This section describes how to enable basic management protocols on a Cisco AS5800 and Cisco AS5300 as part of a dial access service.
The following subsections are provided:
This section does not describe how to integrate the Cisco IOS with NT or UNIX servers. Management protocols are described only from the perspective of the Cisco IOS.
In this case study, Maui Onions and THEnet perform these same tasks to manage their network access servers (NAS).
Figure 7-1 shows a logical view of how management protocols interact between the Cisco IOS (client) and the network element management server. The dashed lines indicate different protocols and functions.
Table 7-1 provides the RFCs and URLs for the management protocols described in this section:
| Management Protocol | RFC | URL |
|---|---|---|
RFC 1157 | ||
For more information about system management, refer to Release 12.0 Configuration Fundamentals Configuration Guide and Command Reference at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/index.htm
The Network Time Protocol (NTP) provides a common time base for networked routers, servers, and other devices. A synchronized time enables you to correlate syslog and Cisco IOS debug output to specific events. For example, you can find call records for specific users within one millisecond.
Comparing logs from various networks is essential for:
Without precise time synchronization between all the various logging, management, and AAA functions, time comparisons are not possible.
An NTP-enabled network usually gets its time from an authoritative time source, such as a Cisco router, radio clock, or an atomic clock attached to a timeserver. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two machines to within a millisecond of one another. NTP runs over UDP, which in turn runs over IP.
Note: For more information, refer to the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/fun_c/fcprt3/fcgenral.htm
Step 2 Specify the primary NTP server IP address and automatic calendar updates as shown below:
!
ntp update-calendar
ntp server 172.22.66.18 prefer
!
Step 3 Verify that the clock is synchronized to the NTP server. Inspect the status and time association. Clock sources are identified by their stratum levels. The following example shows a stratum level five clock.
5300-NAS#show ntp status
Clock is synchronized, stratum 5, reference is 172.22.66.18
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is BB944312.4451C9E7 (23:11:30.266 PDT Wed Sep 22 1999)
clock offset is 0.5343 msec, root delay is 13.26 msec
root dispersion is 18.02 msec, peer dispersion is 0.09 msec
5300-NAS#
The following command identifies how often the NAS is polling and updating to the stratum clock. An asterisk (*) next to the NTP server's IP address indicates successful synchronization with the stratum clock.
5300-NAS#show ntp association
address ref clock st when poll reach delay offset disp
*~172.22.66.18 172.60.8.1 16 46 64 377 1.0 0.53 0.1
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
5300-NAS#
The Cisco IOS can send syslog messages to one or more element manager servers. Syslog messages are then collected by a standard UNIX or NT type syslog daemon.
Syslog enables you to:
Figure 7-2 shows the Cisco IOS sending syslog data to an element manager. Syslog data either stays in the Cisco IOS buffer or is pushed out and written to the element manager's hard disk.
Note: Cisco Systems' UNIX syslog format is compatible with 4.3 BSD UNIX.
!
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
!
Step 2 Verify that console logging is disabled. If it is enabled, the NAS will intermittently freeze up as soon as the console port is overloaded with log messages. See the field "1 flushes" in the following output. Increments in this number represent bad logging behavior.
5300-NAS#show logging
Syslog logging: enabled (0 messages dropped, 1 flushes, 0 overruns)
Console logging: level debugging, 1523 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 911 messages logged
Trap logging: level informational, 44 message lines logged
5300-NAS(config)#no logging console
5300-NAS(config)#^Z
5300-NAS#show logging
Syslog logging: enabled (0 messages dropped, 1 flushes, 0 overruns)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 912 messages logged
Trap logging: level informational, 45 message lines logged
Warning: Not entering the no logging console command might cause CPU interrupts, dropped packets, and denial of service events. The router might lock up.
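The Step 2 check can be scripted when several access servers have to be verified. The following added example (not part of the original page) parses show logging output and reports console logging that is still enabled and, when given an earlier snapshot, any rise in the dropped, flushes, or overruns counters. The function names are illustrative, and the sample text is the two outputs shown above.

```python
import re

# Constructed input: the two `show logging` outputs from Step 2, captured
# before and after `no logging console` was entered.
BEFORE = """Syslog logging: enabled (0 messages dropped, 1 flushes, 0 overruns)
Console logging: level debugging, 1523 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 911 messages logged
Trap logging: level informational, 44 message lines logged
"""
AFTER = """Syslog logging: enabled (0 messages dropped, 1 flushes, 0 overruns)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 912 messages logged
Trap logging: level informational, 45 message lines logged
"""

COUNTERS = re.compile(r"\((\d+) messages dropped, (\d+) flushes, (\d+) overruns\)")
DEST = re.compile(
    r"^\s*(Console|Monitor|Buffer|Trap) logging: (?:disabled|level (\w+))", re.M)


def parse_show_logging(text):
    """Return the header counters and the level of each logging destination."""
    m = COUNTERS.search(text)
    if m is None:
        raise ValueError("no 'Syslog logging:' counter line found")
    state = dict(zip(("dropped", "flushes", "overruns"), map(int, m.groups())))
    # An unmatched level group means the destination is disabled.
    state["levels"] = {d.lower(): lvl or "disabled" for d, lvl in DEST.findall(text)}
    return state


def audit(current, previous=None):
    """Flag console logging and, given an earlier snapshot, growing counters."""
    out = []
    level = current["levels"].get("console", "disabled")
    if level != "disabled":
        out.append(f"console logging enabled at level {level}")
    if previous is not None:
        for name in ("dropped", "flushes", "overruns"):
            if current[name] > previous[name]:
                out.append(f"{name} rose from {previous[name]} to {current[name]}")
    return out


if __name__ == "__main__":
    print(audit(parse_show_logging(BEFORE)))
    print(audit(parse_show_logging(AFTER), parse_show_logging(BEFORE)))
```

The counters are compared between snapshots rather than against zero because the flushes value stays at 1 after console logging is disabled; only a further increase indicates a current problem.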
Step 3 Specify the logging configuration:
!
logging 172.22.66.18
logging buffered 10000 debugging
logging trap debugging
!
Table 7-2 describes the commands in the previous configuration fragment.
| Command | Purpose |
|---|---|
| logging 172.22.66.18 | Specifies the syslog server's IP address. |
| logging buffered 10000 debugging | Sets the internal log buffer to 10000 bytes for debug output (newer messages overwrite older messages). |
| logging trap debugging | Allows logging up to the debug level (all 8 levels) for all messages sent to the syslog server. |
If you are working with multiple network access servers, assign a different logging facility tag to each server. Syslog information can be collected and sorted into different files on the syslog server.
For example:
Assigning a different tag to each device enables you to intelligently sort and view syslog messages:
!
logging facility local7
!
Step 4 Verify that local buffered logging is working:
5300-NAS#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 2 messages logged
Trap logging: level debugging, 53 message lines logged
Logging to 172.22.66.18, 2 message lines logged
Log Buffer (10000 bytes):
Sep 26 16:32:02.848 PDT: %SYS-5-CONFIG_I: Configured from console by admin on console
Sep 26 16:33:16.069 PDT: %SYS-5-CONFIG_I: Configured from console by admin on console
5300-NAS#
The SNMP traps generated by Cisco routers provide useful information:
The Cisco IOS generates SNMP traps based on the features that the Cisco IOS supports.
Figure 7-3 shows the interactions and timing of the SNMP protocol between the EM (SNMP manager) and the NAS (SNMP agent). Traps are unsolicited messages sent from the NAS to the EM. There are four functions of SNMP: trap, get request, get next, and set request.
Note: For a listing of all SNMP traps supported by Cisco, refer to the following URL: http://www.cisco.com/public/mibs/traps/
!
snmp-server contact admin dude@mauionions.com
snmp-server location 5300-NAS-Maui
snmp-server community poptarts RO 8
snmp-server community pixysticks RW 5
snmp-server host 172.22.66.18 maddog
snmp-server trap-source Loopback0
snmp-server enable traps snmp
!
access-list 5 permit 172.22.67.1
access-list 5 permit 0.0.0.1 172.22.68.20
access-list 8 permit 172.22.67.1
access-list 8 permit 0.0.0.1 172.22.68.20
!
Table 7-3 describes commands in the previous configuration fragment.
| Command | Purpose |
|---|---|
| snmp-server contact admin dude@mauionions.com | Specifies a contact name to notify whenever a MIB problem occurs. |
| snmp-server location 5300-NAS-Maui | Specifies a geographic location name for the router. |
| snmp-server community poptarts RO 8 | Assigns a read only (RO) community string. Only queries and get requests can be performed. The community string (poptarts) allows polling but no configuration changes. Without the correct community string on both machines, SNMP will not authorize the get or set request. |
| snmp-server community pixysticks RW 5 | Assigns a read write (RW) community string. This community string (pixysticks) enables configuration changes to be performed. For example, you can shut down an interface, download a configuration file, or change a password. |
| snmp-server host 172.22.66.18 maddog | Identifies the IP address of the SNMP host followed by a password. |
| snmp-server trap-source Loopback0 | Associates SNMP traps with a loopback interface. In this way, an Ethernet shutdown will not disrupt SNMP management flow. |
| snmp-server enable traps | Enables traps for unsolicited notifications for configuration changes, environmental variables, and device conditions. |
| access-list 5 permit 172.22.67.1<br>access-list 8 permit 172.22.67.1 | Permits access from a single element management server. |
| access-list 5 permit 0.0.0.1 172.22.68.20<br>access-list 8 permit 0.0.0.1 172.22.68.20 | Permits access from a block of addresses at your network operations center. |
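Access lists 5 and 8 decide which sources may use the RW and RO community strings, so it is worth checking exactly which addresses each entry permits. IOS reads a standard access-list entry as an address followed by a wildcard mask, in which the bits set to 1 are ignored. The following added example (not from the original page) evaluates the entry as it is written above and, as an assumption the page does not state, the operand order 172.22.68.20 0.0.0.1 for a two-address NOC block; the function names are illustrative.

```python
import ipaddress


def acl_matches(entry_addr, entry_wildcard, source):
    """Standard ACL test: bits set in the wildcard are ignored; every other
    bit of the packet source must equal the entry address."""
    addr = int(ipaddress.IPv4Address(entry_addr))
    wild = int(ipaddress.IPv4Address(entry_wildcard))
    src = int(ipaddress.IPv4Address(source))
    care = ~wild & 0xFFFFFFFF
    return (src & care) == (addr & care)


def match_count(entry_wildcard):
    """Number of sources one entry permits: 2 ** (wildcard bits set to 1)."""
    return 2 ** bin(int(ipaddress.IPv4Address(entry_wildcard))).count("1")


def matching_hosts(entry_addr, entry_wildcard, network):
    """Addresses inside `network` that the entry permits."""
    return [str(h) for h in ipaddress.IPv4Network(network)
            if acl_matches(entry_addr, entry_wildcard, str(h))]


# Entry as it appears on the page: address 0.0.0.1, wildcard 172.22.68.20.
AS_WRITTEN = ("0.0.0.1", "172.22.68.20")
# Assumed intent (not stated on the page): the two-address block .20 and .21.
ASSUMED_INTENT = ("172.22.68.20", "0.0.0.1")

if __name__ == "__main__":
    for label, (addr, wild) in (("as written", AS_WRITTEN),
                                ("assumed intent", ASSUMED_INTENT)):
        print(label, "permits", match_count(wild), "addresses; in 172.22.68.0/24:",
              matching_hosts(addr, wild, "172.22.68.0/24"))
```

As written, the entry does not permit 172.22.68.20 and permits 2048 scattered source addresses. With the operands in address-then-wildcard order, it permits only 172.22.68.20 and 172.22.68.21.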
Step 2 Monitor SNMP input and output statistics. For example, display a real-time view of who is polling the NAS for statistics and how often.
Excessive polling will:
5300-NAS#show snmp
Chassis: 11811596
Contact: admin dude@mauionions.com
Location: 5300-NAS-Maui
0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
0 Get-request PDUs
0 Get-next PDUs
0 Set-request PDUs
0 SNMP packets output
0 Too big errors (Maximum packet size 1500)
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
0 Trap PDUs
SNMP logging: enabled
Logging to 172.22.66.18.162, 0/10, 0 sent, 0 dropped.
5300-NAS#
Limit the amount of output that is logged from the group-async interface and ISDN D channels. Carefully choose the data sources for system management purposes. AAA accounting and the modem-call record terse feature provide the best data set for analyzing ISDN remote node device activity.
Link status up-down events and SNMP trap signals:
The following configuration fragment disables logging on access interfaces:
!
interface Serial 0:23
 no logging event link-status
 no snmp trap link-status
!
interface Serial 1:23
 no logging event link-status
 no snmp trap link-status
!
interface Serial 2:23
 no logging event link-status
 no snmp trap link-status
!
interface Serial 3:23
 no logging event link-status
 no snmp trap link-status
!
interface Group-Async 1
 no logging event link-status
 no snmp trap link-status
!
After completing the tasks in this section, the Cisco AS5300's final-running configuration looks like this:
5300-NAS#show running-config
Building configuration...
Current configuration:
!
! Last configuration change at 05:59:00 UTC Mon Nov 1 1999 by admin
! NVRAM config last updated at 05:59:02 UTC Mon Nov 1 1999 by admin
!
version 12.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname 5300-NAS
!
logging buffered 10000 debugging
no logging console
aaa new-model
aaa authentication login default local
aaa authentication ppp default if-needed local
enable secret 5 $1$Ec9Q$KsERiSHdKGL/rGaewXeIz.
!
username admin password 7 045802150C2E
username dude password 7 070C285F4D06
spe 1/0 1/7
 firmware location bootflash:mica-modem-pw.2.7.1.0.bin
spe 2/0 2/7
 firmware location bootflash:mica-modem-pw.2.7.1.0.bin
!
resource-pool disable
!
ip subnet-zero
no ip source-route
ip host guessme 172.22.100.9
ip domain-name mauionions.com
ip name-server 172.22.11.10
ip name-server 172.22.12.11
!
async-bootp dns-server 172.30.10.1 172.30.10.2
isdn switch-type primary-5ess
mta receive maximum-recipients 0
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 framing esf
 clock source line secondary 1
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 2
 framing esf
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 3
 framing esf
 linecode b8zs
 pri-group timeslots 1-24
!
process-max-time 200
!
interface Loopback0
 ip address 172.22.99.1 255.255.255.255
 no ip directed-broadcast
!
interface Loopback1
 ip address 172.22.90.1 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet0
 ip address 172.22.66.23 255.255.255.0
 no ip directed-broadcast
!
interface Serial0:23
 no ip address
 no ip directed-broadcast
 no logging event link-status
 no snmp trap link-status
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 fair-queue 64 256 0
 no cdp enable
!
interface Serial1:23
 no ip address
 no ip directed-broadcast
 no logging event link-status
 no snmp trap link-status
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 fair-queue 64 256 0
 no cdp enable
!
interface Serial2:23
 no ip address
 no ip directed-broadcast
 no logging event link-status
 no snmp trap link-status
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 fair-queue 64 256 0
 no cdp enable
!
interface Serial3:23
 no ip address
 no ip directed-broadcast
 no logging event link-status
 no snmp trap link-status
 isdn switch-type primary-5ess
 isdn incoming-voice modem
 fair-queue 64 256 0
 no cdp enable
!
interface FastEthernet0
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Group-Async1
 ip unnumbered Ethernet0
 no ip directed-broadcast
 encapsulation ppp
 no logging event link-status
 async mode interactive
 no snmp trap link-status
 peer default ip address pool addr-pool
 no cdp enable
 ppp authentication pap chap
 group-range 1 96
!
ip local pool addr-pool 172.22.90.2 172.22.90.97
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 172.22.66.1
!
logging trap debugging
logging 172.22.66.18
access-list 5 permit 172.22.67.1
access-list 5 permit 0.0.0.1 172.22.68.20
access-list 8 permit 172.22.67.1
access-list 8 permit 0.0.0.1 172.22.68.20
snmp-server engineID local 00000009020000107BE641BC
snmp-server community poptarts RO 8
snmp-server community pixysticks RW 5
snmp-server community maddog view v1default RO
snmp-server trap-source Loopback0
snmp-server location 5300-NAS-Maui
snmp-server contact admin dude@mauionions.com
snmp-server enable traps snmp
snmp-server enable traps isdn call-information
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps dlsw
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps voice poor-qov
snmp-server host 172.22.66.18 maddog
banner login ^CThis is a secured device.
Unauthorized use is prohibited by law.^C
!
line con 0
 transport input none
line 1 96
 autoselect during-login
 autoselect ppp
 modem InOut
line aux 0
line vty 0 4
!
ntp clock-period 17179891
ntp update-calendar
ntp server 172.22.66.18 prefer
!
end
Inspect the final-running configuration as described in the section "Inspecting the Final Running Configuration for the Cisco AS5300 and AS5800."
Posted: Mon May 22 13:04:27 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.