Network Management | SNMP , AAA
1. SNMP
Nexus 7000 | BTM-DsSW-GA01-LT.3
snmp-server community 4n6k45a*puR41!rw RW
snmp-server community 4P1_r3ad0nlY RO
snmp-server location Graha Building, 3rd floor
snmp-server contact IT Support
snmp-server enable traps sysmgr cseFailSwCoreNotifyExtended
snmp-server enable traps snmp authentication
snmp-server enable traps link cisco-xcvr-mon-status-chg
snmp-server enable traps system Clock-change-notification
snmp-server host 172.16.220.49 version 2c 4n6k45a*puR41!rw
snmp-server host 10.87.10.241 version 2c 4n6k45a*puR41!rw
snmp ifmib ifalias long
1. SNMP
snmp-server community 4n6k45a*puR41!rw RW
snmp-server community 4P1_r3ad0nlY RO
snmp-server location Graha Building, 3rd floor
snmp-server contact IT Support
snmp-server enable traps sysmgr cseFailSwCoreNotifyExtended
snmp-server enable traps snmp authentication
snmp-server enable traps link cisco-xcvr-mon-status-chg
snmp-server enable traps system Clock-change-notification
snmp-server host 172.16.220.49 version 2c 4n6k45a*puR41!rw
snmp-server host 10.87.10.241 version 2c 4n6k45a*puR41!rw
snmp ifmib ifalias long
1. SNMP
Juniper MX150
set snmp location "Gedung Serba Bisa, 2nd floor"
set snmp contact "IT Support"
set snmp community "4n6k45apuR41!rw" authorization read-write
set snmp community 4P1_r3ad0nlY authorization read-only
set snmp trap-options
set snmp trap-group AP1 version v2
set snmp trap-group AP1 categories authentication
set snmp trap-group AP1 categories chassis
set snmp trap-group AP1 categories link
set snmp trap-group AP1 categories startup
set snmp trap-group AP1 targets 10.87.10.241
set snmp location "Gedung Serba Bisa, 2nd floor"
set snmp contact "IT Support"
set snmp community "4n6k45apuR41!rw" authorization read-write
set snmp community 4P1_r3ad0nlY authorization read-only
set snmp trap-options
set snmp trap-group AP1 version v2
set snmp trap-group AP1 categories authentication
set snmp trap-group AP1 categories chassis
set snmp trap-group AP1 categories link
set snmp trap-group AP1 categories startup
set snmp trap-group AP1 targets 10.87.10.241
2. NetFlow
a. Cisco Nexus 7000 | BTM-DsSW-GA01-LT.3
feature netflow
flow timeout active 60
flow timeout inactive 15
!
flow exporter NFTrackerExporter
description #Export NetFlow to NFTracker#
destination 10.16.10.241
transport udp 9996
source loopback0
version 9
template data timeout 300
option exporter-stats timeout 60
option sampler-table timeout 60
!
sampler NFAsampler
mode 1 out-of 100
flow monitor NFTrackerMonitor
record netflow-original
exporter NFTrackerExporter
!
interface Ethernet1/41
ip flow monitor NFTrackerMonitor input sampler NFAsampler
exit
!
interface Ethernet1/42
ip flow monitor NFTrackerMonitor input sampler NFAsampler
exit
feature netflow
flow timeout active 60
flow timeout inactive 15
!
flow exporter NFTrackerExporter
description #Export NetFlow to NFTracker#
destination 10.16.10.241
transport udp 9996
source loopback0
version 9
template data timeout 300
option exporter-stats timeout 60
option sampler-table timeout 60
!
sampler NFAsampler
mode 1 out-of 100
flow monitor NFTrackerMonitor
record netflow-original
exporter NFTrackerExporter
!
interface Ethernet1/41
ip flow monitor NFTrackerMonitor input sampler NFAsampler
exit
!
interface Ethernet1/42
ip flow monitor NFTrackerMonitor input sampler NFAsampler
exit
b. Cisco Nexus 9000 for Layer 2
feature netflow
flow timeout 60
vrf context management
ip route 0.0.0.0/0 10.1.0.1
!
flow exporter NFAExporter
description #Export NetFlow to NFTracker#
destination 172.16.10.241 use-vrf management
transport udp 9996
source mgmt0
version 9
template data timeout 300
option exporter-stats timeout 60
option interface-table timeout 60
!
flow record NFARecord
match datalink ethertype
match ipv4 source address
match ipv4 destination address
match ip protocol
match transport source-port
match transport destination-port
collect counter bytes
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
flow monitor NFAmonitor
record NFARecord
exporter NFAExporter
!
interface port-channel Po 21
switchport
mac packet-classify
layer2-switched flow monitor NFAmonitor input
ip flow monitor NFAmonitor input
feature netflow
flow timeout 60
vrf context management
ip route 0.0.0.0/0 10.1.0.1
!
flow exporter NFAExporter
description #Export NetFlow to NFTracker#
destination 172.16.10.241 use-vrf management
transport udp 9996
source mgmt0
version 9
template data timeout 300
option exporter-stats timeout 60
option interface-table timeout 60
!
flow record NFARecord
match datalink ethertype
match ipv4 source address
match ipv4 destination address
match ip protocol
match transport source-port
match transport destination-port
collect counter bytes
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
flow monitor NFAmonitor
record NFARecord
exporter NFAExporter
!
