Setting static routes via SNMP

Hi,

I'm working on a script that needs to feed static routes to Cisco
routers using SNMPv3 in a secure way. I have done a lot of research and
have found some discussion on this issue, but nothing really
conclusive, so here I am...

Before doing the coding I'm trying to get it done using command line
SNMP functions on a Linux box (I'm using Net-SNMP v5.2.1.2).

This is what I issue on the Linux box:

[email protected] ~ $ snmpset -v3 -n "" -u xxxxxx -l authPriv -a md5 -A
xxxxxxxx -x DES -X xxxxxxxx x.x.x.x ipRouteDest a 192.168.108.0
ipRouteMetric1 i 0 ipRouteNextHop a 192.168.20.15 ipRouteType i 4
ipRouteProto i 2 ipRouteMask a 255.255.255.0
Error in packet.
Reason: noCreation (That table does not support row creation or that
object can not ever be created)
Failed object: RFC1213-MIB::ipRouteDest

If I turn on "snmp packets" debugging on the router (Cisco 2651XM
running IOS Version 12.3(11)T7) this is what I see:

Router2-2651XM#
*May 31 00:46:20.060 UTC: SNMP: Packet received via UDP from z.z.z.z on
FastEthernet0/0
*May 31 00:46:20.060 UTC: SNMP: Report, reqid 186108404, errstat 0,
erridx 0
internet.6.3.15.1.1.4.0 = 119
*May 31 00:46:20.076 UTC: SNMP: Packet sent via UDP to z.z.z.z
*May 31 00:46:20.268 UTC: SNMP: Packet received via UDP from z.z.z.z on
FastEthernet0/0
*May 31 00:46:20.280 UTC: SNMP: Set request, reqid 186108405, errstat
0, erridx 0
ipRouteEntry.1 = 192.168.108.0
ipRouteEntry.3 = 0
ipRouteEntry.7 = 192.168.20.15
ipRouteEntry.8 = 4
ipRouteEntry.9 = 2
ipRouteEntry.11 = 255.255.255.0
*May 31 00:46:20.356 UTC: SNMP: Response, reqid 186108405, errstat 11,
erridx 1
ipRouteEntry.1 = 192.168.108.0
ipRouteEntry.3 = 0
ipRouteEntry.7 = 192.168.20.15
ipRouteEntry.8 = 4
ipRouteEntry.9 = 2
ipRouteEntry.11 = 255.255.255.0
*May 31 00:46:20.440 UTC: SNMP: Packet sent via UDP to z.z.z.z
Router2-2651XM#

I believe that I need to "word" my command in a different way... maybe
using specific instances or indexes for the ipRoutexxx OIDs? I'm
lacking some conceptual knowledge about the use of tables here, since I
was able to set scalar values using the snmpset command (for example,
the sysContact string).

Anybody done this before? I really need to get this tool working, so
any help will be HIGHLY APPRECIATED!!!!

Thanks,

James

 

Hi James,

The following should do the trick:

snmpset -v3 -n "" -u xxxxxx -l authPriv -a md5 -A
xxxxxxxx -x DES -X xxxxxxxx x.x.x.x ipRouteDest.192.168.108.0 a
192.168.108.0
ipRouteMetric1.192.168.108.0 i 0 ipRouteNextHop.192.168.108.0 a
192.168.20.15 ipRouteType.192.168.108.0 i 4
ipRouteProto.192.168.108.0 i 2 ipRouteMask.192.168.108.0 a 255.255.255.0

You were right with the assumption that you needed to provide
an index value along with each column OID.

Regards,
Frank Fock

 

I found snmplink.org MIB browser useful if you want to understand the
table structures.
Goto MIBS, then cisco, online viewer.. you can search a OID
number/name/or MIB description

 

Frank,

Thanks a lot for your help... I had already tried that with no luck,
but I went ahead and tried it again, carefully checking syntax just in
case, and here's what I get:

[email protected] ~ $ snmpset -v3 -n "" -u xxxxx -l authPriv -a md5 -A
xxxxxxxx -x DES -X xxxxxxxx x.x.x.x ipRouteDest.192.168.108.0 a
192.168.108.0 ipRouteMetric1.192.168.108.0 i 0
ipRouteNextHop.192.168.108.0 a 192.168.20.15 ipRouteType.192.168.108.0
i 4 ipRouteProto.192.168.108.0 i 2 ipRouteMask.192.168.108.0 a
255.255.255.0
Error in packet.
Reason: noCreation (That table does not support row creation or that
object can not ever be created)
Failed object: RFC1213-MIB::ipRouteDest.192.168.108.0

