some efficiency and security concerns. For example, SNMPv2C adds 64-bit
variable counters, extending the useful range of values over the 32-bit counters
used in SNMPv1. With 64-bit counters, a switch can keep track of very large
numbers, such as byte counters found on high-speed interfaces.
The third generation of SNMP, SNMPv3, is defined in RFCs 3410 through 3415. It
addresses the security features that are lacking in the earlier versions. SNMPv3
can authenticate SNMP managers through usernames. When usernames are
configured on the SNMP agent of a switch, they can be organized into SNMPv3
group names. In addition, access to MIB information can be controlled on a pergroup basis. You can configure a view that defines which MIB variable trees can
be read or written.
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
38
SNMP V3
Each SNMPv3 group is defined with a security level that describes the
extent to which the SNMP data will be protected. Data packets can be
authenticated to preserve their integrity, encrypted to obscure their
contents, or both. The following security levels are available. The naming
scheme uses auth to represent packet authentication and priv to represent
data privacy or encryption:
noAuthNoPriv: SNMP packets are neither authenticated nor encrypted.
authNoPriv: SNMP packets are authenticated but not encrypted.
authPriv: SNMP packets are authenticated and encrypted.
As a best practice, you should use SNMPv3 to leverage its superior
security features whenever possible. If you must use SNMPv1 for a
device, you should configure the switch to limit SNMP access to a readonly role. Never permit read-write access because the simple community
string authentication can be exploited to make unexpected changes to a
switch configuration.
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
39
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
40
Configuring SNMP
SNMP is normally available in three versions. As a best practice, though,
you should use SNMPv3. You can find information about configuring all
three versions in the sections that follow.
Switch(config)# access-list access-list-number permit ip-addr
Switch(config)#snmp-server community community- string [ ro | rw]
[ access-listnumber] !
Switch(config)# snmp-server host host-address community-string [ traptype]
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
41
Configuring SNMPv1
Switch(config)# access-list 10 permit 192.168.3.99
Switch(config)# access-list 10 permit 192.168.100.4
Switch(config)# snmp-server community MonitorIt ro 10
Switch(config)# snmp-server host 192.168.3.99 MonitorIt
First, define a standard IP access list that permits only the IP addresses of your
SNMP agent machines. Then apply that access list to the SNMPv1 community
string with the snmp-server community command. Use the ro keyword to allow
read-only access by the SNMP manager; otherwise, you can use the rw keyword to
allow both read and write access.
Finally, use the snmp-server host command to identify the IP address of the SNMP
manager where SNMP traps will be sent. By default, all types of traps are sent. You
can use the ? key in place of trap-type to see a list of the available trap types. In
Example 14-1 , the switch is configured to allow SNMP polling from network
management stations at 192.168.3.99 and 192.168.100.4 only. The community
string MonitorIt is used to authenticate the SNMP requests. All possible SNMP
traps are sent to 192.168.3.99
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
42
Configuring SNMPv2
Configuring SNMPv2C is similar to configuring SNMPv1. The only difference is with
SNMP trap or inform configuration. You can use the following commands to
configure basic SNMPv2C operation:
Switch(config)# access-list access-list-number permit ip-addr
Switch(config)# snmp-server community string [ ro | rw] [ access-list-number]
!
Switch(config)# snmp-server host host-address [ informs] version 2c community string
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
43
Configuring SNMPv3
SNMPv3 configuration is a bit more involved than versions 1 or 2C, due mainly to
the additional security features. You can use the following steps to configure
SNMPv3 on a switch:
Step 1. You can limit which hosts can access the switch via SNMP by defining a
named or numbered IP access list. Permitted addresses will be given SNMPv3
access.
Step 2. You can use the snmp-server view command to define a specific view for
the users. Only the MIB variables located under the OID name given as oid-tree
will be visible to the user group. For example, ifAdminStatus contains the interface
administrative status, ifDescr contains the interface description, and so on. You can
repeat the snmp-server view command to add additional OID names to the view:
Switch(config)# snmp-server view view-name oid-tree
If no view is configured, all MIB variables are visible to the users.
Step 3. Use the snmp-server group command to configure a group name that will
set the security level policies for SNMPv3 users that are assigned to the group.
The security level is defined by the noauth (no packet authentication or encryption),
auth (packets are authenticated but not encrypted), or priv (packets are both
Chapter 7
Cisco Public
44
Configuring SNMPv3
SNMPv3 configuration is a bit more involved than versions 1 or 2C, due mainly to
the additional security features. You can use the following steps to configure
SNMPv3 on a switch:
Step 4. Define a username that an SNMP manager will use to communicate with
the switch. Use the snmp-server user command to define the user-name and
associate it with the SNMPv3 group-name . The v3 keyword configures the user to
use SNMPv3.
