Configuring Syslog

The Cisco 67x has a built-in syslog facility, but it has limited memory and can be cumbersome to access. The Cisco has the capability to send syslog messages to a central syslog server, and I just happen to maintain such a server on my network. My syslog server currently runs Ubuntu Server 12.04.2 LTS (Precise Pangolin) and I use the provided rsyslogd (5.8.6). To configure it, edit /etc/rsyslog.conf and ensure UDP support is enabled (I had to uncomment the following lines).

$ModLoad imudp
$UDPServerRun 514

I also had to add a firewall rule to allow the traffic.

iptables -A INPUT -i eth1 -s <cisco ip>/32 -p udp --dport 514 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -d <cisco ip>/32 -p udp --sport 514 -m state --state RELATED,ESTABLISHED -j ACCEPT

Next, configure the Cisco to send its syslog messages to the remote server. This consists of connecting to the Cisco, configuring syslog, writing the config, rebooting, and testing.

User Access Verification
Password:********

cbos>enable
Password:********

cbos#set syslog enabled
SYSLOG is enabled

cbos#set syslog remote <syslog server ip>
SYSLOG will now send messages to <syslog server ip>

cbos#set syslog port 514
SYSLOG will now use port 514

cbos#write
Warning: traffic may pause while NVRAM is being modified
NVRAM written.

cbos#reboot

Obviously, you need to replace <syslog server ip> with an actual IP. Adjust the port if necessary. Once the reboot is complete, you can test it.

cbos#set syslog test testing syslog from cisco 678
Message: "testing syslog from cisco 678" sent via syslog

You should see the message appear in your logs on the central syslog server.

user@syslog$ tail /var/log/syslog.log
May 24 18:29:11 <cisco ip> "testing sysylog from cisco 678"

If the message doesn’t appear in the syslog logs, check for errors on the Cisco.

cbos#show errors
- Current Error Messages -
## Ticks Module Level Message
 0 000:00:00:00 SYSLOG Alarm Could not send message

If the error “Could not send message” appears, verify that the Cisco was configured correctly. Note: the Cisco will probably fail until the config is written and the device is rebooted.

Messages from the Cisco should now be appearing in your central syslog logs.

Configuring SNMP

The Cisco 678 has built-in support for SNMP, and it’s fairly straight-forward to enable. My goal is to use Net-SNMP to monitor the performance and general health of the Cisco. To setup the 678 to support SNMP, add a ‘manager’ (use “set snmp manager” for details). In my example, <client ip> is the IP of the machine generating SNMP requests, and “internal” is the name of my SNMP ‘community’.

cbos#set snmp manager <client ip> internal read enable all
Added SNMP Manager

cbos#set snmp enable
SNMP enabled

cbos#write
Warning: traffic may pause while NVRAM is being modified
NVRAM written.

cbos#reboot

The Cisco should now respond to SNMP requests originating from <client ip>. Net-SNMP includes several tools, such as snmpwalk, that can be used to test the setup. This can be done on an Ubuntu client as follows.

user$ sudo apt-get install -y snmp
user$ snmpwalk -r 0 -v1 -c internal <cisco ip>

The output of both commands has been omitted, but the system information for the Cisco should look similar to the following.

user$ snmpwalk -r0 -v1 -c internal <cisco ip> system
SNMPv2-MIB::sysDescr.0 = STRING: Cisco CPE SNMPv3 Agent
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.10.1.1
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (8835020) 1 day, 0:32:30.20
SNMPv2-MIB::sysContact.0 = STRING: Cisco Systems, Inc
SNMPv2-MIB::sysName.0 = STRING: CBOS675
SNMPv2-MIB::sysLocation.0 = STRING: Irvine
SNMPv2-MIB::sysServices.0 = INTEGER: 72

Note: Net-SNMP 5.4.3 was having problems translating OID numbers into more human-friendly strings. Eventually, Google led me to several articles explaining a bug in 5.4 that caused Net-SNMP to fail when reading MIB files to translate the OID numbers. It was necessary for me to build and install 5.7.1 to resolve this problem. If you’re using 5.4.3, then you may need to change your command, and the result will be different (and more cryptic).