interface port-channel Po 21
switchport
mac packet-classify
layer2-switched flow monitor NFAmonitor input
ip flow monitor NFAmonitor input
exit
!
interface port-channel Po 22
switchport
mac packet-classify
layer2-switched flow monitor NFAmonitor input
ip flow monitor NFAmonitor input
interface mgmt0
vrf member management
ip address 10.1.0.6/24
!
c. Cisco Switch Catalyst C9500
flow record NFARecordinput
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
collect interface output
collect counter bytes long
collect counter packets long
collect transport tcp flags
collect timestamp absolute first
collect timestamp absolute last
!
flow record NFARecordoutput
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface output
match flow direction
collect interface input
collect counter bytes long
collect counter packets long
collect transport tcp flags
collect timestamp absolute first
collect timestamp absolute last
!
flow exporter NFAExporter
destination 172.16.10.241
source Loopback0
transport udp 9996
template data timeout 60
!
flow monitor NFAMonitorinput
exporter NFAExporter
record NFARecordinput
cache timeout active 60
!
flow monitor NFAMonitoroutput
exporter NFAExporter
record NFARecordoutput
cache timeout active 60
!
interface Te1/1/1
ip flow monitor NFAMonitorinput input
ip flow monitor NFAMonitoroutput output
!
interface Te1/1/2
ip flow monitor NFAMonitorinput input
ip flow monitor NFAMonitoroutput output
!
interface Te2/1/1
ip flow monitor NFAMonitorinput input
ip flow monitor NFAMonitoroutput output
!
interface Te2/1/2
ip flow monitor NFAMonitorinput input
ip flow monitor NFAMonitoroutput output
!
switchport
mac packet-classify
layer2-switched flow monitor NFAmonitor input
ip flow monitor NFAmonitor input
exit
!interface mgmt0
vrf member management
ip address 10.1.0.6/24
!
c. Cisco Switch Catalyst C9500
flow record NFARecordinput
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
collect interface output
collect counter bytes long
collect counter packets long
collect transport tcp flags
collect timestamp absolute first
collect timestamp absolute last
!
flow record NFARecordoutput
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface output
match flow direction
collect interface input
collect counter bytes long
collect counter packets long
collect transport tcp flags
collect timestamp absolute first
collect timestamp absolute last
!
flow exporter NFAExporter
destination 172.16.10.241
source Loopback0
transport udp 9996
template data timeout 60
!
flow monitor NFAMonitorinput
exporter NFAExporter
record NFARecordinput
cache timeout active 60
!
flow monitor NFAMonitoroutput
exporter NFAExporter
record NFARecordoutput
cache timeout active 60
!
interface Te1/1/1
ip flow monitor NFAMonitorinput input
ip flow monitor NFAMonitoroutput output
!
interface Te1/1/2
ip flow monitor NFAMonitorinput input
ip flow monitor NFAMonitoroutput output
!
interface Te2/1/1
ip flow monitor NFAMonitorinput input
ip flow monitor NFAMonitoroutput output
!
interface Te2/1/2
ip flow monitor NFAMonitorinput input
ip flow monitor NFAMonitoroutput output
!
2. Tacacs+ AAA
a. Switch C9300-48P
|
b. Switch C9200-48P
| aaa new-model |
| aaa group server tacacs+ PST |
| server-private 10.1.50.40 key 7 batamsgp@123 |
| ip tacacs source-interface Vlan 210 |
| ! |
| aaa authentication login default group PST local |
| aaa authentication enable default group PST enable |
| ! |
| aaa accounting update newinfo |
| aaa accounting exec default start-stop group PST |
| aaa accounting commands 0 default start-stop group PST |
| aaa accounting commands 1 default start-stop group PST |
| aaa accounting commands 15 default start-stop group PST |
| aaa session-id common |
| ! |
| aaa authorization config-commands |
| aaa authorization exec default group PST local if-authenticated |
| aaa authorization commands 0 default group PST local if-authenticated |
| aaa authorization commands 1 default group PST local if-authenticated |
| aaa authorization commands 15 default group PST local if-authenticated |
| ! C. Switch C2960-24P aaa new-model aaa group server tacacs+ PST server-private 10.1.50.40 key batamsgp@123 ip tacacs source-interface Vlan 210 ! aaa authentication login default group PST local aaa authentication enable default group PST enable ! aaa accounting update newinfo aaa accounting exec default start-stop group PST aaa accounting commands 0 default start-stop group PST aaa accounting commands 1 default start-stop group PST aaa accounting commands 15 default start-stop group PST aaa session-id common ! aaa authorization config-commands aaa authorization exec default group PST local if-authenticated aaa authorization commands 0 default group PST local if-authenticated aaa authorization commands 1 default group PST local if-authenticated aaa authorization commands 15 default group PST local if-authenticated ! |
***
Noted: interface vlan 210 adalah IP Mgmt swith, dimana harus reachable antar IP ini dengan server tacacs
Noted: interface vlan 210 adalah IP Mgmt swith, dimana harus reachable antar IP ini dengan server tacacs
#########..SELESAI...##########
Keywoprd:
tacass
tacass+
ise
snmp
netflow
flow
login
vty
Posting Komentar untuk "Network Management | SNMP , AAA"