Updating Cisco Switch to Support Encrypted SNMP v3

I realized I had an IOS image for my Cisco switch that supported crypto, as required for encrypted SNMP.

I decided to reflash my switch to add this support.

This is an example of a blog entry for my future reference. I don't expect any Cisco-ites to learn anything from this.

First I see what version of IOS is installed.

2950T-24#show ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 04-Mar-03 02:14 by yenanh
Image text-base: 0x80010000, data-base: 0x805A8000

ROM: Bootstrap program is CALHOUN boot loader

2950T-24 uptime is 3 hours, 20 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6q4l2-mz.121-13.EA1.bin"

cisco WS-C2950T-24 (RC32300) processor (revision J0) with 20839K bytes of memory.
Processor board ID FHK0720Z0R3
Last reset from system-reset
Running Enhanced Image
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0D:28:6C:F5:40
Motherboard assembly number: 73-6114-08
Power supply part number: 34-0965-01
Motherboard serial number: FOC072008TY
Power supply serial number: PHI071404A8
Model revision number: J0
Motherboard revision number: A0
Model number: WS-C2950T-24
System serial number: FHK0720Z0R3
Configuration register is 0xF

Next I look at available filesystems.

2950T-24#show file systems
File Systems:

     Size(b)     Free(b)      Type  Flags  Prefixes
*    7741440     2867712     flash     rw  flash:
           -           -    opaque     ro  bs:
     7741440     2867712   unknown     rw  zflash:
       32768       29934     nvram     rw  nvram:
           -           -    opaque     rw  null:
           -           -    opaque     rw  system:
           -           -   network     rw  tftp:
           -           -    opaque     ro  xmodem:
           -           -    opaque     ro  ymodem:
           -           -   network     rw  rcp:
           -           -   network     rw  ftp:

You can move around the IOS filesystem much like a Unix box.

2950T-24#cd flash:
2950T-24#dir
Directory of flash:/

2 -rwx 2888547 Mar 01 1993 00:03:24 c2950-i6q4l2-mz.121-13.EA1.bin
3 -rwx 270 Jan 01 1970 00:02:09 env_vars
4 -rwx 47 Mar 01 1993 00:04:45 private-config.text
6 -rwx 676 May 19 1993 05:59:46 vlan.dat
7 drwx 832 Mar 01 1993 00:04:19 html
21 -rwx 109 Mar 01 1993 00:04:21 info
22 -rwx 109 Mar 01 1993 00:04:21 info.ver
24 -rwx 1711 Mar 01 1993 00:04:43 config.text

7741440 bytes total (2867712 bytes free)

The .bin file is my current IOS image. I can get the same directory listing this way:

2950T-24#show flash

Directory of flash:/

2 -rwx 2888547 Mar 01 1993 00:03:24 c2950-i6q4l2-mz.121-13.EA1.bin
3 -rwx 270 Jan 01 1970 00:02:09 env_vars
4 -rwx 47 Mar 01 1993 00:04:45 private-config.text
6 -rwx 676 May 19 1993 05:59:46 vlan.dat
7 drwx 832 Mar 01 1993 00:04:19 html
21 -rwx 109 Mar 01 1993 00:04:21 info
22 -rwx 109 Mar 01 1993 00:04:21 info.ver
24 -rwx 1711 Mar 01 1993 00:04:43 config.text

7741440 bytes total (2867712 bytes free)

Let's check out the html directory for fun.

2950T-24#cd html
2950T-24#dir
Directory of flash:/html/

8 -rwx 3994 Mar 01 1993 00:03:24 homepage.htm
9 -rwx 1392 Mar 01 1993 00:03:24 not_supported.html
10 -rwx 9529 Mar 01 1993 00:03:24 common.js
11 -rwx 22152 Mar 01 1993 00:03:25 cms_splash.gif
12 -rwx 1211 Mar 01 1993 00:03:25 cms_13.html
13 -rwx 2823 Mar 01 1993 00:03:25 cluster.html
14 -rwx 4195 Mar 01 1993 00:03:25 Redirect.jar
15 -rwx 15899 Mar 01 1993 00:03:25 mono_disc.sgz
16 -rwx 1344455 Mar 01 1993 00:04:05 CMS.sgz
17 -rwx 86918 Mar 01 1993 00:04:08 images.sgz
18 -rwx 287994 Mar 01 1993 00:04:16 help.sgz
19 -rwx 135599 Mar 01 1993 00:04:19 CiscoChartPanel.sgz
20 -rwx 58864 Mar 01 1993 00:04:21 cms_boot.jar

7741440 bytes total (2867712 bytes free)

2950T-24#pwd
flash:/html/
2950T-24#cd ..
2950T-24#pwd
flash:/

For one last command, check the current image file type.

