New Site for Posts

Chesapeake Netcraftsmen has created a new website with a blogging section. I've moved my blog posts to that website. I just posted a blog on "Creating Policing with Cisco NCM".

Getting Started with Expect for Cisco NCM Command Scripts

Advanced Command scripts, with NCM, can be written in Perl or Expect. When there is interactive input, Expect is normally recommended. This blog provides a starting point for using Expect to aid in the creation of Cisco NCM command scripts

1 Reference Material

One of the best references for Expect is the “Exploring Expect” book published by O’Reilly. I’ll be adding page number references from the book to the sections below.

Another good reference is the included help files with ActiveState Expect.

2 Downloading and Installing ActiveState TCL with Expect Extensions

One way to learn how to use Expect is to use the free version, from ActiveState, on your Windows PC. This provides the opportunity to learn how TCL and Expect work and test scripts before deploying within NCM. Use the following steps to download and install Expect

1. Go to http://www.activestate.com and download the free TCL application

2. Install TCL

3. Open a command prompt

4. Type “teacup install Expect” to install the Expect extension to TCL

3 Create Your First Script

Now that TCL and Expect are installed, you can run through the following test script to see how Expect works. This test script shows how to telnet to a router and execute “show version”. Within the example script, replace anything in red with the appropriate information from your test router.

There are minor differences between this script and the script executed within NCM. The one main difference is the use of the “exp_send” command. Within NCM, this should just be “send”.

1. Open Notepad

2. Paste the following script into Notepad and save as sample.txt. This script assumes that you have AAA turned on an authorization set to have the user authorized into privileged exec mode. If this configuration is not already entered, you can add it by entering the following to add AAA with local authentication and authorization

aaa new-model

!

aaa authentication login default local

aaa authorization exec default local

!

username cisco privilege 15 password cisco

Script

#!/bin/sh

# \

exec tclsh "$0" ${1+"$@"}

package require Expect

log_user 1

spawn telnet 192.168.137.100

expect "Username" {

exp_send "cisco\r"

}

expect "assword" {

exp_send "cisco\r"

}

expect "R1#"

exp_send "terminal length 0\r"

expect "R1#"

exp_send "sh version\r"

expect "R1#"

exp_send "exit\r"

3. Run the script by opening a command prompt, navigating to the directory with the script, and executing “tclsh85 sample.txt”. The output of the script should look similar to the following

C:\Tcl>tclsh85 showversion.txt

Welcome to Microsoft Telnet Client

Escape Character is 'CTRL+]'

Connecting To 192.168.137.100...

Put something here

User Access Verification

Username: cisco

Password:

R1#terminal length 0

R1#sh version

Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(13a), RELEASE S

OFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2007 by Cisco Systems, Inc.

Compiled Tue 06-Mar-07 20:25 by prod_rel_team

ROM: ROMMON Emulation Microcode

ROM: 3600 Software (C3640-JK9O3S-M), Version 12.4(13a), RELEASE SOFTWARE (fc1)

R1 uptime is 5 minutes

System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0

x0, BOOT_COUNT 0, BOOTDATA 19

System image file is "tftp://255.255.255.255/unknown"

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

Cisco 3640 (R4700) processor (revision 0xFF) with 124928K/6144K bytes of memory.

Processor board ID 00000000

R4700 CPU at 100MHz, Implementation 33, Rev 1.2

17 FastEthernet interfaces

DRAM configuration is 64 bits wide with parity enabled.

125K bytes of NVRAM.

8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

R1#

C:\Tcl>

4 Regular Expressions

Expect scripts normally include the use of regular expressions to evaluate output from routers and switches. The best way to show how this works is through a simple example. Let’s take the output from “show interface fa1/0”. Here’s the output to use as a reference for the example to follow.

R1#sh int fa1/10

FastEthernet1/10 is up, line protocol is down

Hardware is Fast Ethernet, address is cc00.1264.f10a (bia cc00.1264.f10a)

MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Auto-duplex, Auto-speed

ARP type: ARPA, ARP Timeout 04:00:00

Last input never, output never, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 input packets with dribble condition detected

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 2 interface resets

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

With this script, we want to evaluate the up/down state of the interface and line protocol and exit out of the script with an error message if either the interface or line are down.

