Thursday, August 8, 2019

Run SNMPWALK on CISCO Switch from Ubuntu Desktop

First, check the SNMP agent status of the target switch. Configuring SNMP requires a remote connection or terminal session to the switch.

Switch# show snmp


If the SNMP agent is not enabled, enable and configure it:

Switch# configure terminal
Switch(config)# snmp-server enable traps
! ro = read-only
Switch(config)# snmp-server community public ro
! rw = read-write
Switch(config)# snmp-server community private rw
Switch(config)# snmp-server location myoffice-location
Switch(config)# snmp-server contact myoffice-contact
Switch(config)# end
! display the current configuration
Switch# show snmp
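
A defender-side check for the community configuration above, as an added example that is not part of the original post: it flags default community strings, read-write access and community lines with no ACL in a saved IOS configuration. The function name, the third community string and ACL number 10 in the sample are assumptions made for illustration.

```python
import re

# Well-known community strings; "public" and "private" are the ones this page configures.
DEFAULT_COMMUNITIES = {"public", "private"}

# IOS form: snmp-server community <string> [view <name>] [ro | rw] [<acl>]
COMMUNITY_RE = re.compile(r"^\s*snmp-server\s+community\s+(\S+)(.*)$", re.IGNORECASE)

def audit_snmp_communities(config_text):
    """Return (line_no, community, issue) tuples for risky community lines."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = COMMUNITY_RE.match(line)
        if not match:
            continue
        community, tokens = match.group(1), match.group(2).split()
        if tokens[:1] == ["view"]:           # skip the optional "view <name>" pair
            tokens = tokens[2:]
        access = "ro"                        # IOS defaults to read-only
        if tokens and tokens[0].lower() in ("ro", "rw"):
            access = tokens.pop(0).lower()
        has_acl = bool(tokens)               # anything left is an ACL reference
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((line_no, community, "default community string"))
        if access == "rw":
            findings.append((line_no, community, "read-write access"))
        if not has_acl:
            findings.append((line_no, community, "no ACL restricting source"))
    return findings

# Constructed sample: the page's own commands plus one hypothetical restricted line
# (the community name and ACL number 10 are made up for illustration).
SAMPLE_CONFIG = """\
snmp-server enable traps
snmp-server community public ro
snmp-server community private rw
snmp-server community n0c-Mon1tor ro 10
snmp-server location myoffice-location
"""

if __name__ == "__main__":
    for line_no, community, issue in audit_snmp_communities(SAMPLE_CONFIG):
        print(f"line {line_no}: community {community!r}: {issue}")
```
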



Now run an SNMP walk against this SNMP configuration (SNMPv1 or SNMPv2). This was tested on Ubuntu.
First, install the snmp package:
# apt install snmp

Then run snmpwalk:
# snmpwalk -v 1 -c public 192.168.10.1 1.3.6.1.2.1.2

For more information on snmpwalk options, refer to the man page.

For more information on SNMP MIBs, refer to the guide below.

Base OID for MIB-2 defined SNMP variables

Superior references

    1.3.6.1.2 - IETF Management
    1.3.6.1 - OID assignments from 1.3.6.1 - Internet
    1.3.6 - US Department of Defense
    1.3 - ISO Identified Organization
    1 - ISO assigned OIDs
    Top of OID tree

Subsidiary references (single level)

    1.3.6.1.2.1.1 - SNMP MIB-2 System
    1.3.6.1.2.1.2 - SNMP MIB-2 Interfaces
    1.3.6.1.2.1.3 - at
    1.3.6.1.2.1.4 - ip
    1.3.6.1.2.1.5 - icmp
    1.3.6.1.2.1.6 - tcp
    1.3.6.1.2.1.7 - udp
    1.3.6.1.2.1.8 - egp
    1.3.6.1.2.1.9 - cmot
    1.3.6.1.2.1.10 - transmission
    1.3.6.1.2.1.11 - snmp
    1.3.6.1.2.1.14 - OSPF Version 2 MIB
    1.3.6.1.2.1.15 - BGPv4
    1.3.6.1.2.1.16 - Managed Objects for Bridges
    1.3.6.1.2.1.17 - Bridge Mib
    1.3.6.1.2.1.22 - rptrHealth
    1.3.6.1.2.1.25 - HOST-RESOURCES-MIB, from RFC 1514
    1.3.6.1.2.1.26 - Ethernet MAU mib
    1.3.6.1.2.1.27 - Application MIB module
    1.3.6.1.2.1.28 - MTA MIB module
    1.3.6.1.2.1.29 - X.500 Directory MIB module
    1.3.6.1.2.1.31 - ifMib
    1.3.6.1.2.1.33 - upsMIB
    1.3.6.1.2.1.34 - snaNode
    1.3.6.1.2.1.38 - mdmMib
    1.3.6.1.2.1.41 - sdlcStatus
    1.3.6.1.2.1.43 - Printer-MIB
    1.3.6.1.2.1.47 - entity-mib
    1.3.6.1.2.1.69 - docsDev
    1.3.6.1.2.1.92 - notificationLogMIB

Wednesday, August 7, 2019

CISCO Switch Port Mirroring to Capture Traffic

Network traffic passing through ports can be analyzed by using Switched Port Analyzer (SPAN). This sends a copy of the traffic to another port on the switch that has been connected to a SwitchProbe device, another Remote Monitoring (RMON) probe or security device. SPAN mirrors receive or transmit (or both) traffic on one or more source ports to a destination port for analysis.

To display the details of available interfaces
Switch# show interface status

To display the details of configured vlans
Switch# show vlan

If the switch needs to be accessed over the network, an IP address needs to be assigned.

Switch> enable
Switch# configure terminal
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.10.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# exit
Switch#


This example shows how to set up a SPAN session (session 1) for monitoring source port traffic to a destination port.

Check for up and running interfaces of the Switch
Switch# show ip interface brief


Check if any already configured monitoring sessions are available
Switch# show monitor session 1

If any monitoring sessions already exist, remove them first. To do so, switch to configuration mode.
Switch# configure terminal
Switch(config)# no monitor session 1


To configure a monitoring session: interfaces 1/1 to 1/5 are going to be monitored from interface 1/15.

Switch(config)# monitor session 1 source interface fastEthernet 1/1 - 5
Switch(config)# monitor session 1 destination interface fastEthernet 1/15 encapsulation replicate
Switch(config)# exit


You can also monitor the traffic on a VLAN. To monitor traffic for a particular VLAN:

Switch(config)# monitor session 1 source vlan 1

Switch(config)# monitor session 1 destination interface fastEthernet 1/15 encapsulation replicate
Switch(config)# exit


Copy running config to startup config:
Switch# copy running-config startup-config


When a PC running a network traffic capture tool such as Wireshark is connected to interface 1/15, the network traffic can be captured.