Cisco IOS Router and Switch
Issue with Generic Serial Numbers in Older Versions of Cisco IOS Routers
FortiSIEM uses serial numbers to uniquely identify a device. For older routers, the serial number is obtained from the OID 1.3.6.1.4.1.9.3.6.3.0.
However, this value is often incorrectly set by default to a generic value like MSFC 2A. If multiple routers have a common default value, then these routers will be merged into a single entry in the FortiSIEM CMDB.
You can check the current value for the serial number in a Cisco router by doing a SNMP walk of the OID.
snmpwalk -v2c -c <cred> <ip> 1.3.6.1.4.1.9.3.6.3.0
If the value is a generic value, then set it to the actual serial number.
Router(config)#snmp-server chassis-id <serial number>
Router(config)#exit
Router#write memory
Run the snmpwalk again to verify that the serial number is updated, then perform discovery of your Cisco router.
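Before discovery it is worth running the walk above against every router and checking for two things at once: values that are a known default, and values shared by more than one device (the ones that would be merged into a single CMDB entry). The following script is an added example, not part of the FortiSIEM documentation: it parses snmpwalk output lines for the chassis-id OID and reports both conditions. The walk output and the router IPs are constructed sample data; the serial "FOC0000XXXX" is a hypothetical value.

```python
import re
from collections import defaultdict

# Constructed sample: one snmpwalk output line per router, keyed by router IP.
# Without Cisco MIBs loaded, snmpwalk prints OID 1.3.6.1.4.1.9.3.6.3.0 in the
# form on the right. The serial numbers here are hypothetical.
SAMPLE_WALKS = {
    "10.0.0.1": 'SNMPv2-SMI::enterprises.9.3.6.3.0 = STRING: "MSFC 2A"',
    "10.0.0.2": 'SNMPv2-SMI::enterprises.9.3.6.3.0 = STRING: "MSFC 2A"',
    "10.0.0.3": 'SNMPv2-SMI::enterprises.9.3.6.3.0 = STRING: "FOC0000XXXX"',
    "10.0.0.4": 'SNMPv2-SMI::enterprises.9.3.6.3.0 = STRING: ""',
}

# Values that are defaults rather than real serial numbers. "MSFC 2A" is the one
# the documentation names; an empty string is treated as generic as well.
GENERIC_VALUES = {"", "MSFC 2A"}

_WALK_RE = re.compile(r'= STRING: "(?P<value>[^"]*)"\s*$')


def parse_chassis_id(line):
    """Return the chassis-id string from one snmpwalk output line, or None."""
    m = _WALK_RE.search(line)
    return m.group("value").strip() if m else None


def find_collisions(walks):
    """Group routers by chassis-id.

    Returns (generic, duplicates): generic maps router -> offending value for
    routers whose serial is a known default; duplicates maps serial -> list of
    routers sharing it (two or more), i.e. the routers that would be merged
    into one CMDB entry.
    """
    by_serial = defaultdict(list)
    generic = {}
    for router, line in walks.items():
        serial = parse_chassis_id(line)
        if serial is None:
            continue  # no parsable answer; the router is not reporting a value
        by_serial[serial].append(router)
        if serial in GENERIC_VALUES:
            generic[router] = serial
    duplicates = {s: r for s, r in by_serial.items() if len(r) > 1}
    return generic, duplicates


if __name__ == "__main__":
    generic, duplicates = find_collisions(SAMPLE_WALKS)
    for router, value in sorted(generic.items()):
        print(f"{router}: generic chassis-id {value!r}; set snmp-server chassis-id")
    for serial, routers in duplicates.items():
        print(f"serial {serial!r} shared by {routers}; these would merge in the CMDB")
```

To use it against real devices, replace the constructed dictionary with the last line of `snmpwalk -v2c -c <cred> <ip> 1.3.6.1.4.1.9.3.6.3.0` for each router; a non-empty `duplicates` result means the affected routers need a distinct chassis-id before discovery.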
What is Discovered and Monitored
Protocol | Information Discovered | Metrics collected | Used for |
---|---|---|---|
SNMP (V1, V2c, V3) | Host name, IOS version, Hardware model, Memory size, Network interface details - name, address, mask and description | Uptime, CPU and Memory utilization, Free processor and I/O memory, Free contiguous processor and I/O memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), | Availability and Performance Monitoring |
SNMP (V1, V2c, V3) | Hardware component details: serial number, model, manufacturer, software firmware versions of hardware components such as chassis, CPU, fan, power supply, network cards etc. | Hardware health: temperature, fan and power supply | Availability |
SNMP (V1, V2c, V3) | Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association | Topology and end-host location | |
SNMP (V1, V2c, V3) | BGP connectivity, neighbors, state, AS number | BGP state change | Routing Topology, Availability Monitoring |
SNMP (V1, V2c, V3) | OSPF connectivity, neighbors, state, OSPF Area | OSPF state change | Routing Topology, Availability Monitoring |
SNMP (V1, V2c, V3) | IP SLA and VoIP performance metrics: Max/Min/Avg Delay and Jitter - both overall and Source->Destination and Destination->Source, Packets Lost - both overall and Source->Destination and Destination->Source, Packets Missing in Action, Packets Late, Packets out of sequence, VoIP Mean Opinion Score (MOS), VoIP Calculated Planning Impairment Factor (ICPIF) score | VoIP Performance Monitoring | |
SNMP (V1, V2c, V3) | Class based QoS metrics (from CISCO-CLASS-BASED-QOS-MIB): For (router interface, policy, class map) tuple: class map metrics including Pre-policy rate, post-police rate, drop rate and drop pct; police action metrics including conform rate, exceeded rate and violated rate; queue metrics including current queue length, max queue length and discarded packets | QoS performance monitoring | |
SNMP (V1, V2c, V3) | NBAR metrics (from CISCO-NBAR-PROTOCOL-DISCOVERY-MIB): For each interface and application, sent/receive flows, sent/receive bytes, sent/receive bits/sec | Performance Monitoring | |
Telnet/SSH | Running and startup configuration, Image file name, Flash memory size, Running processes | Startup configuration change, delta between running and startup configuration, Running process CPU and memory utilization | Performance Monitoring, Security and Compliance |
Syslog | Device type | System logs and traffic logs matching acl statements | Availability, Security and Compliance |
Event Types
Syslog events
In ADMIN > Device Support > Event, search for "cisco_os" in the Description column to see the event types associated with this device.
Rules
Reports
Configuration
Telnet/SSH
FortiSIEM uses SSH and Telnet to communicate with your device. Follow the instructions in the product documentation for your device to enable SSH and Telnet.
These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device.
show startup-config
show running-config
show version
show flash
show ip route
show mac-address-table or
show mac address-table
show vlan brief
show process cpu
show process mem
show disk0
enable
terminal pager 0
SNMP
SNMP V1/V2c
- Log in to the Cisco IOS console or telnet to the device.
- Enter configuration mode.
- Create an access list for FortiSIEM.
access-list 10 permit <FortiSIEM IP>
- Set up community strings and access lists.
snmp-server community <community string> ro 10
- Exit configuration mode.
SNMP V3
- Log in to the Cisco IOS console or telnet to the device.
- Enter configuration mode.
- Create an access list for FortiSIEM.
access-list 10 permit <FortiSIEM IP>
- Set up SNMP credentials for Authentication only.
snmp-server group <grpName> v3 auth
#do this for every VLAN for FortiSIEM to discover per-VLAN information such as Spanning Tree and VTP MIBs
snmp-server group <grpName> v3 auth context vlan-<vlanId>
snmp-server user <userName> <grpName> v3 auth md5 <password> access 10
- Set up SNMP credentials for Authentication and Encryption.
snmp-server group <grpName> v3 priv
#do this for every VLAN for FortiSIEM to discover per-VLAN information such as Spanning Tree and VTP MIBs
snmp-server group <grpName> v3 auth context vlan-<vlanId>
snmp-server group <grpName> v3 priv context vlan-<vlanId>
snmp-server user <userName> <grpName> v3 auth md5 <password> priv des56 <password> access 10
- Exit configuration mode.
Syslog
- Log in to the Cisco IOS console or telnet to the device.
- Enter configuration mode.
- Enable logging with these commands.
logging on
logging trap informational
logging <FortiSIEM IP>
- Make sure that the timestamp in syslog messages sent to FortiSIEM does not contain milliseconds.
no service timestamps log datetime msec
service timestamps log datetime
- To log traffic matching acl statements in stateless firewall scenarios, add the log keyword to the acl statements.
access-list 102 deny udp any gt 0 any gt 0 log
- To turn on logging from the IOS Firewall module, use this command.
ip inspect audit-trail
- Exit configuration mode.
Sample Cisco IOS Syslog Messages
<190>109219: Jan 9 18:03:35.281: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (192.168.20.33:1876) -- responder (192.168.0.10:445)
<190>263951: 2w6d: %SEC-6-IPACCESSLOGP: list permit-any permitted udp 192.168.20.35(0) -> 192.168.23.255(0), 1 packet
<188>84354: Dec 6 08:15:20: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin] [Source: 192.168.135.125] [localport: 80] [Reason: Login Authentication Failed - BadPassword] at 08:15:20 PST Mon Dec 6 2010
<189>217: May 12 13:57:23.720: %SYS-5-CONFIG_I: Configured from console by vty1 (192.168.29.8)
<189>Oct 27 20:18:43.254 UTC: %SNMP-3-AUTHFAIL: Authentication failure for SNMP request from host 192.168.2.98
NetFlow
Enable NetFlow on the Router
- Enter configuration mode.
- For every interface, run this command.
interface <interface> <interface_number>
ip route-cache flow
exit
Set Up NetFlow Export
- Enter configuration mode.
- Run these commands.
ip flow-export version 5|9
ip flow-export destination <Accelops IP> 2055
ip flow-export source <interface> <interface_number>
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
snmp-server ifindex persist
- On MLS switches, such as the 6500 or 7200 models, also run these commands.
mls netflow
mls nde sender
mls aging long 64
mls flow ip full
- Exit configuration mode.
You can verify that you have set up NetFlow correctly by running these commands.
#shows the current NetFlow configuration
show ip flow export
#summarizes the active flows and gives an indication of how much NetFlow data the device is exporting
show ip cache flow or show ip cache verbose flow
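What arrives at the collector on UDP port 2055 when `ip flow-export version 5` is configured is a fixed-layout datagram: a 24-byte header followed by `count` 48-byte flow records. The parser below is an added example, not FortiSIEM code, for checking that a capture of the export traffic is well-formed and contains the fields the table above lists (addresses, interfaces, byte and packet counters). The datagram it parses is built in the same block from constructed values; the addresses are borrowed from the syslog samples on this page and do not come from a real export.

```python
import socket
import struct

# NetFlow v5 header and record layouts (network byte order).
# header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval            -> 24 bytes
# record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first,
#         last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#         src_mask, dst_mask, pad2                               -> 48 bytes
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram):
    """Return (header_dict, [record_dict, ...]); raise ValueError on a malformed datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_seq, engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < expected:
        raise ValueError(f"header announces {count} records but only {len(datagram)} bytes present")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]), "in_if": f[3], "out_if": f[4],
            "packets": f[5], "bytes": f[6], "first_ms": f[7], "last_ms": f[8],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
            "tos": f[14], "src_as": f[15], "dst_as": f[16],
            "src_mask": f[17], "dst_mask": f[18],
        })
    header = {"count": count, "sys_uptime": sys_uptime, "unix_secs": unix_secs,
              "flow_sequence": flow_seq, "engine_id": engine_id, "sampling_interval": sampling}
    return header, records


def is_well_formed(datagram):
    """True if the datagram parses as NetFlow v5 with all announced records present."""
    try:
        parse_netflow_v5(datagram)
        return True
    except ValueError:
        return False


def build_sample_datagram():
    """Constructed two-flow v5 export datagram (not captured from a device)."""
    header = V5_HEADER.pack(5, 2, 123456, 1700000000, 0, 1000, 0, 0, 0)
    tcp_flow = V5_RECORD.pack(
        socket.inet_aton("192.168.20.33"), socket.inet_aton("192.168.0.10"),
        socket.inet_aton("0.0.0.0"), 1, 2, 10, 1500, 100000, 101000,
        1876, 445, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    udp_flow = V5_RECORD.pack(
        socket.inet_aton("192.168.20.35"), socket.inet_aton("192.168.23.255"),
        socket.inet_aton("0.0.0.0"), 1, 0, 1, 78, 100500, 100500,
        0, 0, 0, 0, 17, 0, 0, 0, 24, 24, 0)
    return header + tcp_flow + udp_flow


if __name__ == "__main__":
    hdr, recs = parse_netflow_v5(build_sample_datagram())
    print(hdr)
    for r in recs:
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} proto {r['proto']} "
              f"{r['packets']} pkts {r['bytes']} bytes")
```

Flexible NetFlow (the sample below) exports version 9, which is template-based and needs a different parser; the fixed v5 layout is what the `ip flow-export version 5` line above produces.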
Sample Flexible Netflow Configuration in IOS
flow exporter e1
! destination is the collector address, default port needs to be changed to 2055
destination <accelopsIp>
transport udp 2055
!
flow record r1
! record specifies packet fields to collect
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
collect transport tcp flags
collect interface output
collect counter bytes
collect counter packets
!
flow monitor m1
! monitor refers to the record configuration and the exporter configuration
record r1
exporter e1
cache timeout active 60
cache timeout inactive 30
cache entries 1000
!
interface GigabitEthernet 2/48
ip flow monitor m1 input
IP SLA
IP SLA is a technology where a pair of routers can run synthetic tests between themselves and report detailed traffic statistics. This enables network administrators to get performance reports between sites without depending on end-host instrumentation.
Cisco provides detailed documents for configuring IP SLA for both general traffic and VoIP.
A variety of IP SLA tests can be run, for example UDP/ICMP Jitter, UDP Jitter for VoIP, UDP/ICMP Echo, TCP Connect, HTTP, etc. You can see the traffic statistics for these tests by running the appropriate show commands on the router. However, only these IP SLA tests are exported via the RTT-MON SNMP MIB.
- UDP Jitter (reported by FortiSIEM event type PH_DEV_MON_IPSLA_MET)
- UDP Jitter for VoIP (reported by FortiSIEM event type PH_DEV_MON_IPSLA_VOIP_MET)
- HTTP performance (reported by FortiSIEM event type PH_DEV_MON_IPSLA_HTTP_MET)
- ICMP Echo (reported by FortiSIEM event type PH_DEV_MON_IPSLA_ICMP_MET)
- UDP Echo (reported by FortiSIEM event type PH_DEV_MON_IPSLA_UDP_MET)
These are the only IP SLA tests monitored by FortiSIEM.
Configuring IP SLA involves choosing and configuring a router to initiate the test and a router to respond. The test statistics are automatically reported by the initiating router via SNMP, so no additional configuration is required. Bi-directional traffic statistics are also reported by the initiating router, so you don't need to set up a reverse test between the original initiating and responding routers. FortiSIEM automatically detects the presence of the IP SLA SNMP MIB (CISCO-RTTMON-MIB) and starts collecting the statistics.
Configuring IP SLA Initiator for UDP Jitter
ipsla-init>enable
ipsla-init#config terminal
ipsla-init(config)#ip sla monitor <operation num>
ipsla-init(config-sla-monitor)#type jitter dest-ipaddr <responder ip> dest-port <dest port>
ipsla-init(config-sla-monitor-jitter)#frequency default
ipsla-init(config-sla-monitor-jitter)#exit
ipsla-init(config)#ip sla monitor schedule <operation num> start-time now life forever
Configuring IP SLA Initiator for UDP Jitter for VoIP
ipsla-init>enable
ipsla-init#config terminal
ipsla-init(config)#ip sla monitor <operation num>
ipsla-init(config-sla-monitor)#type jitter dest-ipaddr <responder ip> dest-port <dest port> codec <codec type> advantage-factor 0
ipsla-init(config-sla-monitor-jitter)#frequency default
ipsla-init(config-sla-monitor-jitter)#exit
ipsla-init(config)#ip sla monitor schedule <operation num> start-time now life forever
Configuring IP SLA Initiator for ICMP Echo Operation
Router> enable
Router# configure terminal
Router(config)# ip sla monitor 15
Router(config-sla-monitor)# type echo protocol ipIcmpEcho <destination-ip-address>
Router(config-sla-monitor-echo)# frequency 30
Router(config-sla-monitor-echo)# exit
Router(config)# ip sla monitor schedule 15 start-time now life forever
Router(config)# exit
Configuring the IP SLA Responder for All Cases
ipsla-resp>enable
ipsla-resp#config terminal
ipsla-resp(config)#ip sla monitor responder
Class-Based QoS
CBQoS enables routers to enforce traffic-dependent Quality of Service policies on router interfaces, to make sure that important traffic such as VoIP and mission-critical applications gets its allocated network resources.
Cisco provides detailed documents for configuring IP SLA for both general traffic and VoIP.
The CBQoS statistics are automatically reported by the router via SNMP, so no additional configuration is needed. FortiSIEM detects the presence of valid CBQoS MIBs and starts monitoring them.
NBAR
Cisco provides a configuration guide for protocol discovery via NBAR.
Make sure that the CISCO-NBAR-PROTOCOL-DISCOVERY-MIB is enabled.
Sample event generated by FortiSIEM
[PH_DEV_MON_CISCO_NBAR_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceCisco.cpp,[lineNumber]=1644,[hostName]=R1.r1.accelops.com,[hostIpAddr]=10.1.20.59,[intfName]=Ethernet0/0,[appTransportProto]=snmp,[totFlows]=4752,[recvFlows]=3168,[sentFlows]=1584,[totBytes64]=510127,[recvBytes64]=277614,[sentBytes64]=232513,[totBitsPerSec]=22528.000000,[recvBitsPerSec]=12288.000000,[sentBitsPerSec]=10240.000000,[phLogDetail]=
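The event above uses the FortiSIEM attribute format: an event type in brackets, then comma-separated `[name]=value` pairs. The script below is an added example, not FortiSIEM code, that parses that line and checks the one invariant visible in the sample: each `tot*` counter should equal its `recv*` plus `sent*` counterpart. A mismatch usually means a truncated or mis-parsed event rather than a real traffic anomaly, so it is a cheap sanity check to run before building reports on these counters. The input is a copy of the sample event and is labelled as constructed test data.

```python
import re

# Constructed test input: a copy of the sample event shown on the page.
SAMPLE_EVENT = (
    "[PH_DEV_MON_CISCO_NBAR_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceCisco.cpp,"
    "[lineNumber]=1644,[hostName]=R1.r1.accelops.com,[hostIpAddr]=10.1.20.59,"
    "[intfName]=Ethernet0/0,[appTransportProto]=snmp,[totFlows]=4752,[recvFlows]=3168,"
    "[sentFlows]=1584,[totBytes64]=510127,[recvBytes64]=277614,[sentBytes64]=232513,"
    "[totBitsPerSec]=22528.000000,[recvBitsPerSec]=12288.000000,[sentBitsPerSec]=10240.000000,"
    "[phLogDetail]="
)

_HEAD_RE = re.compile(r"^\[(?P<type>\w+)\]:")
_KV_RE = re.compile(r"\[(?P<key>\w+)\]=(?P<value>[^,]*)")

# Each total should be the sum of its received and sent parts.
NBAR_TOTALS = [
    ("totFlows", "recvFlows", "sentFlows"),
    ("totBytes64", "recvBytes64", "sentBytes64"),
    ("totBitsPerSec", "recvBitsPerSec", "sentBitsPerSec"),
]


def parse_fortisiem_event(line):
    """Return (event_type, attributes) for a [TYPE]:[k]=v,[k]=v,... line."""
    m = _HEAD_RE.match(line)
    if not m:
        raise ValueError("line does not start with an [EVENT_TYPE]: header")
    attrs = {k: v for k, v in _KV_RE.findall(line[m.end():])}
    return m.group("type"), attrs


def _num(text):
    """Counters are integers; rates carry a fractional part."""
    return float(text) if "." in text else int(text)


def check_nbar_totals(attrs):
    """Return the names of tot* attributes that are not recv* + sent*; empty means consistent."""
    bad = []
    for tot, recv, sent in NBAR_TOTALS:
        if _num(attrs[tot]) != _num(attrs[recv]) + _num(attrs[sent]):
            bad.append(tot)
    return bad


if __name__ == "__main__":
    etype, attrs = parse_fortisiem_event(SAMPLE_EVENT)
    print(etype, attrs["hostName"], attrs["intfName"], attrs["appTransportProto"])
    print("inconsistent totals:", check_nbar_totals(attrs) or "none")
```

The value pattern stops at the first comma, which is fine for this event type because none of its values contain one; `phLogDetail` is empty in the sample and parses as an empty string rather than being dropped.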
Settings for Access Credentials
SNMP Access Credentials for All Devices
These are the generic settings for providing SNMP access to your device from FortiSIEM.
Setting | Value |
---|---|
Name | <set name> |
Device Type | Generic |
Access Protocol | SNMP |
Community String | <your own> |
Telnet Access Credentials for All Devices
These are the generic settings for providing Telnet access to your device from FortiSIEM.
Setting | Value |
---|---|
Name | Telnet-generic |
Device Type | generic |
Access Protocol | Telnet |
Port | 23 |
User Name | A user who has access credentials for your device over Telnet |
Password | The password associated with the user |
SSH Access Credentials for All Devices
These are the generic settings for providing SSH access to your device from FortiSIEM.
Setting | Value |
---|---|
Name | ssh-generic |
Device Type | Generic |
Access Protocol | SSH |
Port | 22 |
User Name | A user who has access credentials for your device over SSH |
Password | The password associated with the user |