#!/bin/sh

# \

exec tclsh "$0" ${1+"$@"}

package require Expect

log_user 1

spawn telnet 192.168.137.100

expect "Username" {

exp_send "cisco\r"

}

expect "assword" {

exp_send "cisco\r"

}

expect "R1#" {

exp_send "sh int fa1/10\r"

}

expect {

-re "is (\[a-z]*), line protocol is (\[a-z]*)" {

set int_status $expect_out(1,string)

set line_status $expect_out(2,string)

exp_continue

}

"R1#" {

exp_send "exit\r"

}

}

if {$int_status == "down" || $line_status == "down"} {

puts "\n!!!Interface is down!!!\n"

exit 1

}

else {

puts "\n!!!Interface is up!!!\n"

exit 0

}

Let’s look at the regular expression portion of the script

expect {

-re "is (\[a-z]*), line protocol is (\[a-z]*)" {

set int_status $expect_out(1,string)

set line_status $expect_out(2,string)

exp_continue

}

"R1#" {

exp_send "exit\r"

}

}

The “-re” specifies that the next portion should be treated as a regular expression (pg 109 Exploring Expect). The portion [a-z] specifies a single character matching any lower case character. The “*” after the [a-z] specifies a match for the rest of the lower case characters that follow the initial character. You’ll notice that there is a \ before the first [. This is required, by Expect, to have the [ ] treated correctly as a regular expression delineator (pg 91 Exploring Expect). The () specifiy that anything within them should be treated as a variable. The variable is saved in the line after the regular expression with the line (pg 111 Exploring Expect).

set int_status $expect_out(1,string)

The “1” specifies that it is the first variable created by the (). The second () is captured as the variable “line_status”. You’ll notice that the “1” has been replaced by a “2” in this case (pg 111 Exploring Expect).

The next thing to notice is the “exp_continue” command. This specifies that the expect command that surrounds it should be run until there is no remaining input to be evaluated (pg 145 Exploring Expect).

Here is the output of the script

C:\Tcl>tclsh85 sample.tcl

Welcome to Microsoft Telnet Client

Escape Character is 'CTRL+]'

Connecting To 192.168.137.100...

Put something here

User Access Verification

Username: cisco

Password:

R1#sh int fa1/10

FastEthernet1/10 is up, line protocol is down

Hardware is Fast Ethernet, address is cc00.1264.f10a (bia cc00.1264.f10a)

MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Auto-duplex, Auto-speed

ARP type: ARPA, ARP Timeout 04:00:00

Last input never, output never, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 input packets with dribble condition detected

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 2 interface resets

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

R1#

!!!Interface is down!!!

5 Limiting Script Output

In the first script, we saw that there was a lot of output. We could limit this output to specific information that we wanted to display. This is done by changing “log_user 1” to “log_user 0”(pg 175 Exploring Expect). Once this is done, specific output can be displayed using the “puts” command. Here is the script from the regular expression section that will only output the interface information

#!/bin/sh

# \

exec tclsh "$0" ${1+"$@"}

package require Expect

log_user 0

spawn telnet 192.168.137.100

expect "Username" {

exp_send "cisco\r"

}

expect "assword" {

exp_send "cisco\r"

}

expect "R1#" {

exp_send "sh int fa1/10\r"

}

expect {

-re "is (\[a-z]*), line protocol is (\[a-z]*)" {

set int_status $expect_out(1,string)

set line_status $expect_out(2,string)

exp_continue

}

"R1#" {

exp_send "exit\r"

}

}

if {$int_status == "down" || $line_status == "down"} {

puts "\n!!!Interface is down!!!\n"

exit 1

}

else {

puts "\n!!!Interface is up!!!\n"

exit 0

}

Here is the output that is displayed in this case

C:\Tcl>tclsh85 sample.tcl

!!!Interface is down!!!

Automation with Cisco NCM Command Scripts

One of the strongest features of Cisco NCM is the capability to create scripts to be executed against any number of devices. These scripts can be as simple as running a sequence of Cisco IOS commands or as complex as a multi-page Expect script. In this blog I'll show how easy it is to create an Expect script, within NCM.

For this example, let's assume we're trying to figure out a way to allow the Network Operations Center (NOC) to shut down interfaces on access switches, but not on distribution or core switches. Additionally, the NOC should not be able to be able to shut down the uplink ports located on ports fastethernet 0/23 and fastethernet 0/24.

NCM provides an easy way to get started with the script. This is done by creating a SSH session to the switch and executing the commands that would be executed in the command script. Then, the commands can be viewed and automatically converted to an Expect or Perl script. From there, the script can be customized to provide the logic to accomplish the task above. Let's walk through how each step is done.

1. Click on "Devices > Inventory".


2. In the resulting screen, click on the SSH button next to the device you would like to connect to


3. In the Java SSH window that appears, type in an example of the commands that would be used to shutdown an interface and exit.