2950T-24#show file information c2950-i6q4l2-mz.121-13.EA1.bin
flash:c2950-i6q4l2-mz.121-13.EA1.bin:
type is ebcdic text

I need to delete this image because flash does not have room for both: the new image is 3706442 bytes and only 2867712 bytes are free. (The "ebcdic text" guess above is IOS misidentifying a binary image; it is not a meaningful check of the file.) First I copy the old image off the switch with FTP so I can roll back if the new one fails. Note that FTP carries both the cisco:cisco credentials and the image in cleartext, and a password embedded in the URL also ends up in the command history, so do this only on a management network you trust.

2950T-24#copy flash:c2950-i6q4l2-mz.121-13.EA1.bin ftp://cisco:cisco@192.168.2.5/c2950-i6q4l2-mz.121-13.EA1.bin
Address or name of remote host [192.168.2.5]?
Destination filename [c2950-i6q4l2-mz.121-13.EA1.bin]?
Writing c2950-i6q4l2-mz.121-13.EA1.bin
!!!
...edited...
2888547 bytes copied in 8.796 secs (328393 bytes/sec)

Now I make sure the running config is saved to startup-config, and I copy that off the switch as well. The startup-config holds the enable secret, any SNMP community strings and similar secrets, so it deserves the same care in transit and at rest as the image.

2950T-24#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]

2950T-24#copy startup-config ftp://cisco:cisco@192.168.2.5/startup-config
Address or name of remote host [192.168.2.5]?
Destination filename [startup-config]?
Writing startup-config !
1711 bytes copied in 0.296 secs (5780 bytes/sec)

Now I delete the existing image.

2950T-24#delete flash:c2950-i6q4l2-mz.121-13.EA1.bin
Delete filename [c2950-i6q4l2-mz.121-13.EA1.bin]?
Delete flash:c2950-i6q4l2-mz.121-13.EA1.bin? [confirm]
2950T-24#dir
Directory of flash:/

3 -rwx 270 Jan 01 1970 00:02:09 env_vars
4 -rwx 47 Mar 01 1993 00:04:45 private-config.text
6 -rwx 676 May 19 1993 05:59:46 vlan.dat
7 drwx 832 Mar 01 1993 00:04:19 html
21 -rwx 109 Mar 01 1993 00:04:21 info
22 -rwx 109 Mar 01 1993 00:04:21 info.ver
24 -rwx 1711 Mar 01 1993 00:04:43 config.text

7741440 bytes total (5756416 bytes free)

I can copy the new image to the switch.

2950T-24#copy ftp://cisco:cisco@192.168.2.5/c2950-i6k2l2q4-mz.121-22.EA8a.bin flash:c2950-i6k2l2q4-mz.121-22.EA8a.bin
Destination filename [c2950-i6k2l2q4-mz.121-22.EA8a.bin]?
Accessing ftp://cisco:cisco@192.168.2.5/c2950-i6k2l2q4-mz.121-22.EA8a.bin...
Loading c2950-i6k2l2q4-mz.121-22.EA8a.bin !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
...edited...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 3706442/1024 bytes]

3706442 bytes copied in 98.408 secs (37664 bytes/sec)

2950T-24#dir
Directory of flash:/

2 -rwx 3706442 Mar 01 1993 03:41:09 c2950-i6k2l2q4-mz.121-22.EA8a.bin
3 -rwx 270 Jan 01 1970 00:02:09 env_vars
5 -rwx 1880 Mar 01 1993 03:42:01 config.text
6 -rwx 676 May 19 1993 05:59:46 vlan.dat
7 drwx 832 Mar 01 1993 00:04:19 html
21 -rwx 109 Mar 01 1993 00:04:21 info
22 -rwx 109 Mar 01 1993 00:04:21 info.ver
23 -rwx 177 Mar 01 1993 03:42:01 private-config.text

7741440 bytes total (2049536 bytes free)

Time to reload. Before doing so it is worth comparing the MD5 of the file now in flash with the one Cisco publishes for that image (`verify /md5 flash:<filename>` on images that support it), and checking with `show boot` that the BOOT variable either names the new file or is empty, in which case the 2950 boot loader searches flash for an executable image. A mismatch here means a trip to the console and xmodem.

2950T-24#reload
Proceed with reload? [confirm]

03:44:29: %SYS-5-RELOAD: Reload requested
C2950 Boot Loader (C2950-HBOOT-M) Version 12.1(11r)EA1, RELEASE SOFTWARE (fc1)
Compiled Mon 22-Jul-02 17:18 by antonino
WS-C2950T-24 starting...
Base ethernet MAC Address: 00:0d:28:6c:f5:40
Xmodem file system is available.
Initializing Flash...
flashfs[0]: 20 files, 2 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 7741440
flashfs[0]: Bytes used: 5691904
flashfs[0]: Bytes available: 2049536
flashfs[0]: flashfs fsck took 8 seconds.
...done initializing flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
Loading "flash:/c2950-i6k2l2q4-mz.121-22.EA8a.bin"...####...0x80010000
executing...
...edited...
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA8a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Fri 28-Jul-06 17:00 by weiliu
Image text-base: 0x80010000, data-base: 0x8067A000


