newbie snmp question

shahin shahini
Level 1

Hi,

We have a Catalyst 3560 Series switch in our data center, and we want our provider to send us a bandwidth graph of this switch, so I have to enable SNMP on this switch.

I have 2 questions:

1. To enable and allow the provider access to our switch I will do these steps:

1. snmp-server community public RO
2. snmp-server host 192.168.1.23 version 1 public

Is this enough to allow them to get a bandwidth graph for this switch?

Second question:

The switch has only a private IP of 10.0.10.10 and has no public IP, but we have a TMG server that is connected to the same switch. Can I forward the UDP ports 161 and 162 from the TMG (firewall) to this switch and give the public IP of the TMG to the provider? That is because our provider gave us a public IP address that they use to read data from this switch.

Thanks

11 Replies

John Blakley
VIP Alumni

Yes for question 1. You're tying snmp to only be polled from 192.168.1.23. Is that what you're wanting? If not, you can remove line 2...

HTH,
John

*** Please rate all useful posts ***

Hi John,

Thanks for your reply,

Yes, we want the provider to poll SNMP info only from this IP 192.168.1.26 (this would be the public IP of the provider and really is 62.XX.XX.230), to get a bandwidth graph.

Any answer on the second question? Because otherwise I don't know how the provider would get the SNMP info from the switch.

Thanks

I'm not that familiar with TMG. You'll need some public presence for the switch to be polled from the outside, so you'd have to nat a public address to it. Then you could give the public address to your provider and they'd set up monitoring on their side. You'd then have to allow only their public address in via snmp ports. I'm not sure how you'd do that in TMG, but in concept it should work the same.

Since you're going over the internet with it, I'd recommend configuring snmp v3 instead of 1. 1 and 2 send everything in clear text:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swsnmp.html

HTH,
John

*** Please rate all useful posts ***

Hi John,

Thanks again for the reply,

TMG is the new version of ISA (Microsoft firewall/web proxy/NAT device software); we can use the TMG to forward all the incoming requests on a single public IP to any device behind it. Should we open only UDP port 160, or are there more ports that we should open?

Thanks

UDP/161 should be the only one that you need.

HTH,
John

*** Please rate all useful posts ***

Hi John,

Thanks for your reply,

I did enable SNMP with the above commands, added the IP address of the provider 62.XX.XX.230 to the list and saved the configuration with write memory.
Now when I go to a server that is in the same IP range as the switch, 10.0.10.0, and use portqry to see if it listens on port UDP 161, I get this:

c:\Install\PortQryV2>portqry -n 10.0.10.17 -e 161

Querying target system called:

10.0.10.17

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 161 (unknown service): NOT LISTENING

Does this mean SNMP is not working?

I also ran show running-config and see this:

!
no cdp advertise-v2
no cdp run
snmp-server community public RO
snmp-server host 62.XX.XX.230 public
!

Why does it say port not listening?

Thanks

If you want to test that way, you're going to need to add it to your list. You've locked snmp down to only accept queries from 62.x.x.230. You need to add the address of whatever host you tried to do this from. For example, try the following:

access-list 61 permit 62.x.x.x

access-list 61 permit 10.0.10.15

snmp-server community public ro 61

Remove snmp-server host 62.XX.XX.230 public

HTH,
John

*** Please rate all useful posts ***

Hi,

It is not listening because SNMP works over UDP, not TCP. In your config I saw no ACL attached to SNMP, so using SNMPWalker with the correct community and MIB will give you the information you want to see, confirming SNMP is correctly configured. Of course attaching an ACL to the SNMP config is better, like John proposed.

What would be even more secure is to configure SNMPv3 (if your NMS supports it) with views to limit polling of the MIB to only the objects needed to get the bandwidth graph.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swsnmp.html#wp1021753

Regards

Alain

Don't forget to rate helpful posts.
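To make Alain's point concrete, here is an added example (not from the thread, and not Cisco's or any vendor's code) of what an SNMPv1 GetRequest actually is on the wire: a BER-encoded UDP datagram sent to port 161, answered by a UDP GetResponse. A TCP probe such as `portqry -e 161` can only ever report "NOT LISTENING" against an SNMP agent, because the agent never opens a TCP socket. The `snmp_get` helper, the community string `public`, the `SAMPLE_RESPONSE` datagram and the uptime value in it are all assumptions constructed for this example; the OID and tag numbers are the standard ones from RFC 1157 and MIB-II. Note that the community string travels in the clear in the message, which is the reason John recommends SNMPv3 when polling across the Internet.

```python
"""Minimal SNMPv1 GetRequest/GetResponse codec over UDP/161 (example code,
not from the thread). Shows why a TCP port probe says nothing about SNMP."""
import socket

SYS_UPTIME_OID = "1.3.6.1.2.1.1.3.0"   # sysUpTime.0 from MIB-II

# --- BER encoding helpers ---------------------------------------------------
def _ber_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_length(len(payload)) + payload

def _encode_int(v):
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def _encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])      # first two arcs share a byte
    for p in parts[2:]:
        chunk = [p & 0x7F]                            # base-128, high bit = continue
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_get_request(community, oid, request_id=1):
    """SNMPv1 GetRequest (PDU tag 0xA0) asking for a single OID."""
    varbind = _tlv(0x30, _encode_oid(oid) + _tlv(0x05, b""))          # OID + NULL
    pdu = _tlv(0xA0, _encode_int(request_id) + _encode_int(0)         # error-status
               + _encode_int(0) + _tlv(0x30, varbind))                 # error-index
    return _tlv(0x30, _encode_int(0)                                    # version 0 = v1
                + _tlv(0x04, community.encode()) + pdu)                 # community in clear

# --- BER decoding -----------------------------------------------------------
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(str(p) for p in parts)

def _decode_value(tag, body):
    if tag == 0x02:                       # INTEGER
        return int.from_bytes(body, "big", signed=True)
    if tag in (0x41, 0x42, 0x43):         # Counter32, Gauge32, TimeTicks
        return int.from_bytes(body, "big")
    if tag == 0x04:                       # OCTET STRING
        return body
    return None                           # NULL or unsupported type

def parse_message(datagram):
    """Decode an SNMPv1 message (request or response) into a dict."""
    _, msg, _ = _read_tlv(datagram, 0)
    _, ver, pos = _read_tlv(msg, 0)
    _, comm, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _, pos = _read_tlv(pdu, pos)       # error-index, unused here
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, p = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, p)
        varbinds.append((_decode_oid(oid), _decode_value(vtag, vbody)))
    return {"version": int.from_bytes(ver, "big"), "community": comm.decode(),
            "pdu": pdu_tag, "request_id": int.from_bytes(rid, "big"),
            "error_status": int.from_bytes(err, "big"), "varbinds": varbinds}

def snmp_get(host, community, oid, timeout=2.0):
    """Send one GetRequest as a UDP datagram to port 161; None on timeout
    (agent down, community or ACL mismatch, or the NAT not forwarding UDP/161)."""
    req = encode_get_request(community, oid, request_id=42)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 161))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_message(data)

# Constructed GetResponse (PDU tag 0xA2) of the shape an agent sends back, so the
# example runs offline; sysUpTime is TimeTicks (tag 0x43), value made up here.
SAMPLE_RESPONSE = _tlv(0x30, _encode_int(0) + _tlv(0x04, b"public") + _tlv(
    0xA2, _encode_int(42) + _encode_int(0) + _encode_int(0) + _tlv(
        0x30, _tlv(0x30, _encode_oid(SYS_UPTIME_OID)
                   + _tlv(0x43, (123456).to_bytes(3, "big"))))))

if __name__ == "__main__":
    print(parse_message(encode_get_request("public", SYS_UPTIME_OID, 42)))
    print(parse_message(SAMPLE_RESPONSE))
```

Running `snmp_get("10.0.10.17", "public", SYS_UPTIME_OID)` from a host that the `access-list 61` does not permit simply times out; the agent drops the datagram rather than refusing a connection, so a silent timeout (not a "NOT LISTENING" verdict) is the symptom of an ACL or community mismatch.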

Hi,

Thanks for the reply,

I want to let you know that I did test the configuration with Power SNMP Manager and I can access the switch behind the NAT device. Just one more question:

Can we use the above configuration to get a bandwidth graph of this switch?

Thanks

Hi,

Of course, as you can access all the objects in the MIB, but it won't tell you the bandwidth consumed by different protocols, only the total bandwidth consumed. To get a more granular graph you would need NetFlow, but it is not supported on the 3560 platform.

Regards

Alain

Don't forget to rate helpful posts.
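As an added example (not from the thread), this is how the "total bandwidth" graph Alain describes is derived from the IF-MIB octet counters a poller reads over SNMP: the rate is the counter delta between two polls, times 8, divided by the poll interval. The 32-bit `ifInOctets`/`ifOutOctets` counters wrap, and on a fast link they wrap quickly, so the code handles a single wrap and also computes the longest poll interval at which one wrap is still unambiguous. The `SAMPLES` list (three constructed polls of one 100 Mbit/s port, one of them spanning a wrap) and the function names are assumptions made for this example.

```python
"""Bandwidth from SNMP octet counters (example code, not from the thread).
A poll is (epoch_seconds, ifInOctets, ifOutOctets) for one interface."""

COUNTER32_MODULUS = 2 ** 32
COUNTER64_MODULUS = 2 ** 64

def counter_delta(prev, cur, width=32):
    """Octets counted between two polls, correcting for one counter wrap."""
    modulus = COUNTER32_MODULUS if width == 32 else COUNTER64_MODULUS
    if cur >= prev:
        return cur - prev
    return cur + (modulus - prev)          # counter wrapped once since last poll

def bits_per_second(prev, cur, interval_s, width=32):
    return counter_delta(prev, cur, width) * 8 / interval_s

def max_unambiguous_interval(link_bps, width=32):
    """Longest poll interval (s) before a Counter32/64 at line rate can wrap
    more than once, after which the delta can no longer be trusted."""
    modulus = COUNTER32_MODULUS if width == 32 else COUNTER64_MODULUS
    return modulus * 8 / link_bps

def utilisation_series(samples, if_speed_bps, width=32):
    """Turn consecutive polls into (t, in_bps, out_bps, in_pct, out_pct) rows,
    which is what a bandwidth graph plots."""
    rows = []
    for (t0, in0, out0), (t1, in1, out1) in zip(samples, samples[1:]):
        dt = t1 - t0
        in_bps = bits_per_second(in0, in1, dt, width)
        out_bps = bits_per_second(out0, out1, dt, width)
        rows.append((t1, in_bps, out_bps,
                     100 * in_bps / if_speed_bps, 100 * out_bps / if_speed_bps))
    return rows

# Constructed polls, 60 s apart, for a 100 Mbit/s port (ifSpeed = 100000000).
# The inbound counter wraps between the first and second poll.
SAMPLES = [
    (1700000000, 4_294_900_000, 10_000_000),
    (1700000060,       300_000, 85_000_000),
    (1700000120,    75_300_000, 85_000_000),
]

if __name__ == "__main__":
    for t, ibps, obps, ipct, opct in utilisation_series(SAMPLES, 100_000_000):
        print(f"{t}: in {ibps:,.0f} bps ({ipct:.1f}%)  out {obps:,.0f} bps ({opct:.1f}%)")
    print("60 s polls safe on 1 Gbit/s with Counter32?",
          max_unambiguous_interval(1_000_000_000) >= 60)
```

The last line is the practical caveat: with Counter32 a gigabit link can wrap the counter in about 34 seconds, so a 60-second poll cannot distinguish one wrap from two, and the 64-bit `ifHCInOctets`/`ifHCOutOctets` counters (width=64) should be polled instead where the agent provides them.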

Hi Cadet,

Thanks again for your reply,

Our provider has the correct software to read the bandwidth, and today I got a link from them where I can see the bandwidth that has been used on each of the switch ports.

Thanks again.

Shahin