The SNMPv3 user must also have some specifics added to its security policy. Use
the auth keyword to define either message digest 5 (MD5) authentication or the
secure hash algorithm (SHA) as the packet authentication method, along with the
auth-password text string that will be used in the hash computation. The priv
keyword defines the encryption method (DES, 3DES, or AES 128/192/256-bit) and
the priv-password text string that will be used in the encryption algorithm.
Switch(config)# snmp-server user user-name group-name v3 auth {md5 | sha} auth-password
priv { des | 3des | aes { 128 | 192 | 256} privpassword [ access-list-number]
Chapter 7
Cisco Public
45
Configuring SNMPv3
SNMPv3 configuration is a bit more involved than versions 1 or 2C, due mainly to
the additional security features. You can use the following steps to configure
SNMPv3 on a switch:
Step 5. You can use the snmp-server host command to identify the SNMP
manager that will receive either traps or informs. The switch can use SNMPv3 to
send traps and informs, using the security parameters that are defined for the
SNMPv3 username :
Switch(config)# snmp-server host host-address [ informs] version 3 { noauth | auth
| priv} username [ trap-type]
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
46
Configuring SNMPv3
A switch is configured for SNMPv3 operation. Access list 10 permits only stations
at 192.168.3.99 and 192.168.100.4 with SNMP access. SNMPv3 access is defined
for a group named NetOps using the priv (authentication and encryption) security
level. One SNMPv3, a user named mymonitor, is defined; the network
management station will use that username when it polls the switch for information.
The username will require SHA packet authentication and AES-128 encryption,
using the s3cr3tauth and s3cr3tpr1v passwords, respectively. Finally, SNMPv3
informs will be used to send alerts to station 192.168.3.99 using the priv security
level and username mymonitor.
Switch(config)# access-list 10 permit 192.168.3.99
Switch(config)# access-list 10 permit 192.168.100.4
Switch(config)# snmp-server group NetOps v3 priv
Switch(config)# snmp-server user mymonitor NetOps v3 auth sha s3cr3tauth priv
aes 128 s3cr3tpr1v 10
Switch(config)# snmp-server host 192.168.3.99 informs version 3 priv mymonitor
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
47
Configuring SNMPv3
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
48
AAA
(Authentication,
Authorization,
Accounting)
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
49
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
50
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
51
Cisco Public
52
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
53
Configuring Authentication
Switch access can be granted only after a users identity has been
validated. User authentication is commonly used on switches and
routers to permit remote access to the network administration staff
only. In this case, when someone uses Telnet or Secure Shell (SSH)
to log in to a switch, that individual is challenged to provide a
username and password. The individuals credentials are then
submitted to a device that can grant the user access. User
authentication can be handled by several methods:
Usernames and passwords configured locally on the switch
One or more external Remote Authentication Dial-In User Service (RADIUS) servers
One or more external Terminal Access Controller Access Control System+ (TACACS+)
servers
Cisco Public
54
Configuring Authentication
Step 1. Enable AAA on the switch
Switch(config)# aaa new-model
Step 2. Define the source of authentication.
Switch(config)# radius-server host { hostname| ip-address } [ key string]
Switch(config)# tacacs-server host { hostname | ip-address} [ key string]
Then define a group name that will contain a list of servers, using the following
global configuration command:
Switch(config)# aaa group server { radius | tacacs+} group-name
Define each server of the group type with the following server-group
configuration command:
Switch(config-sg)# server ip-address
You can define multiple RADIUS or TACACS+ servers by repeating the
commands in this step.
Step 3. Define a list of authentication methods to try.
Switch(config)#aaa authentication login { default | list-name} method1
[ method2 ...]
Step 4. Apply a method list to a switch line.
Switch(config-line)# login authentication { default | list-name}
Step 5. After authentication is configured on a switch, it is a good idea to stay
logged in on one session so that the authentication can be tested.
Chapter 7
Cisco Public
55
Configuring Authentication
Example, lists the commands necessary to configure a switch to use two
TACACS+ servers to authenticate management users. The servers are
192.168.10.10 and 192.168.10.11, also known as the AAA group named
myauthservers. AAA authentication group myauth is configured to try the
TACACS+ server group; if none of the servers is available, local authentication
will be used instead. Notice that a username lastresort is configured for that
case. Finally, the myauth method is used to authenticate users on lines vty 0
through 15 for Telnet or SSH access.
