Wednesday, 7 May 2014

AAA configuration on Cisco Router


Basic AAA configuration on Cisco Router
AAA stands for Authentication, Authorization and Accounting. It is a framework which controls the user access on the devices.

Authentication: It is used to check the identity of an user. It helps us in identifying the users and accordingly we can give access to them
Authorization: It controls the device access as per the user skill level. What access is given to which user. With this we can control access level of different users.  
Accounting: It is primarily used to log the activity of the users. This is very useful in auditing and billing purpose.
  Below are the AAA configuration on Cisco router and switches using Tacacs server. It doesn’t include the ACS configuration, it just explains the configuration required on the router and switches.
Step 1: Configure the Backup credentials. AAA doesn’t mean that we don’t require local credential. It is mandatory to have backdoor credentials so that we can access the devices when our AAA servers are down or unreachable.

 
Router(config)#username Admin password PowerKey
 

 Step 2: Configure Tacacs servers. We can configure multiple Tacacs server.
 
Router (config)#tacacs-server host 192.168.1.10 key mySecretkey1
Router (config)#tacacs-server host 192.168.1.11 key mySecretkey2
 

Step 3: Choose the correct interface to be a source of Tacacs packet. It may create problem if we have multiple interface configured on a router. Choose the interface which has the same IP as in AAA server.

 
Router (config)#ip tacacs source-interface loopback 0
 

Step 4: Check reachability of Tacacs server from router. If there is a firewall between the router and tacacs server then make sure that TCP port 49 is opened to allow tacacs traffic.
Router #ping 192.168.1.10
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Step 5: Enable AAA on router globally.
 
Router (config)#aaa new-model
 

Step 6: Configure the Authentication methods. Below command is applying authentication on router login. Default keyword applies the method on all lines.
Group tacacs+ sending the authentication request to all configured AAA servers.

LOCAL keyword specifies that in case all of the configured tacacs servers become unreachable, user will be authenticated using local user database. This fail back mechanism is not applicable if the TACACS server is reachable via ping but not handling the request may be because of wrong KEY configured on device or due to internal ACS problem.

 
ROUTER(config)#aaa authentication login default group tacacs+ local
 

Step 7: It authorize all the commands entered in Config mode.

 
Router(config)# aaa authorization config-commands
 

Step 8: It checks the privilege level of the user from AAA server. Without this command user will login in user mode only.
 
Router (config)# aaa authorization exec default group tacacs+ local if-authenticated
 

Step 9: Below command provides authorization to the privilege 1 user.
 
Router (config)# aaa authorization commands 1 default group TACACS+ if-authenticated

Step 10: Below command authorize the Level 15 users. Each time user run a command, switch send the query to Tacacs server to check if the user is authorize for it.
 
Router (config)# aaa authorization commands 15 default group TACACS+ local if-authenticated

Step 11: It enable the accounting on all lines.
 
Router(config)# aaa accounting exec default start-stop group tacacs+
 

Step 12: It logs all the activity of level 1 user.

 
Router(config)# aaa accounting commands 1 default start-stop group tacacs+
 

Step 13: It logs all the activity of level 15 users.
 
Router(config)# aaa accounting commands 15 default start-stop group tacacs+
 

Step 14: Applying AAA authentication on VTY lines.

 
Router(config)# line vty 0 15
Router(config-line)# login authentication default
 

Step15. Verification: Try to access the device using Tacacs credential

 

 

How to Configure SNMP on H3C Switches (SNMPv2c & SNMPv3) – Complete Step-by-Step Guide

How to Configure SNMP on H3C Switches (SNMPv2c & SNMPv3)

Simple Network Management Protocol (SNMP) is one of the most widely used protocols for monitoring and managing network devices such as switches, routers, firewalls, and wireless controllers. Whether you use SolarWinds, PRTG, Zabbix, ManageEngine OpManager, or another Network Management System (NMS), SNMP enables these tools to collect performance statistics, monitor device health, and receive alerts.

