Discovering enabled & configured router features via SNMP

Hi,

Does anyone know how to discover if a particular featureset for a router has been configured and activated?

I have been able to locate a list of available features for a given router, from the OID .1.3.6.1.4.1.9.9.25.1.1.1.2 (image string CW_FEATURE, ex. CW_FEATURE$IP|FIREWALL|VOICE|PLUS|SSH|3DES$), but I am unable to determine which of these listed features have been configured and activated, as opposed to simply being available.

This is for an SNMP scan of a client site with many Cisco routers, not my own router(s), so I only have SNMP Read access to the machines, and nothing else, so I cannot rely on accessing the console, or web interface, etc.

Thanks.

Reply to
Brad Navarro

"a client site " "I only have SNMP Read access"

You have been stitched up.

If the client wants your help they will give you what you need.

If they won't give you what you need they have a different agenda from the one that they are making public.

It is impossible to determine "which of these listed features have been configured and activated" with only snmp read access.

Additionally, it seems to me that you do not have the experience necessary to do this work. No one with any cisco knowledge would use the phrase "which of these listed features have been configured and activated".

As always, I wish you good luck.

On the other hand, maybe it's not actually impossible to find out some stuff. Hard though, and there will always be uncertainties. Why bother?

The thing that I can't figure out is what your agenda might be? Weird one.

Politics is always such fun!! As long as it is someone else's problem.

Reply to
anybody43

Simple. My company is doing an electronic discovery & inventory of their computers -- for their routers, I am using SNMP. You would be surprised at what you can discover with SNMP for inventory purposes, so I thought maybe I could discover configured settings as well, since I did discover "available features".

This is a large client. We are talking thousands of Cisco routers. Anything other than SNMP is highly impractical -- no way could I walk up to each machine and access the console. One of the client's requirements is to determine what has been configured and activated on each of their Cisco boxes. I am not doing Network Management for them, they have people for that, they need an asset inventory solution, which is what my company provides. Unfortunately, SNMP is a real maze when it comes to trying to find stuff, and Cisco's dozens of proprietary MIBs don't make things any easier.

I was just hoping that someone here might have run across a Cisco MIB or 2 that enumerates router features like SSH, FIREWALL, and DES3 that have been configured & activated.

Reply to
Brad Navarro

Any company with that many routers is going to have mechanisms to access the routers remotely, such as via ssh or SDM.

Not a chance, because simply knowing that a firewall feature is "configured and activated" is nearly meaningless.

If I put an access control in place that explicitly allows all traffic, then that level of security is "configured and activated", but the functional result is identical to not having configured the access control. For security features, what you need is an analysis of the access policies, not a binary "Yes it was turned on".

Similarly, it does not help you to know that there is an IPsec transform set configured that permits 3DES unless you analyze the crypto map access controls in order to determine whether it is possible to -reach- that crypto map entry -- since a higher-priority entry might turn out to match all of that traffic and the higher-priority entry might not permit 3DES.

But since you seem to insist on SNMP, the answer is that Yes, you can do it via SNMP, but only if you have SNMP write access. I don't recall at the moment whether you need to have preconfigured a "service policy" statement for this to work, but what you do is use SNMP SET on one OID to configure a TFTP URI, and then you SNMP SET a different OID to trigger copying the configuration to the TFTP URI (you get to choose whether you want the current or the startup configuration, by the way.) And then, having collected the text configurations from each of the devices, you use some tool to analyze the configurations and figure out what is active and what is not. If you only have SNMP read-only access then you cannot use this approach.

Their Network Management people *ought* to be archiving device configurations already, and those configurations could be analyzed. Unfortunately in a large distributed organization, there might be numerous local network management people, some of whom might not yet have recognized the value of archiving the configurations.

Reply to
Walter Roberson
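The SET-then-poll sequence described in the reply above, written out as an added example (not code from any poster in this thread). It uses the ccCopyTable columns of CISCO-CONFIG-COPY-MIB: one SET creates a row naming the protocol, source (running or startup config), destination, TFTP server and file name with RowStatus createAndGo, then ccCopyState is polled until successful or failed, and the row is destroyed. How a SET or GET reaches the router is left to two caller-supplied callables (wrappers around net-snmp, pysnmp, whatever you use); the FakeAgent class is a constructed stand-in so the sequence runs offline. The row index 101, the server 192.0.2.10 and the file name are arbitrary choices for the example.

```python
"""Trigger a config copy to TFTP through CISCO-CONFIG-COPY-MIB (ccCopyTable).

Added example for this thread, not code from any poster. Column numbers and
enumerations are the MIB's; the transport is abstracted into snmp_set/snmp_get
callables, and FakeAgent is a constructed stand-in for a router. A real router
needs an SNMP write community or an SNMPv3 user with write access.
"""
import time
from typing import Callable, List, Sequence, Tuple

Varbind = Tuple[str, str, object]  # (oid, net-snmp type letter, value)

CC_COPY_ENTRY = "1.3.6.1.4.1.9.9.96.1.1.1.1"  # ccCopyEntry
COL_PROTOCOL, COL_SOURCE_FILE_TYPE, COL_DEST_FILE_TYPE = 2, 3, 4
COL_SERVER_ADDRESS, COL_FILE_NAME = 5, 6
COL_STATE, COL_FAIL_CAUSE, COL_ROW_STATUS = 10, 13, 14

PROTO_TFTP = 1                                                   # ccCopyProtocol
FT_NETWORK_FILE, FT_STARTUP_CONFIG, FT_RUNNING_CONFIG = 1, 3, 4  # ccCopy*FileType
ROW_CREATE_AND_GO, ROW_DESTROY = 4, 6                            # RowStatus
STATE_SUCCESSFUL, STATE_FAILED = 3, 4                            # ccCopyState


def col(column: int, row: int) -> str:
    """Instance OID of one ccCopyEntry column for the chosen row index."""
    return f"{CC_COPY_ENTRY}.{column}.{row}"


def build_copy_varbinds(row: int, tftp_server: str, filename: str,
                        startup: bool = False) -> List[Varbind]:
    """All columns for one SET PDU; RowStatus createAndGo goes last so the
    agent sees a complete row when it activates it."""
    source = FT_STARTUP_CONFIG if startup else FT_RUNNING_CONFIG
    return [
        (col(COL_PROTOCOL, row), "i", PROTO_TFTP),
        (col(COL_SOURCE_FILE_TYPE, row), "i", source),
        (col(COL_DEST_FILE_TYPE, row), "i", FT_NETWORK_FILE),
        (col(COL_SERVER_ADDRESS, row), "a", tftp_server),   # IpAddress
        (col(COL_FILE_NAME, row), "s", filename),           # OCTET STRING
        (col(COL_ROW_STATUS, row), "i", ROW_CREATE_AND_GO),
    ]


def snmpset_argv(target: str, varbinds: Sequence[Varbind], version: str = "3",
                 auth: Sequence[str] = ()) -> List[str]:
    """net-snmp command line for the same SET, for callers that shell out
    (SNMPv3 credentials go in `auth`, e.g. -u/-l/-a/-A/-x/-X options)."""
    argv = ["snmpset", "-v", version, *auth, target]
    for oid, typ, value in varbinds:
        argv += [oid, typ, str(value)]
    return argv


def copy_config(snmp_set: Callable[[Sequence[Varbind]], None],
                snmp_get: Callable[[str], object], row: int, tftp_server: str,
                filename: str, startup: bool = False,
                timeout: float = 30.0, poll: float = 1.0) -> bool:
    """Create the copy row, wait for a terminal ccCopyState, always destroy the row."""
    snmp_set(build_copy_varbinds(row, tftp_server, filename, startup))
    deadline = time.monotonic() + timeout
    try:
        while True:
            state = int(snmp_get(col(COL_STATE, row)))
            if state == STATE_SUCCESSFUL:
                return True
            if state == STATE_FAILED:
                cause = snmp_get(col(COL_FAIL_CAUSE, row))
                raise RuntimeError(f"row {row}: copy failed, ccCopyFailCause={cause}")
            if time.monotonic() >= deadline:
                raise TimeoutError(f"row {row}: still in state {state} after {timeout}s")
            time.sleep(poll)
    finally:
        # Leaving stale rows behind exhausts the table on a busy device.
        snmp_set([(col(COL_ROW_STATUS, row), "i", ROW_DESTROY)])


class FakeAgent:
    """Constructed stand-in for a router: records SETs, answers GETs on the row."""

    def __init__(self, final_state: int = STATE_SUCCESSFUL, fail_cause: int = 0):
        self.sets: List[List[Varbind]] = []
        self.final_state, self.fail_cause = final_state, fail_cause

    def set(self, varbinds: Sequence[Varbind]) -> None:
        self.sets.append(list(varbinds))

    def get(self, oid: str) -> int:
        column = int(oid[len(CC_COPY_ENTRY) + 1:].split(".")[0])
        return {COL_STATE: self.final_state, COL_FAIL_CAUSE: self.fail_cause}.get(column, 0)


if __name__ == "__main__":
    agent = FakeAgent()
    print(copy_config(agent.set, agent.get, 101, "192.0.2.10", "r1-running.cfg", poll=0))
    print(snmpset_argv("r1.example.net", agent.sets[0], auth=["-u", "inventory", "-l", "authPriv"]))
```

Two caveats for a site-wide run: with SNMPv1/v2c the write community travels in cleartext, so a read-write string used this way should be SNMPv3 authPriv, and the device's TFTP traffic must actually be allowed to reach your collector (check the ccCopyFailCause value when a copy fails rather than assuming the MIB is unsupported). Newer MIB revisions also add ccCopyServerAddressType/ccCopyServerAddressRev1 for IPv6 targets; the IpAddress column used here is the older one the thread's IOS generation would have.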

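The "analyze the configurations" step from the reply above, as an added example that is not part of any post here: a small first-match analyser for collected IOS text configs that reports the distinction the reply draws between "configured" and "has an effect". It classifies each named ACL as permit-all, filtering, or unbound to any interface, and flags vty lines that still accept a cleartext transport. It covers named ACLs, interface bindings and vty transports only; crypto-map shadowing by a higher-priority entry is not modelled. SAMPLE_CONFIG is a constructed fragment, not any real device's configuration.

```python
"""Classify what a Cisco IOS text configuration actually makes active.

Added example for this thread, not code from any poster. IOS ACLs are
first-match, so a leading 'permit ip any any' means the ACL is configured and
applied yet filters nothing; an ACL bound to no interface is never consulted.
SAMPLE_CONFIG is constructed for the example.
"""
import json
import re
from typing import Dict, Iterator, List, Optional, Tuple

SAMPLE_CONFIG = """\
hostname r1
!
ip ssh version 2
!
ip access-list extended OUTSIDE-IN
 permit ip any any log
!
ip access-list extended INSIDE-OUT
 10 permit tcp 10.0.0.0 0.255.255.255 any eq 443
 20 deny ip any any log
!
ip access-list extended UNUSED
 deny ip any any
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip access-group INSIDE-OUT in
!
line vty 0 4
 transport input ssh
!
line vty 5 15
 transport input telnet ssh
"""


def iter_blocks(text: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (top-level line, indented child lines); '!' separators are skipped."""
    header: Optional[str] = None
    children: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            children.append(raw.strip())
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children


def acl_entries(body: List[str]) -> List[str]:
    """Keep permit/deny lines, dropping optional leading sequence numbers."""
    entries = []
    for line in body:
        parts = line.split()
        if parts and parts[0].isdigit():
            parts = parts[1:]
        if parts and parts[0] in ("permit", "deny"):
            entries.append(" ".join(parts))
    return entries


def classify_acl(entries: List[str]) -> str:
    """First-match semantics: a leading 'permit ip any any' shadows everything after it."""
    if not entries:
        return "empty"        # only the implicit deny remains
    if entries[0].split()[:4] == ["permit", "ip", "any", "any"]:
        return "permit-all"   # configured and applied, but filters nothing
    return "filtering"


def analyze(text: str) -> Dict:
    acls: Dict[str, List[str]] = {}
    bindings: Dict[str, List[str]] = {}
    report: Dict = {"ssh_version": None, "acls": {}, "vty": {}}
    for header, body in iter_blocks(text):
        words = header.split()
        if words[:2] == ["ip", "access-list"] and len(words) >= 4:
            acls[words[-1]] = acl_entries(body)
        elif words[0] == "interface":
            for line in body:
                m = re.fullmatch(r"ip access-group (\S+) (in|out)", line)
                if m:
                    bindings.setdefault(m.group(1), []).append(f"{words[1]} {m.group(2)}")
        elif words[:2] == ["line", "vty"]:
            transports = None
            for line in body:
                if line.startswith("transport input "):
                    transports = line.split()[2:]
            report["vty"][header] = {
                "transports": transports,
                # None: not explicit in the text, so the platform default applies
                "cleartext": None if transports is None else bool({"telnet", "all"} & set(transports)),
            }
        elif words[:3] == ["ip", "ssh", "version"]:
            report["ssh_version"] = int(words[3])
    for name, entries in acls.items():
        bound = bindings.get(name, [])
        report["acls"][name] = {
            "bound_to": bound,
            "effect": classify_acl(entries) if bound else "unbound",
            "entries": len(entries),
        }
    return report


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_CONFIG), indent=2))
```

On the sample, OUTSIDE-IN comes out as "permit-all" even though the firewall feature is plainly "configured and activated", INSIDE-OUT as "filtering", and UNUSED as "unbound"; the second vty range is flagged because telnet is still an accepted transport alongside ssh. Extending the same first-match idea to crypto maps means ordering the entries by sequence number and checking whether an earlier entry's match ACL covers the traffic before a later one is reached.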
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.