Lab 14
Cisco IOS Syslog and SNMP Configuration
Lab Objective:
The objective of this lab exercise is for you to learn and understand how to configure Syslog and SNMP reporting on Cisco IOS routers.
Lab Purpose:
Syslog and SNMP are tools that can provide security-related information, such as access breaches, configuration changes and high processor utilization. As a CCNA Security administrator, you are expected to demonstrate a solid understanding of basic Syslog and SNMP configuration on Cisco IOS routers.
Lab Difficulty:
This lab has a difficulty rating of 7/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 15 minutes.
Lab Topology:
Please use any single switch to complete this lab:
Lab 14 Configuration Tasks
Task 1:
Configure the hostname on R1 and IP addressing as illustrated in the diagram. In addition, configure Host 1 with the IP address specified and a default gateway of 172.16.1.1.
NOTE:
If you do not have a Host in your lab, you can simply substitute Host 1 for another router with an Ethernet interface and a default static route pointing to 172.16.1.1.
Task 2:
Configure the following Loopback interfaces on R1:
Interface   | Address  | Mask
Loopback 10 | 10.1.1.1 | /24
Loopback 20 | 20.1.1.1 | /28
Loopback 30 | 30.1.1.1 | /20
Task 3:
Configure an extended ACL on R1 that provides the most detailed logging on all traffic to the Loopback10, Loopback20 and Loopback30 subnets. This ACL should deny all IP traffic to these subnets. Apply this ACL inbound on the FastEthernet0/0 interface of R1.
Task 4:
Configure the local time on R1 as 20:00 GMT/UTC using today’s date for the clock date.
Task 5:
Configure Syslog on R1 as follows:
- Log all debugging messages to the local router buffer
- Configure a buffer size of 10,000
- Log all informational messages to SYSLOG server 172.16.1.254
In addition, configure the logs to show the date and time as well as the time zone. Finally, configure R1 so that all logs include sequence numbers for easier identification.
Task 6:
Configure SNMP on R1 as follows:
- Configure R1 to send all configuration traps to server 172.16.1.254
- Configure R1 so that server 172.16.1.254 has read and write access to the router
- Server 172.16.1.254 will use the SNMP Community string secret to manage R1
Task 7:
Clear your logs and verify your configuration by pinging from Host 1 to any of the Loopback interfaces on R1. There should be entries in the local router buffer that provide detailed information. You can also Telnet from Host 1 to any of the Loopback interfaces on R1.
Verify your SNMP configuration by entering/exiting configuration mode on R1. If you have configured this correctly, you will see SNMP traps being sent by R1.
Lab 14 Configuration and Verification
Task 1:
Router(config)#hostname R1
R1(config)#interface f0/0
R1(config-if)#ip address 172.16.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#exit
R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.1.1      YES NVRAM  up                    up
Serial0/0                  unassigned      YES manual administratively down down
Task 2:
R1(config)#int lo 10
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#int lo 20
R1(config-if)#ip address 20.1.1.1 255.255.255.240
R1(config-if)#exit
R1(config)#int lo 30
R1(config-if)#ip address 30.1.1.1 255.255.240.0
R1(config-if)#exit
R1(config)#exit
R1#
R1#
R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.1.1      YES NVRAM  up                    up
Serial0/0                  unassigned      YES manual administratively down down
Loopback10                 10.1.1.1        YES manual up                    up
Loopback20                 20.1.1.1        YES manual up                    up
Loopback30                 30.1.1.1        YES manual up                    up
Task 3:
To complete this task, do not forget that there is an implicit deny-all statement at the end of every ACL; therefore, ensure that you permit all other traffic after your deny statements.
R1(config)#ip access-list extended DETAILED-LOGGING
R1(config-ext-nacl)#deny ip any 10.1.1.0 0.0.0.255 log-input
R1(config-ext-nacl)#deny ip any 20.1.1.0 0.0.0.15 log-input
R1(config-ext-nacl)#deny ip any 30.1.1.0 0.0.15.255 log-input
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit
R1(config)#int fast0/0
R1(config-if)#ip access-group DETAILED-LOGGING in
R1(config-if)#exit
R1(config)#exit
R1#
R1#show ip interface fast0/0
FastEthernet0/0 is up, line protocol is up
  Internet address is 172.16.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is DETAILED-LOGGING
  Proxy ARP is enabled
--[Truncated Output]--
Task 4:
R1(config)#clock timezone UTC -0
R1(config)#exit
R1#clock set 20:00:00 28 July 2009
R1#
R1#show clock
20:00:03.545 UTC Tue Jul 28 2009
Task 5:
R1(config)#logging on
R1(config)#logging buffered debugging
R1(config)#logging buffered 10000
R1(config)#logging trap informational
R1(config)#logging host 172.16.1.254
R1(config)#service timestamps log datetime show-timezone
R1(config)#service sequence-numbers
R1(config)#exit
R1#
R1#show logging
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
    Buffer logging:  level debugging, 3 messages logged, xml disabled, filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
    Trap logging: level informational, 38 message lines logged
        Logging to 172.16.1.254  (udp port 514, audit disabled, authentication disabled, encryption disabled, link up), 3 message lines logged, 0 message lines rate-limited, 0 message lines dropped-by-MD, xml disabled, sequence number disabled filtering disabled
Log Buffer (10000 bytes):
000035: Jul 28 20:03:17 UTC: %SYS-5-CONFIG_I: Configured from console by console
000036: Jul 28 20:13:17 UTC: %SYS-5-CONFIG_I: Configured from console by console
000037: Jul 28 20:14:07 UTC: %SYS-5-CONFIG_I: Configured from console by console
Task 6:
R1(config)#access-list 5 permit host 172.16.1.254
R1(config)#snmp-server community secret RW 5
R1(config)#snmp-server host 172.16.1.254 traps secret config
R1(config)#snmp-server enable traps config
R1(config)#exit
R1#
R1#
R1#show snmp
Chassis: FTX0915A2V4
0 SNMP packets input
    0 Bad SNMP version errors
    0 Unknown community name
    0 Illegal operation for community name supplied
    0 Encoding errors
    0 Number of requested variables
    0 Number of altered variables
    0 Get-request PDUs
    0 Get-next PDUs
    0 Set-request PDUs
    0 Input queue packet drops (Maximum queue size 1000)
2 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
    0 No such name errors
    0 Bad values errors
    0 General errors
    0 Response PDUs
    2 Trap PDUs

SNMP logging: enabled
    Logging to 172.16.1.254.162, 2/10, 0 sent, 0 dropped.
Task 7:
R1#clear log
Clear logging buffer [confirm]
R1#
R1#show logging
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
    Console logging: level debugging, 1 messages logged, xml disabled, filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
    Buffer logging:  level debugging, 7 messages logged, xml disabled, filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
    Trap logging: level informational, 42 message lines logged
        Logging to 172.16.1.254  (udp port 514, audit disabled, authentication disabled, encryption disabled, link up), 7 message lines logged, 0 message lines rate-limited, 0 message lines dropped-by-MD, xml disabled, sequence number disabled filtering disabled

Log Buffer (10000 bytes):

R1#
Now, perform a ping from Host 1 to any Loopback interface on R1 and verify the logs:
R1#show logging
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
    Console logging: level debugging, 126 messages logged, xml disabled, filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
    Buffer logging:  level debugging, 132 messages logged, xml disabled, filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
    Trap logging: level informational, 44 message lines logged
        Logging to 172.16.1.254  (udp port 514, audit disabled, authentication disabled, encryption disabled, link up), 9 message lines logged, 0 message lines rate-limited, 0 message lines dropped-by-MD, xml disabled, sequence number disabled filtering disabled
Log Buffer (10000 bytes):
000116: Jul 28 20:30:40 UTC: %SEC-6-IPACCESSLOGDP: list DETAILED-LOGGING denied icmp 172.16.1.254 (FastEthernet0/0 001d.09d4.0238) -> 20.1.1.1 (0/0), 1 packet
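To see what the Syslog server at 172.16.1.254 actually receives and how it can be acted on, here is an added Python example (not part of the lab) that parses IOS log lines in the format R1 produces above, pulls the source, interface, MAC and destination out of the ACL log-input messages, and applies the logging trap informational rule to decide which records are forwarded off-box. The sample lines are constructed; the tcp line assumes the IPACCESSLOGP layout (same as IPACCESSLOGDP, with ports instead of ICMP type/code).

```python
import re

# Constructed sample lines in the format R1 emits with "service sequence-numbers" and
# "service timestamps log datetime show-timezone"; the tcp line is an assumed IPACCESSLOGP variant.
SAMPLE_LOGS = [
    "000116: Jul 28 20:30:40 UTC: %SEC-6-IPACCESSLOGDP: list DETAILED-LOGGING denied icmp "
    "172.16.1.254 (FastEthernet0/0 001d.09d4.0238) -> 20.1.1.1 (0/0), 1 packet",
    "000122: Jul 28 20:33:31 UTC: %SYS-5-CONFIG_I: Configured from console by console",
    "000130: Jul 28 20:35:02 UTC: %SEC-6-IPACCESSLOGP: list DETAILED-LOGGING denied tcp "
    "172.16.1.254(40215) (FastEthernet0/0 001d.09d4.0238) -> 10.1.1.1(23), 1 packet",
]

# seq: timestamp zone: %FACILITY-SEVERITY-MNEMONIC: free text
HEADER = re.compile(
    r"^(?P<seq>\d+): (?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d \w+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
# IPACCESSLOG* body: tcp/udp carry ports in (), icmp carries (type/code); the
# "(interface mac)" part is what the log-input keyword adds over plain log.
ACL_BODY = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\) -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?, "
    r"(?P<count>\d+) packets?"
)

def parse_ios_syslog(line):
    """Split one IOS log line into header fields; return None for non-log lines."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"])
    rec["severity"] = int(rec["severity"])
    return rec

def acl_log_fields(rec):
    """Extract who/where/what from an IPACCESSLOG* record; None for other messages."""
    if not rec["mnemonic"].startswith("IPACCESSLOG"):
        return None
    m = ACL_BODY.match(rec["text"])
    if not m:
        return None
    f = m.groupdict()
    for k in ("sport", "dport", "icmp_type", "icmp_code", "count"):
        f[k] = None if f[k] is None else int(f[k])
    return f

def forwarded_to_server(rec, trap_level=6):
    """'logging trap informational' sends severity 0..6; debugging (7) stays in the buffer."""
    return rec["severity"] <= trap_level
```

Because the buffer is set to debugging but the trap level to informational, level-7 messages exist only on R1; anything a collector must see has to be severity 6 or lower.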
To validate SNMP, use the debug snmp packets command and then enter configuration mode. You will see SNMP traps being sent by R1 to the SNMP server 172.16.1.254.
R1#debug snmp packets
SNMP packet debugging is on
R1#
R1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#
000119: Jul 28 20:33:22.727: SNMP: Queuing packet to 172.16.1.254
000120: Jul 28 20:33:22.727: SNMP: V1 Trap, ent ciscoConfigManMIB.2, addr 172.16.1.1, gentrap 6, spectrap 1
 ccmHistoryEventEntry.3.32 = 1
 ccmHistoryEventEntry.4.32 = 2
 ccmHistoryEventEntry.5.32 = 3
000121: Jul 28 20:33:22.979: SNMP: Packet sent via UDP to 172.16.1.254
R1(config)#exit
R1#
R1#conf
000122: Jul 28 20:33:31 UTC: %SYS-5-CONFIG_I: Configured from console by console
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
000123: Jul 28 20:33:39.975: SNMP: Queuing packet to 172.16.1.254
000124: Jul 28 20:33:39.975: SNMP: V1 Trap, ent ciscoConfigManMIB.2, addr 172.16.1.1, gentrap 6, spectrap 1
 ccmHistoryEventEntry.3.33 = 1
 ccmHistoryEventEntry.4.33 = 2
 ccmHistoryEventEntry.5.33 = 3
000125: Jul 28 20:33:40.227: SNMP: Packet sent via UDP to 172.16.1.254
R1(config)#exit
R1#
000126: Jul 28 20:33:44 UTC: %SYS-5-CONFIG_I: Configured from console by console
R1#undebug all
All possible debugging has been turned off
Lab 14 Configurations
R1 Configuration
R1#show running-config
Building configuration…
Current configuration : 1458 bytes
!
! Last configuration change at 20:33:44 UTC Tue Jul 28 2009
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime show-timezone
no service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no logging message-counter syslog
logging buffered 10000
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface Loopback10
 ip address 10.1.1.1 255.255.255.0
!
interface Loopback20
 ip address 20.1.1.1 255.255.255.240
!
interface Loopback30
 ip address 30.1.1.1 255.255.240.0
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip access-group DETAILED-LOGGING in
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip access-list extended DETAILED-LOGGING
 deny   ip any 10.1.1.0 0.0.0.255 log-input
 deny   ip any 20.1.1.0 0.0.0.15 log-input
 deny   ip any 30.1.0.0 0.0.15.255 log-input
 permit ip any any
!
logging 172.16.1.254
access-list 5 permit 172.16.1.254
snmp-server community secret RW 5
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 172.16.1.254 secret config
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password cisco
 login
!
end