This guide explains how to configure SNMP on H3C switches using both SNMPv2c and SNMPv3. While SNMPv2c is still common in many production environments, SNMPv3 is recommended for new deployments because it offers authentication and encryption for improved security.


Table of Contents

  • What is SNMP?
  • Why Configure SNMP?
  • SNMP Versions Explained
  • Prerequisites
  • SNMPv2c Configuration
  • SNMPv3 Configuration
  • Configure SNMP Traps
  • Verification Commands
  • Troubleshooting
  • Security Best Practices
  • Frequently Asked Questions
  • Conclusion
  • Related Articles

What is SNMP?

SNMP (Simple Network Management Protocol) is a standard protocol used to monitor and manage network devices remotely.

It allows administrators to:

  • Monitor CPU utilization
  • Monitor memory usage
  • View interface bandwidth
  • Monitor link status
  • Receive fault notifications (Traps)
  • Collect historical performance statistics
  • Integrate devices with Network Monitoring Systems

Without SNMP, network administrators would need to manually log into each switch to check its health and performance.


Why Configure SNMP?

Configuring SNMP provides several operational benefits:

  • Centralized monitoring
  • Faster troubleshooting
  • Automatic alert generation
  • Capacity planning
  • Performance monitoring
  • Reduced downtime
  • Better network visibility

SNMP Versions Explained

VersionAuthenticationEncryptionRecommended
SNMPv1NoNoNo
SNMPv2cCommunity StringNoExisting Networks
SNMPv3Username + PasswordYesYes

Recommendation: Use SNMPv3 whenever possible because it provides authentication and encryption, making it significantly more secure than SNMPv1 or SNMPv2c.


Prerequisites

Before configuring SNMP, ensure that:

  • You have administrator privileges.
  • The switch IP address is reachable.
  • The monitoring server IP address is known.
  • Firewall rules permit UDP ports 161 and 162.
  • ACLs are planned to restrict SNMP access.

Example Network

+----------------------+
| Monitoring Server    |
| 192.168.1.100        |
+----------+-----------+
           |
           |
      UDP 161 / UDP 162
           |
+----------+-----------+
| H3C Switch           |
| 192.168.1.10         |
+----------------------+

Step 1: Configure an ACL

Restricting SNMP access using an Access Control List (ACL) prevents unauthorized systems from querying the switch.

acl number 2091

rule 5 permit source 192.168.1.100 0

Explanation

Only the monitoring server at 192.168.1.100 is allowed to communicate with the switch using SNMP.


Step 2: Configure the SNMP Community

Create a read-only SNMP community.

snmp-agent community read Cisco acl 2091

Explanation

  • Creates a Read-Only community
  • Community name: Cisco
  • Access restricted using ACL 2091

Read-only access is recommended because monitoring systems generally do not need configuration privileges.


Step 3: Configure Contact Information

snmp-agent sys-info contact Network Administrator

This helps identify the administrator responsible for the switch.


Step 4: Configure Device Location

snmp-agent sys-info location Data Center Rack 12

Useful for large organizations managing hundreds of devices.


Step 5: Enable SNMP

snmp-agent

This command activates the SNMP service on the switch.


Step 6: Configure Trap Receiver

snmp-agent target-host trap address udp-domain 192.168.1.100 params securityname Cisco

This enables the switch to send SNMP traps to the monitoring server.

Examples of SNMP traps include:

  • Interface down
  • Interface up
  • Power failure
  • Fan failure
  • Authentication failure
  • Temperature alarm

SNMPv3 Configuration (Recommended)

Configure an SNMPv3 user with authentication and privacy.

snmp-agent

snmp-agent group v3 NetworkGroup privacy

snmp-agent usm-user v3 NetAdmin

authentication-mode sha StrongPassword123

privacy-mode aes128 SecurePassword123

snmp-agent usm-user v3 NetAdmin group NetworkGroup

SNMPv3 provides:

  • User authentication
  • Message integrity
  • Data encryption
  • Better protection against unauthorized access

Verify the Configuration

Run the following commands:

display current-configuration | include snmp

Displays all configured SNMP settings.

display snmp-agent

Displays SNMP operational information.

display acl 2091

Confirms that the ACL is configured correctly.