user$ snmpwalk -r0 -v1 -c internal <cisco ip> .1.3.6.1.2.1.1
iso.3.6.1.2.1.1.1.0 = STRING: "Cisco CPE SNMPv3 Agent"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.9.10.1.1
iso.3.6.1.2.1.1.3.0 = Timeticks: (8887560) 1 day, 0:41:15.60
iso.3.6.1.2.1.1.4.0 = STRING: "Cisco Systems, Inc"
iso.3.6.1.2.1.1.5.0 = STRING: "CBOS675"
iso.3.6.1.2.1.1.6.0 = STRING: "Irvine"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72

Most of the examples I found online use mrtg (along with Apache, cron, and rrdtool) to generate web-accessible graphs of  data collected via SNMP. This isn’t the model I’m using, but Google can lead you to the answer; I’m using a custom tool to record specific parameters as part of my overall network monitoring.

A Final Thought

Between syslog and SNMP, it should be relatively easy to keep an eye on a Cisco 678 or 675. It’s worth noting that there are some security trade offs to consider when enabling SNMP. In my setup, I was able to disable my 678’s telnet server, but end up exposing its SNMP functionality. This may or may not be advisable in your environment.

Connecting

The 678 can be reset and configured using the LAN port, but connecting to the management port using the provided management cable is safer. If you don’t have a management cable, Cisco is kind enough to tell you how (basically, a DB9 to RJ45 cable). If you’re stuck using the LAN, then do your homework, double check your work, and be prepared to accept defeat. I use telnet when connecting over the LAN and screen, tip, or cu when connecting with the management cable.

When the connection is initially opened, the router should prompted for the exec password. If the router/modem is already running when the connection is opened, then it may be necessary to hit enter to trigger the prompt.

If you don’t know the exec or enable passwords for your router/modem, then check out the Password Recovery Procedure for the Cisco 6xx.

Resetting

Start by resetting the router/modem to a known state. If the current state is a complete disaster, then it can be completely reset using RMON. See Erase the Configuration from the Password Recovery Procedure for details. Typically, the router/modem can be reset by connecting and erasing the configuration in normal mode (shown below).

This is where working with the LAN can be tricky. If the configuration is erased and written, but the connection is dropped before a new configuration is written, the router could be left in an unknown/undesirable state. If you’re connected using the LAN, skip the reboot step at the end. And, good luck!

User Access Verification
Password: <your password>

cbos>enable
Password: <your password>

cbos#set nvram erase
Erasing Running Configuration.
You must use "write" for changes to be permanent.

cbos#write 
Warning: traffic may pause while NVRAM is being modified
NVRAM written.

cbos#reboot

The router/modem will reboot into a “clean” state with no configuration (including blank passwords).

Configuring

My configuration is fairly straight forward. I have a single external IP and a handful of devices that use network address translation (NAT) to access the outside world. Most of my internal network is assigned static IPs, but I maintain a small pool of IPs for (mostly wireless) DHCP devices. In my setup, my Cisco 678 acts as the modem and router, but it’s possible to configure the 678 as a simple modem bridged to another device that handles PPP, NAT, DHCP, etc. For details, see the RFC 1483 Routing section in the Cisco 600 Series Installation and Operation Guide.

I start by connecting and setting the passwords for exec and enable.

User Access Verification
Password:<your password; blank after reset>

cbos>enable
Password:<your password; blank after reset>

cbos#set password exec <new password>
Exec Password Change Successful!

cbos#set password enable <new password>
Enable Password Change Successful!

Next, configure the PPP connection.

cbos#set ppp wan0-0 ipcp 0.0.0.0
PPP wan0-0 IPCP Address set to 0.0.0.0

cbos#set ppp wan0-0 dns 0.0.0.0
PPP wan0-0 DNS Server Addresses set to 0.0.0.0

cbos#set ppp wan0-0 authentication enable
PAP and CHAP Authentication is now enabled on specified port

cbos#set ppp wan0-0 login <your login>
User name for wan0-0 has been set to <your login>

cbos#set ppp wan0-0 password <your password>
Password for wan0-0 has been set to <your password>.

cbos#set ppp restart enabled
CPE Remote Restart is now enabled...

Next, enable network address translation (NAT).

cbos#set nat enabled
NAT is now enabled
You must use "write" then reboot for changes to take effect.

