Maybe you have a dodgy router in the fleet, or a memory leak on one of them. This little snippet has bought me some time in some situations. Scheduling a reload is very simple. The applet below reloads the router every night at midnight. Two checks before you trust it: save the running config first, because a reload discards unsaved changes, and make sure the router's clock is right (NTP, or at least the correct time zone), because the cron entry fires on the router's own local time.
event manager applet daily-reload
event timer cron name daily-reload cron-entry "0 0 * * *"
action 1.0 syslog msg "Automated Reload Triggered"
action 1.1 reload
Jordan's Cisco Blog
Monday 28 September 2015
Friday 18 September 2015
Configuring IPv6 Prefix Delegation on a Cisco router for Ethernet or Dialer interfaces
This post shows an example of how to configure IPv6 on Ethernet or Dialer delivered services. This might come in handy if you want to configure IPv6 on Telstra TBiz on the NBN or pretty much any IPv6 delivered service.
So let's say, for example, your ISP has given you a PD (Prefix Delegation) of 2001:1111:2222:333::/56 and you'd like to give a couple of your attached VLANs onsite their own /64 subnets (a /56 holds 256 of them) for eating up the new IPv6 space on the internet.
It's actually pretty easy to do, but you're going to have to forget everything you ever knew about IPv4 because the game has changed slightly.
Firstly, let's pick up that nice new prefix delegation your ISP has given you. Log in, enter enable mode and go to configure terminal. Start by enabling IPv6 routing and Cisco Express Forwarding (CEF); without ipv6 unicast-routing the router will neither forward IPv6 nor send router advertisements to your LAN.
router(config)# ipv6 cef
router(config)# ipv6 unicast-routing
First things first: the best thing to do is make a new IPv6 ACL to keep the script kiddies out of your network. Everything on IPv6 is publicly routable. Goodbye NAT and sitting "safely" behind private IP addresses; that is no more. Once you're IPv6 configured, every host on your local LAN has a globally reachable address, so this inbound filter is what stands between the internet and your LAN. Let's create an ACL that allows only what needs to happen.
router(config)# ipv6 access-list IPV6-IN
router(config-ipv6-acl)# permit icmp any any
router(config-ipv6-acl)# permit tcp any any established
router(config-ipv6-acl)# permit udp any any eq 546
Note the UDP port 546. That is the DHCPv6 client port; the prefix delegation reply from your ISP's DHCPv6 server arrives on it, so it has to be allowed or you will never receive a prefix. Two caveats on this ACL: permit tcp any any established only matches segments with the ACK or RST bit set, so this is a stateless filter rather than stateful inspection, and everything not listed (including any inbound UDP other than DHCPv6) is dropped by the implicit deny at the end, apart from the neighbor discovery messages IOS permits implicitly. Once we have our new ACL, we're ready to configure our first interface.
Type in the interface facing your ISP. In this example, it's GigabitEthernet0/0. I'll assume you already have all the normal IPv4 things in here, so I won't show them in the below example.
I recommend that you configure a "link-local" address. It is normally generated from the interface's MAC address, however if you're using any subinterfaces or using port-channels, you can get duplicate link-local addresses and IPv6 simply won't work. For our internet facing interface, we'll give it a link-local address on FE80::1.
router(config)# interface GigabitEthernet0/0
router(config-if)# ! configure a link-local address
router(config-if)# ipv6 address FE80::1 link-local
router(config-if)# ! assign the first /64 of our new prefix delegation
router(config-if)# ipv6 address IPV6-PD ::1/64
router(config-if)# ! enable ipv6 on the interface
router(config-if)# ipv6 enable
router(config-if)# ! enable the router to find the default route
router(config-if)# ipv6 nd autoconfig default-route
router(config-if)# ! enable the DHCP client and assign a name of IPV6-PD to your prefix delegation
router(config-if)# ipv6 dhcp client pd IPV6-PD
router(config-if)# ! Assign our ACL to the interface
router(config-if)# ipv6 traffic-filter IPV6-IN in
Now is a good time to check whether you have received your prefix delegation. Because IPv6 is new, it's not uncommon for ISPs to stuff it up.
router# sh ipv6 dhcp int
It should show the interface in client mode with the delegated prefix listed under the IPV6-PD name. If this is all good, then carry on. Otherwise, something isn't right with your ISP (or your ACL is not letting UDP 546 in).
In this example, I have two VLANs to which I want to hand the next two /64s. VLAN 2 is on GigabitEthernet0/1.2 and VLAN 3 is on GigabitEthernet0/1.3.
Unfortunately there is an issue with how Windows processes ICMPv6 Router Advertisements (RAs) within its NDIS drivers. It is an issue which has long plagued many network administrators, and a quick Google search will show you that.
What happens is, say you have two VLANs, one for general use and another for VoIP, with frames tagged on the VoIP VLAN. If you enable IPv6 for both VLANs, Windows (in its wisdom) untags the RA frame from the router and passes it up to the operating system. What you end up with is a Windows client with an IPv6 address and gateway on the tagged VLAN as well as the untagged one, causing weird disconnection issues on Windows clients.
There is a workaround, but it involves some hackery which the router will complain about, and I'll show you how here. What you need to do is set the same link-local address on each subinterface. This includes things like port-channels. To do this, however, you'll need to effectively neutralise a feature called Duplicate Address Detection, or "DAD" for short.
Under configuration terminal, type the following:
router(config)# ipv6 nd dad time 1
This shortens the DAD wait to 1 ms rather than turning DAD off. Otherwise, if the router sees the same link-local address configured on different interfaces, it marks the address as a duplicate and disables IPv6 on that interface.
So here's what we do....
router(config)# interface GigabitEthernet0/1.2
router(config-subif)# ! configure a link-local address of FE80::2 for VLAN 2
router(config-subif)# ipv6 address FE80::2 link-local
router(config-subif)# ! Delegate the second /64 increment to this VLAN
router(config-subif)# ipv6 address IPV6-PD ::2:0:0:0:1/64
router(config-subif)# ! enable IPv6 on this interface
router(config-subif)# ipv6 enable
router(config-subif)# !
router(config-subif)# interface GigabitEthernet0/1.3
router(config-subif)# ! configure a link-local address of FE80::2 for VLAN 3 as well
router(config-subif)# ipv6 address FE80::2 link-local
router(config-subif)# ! Delegate the third /64 increment in this VLAN
router(config-subif)# ipv6 address IPV6-PD ::3:0:0:0:1/64
router(config-subif)# ! enable IPv6 on this interface
router(config-subif)# ipv6 enable
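The suffixes in the ipv6 address IPV6-PD lines are what make this work, so here is an added Python example (not IOS code and not from the original post) of the arithmetic: the delegated /56 supplies the first 56 bits and the suffix supplies the rest, so ::2:0:0:0:1 lands in subnet 2 of the delegation and ::3:0:0:0:1 in subnet 3. It normalises the page's 2001:1111:2222:333::/56 to the block the ISP would actually route, 2001:1111:2222:300::/56, and adds two checks IOS does not make for you: a suffix that sets bits inside the delegated /56 would build an address your ISP never routed to you, and a /56 only has 256 /64s, so VLAN numbers above 255 cannot be mapped one-to-one. The function names and the VLAN-number-equals-subnet-id mapping are this example's own.

```python
import ipaddress
from typing import Dict, Iterable


def pd_address(pd: str, suffix: str, plen: int = 64) -> ipaddress.IPv6Interface:
    """Model of 'ipv6 address <general-prefix> <suffix>/<plen>': the delegated prefix supplies
    the leading bits and the suffix the rest. The containment check is this example's own;
    a suffix bit inside the delegation would build an address the ISP never routed to you."""
    # strict=False drops host bits, so 2001:1111:2222:333::/56 becomes 2001:1111:2222:300::/56
    net = ipaddress.IPv6Network(pd, strict=False)
    suf = int(ipaddress.IPv6Address(suffix))
    if suf & int(net.netmask):
        raise ValueError(f"suffix {suffix} sets bits inside the delegated /{net.prefixlen}")
    if plen < net.prefixlen:
        raise ValueError(f"/{plen} is shorter than the delegated /{net.prefixlen}")
    addr = ipaddress.IPv6Address(int(net.network_address) | suf)
    return ipaddress.IPv6Interface(f"{addr}/{plen}")


def subnet_id(pd: str, iface: ipaddress.IPv6Interface) -> int:
    """Position of the interface's subnet inside the delegation (0 is the WAN ::1/64 above)."""
    net = ipaddress.IPv6Network(pd, strict=False)
    if not iface.network.subnet_of(net):
        raise ValueError(f"{iface.network} is outside {net}")
    offset = int(iface.network.network_address) - int(net.network_address)
    return offset >> (128 - iface.network.prefixlen)


def plan_vlans(pd: str, vlan_ids: Iterable[int]) -> Dict[int, ipaddress.IPv6Interface]:
    """Hand each VLAN the /64 whose subnet id equals its VLAN number, router address ::1,
    which is what the ::2:0:0:0:1 and ::3:0:0:0:1 suffixes on the page do by hand."""
    net = ipaddress.IPv6Network(pd, strict=False)
    if net.prefixlen > 64:
        raise ValueError("delegation is smaller than a /64; nothing to subnet")
    available = 1 << (64 - net.prefixlen)  # a /56 holds 256 /64s
    plan: Dict[int, ipaddress.IPv6Interface] = {}
    for vid in vlan_ids:
        if not 0 <= vid < available:
            raise ValueError(f"VLAN {vid} does not fit: a /{net.prefixlen} has only {available} /64s")
        router = ipaddress.IPv6Address(int(net.network_address) + (vid << 64) + 1)
        plan[vid] = ipaddress.IPv6Interface(f"{router}/64")
    return plan


if __name__ == "__main__":
    pd = "2001:1111:2222:333::/56"
    print("WAN   :", pd_address(pd, "::1"))
    for vid, iface in plan_vlans(pd, [2, 3]).items():
        print(f"VLAN {vid}:", iface, "(subnet id", subnet_id(pd, iface), ")")
```

Running it prints 2001:1111:2222:300::1/64 for the WAN side and 2001:1111:2222:302::1/64 and 2001:1111:2222:303::1/64 for VLANs 2 and 3, which is exactly what the router will show on those subinterfaces once the PD arrives; a suffix such as ::100:0:0:0:1 is refused because 0x100 sits in bit 55, inside the /56.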
You may be wondering by this point: what about a static default route? The good news is, you don't need one. It is learned from your ISP's router advertisements by the "ipv6 nd autoconfig default-route" command we entered earlier on your internet-facing interface.
Everything should now be good to go. A refresh of your local LAN adapter should mean you receive an IPv6 address. Yup, you don't even need to configure DHCP: your clients pick up the prefix from the router advertisements on each VLAN interface and build their own addresses (SLAAC). One thing the RA does not carry is DNS server addresses, unless you add RDNSS to it or run stateless DHCPv6 alongside, so clients keep using their IPv4 DNS servers until you do. Pretty cool, huh?
Note: some Dialer interfaces fail to refresh their prefix delegations after the Dialer interface comes back up, for example when ADSL performs a resync and forces the Dialer interface to reauthenticate.
The below is a workaround for the problem. I have not had this issue; however, if you do, this could come in handy. Thanks to Internode for this gem.
event manager applet MONITOR-IPV6-DHCP-APP
event syslog pattern "DIALER-6-BIND"
action 1.0 cli command "enable"
! Replace the Dialer interface with the correct number...
action 1.1 cli command "clear ipv6 dhcp client Dialer1"
action 2.0 syslog priority debugging msg "Refreshed IPv6 DHCP PD lease (Dialer rebind)"
!
Saturday 7 September 2013
Configuring Conditional DNS forwarding on a Cisco router
For whatever reason, you may wish to use your Cisco router as a primary DNS server. If you're stuck in a situation where you need to send certain DNS domain names to different DNS servers, then this post is for you!
Firstly we must set our default DNS servers:
ip name-server 203.50.2.71
ip name-server 139.130.4.4
Next, configure each set of DNS servers as a "view":
ip dns view default
dns forwarder 203.50.2.71
dns forwarder 139.130.4.4
ip dns view internal_dns
dns forwarder 192.168.0.10
dns forwarder 192.168.0.11
Now we match our DNS views into a "view-list"
ip dns view-list conditional
! the internal_dns view gets order number 10, so it is tried first, and answers only names matched by name-group 1
view internal_dns 10
restrict name-group 1
! the default view gets the highest order number, so it is tried last and catches everything the name-list did not match
view default 99
Define the names you wish to forward internally with a "name-list". The entries are regular expressions matched against the query name: the first catches reverse lookups under 10.in-addr.arpa, the second anything ending in .local (note the dot before LOCAL is unescaped, so it is a regex wildcard rather than a literal dot).
ip dns name-list 1 permit 10\.IN-ADDR
ip dns name-list 1 permit .*.LOCAL
Point the DNS server at the view-list "conditional" (the command calls it a view-group):
ip dns server view-group conditional
Lastly, enable the DNS server
ip dns server
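To see how the view-list above routes a query, here is an added Python model of it, not IOS code and not from the original post. It assumes IOS name-list patterns behave like ordinary unanchored, case-insensitive regular expressions, that the first matching entry decides, and that view-list members are tried in ascending order number; the query names are constructed. It surfaces two things the config above does not cover: reverse lookups for the 192.168.0.x servers themselves go to the public forwarders, because the name-list only matches 10.in-addr, and the unescaped dot in .*.LOCAL also sends a public name that merely contains "local" inside.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed model of the config on this page (not IOS code). Views name forwarders,
# name-lists hold ordered permit/deny regex entries, the view-list is walked by order number.
VIEWS: Dict[str, List[str]] = {
    "default": ["203.50.2.71", "139.130.4.4"],
    "internal_dns": ["192.168.0.10", "192.168.0.11"],
}
NAME_LISTS: Dict[int, List[Tuple[str, str]]] = {
    1: [("permit", r"10\.IN-ADDR"), ("permit", r".*.LOCAL")],
}
# (view, order number, name-list it is restricted to, or None for unrestricted)
VIEW_LIST: List[Tuple[str, int, Optional[int]]] = [
    ("internal_dns", 10, 1),
    ("default", 99, None),
]


def name_list_matches(number: int, qname: str) -> bool:
    """Assumed IOS semantics: patterns are unanchored, case-insensitive regex searches and
    the first entry that matches decides; a name matching no entry is not permitted."""
    for action, pattern in NAME_LISTS.get(number, []):
        if re.search(pattern, qname, re.IGNORECASE):
            return action == "permit"
    return False


def select_view(qname: str) -> str:
    """Lowest order number first; a view with no restriction answers everything left over."""
    for view, _order, group in sorted(VIEW_LIST, key=lambda member: member[1]):
        if group is None or name_list_matches(group, qname):
            return view
    raise LookupError(f"no view answers {qname}")


def forwarders_for(qname: str) -> List[str]:
    return VIEWS[select_view(qname)]


def leaks_to_public(qnames: List[str]) -> List[str]:
    """Names that would be sent to the public forwarders. Feed it your internal zones and
    reverse zones; anything it returns is a gap in the name-list."""
    return [q for q in qnames if select_view(q) == "default"]


if __name__ == "__main__":
    for q in ["printer.corp.local", "5.0.0.10.in-addr.arpa", "www.example.com",
              "10.0.168.192.in-addr.arpa", "notlocal.example.com"]:
        print(f"{q:28} -> {select_view(q):12} {forwarders_for(q)}")
```

If you rely on the internal servers for the 192.168.0.0/16 reverse zone, add a permit for 168\.192\.IN-ADDR to name-list 1; and escape the dot (\.LOCAL) if you only want names that really end in .local to go inside.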
Sunday 30 June 2013
Capturing Packets from a Cisco Router for Wireshark pcap
In case you wish to troubleshoot issues and view specific packet flows traversing your routers, you will need a TFTP server set up so that you can export your captures. Bear in mind that TFTP is unauthenticated and unencrypted and the capture holds full packet payloads, so run the TFTP server on a trusted management network and delete the file once you have it in Wireshark.
I use tftpd64 or tftpd32. It's a nice free, simple tftp daemon that runs on Windows: http://www.jounin.net/tftpd32.html
In this example, my tftp server is on 10.0.0.55.
First off, we need to create an access-list that matches the traffic you wish to capture. I am wanting to capture traffic traversing my router, to and from 32.55.55.32:
Router(config)# access-list 140 permit ip host 32.55.55.32 any
Router(config)# access-list 140 permit ip any host 32.55.55.32
This ACL will capture all traffic to and from this IP address.
Next we need to enable the Cisco packet monitoring service:
Router# monitor capture buffer holdpackets
Now we can filter the monitored traffic by filtering it through our access-list:
Router# monitor capture buffer holdpackets filter access-list 140
Now for some tweaks so that we actually get complete packet data for inspection in Wireshark: a 10240 KB buffer, and up to 9500 bytes captured per packet instead of the default 68-byte snapshot, so payloads are not truncated:
Router# monitor capture buffer holdpackets size 10240 max-size 9500
Now we need to name our particular packet capture. I have called mine "testcap"
Router# monitor capture point ip cef testcap all both
Router# monitor capture point associate testcap holdpackets
Now we can start our capture!
Router# monitor capture point start testcap
Once you think you have acquired enough packets, to stop the capture, type:
Router# monitor capture point stop testcap
Now you can export your data to your tftp server by typing in the following command. You can then open the .pcap file in Wireshark for viewing
Router# monitor capture buffer holdpackets export tftp://10.0.0.55/testcap.pcap
Once uploaded, remove the capture buffer and capture point so they no longer hold memory (or captured data) on the router:
Router# no monitor capture buffer holdpackets
Router# no monitor capture point ip cef testcap all both
To check if there are any current captures or parameters configured, you can use the following command:
Router# sh monitor capture point all
Wednesday 19 June 2013
Example of CBWFQ QoS and Shaping
Shaping to 30mbps Maximum:
ip access-list extended ShapeMe
permit ip 172.16.0.0 0.0.0.255 any
permit ip any 172.16.0.0 0.0.0.255
!
class-map match-any ShapeMe
match access-group name ShapeMe
!
policy-map ShapeMe
class ShapeMe
shape average 30m
! Will shape at 30mbps maximum
!
int g0/0
service-policy output ShapeMe
! Apply to output interface. If needed in both ingress and egress, apply to both inside and outside interfaces
Priority for SQL Traffic?
ip access-list extended SQL
permit tcp 10.113.32.0 0.0.3.255 10.113.176.0 0.0.3.255 range 1433 1434
permit tcp 10.113.176.0 0.0.3.255 10.113.32.0 0.0.3.255 range 1433 1434
class-map match-any SQL
match access-group name SQL
policy-map SQL
class SQL
priority 1024
! priority is in kbps: 1024 kbps (about 1mbps) of low-latency bandwidth guaranteed during congestion; SQL traffic above that rate is policed (dropped) while the link is congested
int g0/0
service-policy output SQL
! Apply to output interface. If needed in both ingress and egress, apply to both inside and outside interfaces
What if I just want to shape traffic by the interface it enters, e.g. an internet or WAN interface?
! Since you can only shape on output, not input, in this example I will shape to the upstream and downstream CIR rates of 100mbps down and 40mbps up. The inbound or internet interface is GigabitEthernet0/1. GigabitEthernet0/0 is the LAN side.
class-map match-any QoS_DOWN
match input-interface GigabitEthernet0/1
class-map match-any QoS_UP
match any
policy-map QoS_DOWN
class QoS_DOWN
shape average 100m
policy-map QoS_UP
class QoS_UP
shape average 40m
interface GigabitEthernet0/0
description LAN Interface
service-policy output QoS_DOWN
interface GigabitEthernet0/1
description Internet Interface
service-policy output QoS_UP
Sunday 19 May 2013
Configuration Example for Cisco 857/877W Config for Bigpond or Telstra Internet Direct
This config is straight out of a Cisco 857W router running on Bigpond. It has Wi-Fi enabled with WPA2 AES encryption. The Cisco is running IOS version 12.4. Placeholders in angle brackets are yours to fill in. One thing to look at before you paste it: the vty lines accept telnet as well as SSH, and telnet sends your login in the clear, so drop it from transport input unless you really need it (access-list 23 at least keeps management to the LAN).
service password-encryption
service internal
!
hostname <hostname>
!
enable secret <your enable password>
!
no aaa new-model
!
dot11 ssid <Your SSID>
 vlan 1
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii <Your Wireless Key>
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.138 10.0.0.254
!
ip dhcp pool LocalNet
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.138
 domain-name internet.local
 dns-server 10.0.0.138
 lease 365
!
ip cef
ip domain name internet.local
ip name-server <nameserver 1>
ip name-server <nameserver 2>
!
username admin secret <admin password>
!
bridge irb
!
interface ATM0
 no shutdown
 no ip address
 atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
 no shutdown
!
interface FastEthernet1
 no shutdown
!
interface FastEthernet2
 no shutdown
!
interface FastEthernet3
 no shutdown
!
interface Dot11Radio0
 no shutdown
 no ip address
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 ssid <Your SSID>
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2462
 station-role root
 world-mode dot11d country AU both
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 ip virtual-reassembly
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname <ISP Username>
 ppp chap password <ISP Password>
!
interface BVI1
 description LAN & WLAN Bridge
 ip address 10.0.0.138 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 23 permit 10.0.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
end
Wednesday 15 May 2013
Enabling SNMP and Netflow for Solarwinds NPM and NTA on Cisco ISR, ASR and ASA firewalls
This assumes that your Solarwinds collector and Netflow analyser are on 192.168.0.55.
For Cisco ASRs or ISRs with Flexible NetFlow:
Firstly, let's create an ACL for our Solarwinds server:
ip access-list standard Solarwinds
permit host 192.168.0.55
!
Now we can enable SNMP. The community string below is SNMPv2c, which travels in clear text and is the only thing standing between a reader and your full config and interface tables, so pick something other than the well-known "public" and keep the Solarwinds ACL on it so only the collector can use it:
snmp-server community tceo RO Solarwinds
snmp-server location Mario's Pizza Shop
snmp-server contact Mario Bros
Now to enable NetFlow:
flow record NETFLOW_RECORD
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
collect interface output
collect counter bytes
collect counter packets
!
flow exporter NETFLOW_EXPORT
destination 192.168.0.55
transport udp 2055
!
flow monitor NETFLOW_MONITOR
exporter NETFLOW_EXPORT
record NETFLOW_RECORD
Choose which interface to monitor traffic on for both ingress and egress. In this case I'm picking GigabitEthernet0/0/0
interface GigabitEthernet0/0/0
ip flow monitor NETFLOW_MONITOR input
ip flow monitor NETFLOW_MONITOR output
!
To check if all is working as expected, you can type the following command:
sh flow monitor
For Cisco ISR's without Flexible Netflow:
Firstly, lets create an ACL for our Solarwinds Server:
ip access-list standard Solarwinds
permit host 192.168.0.55
!
Now we can enable SNMP (the "public" community below is the well-known default; use your own string and keep the Solarwinds ACL on it):
snmp-server community public RO Solarwinds
snmp-server location Marios Pizza Shop
snmp-server contact Mario Bros
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
Now to enable NetFlow:
ip flow-export version 9
ip flow-export destination 192.168.0.55 2055
Choose which interface to monitor traffic on for both ingress and egress. In this case I'm picking Gi0/0
interface GigabitEthernet0/0
ip flow ingress
ip flow egress
!
To check if all is working as expected, you can type the following command:
sh ip cache flow
If you just want to use Netflow without the export to a Netflow collector, just negate the "ip flow-export" commands.
For ASA Firewalls:
This process is a bit more complicated on a Cisco ASA firewall than the above Cisco IOS configuration.
Firstly we name our Solarwinds Server:
name 192.168.0.55 Solarwinds
Enable SNMP:
snmp-server host dmz Solarwinds community public
snmp-server location Marios Pizza Shop
snmp-server contact Mario Bros
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
Now to enable Netflow - first we create an ACL for what traffic you wish to monitor - typically everything:
access-list netflow-export extended permit ip any any
Now we set the Netflow parameters:
flow-export destination <output interface name> Solarwinds 2055
flow-export template timeout-rate 3
flow-export delay flow-create 10
Configure our Netflow Classes:
class-map netflow-export-class
match access-list netflow-export
!
!
Configure our Policies:
policy-map global_policy
class netflow-export-class
flow-export event-type all destination Solarwinds
!