4. Navigate back to the device by, once again, going to "Devices > Inventory". Click on the device name


5. In the resulting screen, click on "View > Telnet/SSH Sessions"


6. Click on "View Commands Only" to view the commands that you just entered


7. Click on "Convert to Expect Script" to automatically create a script from the commands entered.



8. At this point, an Expect script is created with the code needed to execute the commands entered previously


9. There a few places that need customization. First, the interface used in the script, fastethernet0/9 should be a variable that the NOC can define at execution time. This can be done by replacing fastethernet0/9 with a NCM variable that the NOC will be prompted to enter when they execute the script. To do this, replace fastethernet0/9 with $interface$. A string with $ at the beginning and end signifies an NCM variable.

send "interface fa0/9\r" -----------> send "interface $interface$\r"

10. When this is added, the "Pull Variables" button can be clicked to create the prompt that the NOC will see when they execute the script


11. This brings up another screen that requires information to be entered for the prompt


12. That's the basics of the script. The only thing left to do is add the restrictions for the script. First, the NOC should only be able to change access layer switches. The naming convention for the switches state that access switches start with "A". We can use this as a check to make sure an access switch is being used. Below is the corresponding Expect code snippet

if [string match "^A*" $enable_prompt] {
} else {
puts "\nThis is not an access layer switch\n"
exit 1
}

This snippet checks to see if the pre-defined $enable_prompt variable starts with an A. If so, it is an access layer switch. If not, an error message is displayed and the script is exited with error status.

13. The second check was to make sure fastethernet0/23 or fastethernet0/24 are not used. This is accomplished with the snippet below.

set protected_int {"1/6" "1/7"}
set int $interface$

set i 0
foreach i $protected_int {
if [string match "*$i" $int] {
puts "\nShutdown of uplink ports is not permitted\n"
exit 1
}
}

In this portion, the uplink interfaces are put into an array named "protect_int". The interface, that the NOC chooses, is stored in the $interface$ variable. A for loop checks to see if there is match between an uplink interface and the chosen interface. If so, an error message is sent and the scripted is exited.

14. When the script is created, the Expect command "log_user 1" is set. This means that whatever is sent in the script is also sent to the script output. In order to stop this from happening, set "log_user 0". With this set, only the "puts" output is displayed. In general, this is what you will want to see.

15. To run the script, click "Devices > Device Tools > Command Scripts"


16. Select "Run" on the script to execute.


17. Select the devices to run the script on, the interface to shutdown, and click "Save Task" to execute the script



That's all there is to creating a command script in NCM. I would highly recommend purchasing the "Exploring Expect" book written by Don Libes and published by O'Reilly. Additionally, I would recommend downloading ActiveTCL from Activestate.com. Expect is actually an extension of TCL. After installing TCL, you can load the Expect extension by entering "teacup install Expect" from a CMD prompt.

Microsoft Swiss Army Toolkit

Every once in awhile there are instances where you need information about a Microsoft Windows XP computer that you think should be easy to find but seems impossible to uncover. The tool to find the information is a built-in command line tool call wmic.exe. This command has a slew of command line options that can uncover practically any information about your computer. Here are some examples.

Want to find out the OS version of your computer? Run "wmic os". The output shows up in columns with a ton of information. The version information show up as shown below

C:\>wmic os
Version
5.1.2600

Here's a list of all the command line parameters available

C:\> wmic /?

[global switches]

The following global switches are available:
/NAMESPACE Path for the namespace the alias operate against.
/ROLE Path for the role containing the alias definitions.
/NODE Servers the alias will operate against.
/IMPLEVEL Client impersonation level.
/AUTHLEVEL Client authentication level.
/LOCALE Language id the client should use.
/PRIVILEGES Enable or disable all privileges.
/TRACE Outputs debugging information to stderr.
/RECORD Logs all input commands and output.
/INTERACTIVE Sets or resets the interactive mode.
/FAILFAST Sets or resets the FailFast mode.
/USER User to be used during the session.
/PASSWORD Password to be used for session login.
/OUTPUT Specifies the mode for output redirection.
/APPEND Specifies the mode for output redirection.
/AGGREGATE Sets or resets aggregate mode.
/AUTHORITY Specifies the for the connection.
/?[:] Usage information.

For more information on a specific global switch, type: switch-name /?


