Discovering enabled & configured router features via SNMP

Discussion in 'Cisco' started by Brad Navarro, Aug 14, 2006.

  1. Brad Navarro

    Brad Navarro Guest

    Hi,

    Does anyone know how to discover if a particular featureset for a
    router has been configured and activated?

    I have been able to locate a list of available features for a given
    router, from the OID .1.3.6.1.4.1.9.9.25.1.1.1.2 (image string
    CW_FEATURE, ex. CW_FEATURE$IP|FIREWALL|VOICE|PLUS|SSH|3DES$), but I am
    unable to determine which of these listed features have been configured
    and activated, as opposed to simply being available.

    This is for an SNMP scan of a client site with many Cisco routers, not
    my own router(s), so I only have SNMP Read access to the machines, and
    nothing else, so I cannot rely on accessing the console, or web
    interface, etc.

    Thanks.
     
    Brad Navarro, Aug 14, 2006
    #1
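As an added illustration of the data the question is working from (not code from the thread): the rows of ciscoImageString under .1.3.6.1.4.1.9.9.25.1.1.1.2 are `CW_<TAG>$value$` records, and the CW_FEATURE body is a `|`-separated list of the features the *image* offers. The sample walk output, image name and version below are constructed placeholders; the inventory it produces is availability only, which is exactly the limit the thread goes on to discuss.

```python
import re
from typing import Dict, List

# Constructed sample of what an snmpwalk of ciscoImageString
# (.1.3.6.1.4.1.9.9.25.1.1.1.2) returns; image name and version are
# placeholders, not values from a real router.
SAMPLE_WALK = """\
.1.3.6.1.4.1.9.9.25.1.1.1.2.1 = STRING: "CW_BEGIN$EXAMPLE-IMAGE$"
.1.3.6.1.4.1.9.9.25.1.1.1.2.2 = STRING: "CW_IMAGE$EXAMPLE-IMAGE$"
.1.3.6.1.4.1.9.9.25.1.1.1.2.3 = STRING: "CW_FAMILY$EXAMPLE$"
.1.3.6.1.4.1.9.9.25.1.1.1.2.4 = STRING: "CW_FEATURE$IP|FIREWALL|VOICE|PLUS|SSH|3DES$"
.1.3.6.1.4.1.9.9.25.1.1.1.2.5 = STRING: "CW_VERSION$0.0(0)$"
.1.3.6.1.4.1.9.9.25.1.1.1.2.6 = STRING: "CW_END$EXAMPLE-IMAGE$"
"""

WALK_LINE = re.compile(r'^\S+\s*=\s*STRING:\s*"(?P<value>.*)"\s*$')
CW_TAG = re.compile(r'^CW_(?P<tag>[A-Z_]+)\$(?P<body>.*)\$$')


def parse_walk(text: str) -> List[str]:
    """Pull the quoted STRING values out of snmpwalk-style output lines."""
    values = []
    for line in text.splitlines():
        m = WALK_LINE.match(line.strip())
        if m:
            values.append(m.group("value"))
    return values


def parse_image_strings(values: List[str]) -> Dict[str, str]:
    """Map each CW_<TAG>$...$ record to its body; malformed rows are skipped."""
    tags = {}
    for v in values:
        m = CW_TAG.match(v)
        if m:
            tags[m.group("tag")] = m.group("body")
    return tags


def available_features(tags: Dict[str, str]) -> List[str]:
    """Split the CW_FEATURE body on '|' into the feature names the image offers."""
    return [f for f in tags.get("FEATURE", "").split("|") if f]


def feature_inventory(walk_text: str, wanted: List[str]) -> Dict[str, bool]:
    """Per wanted feature, report whether the image *offers* it.
    This is availability only: read-only SNMP says nothing about whether
    the feature is configured or active on the device."""
    feats = set(available_features(parse_image_strings(parse_walk(walk_text))))
    return {w: (w in feats) for w in wanted}
```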

  2. Brad Navarro

    Guest

    Brad Navarro wrote:
    > Hi,
    >
    > Does anyone know how to discover if a particular featureset for a
    > router has been configured and activated?
    >
    > I have been able to locate a list of available features for a given
    > router, from the OID .1.3.6.1.4.1.9.9.25.1.1.1.2 (image string
    > CW_FEATURE, ex. CW_FEATURE$IP|FIREWALL|VOICE|PLUS|SSH|3DES$), but I am
    > unable to determine which of these listed features have been configured
    > and activated, as opposed to simply being available.
    >
    > This is for an SNMP scan of a client site with many Cisco routers, not
    > my own router(s), so I only have SNMP Read access to the machines, and
    > nothing else, so I cannot rely on accessing the console, or web
    > interface, etc.


    "a client site "
    "I only have SNMP Read access"

    You have been stitched up.

    If the client wants your help they will give you what you need.

    If they won't give you what you need they have a different
    agenda from the one that they are making public.

    It is impossible to determine "which of these listed features have been
    configured and activated" with only snmp read access.

    Additionally, it seems to me that you do not have the experience
    necessary to do this work. No one with any cisco knowledge
    would use the phrase "which of these listed features have been
    configured and activated".

    As always, I wish you good luck.

    On the other hand, maybe it's not actually impossible to find
    out some stuff. Hard though, and there will always be uncertainties.
    Why bother?


    The thing that I can't figure out is what your agenda might be?
    Weird one.

    Politics is always such fun!! As long as it is someone else's problem.
     
    , Aug 15, 2006
    #2

  3. Brad Navarro

    Brad Navarro Guest

    wrote:

    > "a client site "
    > "I only have SNMP Read access"
    >
    > You have been stitched up.
    >
    > If the client wants your help they will give you what you need.
    >
    > If they won't give you what you need they have a different
    > agenda from the one that they are making public.
    >
    > It is impossible to determine "which of these listed features have been
    > configured and activated" with only snmp read access.
    >
    > Additionally, it seems to me that you do not have the experience
    > necessary to do this work. No one with any cisco knowledge
    > would use the phrase "which of these listed features have been
    > configured and activated".
    >
    > As always, I wish you good luck.
    >
    > On the other hand, maybe it's not actually impossible to find
    > out some stuff. Hard though, and there will always be uncertainties.
    > Why bother?
    >
    >
    > The thing that I can't figure out is what your agenda might be?
    > Weird one.
    >

    Simple. My company is doing an electronic discovery & inventory of
    their computers -- for their routers, I am using SNMP. You would be
    surprised at what you can discover with SNMP for inventory purposes, so
    I thought maybe I could discover configured settings as well, since I
    did discover "available features".

    This is a large client. We are talking thousands of Cisco routers.
    Anything other than SNMP is highly impractical -- no way could I walk
    up to each machine and access the console. One of the client's
    requirements is to determine what has been configured and activated on
    each of their Cisco boxes. I am not doing Network Management for them,
    they have people for that, they need an asset inventory solution, which
    is what my company provides. Unfortunately, SNMP is a real maze when
    it comes to trying to find stuff, and Cisco's dozens of proprietary
    MIBs don't make things any easier.

    I was just hoping that someone here might have run across a Cisco MIB
    or 2 that enumerates router features like SSH, FIREWALL, and DES3 that
    have been configured & activated.
     
    Brad Navarro, Aug 15, 2006
    #3
  4. In article <>,
    Brad Navarro <> wrote:

    >This is a large client. We are talking thousands of Cisco routers.
    >Anything other than SNMP is highly impractical -- no way could I walk
    >up to each machine and access the console.


    Any company with that many routers is going to have mechanisms to
    access the routers remotely, such as via ssh or SDM.

    >One of the client's
    >requirements is to determine what has been configured and activated on
    >each of their Cisco boxes. I am not doing Network Management for them,
    >they have people for that, they need an asset inventory solution, which
    >is what my company provides. Unfortunately, SNMP is a real maze when
    >it comes to trying to find stuff, and Cisco's dozens of proprietary
    >MIBs don't make things any easier.


    >I was just hoping that someone here might have run across a Cisco MIB
    >or 2 that enumerates router features like SSH, FIREWALL, and DES3 that
    >have been configured & activated.


    Not a chance, because simply knowing that a firewall feature is
    "configured and activated" is nearly meaningless.

    If I put an access control in place that explicitly allows all traffic,
    then that level of security is "configured and activated", but the
    functional result is identical to not having configured the access
    control. For security features, what you need is an analysis of the
    access policies, not a binary "Yes it was turned on".

    Similarly, it does not help you to know that there is an IPSec
    transform set configured that permits 3DES unless you analyze the
    crypto map access controls in order to determine whether it is possible
    to -reach- that crypto map entry -- since a higher priority entry might
    turn out to match all of that traffic and the higher priority entry
    might not permit 3DES.


    But since you seem to insist on SNMP, the answer is that Yes, you
    can do it via SNMP, but only if you have SNMP write access. I don't recall
    at the moment whether you need to have preconfigured a "service policy"
    statement for this to work, but what you do is use SNMP SET on one
    OID to configure a TFTP URI, and then you SNMP SET a different OID
    to trigger copying the configuration to the TFTP URI (you get to
    choose whether you want the current or the startup configuration,
    by the way.) And then, having collected the text configurations
    from each of the devices, you use some tool to analyze the
    configurations and figure out what is active and what is not.
    If you only have SNMP read-only access then you cannot use this
    approach.


    >each of their Cisco boxes. I am not doing Network Management for them,
    >they have people for that, they need an asset inventory solution, which


    Their Network Management people *ought* to be archiving device
    configurations already, and those configurations could be analyzed.
    Unfortunately in a large distributed organization, there might be
    numerous local network management people, some of whom might not
    yet have recognized the value of archiving the configurations.
     
    Walter Roberson, Aug 15, 2006
    #4