You should also test polling from your Network Management System to verify successful communication.


Common Troubleshooting

Unable to Poll the Switch

Possible causes:

  • Incorrect community string
  • ACL blocking access
  • SNMP service disabled
  • Wrong SNMP version
  • Firewall blocking UDP 161

SNMP Traps Not Received

Check:

  • UDP Port 162
  • Trap destination IP
  • Monitoring software configuration
  • Firewall rules
  • Routing between devices

Authentication Failure

Verify:

  • Community string
  • Username (SNMPv3)
  • Password
  • Authentication method
  • Encryption settings

Security Best Practices

Follow these recommendations to secure your SNMP deployment:

  • Prefer SNMPv3 instead of SNMPv2c.
  • Restrict SNMP using ACLs.
  • Avoid default community names such as public and private.
  • Use strong authentication passwords.
  • Enable encryption when using SNMPv3.
  • Allow only trusted monitoring servers.
  • Periodically review SNMP logs.
  • Disable SNMP if it is not required.

Frequently Asked Questions

Which UDP ports does SNMP use?

  • UDP 161 for polling
  • UDP 162 for traps

What is a Community String?

A community string acts like a password for SNMPv1 and SNMPv2c devices.


What is the difference between Read-Only and Read-Write communities?

Read-Only communities allow monitoring only.

Read-Write communities permit configuration changes and should be used only when absolutely necessary.


Should I use SNMPv2c or SNMPv3?

SNMPv3 is recommended because it provides authentication, encryption, and significantly better security.


Can I configure multiple SNMP managers?

Yes. Multiple monitoring servers can receive SNMP data and traps if configured appropriately.Conclusion

SNMP remains one of the most effective methods for monitoring enterprise networks. By configuring SNMP correctly on H3C switches, administrators can integrate their devices with popular Network Management Systems, automate monitoring, receive alerts, and improve network visibility.

Although many organizations continue to use SNMPv2c for compatibility, SNMPv3 should be the preferred choice for new deployments because it provides strong authentication and encrypted communication. Always protect SNMP access with ACLs, use secure credentials, and verify the configuration after deployment to ensure reliable monitoring.


Related Articles on Networklearner

If you found this guide useful, you may also like these networking tutorials available on Networklearner:

AI Related Articles

Networklearner: Generative AI Fundamentals Explained for Beginners (With IT & Network Engineering Examples)

 https://netterrene.blogspot.com/2026/06/generative-ai-quiz-beginners-mcq-answers.html

Network Management & SNMP

High Availability (HSRP)

Cisco ACI & Data Center

Security Best Practices


📚 Looking for more networking tutorials? Browse the complete collection on Networklearner:
https://netterrene.blogspot.com/

Port channel configuration on H3C switches


This document explains the port-channel configuration on H3c 5920 switch.

To explain the configuration we have  configured two interfaces Ten-GigabitEthernet1/0/1 and Ten-GigabitEthernet1/0/2 in port-channel 1.

Step1.  Login to Switch with admin access.

< H3C-Switch>

Step2. To make configuration changes you must enter in Systemview.

<H3C-Switch>system-view
System View: return to User View with Ctrl+Z.
[H3C-Switch]

Step3. Go to interface Ten-GigabitEthernet1/0/1. Make sure that member port and bridge port (if already exist) will have same configuration. 

[H3C-Switch]interface Ten-GigabitEthernet1/0/1
[H3C-Switch-Ten-GigabitEthernet1/0/1]port link-aggregation group 1
[H3C-Switch-Ten-GigabitEthernet1/0/1]quit
[H3C-Switch]

 Step4. Configure the link-aggregation command in Ten-GigabitEthernet1/0/2 as well. 