On the router side, having added debug snmp options "headers",
"sessions" and "requests" ("packets" was on already), I get:

Router2-2651XM#
*May 31 22:19:48.226 UTC: SNMP: Packet received via UDP from z.z.z.z on
FastEthernet0/0
*May 31 22:19:48.226 UTC:
Incoming SNMP packet
*May 31 22:19:48.230 UTC: v3 packet security model: v3
security level: noauth
*May 31 22:19:48.230 UTC: username:
*May 31 22:19:48.230 UTC: snmpEngineID: 8000000903000014A990C3E0
*May 31 22:19:48.230 UTC: snmpEngineBoots: 0 snmpEngineTime: 0
*May 31 22:19:48.230 UTC: SNMP: Report, reqid 28602275, errstat 0,
erridx 0
internet.6.3.15.1.1.4.0 = 124
*May 31 22:19:48.242 UTC: SNMP: Packet sent via UDP to z.z.z.z
*May 31 22:19:48.454 UTC: SNMP: Packet received via UDP from z.z.z.z on
FastEthernet0/0
*May 31 22:19:48.462 UTC: SNMP: Set request, reqid 28602276, errstat 0,
erridx 0
ipRouteEntry.1.192.168.108.0 = 192.168.108.0
ipRouteEntry.3.192.168.108.0 = 0
ipRouteEntry.7.192.168.108.0 = 192.168.20.15
ipRouteEntry.8.192.168.108.0 = 4
ipRouteEntry.9.192.168.108.0 = 2
ipRouteEntry.11.192.168.108.0 = 255.255.255.0
*May 31 22:19:48.538 UTC:
Incoming SNMP packet
*May 31 22:19:48.538 UTC: v3 packet security model: v3
security level: priv
*May 31 22:19:48.542 UTC: username: xxxxx
*May 31 22:19:48.542 UTC: snmpEngineID: 8000000903000014A990C3E0
*May 31 22:19:48.542 UTC: snmpEngineBoots: 4 snmpEngineTime: 2917897
*May 31 22:19:48.542 UTC: SNMP: Response, reqid 28602276, errstat 11,
erridx 1
ipRouteEntry.1.192.168.108.0 = 192.168.108.0
ipRouteEntry.3.192.168.108.0 = 0
ipRouteEntry.7.192.168.108.0 = 192.168.20.15
ipRouteEntry.8.192.168.108.0 = 4
ipRouteEntry.9.192.168.108.0 = 2
ipRouteEntry.11.192.168.108.0 = 255.255.255.0
*May 31 22:19:48.630 UTC: SNMP: Packet sent via UDP to z.z.z.z
Router2-2651XM#

Maybe if we knew what the error codes in line "*May 31 22:19:48.542
UTC: SNMP: Response, reqid 28602276, errstat 11, erridx 1" mean...

Any more ideas, anybody?

James

 

Well, I can't think of any ideas specific to this, but I do have a
question - what and how will you be using this? There may be a much
simpler way to accomplish this than writing this script.

 

I'm with a large service provider installing VPN managed services,
using a VPN deployment tool for this. For a specific reason we're not
able to use the template feature of this tool which is what would allow
to add non-VPN specifics to each customer VPN router configuration
(like some static routes needed in many of the customer scenarios).

So I'm building a script that will allow the people turning up these
routers to automate the verification and addition of static routes in a
secure way (SNMP v3 with authentication & encryption).

I'm kind of getting to a dead-end here now, so if anybody can think of
anything I'll be glad to hear it!!!

Thanks,

J.

 

If the customer VPN router is configured with SSH ( and in a VPN
environment it should be), then a simple SSH script to add the statics
via IOS CLI should work with no problem

 

Agreed, but that raises some internal issues (mostly non-technical) so
I really need to do this via SNMP...
J.

 

The objects you are trying to use are hopelessly outdated. The table
indexing in the ipRouteTable does not allow to represent classless
forwarding table entries, something we are all going for more than
a decade now.

The IETF has developed better forwarding tables to address the
shortcomings of the RFC1213 objects. The latest version of the IETF
blessed forwarding table can be found in RFC 4292. Note that this
document also explains the historic evolution, namely

ipRouteTable -> ipForwardTable -> ipCidrRouteTable -> inetCidrRouteTable

Please check whether your target device supports the ipCidrRouteTable.
This table supports a RowStatus column (ipCidrRouteStatus) which can
be used to do proper row creation. If your target device does not
support a writable ipCidrRouteTable, you should consider to find a
way to get out of the project.

/js