Monday, June 22, 2015

Configuring SNMP based LI

The required MIBs are attached.
 
The steps are below.
 
To allow SNMP to use object names rather than OIDs on your CentOS server:
 
Create /etc/snmp/snmp.conf with the following lines:
mibs +CISCO-SMI
mibs +CISCO-TAP2-MIB
mibs +CISCO-IP-TAP-MIB
mibs +CISCO-USER-CONNECTION-TAP-MIB
 
Please add the attached MIB files to /usr/share/snmp/mibs
 
i.e.
SNMPv2-SMI-V1SMI
SNMPv2-TC-V1SMI
SNMPv2-SMI
SNMPv2-TC
CISCO-SMI
CISCO-USER-CONNECTION-TAP-MIB
CISCO-TAP2-MIB
CISCO-IP-TAP-MIB
 
For configuring taps:
 
Aspects which need to be changed once:
Device IP
SNMP Username
SNMP Password
MD IP (aka cTap2MediationDestAddress)
MD Source Interface on ASR (aka cTap2MediationSrcInterface. Use show snmp mib ifmib ifindex <interface> to get value)
 
Aspects which will need to be potentially changed for different customer taps:
citapStreamSourceAddress and citapStreamDestinationAddress, aka the subscriber IP. Both can be set to the same value, because in each direction one is matched with a /0 mask and the other with a /32 mask.
citapStreamVRF, aka the customer VRF in use for that subscriber.
 
Each time, you must check the timeout of the tap. After the timeout date, the tap deactivates itself. Note that taps are also removed when the ASR reloads and must be reprovisioned.
 
Date format for cTap2MediationTimeout:
#07 db 0a 0f 00 00 00 00
#^---^ ^  ^  ^---------^
#  |   |  |      |------ Hours, minutes and seconds (4 bytes), generally we give all 0s here
#  |   |  |
#  |   |  |------------- Date in hex (one byte), 0f = 15
#  |   |---------------- Month in hex (one byte), 0a = 10 (October)
#  |
#  |-------------------- Year in hex (0x07db = 2011)
 
#### DATE MUST BE WITHIN NEXT 20 DAYS, otherwise intercept will NOT WORK
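 
An added example, not part of the original post: POSIX shell helpers that build the cTap2MediationTimeout octets in the layout described above and check the 20-day rule before a tap is provisioned. The function names are hypothetical, the dates are constructed samples, and "within next 20 days" is assumed to mean 1 to 20 days ahead.

```shell
#!/bin/sh
# Added example (helper names are hypothetical, dates are constructed samples).

# parse_ymd YYYY-MM-DD: sets Y, M, D as decimal integers. Leading zeros are
# stripped so that "08" and "09" are not read as invalid octal numbers.
parse_ymd() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    Y=${1%%-*}; rest=${1#*-}
    M=${rest%%-*}; D=${rest#*-}
    M=${M#0}; D=${D#0}
    [ "$M" -ge 1 ] && [ "$M" -le 12 ] && [ "$D" -ge 1 ] && [ "$D" -le 31 ]
}

# days_from_civil Y M D: days since 1970-01-01, integer arithmetic only,
# so the check does not depend on GNU date being installed.
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    mp=$(( (m + 9) % 12 ))                      # March = 0 ... February = 11
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# tap_timeout_hex YYYY-MM-DD: the 8 octets for cTap2MediationTimeout
# (2-byte year, month, day, then four zero bytes for the time of day).
tap_timeout_hex() {
    parse_ymd "$1" || return 1
    printf '%04X %02X %02X 00 00 00 00\n' "$Y" "$M" "$D"
}

# tap_timeout_ok TODAY TIMEOUT: succeeds only if TIMEOUT is 1 to 20 days
# after TODAY (assumed reading of "within next 20 days").
tap_timeout_ok() {
    parse_ymd "$1" || return 1; t0=$(days_from_civil "$Y" "$M" "$D")
    parse_ymd "$2" || return 1; t1=$(days_from_civil "$Y" "$M" "$D")
    delta=$((t1 - t0))
    [ "$delta" -gt 0 ] && [ "$delta" -le 20 ]
}

# Constructed sample: today = 2014-02-10, timeout = 2014-02-28 (18 days ahead).
if tap_timeout_ok 2014-02-10 2014-02-28; then
    echo "cTap2MediationTimeout.2 x \"$(tap_timeout_hex 2014-02-28)\""
fi
```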
 
If you need multiple customer taps, you will need to change the indexing.
 
For the SNMP set commands related to the MD, replace the .2 on the end of each with a different number not used by another tap,
e.g. cTap2MediationStatus.2 becomes cTap2MediationStatus.3
 
That same number also needs to replace the .2 (the first index) in the other SNMP set commands.
You also need to choose new stream indexes that are not used by another tap for all the other commands,
 
e.g. citapStreamAddrType.2.5 becomes citapStreamAddrType.3.10, citapStreamAddrType.2.6 becomes citapStreamAddrType.3.11
 
 
#Provision Commands
 
#MD
snmpset -v3 -u markLI -a MD5 -A cisco123 -l AuthNoPriv 10.66.76.16 cTap2MediationStatus.2 i 4 cTap2MediationDestAddressType.2 i 1 cTap2MediationDestAddress.2 d "10 66 76 120" cTap2MediationDestPort.2 u 9995 cTap2MediationTransport.2 i 1 cTap2MediationTimeout.2 x "07DE 02 1C 00 00 00 00" cTap2MediationSrcInterface.2 i 0
 
#IP Details for Sub
snmpset -v3 -u markLI -a MD5 -A cisco123 -l AuthNoPriv 10.66.76.16 citapStreamAddrType.2.5 i 1 citapStreamDestinationAddress.2.5 d "10 66 76 77" citapStreamDestinationLength.2.5 u 0 citapStreamDestL4PortMin.2.5 u 0  citapStreamDestL4PortMax.2.5 u 65535 citapStreamSourceAddress.2.5 d "10 66 76 77" citapStreamSourceLength.2.5 u 32 citapStreamSourceL4PortMin.2.5 u 0  citapStreamSourceL4PortMax.2.5 u 65535 citapStreamFlowId.2.5 i -1 citapStreamProtocol.2.5 i -1 citapStreamTosByte.2.5 i 0 citapStreamTosByteMask.2.5 i 0 citapStreamInterface.2.5 i -1 citapStreamVRF.2.5 s "" citapStreamStatus.2.5 i 4
 
snmpset -v3 -u markLI -a MD5 -A cisco123 -l AuthNoPriv 10.66.76.16 citapStreamAddrType.2.6 i 1 citapStreamDestinationAddress.2.6 d "10 66 76 77" citapStreamDestinationLength.2.6 u 32 citapStreamDestL4PortMin.2.6 u 0  citapStreamDestL4PortMax.2.6 u 65535 citapStreamSourceAddress.2.6 d "10 66 76 77" citapStreamSourceLength.2.6 u 0 citapStreamSourceL4PortMin.2.6 u 0  citapStreamSourceL4PortMax.2.6 u 65535 citapStreamFlowId.2.6 i -1 citapStreamProtocol.2.6 i -1 citapStreamTosByte.2.6 i 0 citapStreamTosByteMask.2.6 i 0 citapStreamInterface.2.6 i -1 citapStreamVRF.2.6 s "" citapStreamStatus.2.6 i 4
 
#Generic Stream for Sub, turns on Tap
snmpset -v3 -u markLI -a MD5 -A cisco123 -l AuthNoPriv 10.66.76.16 cTap2StreamType.2.5 i 1 cTap2StreamInterceptEnable.2.5 i 1 cTap2StreamStatus.2.5 i 4
snmpset -v3 -u markLI -a MD5 -A cisco123 -l AuthNoPriv 10.66.76.16 cTap2StreamType.2.6 i 1 cTap2StreamInterceptEnable.2.6 i 1 cTap2StreamStatus.2.6 i 4
 
#Remove Tap
snmpset -v3 -u markLI -a MD5 -A cisco123 -l AuthNoPriv 10.66.76.16 citapStreamStatus.2.5 i 6 citapStreamStatus.2.6 i 6 
snmpset -v3 -u markLI -a MD5 -A cisco123 -l AuthNoPriv 10.66.76.16 cTap2StreamStatus.2.5 i 6 cTap2StreamStatus.2.6 i 6 
snmpset -v3 -u markLI -a MD5 -A cisco123 -l AuthNoPriv 10.66.76.16 cTap2MediationStatus.2 i 6
 
#Check if tap is intercepting packets
snmpget -v3 -u markLI -a MD5 -A cisco123 -l AuthNoPriv 10.66.76.16 cTap2StreamInterceptedHCPackets.2.5 cTap2StreamInterceptedHCPackets.2.6 
 
 
Source: Mark Fisher (markfis) <markfis@cisco.com>