Next, configure the internal/local network. The LAN port is eth0, and the following example sets the router/modem’s IP to 10.0.0.1.

cbos#set interface eth0 address 10.0.0.1
eth0 ip address changed from 10.0.0.1 to 10.0.0.1

Next, setup a DHCP server for the internal/local network. The following example allocates a pool of 16 IPs starting at 10.0.0.200, sets a DNS server to pass to DHCP clients, and a gateway that points to the router.

cbos#set dhcp server enabled
DHCP Server enabled

cbos#set dhcp server pool 0 ip 10.0.0.200 size 16 netmask 255.255.255.0
Pool 0 IP parameter is now 10.0.0.200

cbos#set dhcp server pool 0 dns <dns server IP>
Pool 0 DNS parameter is now <dns server IP>

cbos#set dhcp server pool 0 gateway 10.0.0.1
Pool 0 gateway parameter is now 10.0.0.1

cbos#set dhcp server pool 0 enabled
DHCP Server Pool 0 now enabled

Next, configure the WAN port. Before executing the following steps, disconnect the phone line. Once the configuration is complete and written, the phone line can be reconnected.

cbos#set interface wan0-0 close
Closing connection wan0-0

cbos#set interface wan0-0 vpi 0
Change completed.

cbos#set interface wan0-0 vci 32
Change completed.

cbos#set interface wan0-0 open
Opening connection wan0-0

Finally, write the configuration and reboot.

cbos#write
Warning: traffic may pause while NVRAM is being modified
NVRAM written.

cbos#reboot

Validating

At this point, I like to connect over the LAN and issue a few commands to validate that the running configuration was persisted correctly, the DSL line is trained and authenticated, and the connection’s upstream and downstream data rates are correct (verify you’re getting what you pay for).

User Access Verification
Password: <your password>

cbos>enable
Password: <your password>

cbos#show nvram
Warning: traffic may pause while NVRAM is being accessed
[[ CBOS = Section Start ]]
NSOS MD5 Enable Password = <omitted>
NSOS Remote Restart = enabled
NSOS MD5 Root Password = <omitted>
NSOS MD5 Commander Password = <omitted>
[[ PPP Device Driver = Section Start ]]
PPP Port Option = 00, IPCP,IP Address,3,Auto,Negotiation Not Required,Negotiable,IP,0.0.0.0
PPP Port Option = 00, IPCP,Primary DNS Server,129,Auto,Negotiation Not Required,Negotiable,IP,0.0.0.0
PPP Port Option = 00, IPCP,Secondary DNS Server,131,Auto,Negotiation Not Required,Negotiable,IP,0.0.0.0
PPP Port User Name = 00, <omitted>
PPP Port User Password = 00, ****
[[ IP Routing = Section Start ]]
IP NAT = enabled
[[ DHCP = Section Start ]]
DHCP Server = enabled
DHCP Server Pool IP = 00, 10.0.0.200
DHCP Server Pool DNS = 00, <omitted>
[[ ATM WAN Device Driver = Section Start ]]
ATM WAN Virtual Connection Parms = 00, 0, 32, 0

cbos#show interface wan0
wan0 ADSL Physical Port
 Line Trained
Actual Configuration:
 Overhead Framing: 3
 Trellis Coding: Enabled
 Standard Compliance: T1.413
 Downstream Data Rate: 6144 Kbps
 Upstream Data Rate: 896 Kbps
<omitted the rest... but there's lots more!>

cbos#show interface wan0-0
WAN0-0 ATM Logical Port
 PVC (VPI 0, VCI 32) is open.
 ScalaRate set to Auto
 AAL 5 UBR Traffic
 PPP LCP State: Opened
 PPP NCP State (IP Routing): Opened
 PPP MRU: 2048 HDLC Framing: disabled MPOA Mode: VC Mux
 PPP Login: <your login>
 Authentication Type: Autodetecting/PAP
 RADIUS: disabled
 PPP Tx: 113997 Rx: 387171 
 Dest IP: <omitted>
 Dest Mask: 255.255.255.255
 IP Port Enabled

If there are any problems, check out the Cisco 600 Series Installation and Operation Guide – Troubleshooting.