[H3C-Switch]interface Ten-GigabitEthernet1/0/2
[H3C-Switch-Ten-GigabitEthernet1/0/2]port link-aggregation group 1
[H3C-Switch-Ten-GigabitEthernet1/0/2]quit
[H3C-Switch]

Step5. It will create an interface Bridge-Aggregation1 automatically. All the configuration command done in bridge aggregation port will be reflected in member ports.  

Configuration will vary as per the requirement. Configuration done on the Bridge aggregation will be replicated on the member ports automatically.

Note: Description command will not replicated to member ports. It has to be separately configured on member ports.

[H3C-Switch]interface Bridge-Aggregation11
[H3C-Switch-Bridge-Aggregation1]description  Node1
[H3C-Switch-Bridge-Aggregation1]port access vlan 100
[H3C-Switch-Bridge-Aggregation1]link-aggregation mode dynamic
[H3C-Switch-Bridge-Aggregation1]stp edged-port
[H3C-Switch-Bridge-Aggregation2]quit

[H3C-Switch]quit
<H3C-Switch>

Step6. Check the Bridge-Aggregation port status. 

<H3C-Switch>display interface Bridge-Aggregation1
Bridge-Aggregation1 current state: UP  ------<<<<<<<<<<<<<<<<<<<<<<<<
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: b8af-67b0-62df
Description: ### c-r15-04-01 prod ###
20Gbps-speed mode, full-duplex mode
Link speed type is autonegotiation, link duplex type is autonegotiation
PVID: 44
Port link-type: access
 Tagged Vlan:   none
 UnTagged Vlan: 44      ------<<<<<<<<<<<<<<<<<<<<<<<<
Last clearing of counters: Never
Last 300 seconds input:  0 packets/sec 483 bytes/sec    0%
Last 300 seconds output:  15 packets/sec 13967 bytes/sec    0%
Input (total):  5593180175 packets, 3023094095318 bytes
            5589605028 unicasts, 435264 broadcasts, 3139675 multicasts
Input (normal):  5593179967 packets, - bytes
            5589605028 unicasts, 435264 broadcasts, 3139675 multicasts
Input:  0 input errors, 0 runts, 0 giants, 0 throttles
            0 CRC, 0 frame, - overruns, 0 aborts
            - ignored, - parity errors
Output (total): 9287004120 packets, 12729511609083 bytes
            9222258418 unicasts, 23921148 broadcasts, 40824554 multicasts, 0 pauses
Output (normal): 9287004120 packets, - bytes
        9222258418 unicasts, 23921148 broadcasts, 40824554 multicasts, 0 pauses
Output: 0 output errors, - underruns, - buffer failures
            0 aborts, 0 deferred, 0 collisions, 0 late collisions
            0 lost carrier, - no carrier
<H3C-Switch>display interface Bridge-Aggregation1 brief ---<<<<<<<<<<<<<<<<<
The brief information of interface(s) under bridge mode:
Link: ADM - administratively down; Stby - standby
Speed or Duplex: (a)/A - auto; H - half; F - full
Type: A - access; T - trunk; H - hybrid
Interface            Link Speed   Duplex Type PVID Description               
BAGG1                UP   20G(a)  F(a)   A    44   Node1 ### 

AI Related Articles

Networklearner: Generative AI Fundamentals Explained for Beginners (With IT & Network Engineering Examples)

 

https://netterrene.blogspot.com/2026/06/generative-ai-quiz-beginners-mcq-answers.html


Enable SSH on CISCO router and switches


Configure SSH on Cisco Routers and Switches

The Secure Shell (SSH) is a protocol for secure remote login services over an insecure network. This document explains the procedure to configure SSH on Cisco Router and Switches. SSH is preferred over TELNET as it encrypts the communication between server and client and vice versa.

