SNMP Interface Index Persistence
A reader who wishes to remain anonymous recently suggested a post on an IOS feature known as SNMP interface index persistence.
Network monitoring systems like MRTG or Cacti use SNMP polling to record throughput and other statistics of various interfaces. Each interface is referenced by its unique index number as assigned by IOS. The index of each interface can be determined with the command show snmp mib ifmib ifindex:
Router# show snmp mib ifmib ifindex detail
Description                     ifIndex  Active  Persistent
----------------------------------------------------------------
FastEthernet0/0                 1        yes     disabled
Null0                           4        yes     disabled
VoIP-Null0                      3        yes     disabled
FastEthernet0/1                 2        yes     disabled
There is a problem lurking here, however. By default, interface indexes are assigned dynamically at boot time. Observe what happens when a new WIC is installed and the router is reloaded:
Router# show snmp mib ifmib ifindex detail
Description                     ifIndex  Active  Persistent
----------------------------------------------------------------
FastEthernet0/0                 1        yes     disabled
Null0                           5        yes     disabled
Serial0/0                       2        yes     disabled
VoIP-Null0                      4        yes     disabled
Async1                          6        no      disabled
FastEthernet0/1                 3        yes     disabled
Serial0/0 was assigned the interface index 2 this time, forcing a new number for FastEthernet0/1 and the remaining interfaces. This behavior can very easily break network monitoring systems, as the interface indexes they request can be dynamically assigned to different interfaces during a reboot.
This is where SNMP interface index persistence can help. The feature is enabled globally:
Router(config)# snmp-server ifindex persist
Now when the running configuration is saved to NVRAM, the table of current interface index assignments is also recorded:
Router# dir nvram:
Directory of nvram:/
124 -rw- 953 <no date> startup-config
125 ---- 46 <no date> private-config
1 -rw- 180 <no date> ifIndex-table
If we remove the WIC and reload our router to restore it to its original state, enable interface index persistence, and then reinsert the WIC and reload the router, we can see that our interface index for FastEthernet0/1 is now preserved across the reboot:
Router# show snmp mib ifmib ifindex detail
Description                     ifIndex  Active  Persistent
----------------------------------------------------------------
FastEthernet0/0                 1        yes     enabled
Null0                           4        yes     enabled
Serial0/0                       5        yes     enabled
VoIP-Null0                      3        yes     enabled
Async1                          6        no      enabled
FastEthernet0/1                 2        yes     enabled
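The drift shown above can be checked mechanically before a poller starts graphing the wrong interface. The following Python is an added example, not part of the original post: it parses two captures of show snmp mib ifmib ifindex detail and reports, for each interface whose index moved, which interface now answers at the old index. The function names parse_ifindex_table and index_drift are hypothetical, and the column spacing in the embedded samples is reconstructed from the output in the post.

```python
import re

# Sample output taken from the post: before and after the WIC install, persistence disabled.
BEFORE = """\
Description                     ifIndex  Active  Persistent
----------------------------------------------------------------
FastEthernet0/0                 1        yes     disabled
Null0                           4        yes     disabled
VoIP-Null0                      3        yes     disabled
FastEthernet0/1                 2        yes     disabled
"""
AFTER = """\
Description                     ifIndex  Active  Persistent
----------------------------------------------------------------
FastEthernet0/0                 1        yes     disabled
Null0                           5        yes     disabled
Serial0/0                       2        yes     disabled
VoIP-Null0                      4        yes     disabled
Async1                          6        no      disabled
FastEthernet0/1                 3        yes     disabled
"""

ROW = re.compile(r"^(.+?)\s+(\d+)\s+(yes|no)\s+(enabled|disabled)$")

def parse_ifindex_table(text):
    """Return {description: (ifIndex, active, persistent)} from the CLI output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header, ruler and prompt lines do not match and are skipped
            name, idx, active, persist = m.groups()
            table[name] = (int(idx), active == "yes", persist == "enabled")
    return table

def index_drift(before, after):
    """Map each interface whose ifIndex changed to (old index, new index,
    interface now holding the old index, i.e. what a poller would graph)."""
    old, new = parse_ifindex_table(before), parse_ifindex_table(after)
    by_index = {idx: name for name, (idx, _, _) in new.items()}
    drift = {}
    for name, (old_idx, _, _) in old.items():
        if name in new and new[name][0] != old_idx:
            drift[name] = (old_idx, new[name][0], by_index.get(old_idx))
    return drift

if __name__ == "__main__":
    for name, (o, n, now) in index_drift(BEFORE, AFTER).items():
        print(f"{name}: ifIndex {o} -> {n}; index {o} now belongs to {now}")
```

Run against the capture taken with persistence enabled, the same comparison reports no drift.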
Comments
Just yesterday I was going on about this on the Linux side of things when someone pointed out this feature of IOS. Quite nifty. Now if only I wouldn't have to write my own method for this for snmpd at the moment..
Hi,
Do you know if this is possible with virtual-access interfaces too?
thanks to your lesson~^^
One word of caution if you are polling statistics on policy-maps. The snmp oid used to poll the statistics will change at reboot every time, regardless of the "snmp-server ifindex persist" command.
Any way to put ingress/egress ACLs on SNMP traffic?
@nola..
I'm not sure about ingress/egress, however you can put an ACL on the snmp community string pretty easily..
eg.
snmp-server community BLABLA RO 10
where 10 is your ACL.
One can also apply access lists to the control plane.
Regarding polling statistics on policy-maps. At least for Cacti, there's the possibility of using its PHP Script Server (or an input method that uses indexes) and use the policy-map's custom name as an index instead of the OID index. Since a policy-map's name is pretty static (unless you remove it and re-add it with a new name) it's a very safe method. It takes a little more checks to use, you do have to link the name to the oid, but in the script.
Thank you :). It was easy to understand the purpose of ifindex.


Yeah, good one.
@ my workplace there is a special "trap" if you forget to put ifindex persist on a L3 interface: one of the big bosses that stay all day watching mrtg graphs will complain via e-mail (not immediately, but after a couple of days) with something that sounds like "still unsolved network issues for building xy, the graphs are empty, any advice?"
:-) :-D
Marco