An Example AAA Authentication Configuration
Switch(config)# aaa new-model
Switch(config)# username lastresort password MySecretP@ssw0rd
Switch(config)# tacacs-server host 192.168.10.10 key t@c@csk3y
Switch(config)# tacacs-server host 192.168.10.11 key t@c@csk3y
Switch(config)# aaa group server tacacs+ myauthservers Switch(config-sg)# server
192.168.10.10
Switch(config-sg)# server 192.168.10.11
Switch(config-sg)# exit
Switch(config)# aaa authentication login myauth group myauthservers local
Switch(config)# line vty 0 15
Switch(config-line)# login authentication myauth
Chapter 7
Cisco Public
56
Configuring Authorization
After a user is authenticated, the switch allows access to certain services
or switch commands based on the users privilege level. Authenticated
users are put at the EXEC level by default. Certain commands, such as
show interface , are available at the EXEC level. Other commands, such
as configure terminal , are accessible only if the user is able to move
into the privileged EXEC or enable mode.
Switch(config)# aaa authorization { commands | config-commands |
configuration | exec | network | reverse-access} { default | list-name}
method1 [ method2 ...]
Here you specify the function or service needing authorization with one of
the following keywords:
commands: The server must return permission to use any switch
command at any privilege level.
config-commands: The server must return permission to use any switch
configuration command.
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
57
Configuring Authorization
After a user is authenticated, the switch allows access to certain services
or switch commands based on the users privilege level. Authenticated
users are put at the EXEC level by default. Certain commands, such as
show interface , are available at the EXEC level. Other commands, such
as configure terminal , are accessible only if the user is able to move
into the privileged EXEC or enable mode.
Switch(config)# aaa authorization { commands | config-commands |
configuration | exec | network | reverse-access} { default | list-name}
method1 [ method2 ...]
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
58
Configuring Authorization
Here you specify the function or service needing authorization with one of
the following keywords:
commands: The server must return permission to use any switch
command at any privilege level.
config-commands: The server must return permission to use any switch
configuration command.
configuration: The server must return permission to enter the switch
configuration mode.
exec: The server must return permission for the user to run a switch
EXEC session. The server also can return the privilege level for the user
so that the user immediately can be put into privileged EXEC (enable)
mode without having to type in the enable command.
network: The server must return permission to use network-related
services.
reverse-access: The server must return permission for the user to
access a reverse Telnet session on the switch.
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
59
Configuring Authorization
You can apply an authorization method list to a specific line on the switch.
Users accessing the switch through that line will be subject to
authorization. Use the following line configuration command:
Switch(config-line)# authorization { commands level | exec | reverseaccess} { default | list-name}
If you do not use this command, the default group is used for all lines. To
configure a switch to use AAA authorization for all lines, you enter the
following:
Switch(config)# aaa authorization exec default group myauthservers none
The AAA servers contained in the group myauthservers (configured
previously in Example 22-1 ) are used as a default method to allow
authenticated users into the EXEC mode or any other privilege level
granted.
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
60
Configuring Accounting
Catalyst switches also support the capability to use AAA for producing
accounting information of user activity. This accounting information can
be collected by RADIUS and TACACS+ servers. Again, the RADIUS
and TACACS+ servers must already be configured and grouped as part
of the authentication configuration.
As usual, you must define a method list giving a sequence of accounting
methods by using the following global configuration command:
Switch(config)# aaa accounting { system | exec | commands level}
{ default | list-name} { start-stop | stop-only | wait-start | none} method1
[ method2 ...]
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
61
Configuring Accounting
The function triggering the accounting can be one of the following
keywords:
system: Major switch events such as a reload are recorded.
exec: User authentication into an EXEC session is recorded, along with
information about the users address and the time and duration of the
session.
commands level : Information about any command running at a
specific privilege level is recorded, along with the user who issued the
command. You can specify that certain types of accounting records be
sent to the accounting server using the following keywords:
start-stop: Events are recorded when they start and stop.
stop-only: Events are recorded only when they stop.
none: No events are recorded.
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
62
Configuring Accounting
you can apply an accounting method list to a specific line (console or vty)
on the switch. Users accessing the switch through that line will have
their activity recorded. Use the following line-configuration command to
accomplish this:
Switch(config-line)# accounting { commands level | connection | exec}
{ default | list-name}
If you do not use this command, the default group will be used for all lines.
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
63
Configuring Accounting
In Example, AAA accounting is configured for all lines on the switch, using
the AAA servers contained in the myauthservers group. User EXEC
sessions will be recorded as they start and stop, along with user
information. Any commands that are entered while a user is in privilege
level 15 (enable mode) will be recorded, too. Example configuring AAA
Accounting
Switch(config)# aaa
myauthservers
accounting
exec
default
start-stop
group
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
64
Configuring Accounting
In Example, AAA accounting is configured for all lines on the switch, using
the AAA servers contained in the myauthservers group. User EXEC
sessions will be recorded as they start and stop, along with user
information. Any commands that are entered while a user is in privilege
level 15 (enable mode) will be recorded, too. Example configuring AAA
Accounting
Switch(config)# aaa
myauthservers
accounting
exec
default
start-stop
group
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
65
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
66