 Before enabling SSH, please make sure that you are able to access the device using telnet. It confirms that authentication credentials either via local username or AAA have been configured correctly.

 Step 1: Configure hostname of the router:

Router(config)#hostname R1

Step 2: Verify IOS for support SSH. Device should have a k9(crypto) software image as shown below:


R1 # show version
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 12.2(31)SGA1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 26-Jan-07 14:35 by kellythw
Image text-base: 0x10000000, data-base: 0x115C5630
ROM: 12.2(20r)EW1
Dagobah Revision 95, Swamp Revision 29
R1 uptime is 4 years, 15 weeks, 1 day, 22 hours, 33 minutes
System returned to ROM by power-on
System restarted at 15:30:21 met Fri Feb 6 2009
System image file is "bootflash:cat4500-ipbasek9-mz.122-31.SGA1.bin" ----<<<<<

 You can also use the below command to check if router supports SSH or not:

 R1#sh ip ssh
SSH Disabled - version 1.99
%Please create RSA keys to enable SSH.  ----------------<<<<<<<<<<<<<<<<
Authentication timeout: 120 secs; Authentication retries: 3

 Step 3: Configure Domain name. It is required to generate the key. Use the ip domain-name command to configure the domain name.

 R1 (config)# ip domain-name lab.local

Step 4: Generate the RSA key using below command:

R1(config)#crypto key generate rsa
The name for the keys will be: R1.lab.local
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 1024 ---<<< Key length should be 1024 or 2048
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Switch(config)# May 25 11:50:29.631: %SSH-5-ENABLED: SSH 1.99 has been enabled ---<<<<< You will get this message if you are generating the key for the first time

 You can see the generated key using the below command:

R1#show crypto key mypubkey rsa
% Key pair was generated at: 12:04:12 UTC May 25 2013
Key name: R1.lab.local
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B1953A
  7EDD950E BE52B486 646FCA59 4EFC4652 7DC277A8 400B14EE 8B72E51D C003218B
  FD57E400 069EEA52 F3FDBE69 CD1C6EC2 9055F11E 5F09D35A EE003292 A22AD9CA
  E23FA548 FA53E757 4C0EC4F8 80D71E01 A5EB29C9 083B0A8F 5C3E8BF8 C9CA6C1D
  83C64769 0C57BF12 E13D76E0 63D826CE F0A8B42D FB77455A A4115D48 67020301 0001
% Key pair was generated at: 12:04:12 UTC May 25 2013
Key name: R1.lab.local.server
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00C57E1D 6B07B8B8
  4E0647E0 E210473A D92F99EB F264B9D1 BC2AE04D BFF59126 55FE58F0 8561E998
  1045D4F4 591E7032 4EC6A0A5 BA20B0A2 FF0D1269 76FEF992 41C24342 AFFB8838
  CEE5F80A B6540AEC 75F7D0A9 2A6A18F0 BDDA9683 A7FF58E6 1D020301 0001

 Note: You must have hostname and domain name configured before generating the rsa key.

 If you try to generate RSA key without configuring the hostname, you will get the below error:

Router(config)#crypto key generate rsa
% Please define a hostname other than Router.  -----<<<<<<<<<<<<<<<<<<<<<

If you try to generate RSA key without configuring the domain name, you will get the below error:

R1 (config)#crypto key generate rsa
% Please define a domain-name first. -----<<<<<<<<<<<<<<<<<<<<<

Step 5 : Verify SSH status:

R1#sh ip ssh
ssh Enabled - version 1.99 ---------<<<<<<<<<<<<<<<<<<<<
Authentication timeout: 120 secs; Authentication retries: 3

Step 6: Use IP SSH version command to change the SSH version:

R1(config)# ip SSH version 2

Step 7: Test the SSH access. If SSH access is successful then follow Step 8

Step 8: Enable SSH access only.

R1(config)#line vty 0 4 
R1(config-line)#transport input ssh