Sunday, April 27, 2014

PRTG monitors PPS on Cisco routers using SNMP



In this post I will explain how to monitor PPS (packets per second) on Cisco routers using SNMP in PRTG Network Monitor.

First login into the router and get the interface index table:

RTR#show snmp mib ifmib ifindex
FastEthernet1/1: Ifindex = 2
GigabitEthernet0/3: Ifindex = 6
GigabitEthernet0/1: Ifindex = 3
VoIP-Null0: Ifindex = 7
Loopback0: Ifindex = 10
Null0: Ifindex = 9
FastEthernet1/0: Ifindex = 1
GigabitEthernet0/2: Ifindex = 5
Tunnel1: Ifindex = 11
NVI0: Ifindex = 12
FastEthernet0/2: Ifindex = 4
SSLVPN-VIF0: Ifindex = 8
RTR#

Then open the PRTG console and add a new sensor to the device, search for SNMP Custom and choose SNMP Custom (not SNMP Custom String!).


Type a name for the sensor, something like the interface name with the packet direction (for example: Gi0/1 PPS in).

Enter the correct OID:



Use:
1.3.6.1.4.1.9.2.2.1.1.9 for output packets
1.3.6.1.4.1.9.2.2.1.1.7 for input packets

Don't forget to add the interface index number after the OID. For example, if I would like to monitor GigabitEthernet0/3 input packets per second, the correct OID will be: 1.3.6.1.4.1.9.2.2.1.1.7.6

Also add "/s" to the unit string to show that the unit is per second.

Click Continue and that's it.
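The following is an added example, not code from the original post: it parses the "show snmp mib ifmib ifindex" output shown above (embedded here as a constructed string) and builds the full per-interface OID for PRTG by appending the ifIndex to the two base OIDs from the post (the locIfInPktsSec and locIfOutPktsSec columns of OLD-CISCO-INTERFACES-MIB). The abbreviation table (Gi, Fa, Lo, Tu) is a hypothetical helper so that short names like "Gi0/1" from the sensor-naming step resolve to the full interface name.

```python
"""Build PRTG SNMP Custom OIDs for Cisco per-interface packets per second.

Added example (not from the original post). It parses the output of
"show snmp mib ifmib ifindex" and appends the ifIndex to the
locIfInPktsSec / locIfOutPktsSec base OIDs given in the post.
"""
import re

# Base OIDs from the post (OLD-CISCO-INTERFACES-MIB lifTable columns)
OID_IN_PPS = "1.3.6.1.4.1.9.2.2.1.1.7"   # locIfInPktsSec
OID_OUT_PPS = "1.3.6.1.4.1.9.2.2.1.1.9"  # locIfOutPktsSec

# Constructed sample: the router output from the post
SHOW_IFINDEX = """\
FastEthernet1/1: Ifindex = 2
GigabitEthernet0/3: Ifindex = 6
GigabitEthernet0/1: Ifindex = 3
VoIP-Null0: Ifindex = 7
Loopback0: Ifindex = 10
Null0: Ifindex = 9
FastEthernet1/0: Ifindex = 1
GigabitEthernet0/2: Ifindex = 5
Tunnel1: Ifindex = 11
NVI0: Ifindex = 12
FastEthernet0/2: Ifindex = 4
SSLVPN-VIF0: Ifindex = 8
"""

_LINE = re.compile(r"^(?P<name>\S+):\s+Ifindex\s*=\s*(?P<idx>\d+)\s*$")

# Hypothetical helper table: short forms admins type (e.g. "Gi0/1" in the post)
_ABBREV = {"gi": "GigabitEthernet", "fa": "FastEthernet",
           "lo": "Loopback", "tu": "Tunnel"}


def parse_ifindex_table(text):
    """Return {interface_name: ifIndex} from 'show snmp mib ifmib ifindex' output."""
    table = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            table[m.group("name")] = int(m.group("idx"))
    return table


def expand_name(short):
    """Expand 'Gi0/3' -> 'GigabitEthernet0/3'; full names pass through unchanged."""
    m = re.match(r"^([A-Za-z]+)(.*)$", short)
    if not m:
        return short
    prefix, rest = m.groups()
    return _ABBREV.get(prefix.lower(), prefix) + rest


def pps_oid(table, interface, direction):
    """Build the full OID for one interface and direction ('in' or 'out')."""
    base = {"in": OID_IN_PPS, "out": OID_OUT_PPS}[direction]
    name = expand_name(interface)
    if name not in table:
        raise KeyError(f"{name} not in ifIndex table; re-run show snmp mib ifmib ifindex")
    return f"{base}.{table[name]}"


if __name__ == "__main__":
    t = parse_ifindex_table(SHOW_IFINDEX)
    print(pps_oid(t, "GigabitEthernet0/3", "in"))   # the post's example: ...1.1.7.6
    print(pps_oid(t, "Gi0/1", "out"))
```

One caveat worth building into any such tooling: ifIndex values on IOS are not guaranteed to survive a reload unless `snmp-server ifindex persist` is configured, so re-parse the table (or configure persistence) before trusting a sensor that suddenly reports a different interface's counters.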




Saturday, April 26, 2014

CheckPoint shell setting



To check which shell options are available, use the following command:

FW1> expert
Enter expert password:

Warning! All configuration should be done through clish
You are in expert mode now.

[Expert@FW1]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/usr/bin/scponly
/bin/tcsh
/bin/csh
/etc/cli.sh

To check which shell is assigned to your account, type:

[Expert@FW1]# cat /etc/passwd

To change the shell for a user from GAIA CLI:

FW1> set user john shell /bin/bash
FW1>save config

This will allow John to log in over SSH directly into the expert shell (bash) without having to enter the expert password.

To change back to GAIA CLI shell mode:

FW1> set user john shell /etc/cli.sh
FW1>save config

To change the shell from bash (expert mode):

[Expert@FW1]# chsh -s /etc/cli.sh john
Changing shell for john.
Shell changed.
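Since a user whose login shell is /bin/bash skips the expert password entirely, it is useful to be able to list which Gaia accounts land in the CLI, which land straight in an expert shell, and which have an unusual shell. The script below is an added example, not from the post or from Check Point: it applies the /etc/shells list shown above and a constructed /etc/passwd (only "john" comes from the post; the other entries and all uid/gid/home values are made up) and classifies each account.

```python
"""Audit which shell each Gaia account gets at login.

Added example, not from the original post. It reads the /etc/shells list
from the post and a constructed /etc/passwd and reports accounts that land
directly in an expert (bash-style) shell instead of /etc/cli.sh.
"""

# Constructed: the /etc/shells content from the post
ETC_SHELLS = """\
/bin/sh
/bin/bash
/sbin/nologin
/usr/bin/scponly
/bin/tcsh
/bin/csh
/etc/cli.sh
"""

# Constructed sample /etc/passwd ("john" is from the post; the rest is made up)
ETC_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:0:0:Admin:/home/admin:/etc/cli.sh
john:x:102:100:John:/home/john:/bin/bash
monitor:x:103:100:Monitor:/home/monitor:/etc/cli.sh
backup:x:104:100:Backup:/home/backup:/usr/bin/scponly
svc:x:105:100:Service:/home/svc:/sbin/nologin
legacy:x:106:100:Legacy:/home/legacy:/bin/zsh
"""

GAIA_CLI = "/etc/cli.sh"
# Shells that drop the user straight into an expert-equivalent environment
EXPERT_SHELLS = {"/bin/bash", "/bin/sh", "/bin/tcsh", "/bin/csh"}


def parse_shells(text):
    """Set of valid login shells from /etc/shells (blank and comment lines skipped)."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


def parse_passwd(text):
    """Return {user: shell} from passwd-format lines (7 colon-separated fields)."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        users[fields[0]] = fields[6]
    return users


def audit_shells(passwd_text, shells_text):
    """Classify each account as 'cli', 'expert', 'restricted' or 'unlisted'."""
    valid = parse_shells(shells_text)
    report = {}
    for user, shell in parse_passwd(passwd_text).items():
        if shell not in valid:
            report[user] = "unlisted"      # not in /etc/shells; chsh/login may refuse it
        elif shell == GAIA_CLI:
            report[user] = "cli"
        elif shell in EXPERT_SHELLS:
            report[user] = "expert"        # no expert password prompt on login
        else:
            report[user] = "restricted"    # nologin / scponly
    return report


def expert_accounts(passwd_text, shells_text):
    """Sorted names of accounts that log straight into an expert shell."""
    return sorted(u for u, c in audit_shells(passwd_text, shells_text).items()
                  if c == "expert")


if __name__ == "__main__":
    for user, cls in audit_shells(ETC_PASSWD, ETC_SHELLS).items():
        print(f"{user:10s} {cls}")
    print("expert:", expert_accounts(ETC_PASSWD, ETC_SHELLS))
```

On a real gateway you would feed the script the actual files (cat /etc/passwd and cat /etc/shells from expert mode, as shown above); the "expert" list is the set of accounts for which the `set user <name> shell /etc/cli.sh` change from the post would re-enable the expert password prompt.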

Tuesday, April 15, 2014

Cisco IOS change Destination NAT



In the following lab I will demonstrate how to change the packet destination using NAT.

This is the topology I used (please ignore SERVER2 and SERVER3):



Let's say that SERVER1 (192.168.10.1) needs to access HOST1 but is not allowed to use HOST1's real IP, which is 192.168.20.1, so in this case we will have to change the destination IP. Also, HOST1 doesn't know SERVER1's IP, so we will have to do source NAT as well.

HOST1 relevant configuration:

interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0
 speed 100
 full-duplex
!
ip route 0.0.0.0 0.0.0.0 192.168.20.254

R2 relevant configuration:

interface FastEthernet0/0
 ip address 10.1.0.2 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 192.168.20.254 255.255.255.0
 speed 100
 full-duplex

Note that R2 doesn't even know the 192.168.10.0/24 network!

SERVER1 relevant configuration:

interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 speed 100
 full-duplex
!
ip route 0.0.0.0 0.0.0.0 192.168.10.254

And R1 relevant configuration:

interface FastEthernet0/0
 ip address 192.168.10.254 255.255.255.0
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 10.1.0.1 255.255.255.0
 ip virtual-reassembly
 speed 100
 full-duplex

So first let's configure the R1 interfaces according to their role in the NAT topology: Fa0/0 is the INSIDE while Fa0/1 is the OUTSIDE:

interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/1
 ip nat outside

Then we will configure the NAT statement:

ip nat outside source static 192.168.20.1 2.2.2.2 add-route

Whenever a packet with destination IP 2.2.2.2 goes through the OUTSIDE NAT interface, R1 will change the destination to 192.168.20.1, and (because of add-route) it will add a static route for 2.2.2.2 to its routing table.

Now we also need to change the source IP, 192.168.10.1, to something that R2 and HOST1 know, such as 10.1.0.1 (the R1 outside interface):

ip access-list standard ACL_LAN
 permit 192.168.10.0 0.0.0.255
!
ip nat inside source list ACL_LAN interface FastEthernet0/1 overload

Now let's verify that SERVER1 can reach HOST1 by pinging 2.2.2.2:

SERVER1#ping 2.2.2.2      

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 132/192/280 ms
SERVER1#

And the process on R1 (debug ip packet and debug ip nat detailed, with no ip route-cache on the interfaces):

*Mar  1 01:28:01.287: IP: tableid=0, s=192.168.10.1 (FastEthernet0/0), d=2.2.2.2 (FastEthernet0/1), routed via FIB
*Mar  1 01:28:01.291: NAT: [0] Allocated Port for 192.168.10.1 -> 10.1.0.1: wanted 20 got 20
*Mar  1 01:28:01.291: NAT: setting up outside mapping 2.2.2.2->192.168.20.1, with mapping-id 0
*Mar  1 01:28:01.291: NAT: i: icmp (192.168.10.1, 20) -> (2.2.2.2, 20) [96]    
*Mar  1 01:28:01.295: NAT: s=192.168.10.1->10.1.0.1, d=2.2.2.2 [96]
*Mar  1 01:28:01.295: NAT: s=10.1.0.1, d=2.2.2.2->192.168.20.1 [96]
*Mar  1 01:28:01.295: IP: s=10.1.0.1 (FastEthernet0/0), d=192.168.20.1 (FastEthernet0/1), g=10.1.0.2, len 100, forward

Note how R1 sets up the outside mapping from 2.2.2.2 to 192.168.20.1 and allocates a port for 192.168.10.1 on 10.1.0.1 as part of PAT (Port Address Translation).
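To make the order of the two translations in the debug output above explicit (inside source PAT first, then the outside source static rule rewriting the destination, and the reverse on the reply), here is an added example that models the two R1 NAT statements from this lab in Python. It is not IOS code and not from the post; addresses come from the lab, the ICMP identifier stands in for the "port" as in the debug lines, and the port-allocation fallback (sequential ports starting at a constructed 1024) is a simplification of what IOS actually does.

```python
"""Model of R1's two NAT rules from the lab and the order they apply in.

Added example (not from the post, not IOS code). It replays the
translation sequence seen in the debug output for the SERVER1 -> 2.2.2.2
packet and for HOST1's reply.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int   # for ICMP echo the identifier plays the "port" role
    dst_port: int


class R1Nat:
    def __init__(self):
        # ip nat inside source list ACL_LAN interface FastEthernet0/1 overload
        self.inside_acl = ipaddress.ip_network("192.168.10.0/24")
        self.outside_if_ip = "10.1.0.1"
        # ip nat outside source static 192.168.20.1 2.2.2.2  (outside local -> global)
        self.outside_static = {"2.2.2.2": "192.168.20.1"}
        # PAT state: (inside local ip, port) -> global port, plus the reverse map
        self.pat = {}
        self.pat_rev = {}
        self.next_port = 1024  # constructed fallback range

    def _alloc_port(self, src, port):
        """Keep the original port if free ("wanted 20 got 20"), else pick a new one."""
        key = (src, port)
        if key not in self.pat:
            g = port if port not in self.pat_rev else self.next_port
            while g in self.pat_rev:
                self.next_port += 1
                g = self.next_port
            self.pat[key] = g
            self.pat_rev[g] = key
        return self.pat[key]

    def inside_to_outside(self, pkt):
        """Packet entering Fa0/0 (inside) and leaving Fa0/1 (outside)."""
        steps = []
        # 1. inside source translation (PAT) if the source matches ACL_LAN
        if ipaddress.ip_address(pkt.src) in self.inside_acl:
            gport = self._alloc_port(pkt.src, pkt.src_port)
            steps.append(f"s={pkt.src}->{self.outside_if_ip}")
            pkt = replace(pkt, src=self.outside_if_ip, src_port=gport)
        # 2. outside source static: destination 2.2.2.2 -> 192.168.20.1
        if pkt.dst in self.outside_static:
            real = self.outside_static[pkt.dst]
            steps.append(f"d={pkt.dst}->{real}")
            pkt = replace(pkt, dst=real)
        return pkt, steps

    def outside_to_inside(self, pkt):
        """Reply entering Fa0/1 (outside) and leaving Fa0/0 (inside)."""
        steps = []
        # 1. outside source static in reverse: 192.168.20.1 -> 2.2.2.2
        rev = {glob: loc for loc, glob in self.outside_static.items()}
        if pkt.src in rev:
            steps.append(f"s={pkt.src}->{rev[pkt.src]}")
            pkt = replace(pkt, src=rev[pkt.src])
        # 2. PAT in reverse: 10.1.0.1:port -> the inside local host that owns it
        if pkt.dst == self.outside_if_ip and pkt.dst_port in self.pat_rev:
            src, port = self.pat_rev[pkt.dst_port]
            steps.append(f"d={pkt.dst}->{src}")
            pkt = replace(pkt, dst=src, dst_port=port)
        return pkt, steps


if __name__ == "__main__":
    r1 = R1Nat()
    out, steps = r1.inside_to_outside(Packet("192.168.10.1", "2.2.2.2", 20, 20))
    print(out, steps)   # s=192.168.10.1->10.1.0.1 then d=2.2.2.2->192.168.20.1
    back, steps = r1.outside_to_inside(Packet("192.168.20.1", "10.1.0.1", 20, 20))
    print(back, steps)  # SERVER1 only ever sees 2.2.2.2 as the peer
```

The model also shows why HOST1 and R2 never need a route to 192.168.10.0/24: every packet that leaves Fa0/1 carries 10.1.0.1 as its source, and the reply is mapped back to SERVER1 purely from R1's PAT table.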

R1 routing table:

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     2.0.0.0/32 is subnetted, 1 subnets
S       2.2.2.2 [1/0] via 192.168.20.1
C    192.168.10.0/24 is directly connected, FastEthernet0/0
S    192.168.20.0/24 [1/0] via 10.1.0.2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.0.0 is directly connected, FastEthernet0/1