09-05-2013 06:46 AM - edited 03-07-2019 03:18 PM
Hi,
We have a Catalyst 3560 Series switch in our data center, and we want our provider to send us a bandwidth graph of this switch, so I have to enable SNMP on this switch.
I have 2 questions.
1. To enable and allow the provider access to our switch I will do these steps:
snmp-server community public RO
snmp-server host 192.168.1.23 version 1 public
Is this enough to allow them to get a bandwidth graph for this switch?
2. The switch has only a private IP of 10.0.10.10 and has no public IP, but we have a TMG server that is connected to the same switch. Can I forward the UDP ports 161 and 162 from the TMG (firewall) to this switch and give the public IP of the TMG to the provider? That is because our provider gave us a public IP address that they use to read data from this switch.
Thanks
09-05-2013 07:03 AM
Yes for question 1. You're tying SNMP to only be polled from 192.168.1.23. Is that what you're wanting? If not, you can remove line 2...
HTH,
John
*** Please rate all useful posts ***
09-05-2013 07:18 AM
Hi John,
Thanks for your reply,
Yes, we want the provider to poll the SNMP info only from this IP 192.168.1.26 (this would be the public IP of the provider and really is 62.XX.XX.230), to get a bandwidth graph.
Any answer on the second question? Because otherwise I don't know how the provider would get the SNMP info from the switch.
Thanks
09-05-2013 08:55 AM
I'm not that familiar with TMG. You'll need some public presence for the switch to be polled from the outside, so you'd have to NAT a public address to it. Then you could give the public address to your provider and they'd set up monitoring on their side. You'd then have to allow only their public address in via the SNMP ports. I'm not sure how you'd do that in TMG, but in concept it should work the same.
Since you're going over the internet with it, I'd recommend configuring SNMP v3 instead of 1. 1 and 2 send everything in clear text.
HTH,
John
*** Please rate all useful posts ***
09-06-2013 12:16 AM
Hi John,
Thanks again for the reply,
TMG is the new version of ISA (Microsoft firewall/web proxy/NAT device software); we can use the TMG to forward all the incoming requests on a single public IP to any device behind it. Should we open only UDP port 160, or are there more ports that we should open?
Thanks
09-06-2013 04:29 AM
UDP/161 should be the only one that you need.
HTH,
John
*** Please rate all useful posts ***
09-06-2013 04:52 AM
Hi John,
Thanks for your reply,
I did enable SNMP with the above commands, added the IP address of the provider 62.XX.XX.230 to the list, and saved the configuration with write memory.
Now when I go to a server that is in the same IP range as the switch, 10.0.10.0, and use PortQry to see if it listens on UDP port 161, I get this:
c:\Install\PortQryV2>portqry -n 10.0.10.17 -e 161
Querying target system called:
10.0.10.17
Attempting to resolve IP address to a name...
Failed to resolve IP address to name
querying...
TCP port 161 (unknown service): NOT LISTENING
Does this mean SNMP is not working?
I also ran show running-config and see this:
!
no cdp advertise-v2
no cdp run
snmp-server community MyCommunity954 RO
snmp-server host 62.221.199.12 MyCommunity954
! !
no cdp advertise-v2
no cdp run
snmp-server community public RO
snmp-server host 62.XX.XX.230 public
!
Why does it say the port is not listening?
Thanks
09-06-2013 05:04 AM
If you want to test that way, you're going to need to add it to your list. You've locked snmp down to only accept queries from 62.x.x.230. You need to add the address of whatever host you tried to do this from. For example, try the following:
access-list 61 permit 62.x.x.x
access-list 61 permit 10.0.10.15
snmp-server community public ro 61
Remove snmp-server host 62.XX.XX.230 public
HTH,
John
*** Please rate all useful posts ***
09-06-2013 05:23 AM
Hi,
It is not listening because SNMP works over UDP, not TCP. In your config I saw no ACL attached to SNMP, so using SNMPWalker with the correct community and MIB will give you the information you want to see, confirming SNMP is correctly configured. Of course, attaching an ACL to the SNMP config is better, like John proposed.
What would be even more secure is to configure SNMPv3 (if your NMS supports it) with views to limit the polling of the MIB to only the objects needed to get the bandwidth graph.
Regards
Alain
Don't forget to rate helpful posts.
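A check a defender can run for the two points made above: SNMP answers only on UDP, so a TCP test like the portqry run earlier reports NOT LISTENING even when the agent is fine, and v1/v2c carry the community string in the clear, which is why John recommends v3 across the internet. This is an added example, not code from the thread: it hand-builds an SNMPv1 GetRequest for sysDescr.0, shows the community string readable in the resulting bytes, and sends it to UDP/161 of a host such as 10.0.10.17 with a timeout. It assumes Python 3 and a poller host that can reach the switch.

```python
import socket

# sysDescr.0; a bandwidth graph polls ifInOctets/ifOutOctets (1.3.6.1.2.1.2.2.1.10/.16).<ifIndex>
SYS_DESCR = "1.3.6.1.2.1.1.1.0"

def _tlv(tag, payload):
    """BER tag-length-value; short-form length only (these packets are < 128 bytes)."""
    return bytes([tag, len(payload)]) + payload

def _int(v):
    """BER INTEGER with minimal two's-complement content octets."""
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _oid(dotted):
    """BER OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return _tlv(0x06, bytes(out))

def build_get_request(community, oid=SYS_DESCR, request_id=1):
    """SNMPv1 GetRequest (RFC 1157): version 0, community string, PDU tag 0xA0."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))     # OID + NULL placeholder
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)

def extract_community(packet):
    """What anyone on the path sees: in v1/v2c the community string sits in the
    clear right after the version field, with no hashing or encryption."""
    i = 2 + 2 + packet[3]                       # skip SEQUENCE header + version INTEGER
    return packet[i + 2:i + 2 + packet[i + 1]].decode()

def probe_udp_161(host, community="public", timeout=2.0):
    """Send one GET to UDP/161 and report whether an agent answered. portqry's
    TCP probe can never see an SNMP agent, which listens only on UDP."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_get_request(community), (host, 161))
            data, _ = sock.recvfrom(1500)
            return len(data) > 0 and data[0] == 0x30   # any BER SEQUENCE reply = alive
    except OSError:                                    # timeout, unreachable, no network
        return False
```

Once the ACL from John's reply is attached to the community, the switch silently ignores queries from hosts not in access-list 61, so a False from probe_udp_161 means "not reachable or not permitted", not necessarily "SNMP not working".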
09-06-2013 06:06 AM
Hi,
Thanks for the reply,
I want to let you know that I did test the configuration with Power SNMP Manager and I can access the switch behind the NAT device. Just one more question:
We can use the above configuration to get a bandwidth graph of this switch, right?
Thanks
09-06-2013 06:18 AM
Hi,
Of course, as you can access all the objects in the MIB, but it won't tell you the bandwidth consumed by different protocols, only the total bandwidth consumed. To get a more granular graph you would need NetFlow, but it is not supported on the 3560 platform.
Regards
Alain
Don't forget to rate helpful posts.
09-09-2013 03:27 AM
Hi Cadet,
Thanks again for your reply,
Our provider has the correct software to read the bandwidth, and today I got a link from them where I can see the bandwidth that has been used on each of the switch ports.
Thanks again.
Shahin