Initializing flashfs...
flashfs[1]: 20 files, 2 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 7741440
flashfs[1]: Bytes used: 5691904
flashfs[1]: Bytes available: 2049536
flashfs[1]: flashfs fsck took 8 seconds.
flashfs[1]: Initialization complete.
Done initializing flashfs.
POST: System Board Test : Passed
POST: Ethernet Controller Test : Passed
ASIC Initialization Passed

POST: FRONT-END LOOPBACK TEST : Passed
...edited...
cisco WS-C2950T-24 (RC32300) processor (revision J0) with 19959K bytes of memory.
Processor board ID FHK0720Z0R3
Last reset from system-reset
Running Enhanced Image
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0D:28:6C:F5:40
Motherboard assembly number: 73-6114-08
Power supply part number: 34-0965-01
Motherboard serial number: FOC072008TY
Power supply serial number: PHI071404A8
Model revision number: J0
Motherboard revision number: A0
Model number: WS-C2950T-24
System serial number: FHK0720Z0R3
Building configuration...
[OK]
Building configuration...
[OK]
00:00:16: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:21: %SYS-5-CONFIG_I: Configured from memory by console
00:00:22: %LINK-3-UPDOWN: Interface Vlan1, changed state to up
00:00:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:00:23: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA8a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Fri 28-Jul-06 17:00 by weiliu
00:00:23: %SNMP-5-COLDSTART: SNMP agent on host 2950T-24 is undergoing a cold start

So far so good. Now I add SNMPv3 encryption support: a group that requires authPriv and is restricted to a read view, then a user in that group with MD5 authentication and DES privacy. MD5 and DES are weak by today's standards; where the image supports them, `auth sha` and `priv aes 128` are the better choice, and the auth and priv passwords should differ rather than both being bejtlichpass.

2950T-24(config)#snmp-server group readonly v3 priv read readview
2950T-24(config)#snmp-server user richard readonly v3 auth md5 bejtlichpass priv des56 bejtlichpass

I run 'sh run' to see if those entries are there. The group and the view show up, but IOS does not display `snmp-server user` lines in the running configuration (the user and its localized keys are kept out of the text configuration), so the user has to be checked with `show snmp user`, and the group with `show snmp group`.

snmp-server group readonly v3 priv read readview
snmp-server view readview internet included

It looks like I am ready to perform an snmpget using encrypted SNMPv3.

orr:/home/richard$ snmpget -v 3 -u richard -l authPriv -a MD5 -A bejtlichpass -x DES -X bejtlichpass 192.168.2.2 sysLocation.0
SNMPv2-MIB::sysLocation.0 = STRING:

It worked; the empty string is just because no `snmp-server location` has been set. Here is the get request as seen on the wire.

Simple Network Management Protocol
  msgVersion: snmpv3 (3)
  msgGlobalData
    msgID: 1661458003
    msgMaxSize: 65507
    msgFlags: 07
      .... .1.. = Reportable: Set
      .... ..1. = Encrypted: Set
      .... ...1 = Authenticated: Set
    msgSecurityModel: USM (3)
  msgAuthoritativeEngineID: 800000090300000D286CF541
    1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
    Engine Enterprise ID: cisco (9)
    Engine ID Format: MAC address (3)
  msgAuthoritativeEngineBoots: 2
  msgAuthoritativeEngineTime: 1148
  msgUserName: richard
  msgAuthenticationParameters: 5D732660B4962FB94C3857F6
  msgPrivacyParameters: 0000000187F9C1A5
  msgData: encryptedPDU (1)
    encryptedPDU: A2747E0A41B3198E50974E9B436A4D2AE105FDDB0DECABB3...

Here is the response.

Simple Network Management Protocol
  msgVersion: snmpv3 (3)
  msgGlobalData
    msgID: 1661458003
    msgMaxSize: 1500
    msgFlags: 03
      .... .0.. = Reportable: Not set
      .... ..1. = Encrypted: Set
      .... ...1 = Authenticated: Set
    msgSecurityModel: USM (3)
  msgAuthoritativeEngineID: 800000090300000D286CF541
    1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
    Engine Enterprise ID: cisco (9)
    Engine ID Format: MAC address (3)
  msgAuthoritativeEngineBoots: 2
  msgAuthoritativeEngineTime: 1148
  msgUserName: richard
  msgAuthenticationParameters: 58D2406E940462CA945D1265
  msgPrivacyParameters: 00000002B05B3948
  msgData: encryptedPDU (1)
    encryptedPDU: 1A6F31989187318B38BC5D90068B7EE847D3FE4716984CA8...

Not bad!

Comments

Anonymous said…
hi richard

Your work looks good; I can't get it to work for me though...

I did the IOS upgrade.
Is it the way I am entering the string???
Thanks
Dave


C:\>
C:\>
C:\>snmpget -v 3 -u richard -l authPriv -a MD5 -A bejtlichpass -x DES -X bejtlichpass 192.168.0.106 sysLocation.0 SNMPv2-MIB::sysLocation.0 = STRING:
=: (Sub-id not found: (top) -> =)
Cannot find module (STRING): At line 1 in (none)
STRING::

C:\>
