How Nectus selects Management interface for the discovered devices?

,

For each router or switch found during discovery Nectus has to select one interface that will be used as a primary monitoring

interface for basic reachibility checks, destination for SNMP  queries etc..

Here is the selection order logic that implemented in Nectus Discovery Service:

  1. Select Interface that has assigned IP address associated with current DNS record for device Hostname
  2. Select Interface that starts with “Mgmt” (for example: Mgmt0)
  3. Select Interface that starts with “Loopback” (Lowest number if preferred)
  4. Select Interface that starts with “VLAN”  (Lowest number of preferred)
  5. Select Interface with lowest IP Address

 

How to exclude specific subnets from Network Discovery?

,

To exclude specific subnet from Network  Discovery add it to “Excluded subnets” list  in “Settings -> Network Discovery Settings”

This will exclude this subnets from ICMP scan phase and subsequently prevent live devices in this subnets from being

queried  via SNMP.

 

Interface Utilization issues on Cisco GRE tunnels (IOS-XR)

By default when you create a GRE tunnel  (tunnel-ip1) on ASR9K routers it gets assigned default Bandwidth value of 8Kbps

which usually causes utilization monitoring confusion as Tunnel can carry as much traffic as its hardware parent interface

where tunnel is anchored to. You would see utilization values as high a 10,000% percent with default Bandwidth settings.

To fix this issue correct bandwidth value has to be assigned to Tunnel interface.

Ideally it has to match Bandwidth value from the parent hardware interface.

Example:

interface tunnel-ip1
description BBL-0000: INTERNET-VPN-TO-JP
bandwidth 10000000
ipv4 address xx.xx.xx.xx/30
load-interval 30
tunnel mode gre ipv4
tunnel source yy.yy.yy.yy
keepalive 10
tunnel destination zz.zz.zz.zz
tunnel dfbit disable

How to read Cisco device S/N via SNMP?

, ,

During network discovery phase Nectus collects S/N for each device that responds to basic SNMP queries.

One of the problem with Cisco  Devices is that different platforms uses different OID to store S/N.

Following OIDs are being used for Cisco:

.1.3.6.1.2.1.47.1.1.1.1.11.1

.1.3.6.1.2.1.47.1.1.1.1.11.2

.1.3.6.1.2.1.47.1.1.1.1.11.10

.1.3.6.1.2.1.47.1.1.1.1.11.22

.1.3.6.1.2.1.47.1.1.1.1.11.1001

.1.3.6.1.2.1.47.1.1.1.1.11.24555730

.1.3.6.1.4.1.14179.1.1.1.4.0

.1.3.6.1.4.1.2467.1.34.4.0

.1.3.6.1.4.1.437.1.1.3.1.22.0

.1.3.6.1.4.1.9.20.1.1.1.1.3.0.1.3.6.1.4.1.7505.1.1.1.0

.1.3.6.1.4.1.9.6.1.101.53.14.1.5.1

.1.3.6.1.4.1.9.9.92.1.1.1.2.1

.1.3.6.1.4.1.9.3.6.3.0

.1.3.6.1.4.1.3076.2.1.2.22.1.63.0

.1.3.6.1.4.1.9.5.1.2.19.0

.1.3.6.1.4.1.9.9.719.1.9.35.1.47.1

SNMPv3 AES Cipher bug in IOS-XR 5.3.4 (ASR9000)

Just run into a IOS-XR bug with running SNMP v3 with AES-128 cipher (as well as AES-192 and AES-256) on ASR 9000 Routers running 5.3.4 Code.

Apparently Cisco BUG ID CSCvd35831. Fixed in 6.2.xx code.

Upgrading ASR9K is fun that can take 4-5 hours per box but having SNMP communications secure is more important. Consider upgrading.

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvd35831

 

 

 

How to prevent specific network device types from being discovered?

,

Sometimes specific device categories (UPS units, Printers etc) must be excluded from network discovery due to their low importance

from the Network Monitoring prospective or due to security concerns or because of their impact on Nectus processing load.

This can be achieved with OID ignore list.

For example we want  to prevent all Xerox ApeosPort Series Printers from being discovered

SNMP Platform ID: .1.3.6.1.4.1.297.1.11.93.1.35.8.6.2
Category Name: Xerox ApeosPort Series Printers

We need to take this category’s SNMP platform OID and add it to “OID ignore” list located under “Settings -> Network Discovery settings”

How to get Interfaces’ ifIndex values via SNMP

,

To obtain list of ifIndex values for all interfaces for given device SNMP polling agent has to send

SNMP GET BULK request for the following OID:  .1.3.6.1.2.1.2.2.1.1

Response Example:

‘.1.3.6.1.2.1.2.2.1.1.1’ => “1”
‘.1.3.6.1.2.1.2.2.1.1.2’ => “2”
‘.1.3.6.1.2.1.2.2.1.1.3’ => “3”
‘.1.3.6.1.2.1.2.2.1.1.4’ => “4”
‘.1.3.6.1.2.1.2.2.1.1.5’ => “5”
‘.1.3.6.1.2.1.2.2.1.1.6’ => “6”
‘.1.3.6.1.2.1.2.2.1.1.7’ => “7”
‘.1.3.6.1.2.1.2.2.1.1.8’ => “8”
‘.1.3.6.1.2.1.2.2.1.1.9’ => “9”
‘.1.3.6.1.2.1.2.2.1.1.10’ => “10”
‘.1.3.6.1.2.1.2.2.1.1.11’ => “11”
‘.1.3.6.1.2.1.2.2.1.1.12’ => “12”
‘.1.3.6.1.2.1.2.2.1.1.13’ => “13”
‘.1.3.6.1.2.1.2.2.1.1.14’ => “14”
‘.1.3.6.1.2.1.2.2.1.1.15’ => “15”
‘.1.3.6.1.2.1.2.2.1.1.17’ => “17”

Next Step is to get Interface names by sending SNMP GET BULK request for the following OID:  .1.3.6.1.2.1.2.2.1.2

Response Example:

‘.1.3.6.1.2.1.2.2.1.2.1’ => “TenGigabitEthernet0/0/0”
‘.1.3.6.1.2.1.2.2.1.2.2’ => “TenGigabitEthernet0/0/1”
‘.1.3.6.1.2.1.2.2.1.2.3’ => “GigabitEthernet0/0/0”
‘.1.3.6.1.2.1.2.2.1.2.4’ => “GigabitEthernet0/0/1”
‘.1.3.6.1.2.1.2.2.1.2.5’ => “GigabitEthernet0/0/2”
‘.1.3.6.1.2.1.2.2.1.2.6’ => “GigabitEthernet0/0/3”
‘.1.3.6.1.2.1.2.2.1.2.7’ => “GigabitEthernet0/0/4”
‘.1.3.6.1.2.1.2.2.1.2.8’ => “GigabitEthernet0/0/5”
‘.1.3.6.1.2.1.2.2.1.2.9’ => “Crypto-Engine0/0/8”
‘.1.3.6.1.2.1.2.2.1.2.10’ => “GigabitEthernet0”
‘.1.3.6.1.2.1.2.2.1.2.11’ => “Null0”
‘.1.3.6.1.2.1.2.2.1.2.12’ => “Port-channel1”
‘.1.3.6.1.2.1.2.2.1.2.13’ => “Port-channel2”
‘.1.3.6.1.2.1.2.2.1.2.14’ => “Port-channel2.599”
‘.1.3.6.1.2.1.2.2.1.2.15’ => “Port-channel2.11”
‘.1.3.6.1.2.1.2.2.1.2.17’ => “Port-channel2.3213”

Now we are able to match Interface name to an ifIndex value.

Please note unless ifIndex persistence is enabled router (or switch) may assign different ifIndex value to the same interface after reboot.

To enable consistent ifIndex-to-Interface mapping ifIndex persistence must be enabled.

Configuration example for Catalyst 6500

Router(config)# snmp-server ifindex persist

Globally enables SNMP ifIndex persistence.

 

Generating Site level network topology with Nectus

,

This short video shows basic steps to generate site level network topology

Nectus Logo

SNMPv3 Configuration example for IOS-XR (ASR9k)

,

IOS-XR SNMP v3 configuration example for username “user_des”

 

  1. snmp-server group admins v3 priv
  2. snmp-server user user-des admins v3 auth md5 “authpass” priv des56 “privpass” SystemOwner

 

this configuration will use MD5 hash for authentication and DES cipher (DES56) for encryption.

IOS-XR (as of 5.3.4 code) also supports

3DES  – 168 bit 3DES algorithm for encryption
AES – 128 bit AES algorithm for encryption

How does Nectus discover your network?

,

During Nectus installation user can define up to 10 IPv4 subnets that will be used

as initial seed subnets for ICMP scan. Immediately after Installation is completed Nectus

starts ICMP scan of provided subnets and builds a list of live IP addresses that responded to Ping.

Read more

Submitting unknown SNMP devices for classification in Nectus

,

When Nectus discovers a new device it uses its SNMP sysObjectID (1.3.6.1.2.1.1.2) value to classify device by manufacturer,

by major platform category and by model number.

For example sysObjectID value of 1.3.6.1.4.1.9.1.1018

Defined as:

Manufacturer Value: Cisco Systems (9)

Major Category: Cisco ASR 9000 Aggregation Services Routers

Model: Cisco ASR 9006 Routers Read more

Can I see your network diagram?

,

What is the first question you ask when you start a new network project or start a new job as a network engineer?”:

– Can I see your network diagram?

Lucky you if you get it right away and in the “right” format (Visio?) but in my past I remember places where it took me weeks to find the right person who

had that diagram, which was very often not up to date or did not contain information I needed or was only showing application layer components and

I still had to spend hours doing “show cdp nei” and re-creating drawings the way I like it with the information I needed. Read more