The following alias/es are available in the current role:
ALIAS - Access to the aliases available on the local system
BASEBOARD - Base board (also known as a motherboard or system board) management.
BIOS - Basic input/output services (BIOS) management.
BOOTCONFIG - Boot configuration management.
CDROM - CD-ROM management.
COMPUTERSYSTEM - Computer system management.
CPU - CPU management.
CSPRODUCT - Computer system product information from SMBIOS.
DATAFILE - DataFile Management.
DCOMAPP - DCOM Application management.
DESKTOP - User's Desktop management.
DESKTOPMONITOR - Desktop Monitor management.
DEVICEMEMORYADDRESS - Device memory addresses management.
DISKDRIVE - Physical disk drive management.
DISKQUOTA - Disk space usage for NTFS volumes.
DMACHANNEL - Direct memory access (DMA) channel management.
ENVIRONMENT - System environment settings management.
FSDIR - Filesystem directory entry management.
GROUP - Group account management.
IDECONTROLLER - IDE Controller management.
IRQ - Interrupt request line (IRQ) management.
JOB - Provides access to the jobs scheduled using the schedule service.
LOADORDER - Management of system services that define execution dependencies.
LOGICALDISK - Local storage device management.
LOGON - LOGON Sessions.
MEMCACHE - Cache memory management.
MEMLOGICAL - System memory management (configuration layout and availability of memory).
MEMPHYSICAL - Computer system's physical memory management.
NETCLIENT - Network Client management.
NETLOGIN - Network login information (of a particular user) management.
NETPROTOCOL - Protocols (and their network characteristics) management.
NETUSE - Active network connection management.
NIC - Network Interface Controller (NIC) management.
NICCONFIG - Network adapter management.
NTDOMAIN - NT Domain management.
NTEVENT - Entries in the NT Event Log.
NTEVENTLOG - NT eventlog file management.
ONBOARDDEVICE - Management of common adapter devices built into the motherboard (system board).
OS - Installed Operating System/s management.
PAGEFILE - Virtual memory file swapping management.
PAGEFILESET - Page file settings management.
PARTITION - Management of partitioned areas of a physical disk.
PORT - I/O port management.
PORTCONNECTOR - Physical connection ports management.
PRINTER - Printer device management.
PRINTERCONFIG - Printer device configuration management.
PRINTJOB - Print job management.
PROCESS - Process management.
PRODUCT - Installation package task management.
QFE - Quick Fix Engineering.
QUOTASETTING - Setting information for disk quotas on a volume.
RECOVEROS - Information that will be gathered from memory when the operating system fails.
REGISTRY - Computer system registry management.
SCSICONTROLLER - SCSI Controller management.
SERVER - Server information management.
SERVICE - Service application management.
SHARE - Shared resource management.
SOFTWAREELEMENT - Management of the elements of a software product installed on a system.
SOFTWAREFEATURE - Management of software product subsets of SoftwareElement.
SOUNDDEV - Sound Device management.
STARTUP - Management of commands that run automatically when users log onto the computer system.
SYSACCOUNT - System account management.
SYSDRIVER - Management of the system driver for a base service.
SYSTEMENCLOSURE - Physical system enclosure management.
SYSTEMSLOT - Management of physical connection points including ports, slots and peripherals, and proprietary connections points.
TAPEDRIVE - Tape drive management.
TEMPERATURE - Data management of a temperature sensor (electronic thermometer).
TIMEZONE - Time zone data management.
UPS - Uninterruptible power supply (UPS) management.
USERACCOUNT - User account management.
VOLTAGE - Voltage sensor (electronic voltmeter) data management.
VOLUMEQUOTASETTING - Associates the disk quota setting with a specific disk volume.
WMISET - WMI service operational parameters management.

For more information on a specific alias, type: alias /?

CLASS - Escapes to full WMI schema.
PATH - Escapes to full WMI object paths.
CONTEXT - Displays the state of all the global switches.
QUIT/EXIT - Exits the program.

For more information on CLASS/PATH/CONTEXT, type: (CLASS | PATH | CONTEXT) /?

Features of Cisco Network Compliance Manager (NCM)

Cisco Network Compliance Manager (NCM) is a powerful tool that can ease network and security management by automating many of the more tedious aspects. This is all on top of the policies that can be used to ensure compliance with various compliance standards such as SOX, PCI, COBIT, ITIL, COSO, GLBA, and HIPAA. Here's a list of the top features that NCM can provide for an enterprise

1. Bare Metal Provisioning: This feature allows NCM to configure a device from scratch. The assumption is that the device console port is connected to a terminal server. NCM connects to the terminal server and discovers the device through the console port. It then pushes a config to the device and sets it up for use on the network
2. Device Configuration Template: This is a full configuration for a device that can be used as your "golden config". Every time a new device is configured, it can use this device configuration template as a baseline for the configuration. Unique portions, such as IP addresses, can be added through device variables that are defined at implementation time.
   
3. Command scripts: These are code snippets that can be run as a script. This is a great way to allow NOC personnel to safely execute commands without worrying about misconfigurations. The command scripts can even be forced to go through a workflow process. This could ensure that a higher level engineer reviews the command script before it is sent out.
4. Policies: These are checks that are done against the device snapshots that are periodically taken. This is one of the strongest features of NCM. There are number of different ways that policies can be used. One way is to check for stale configurations that should not exist. An example of this would be old SNMP server configurations that should be removed. The policy can also be configured to auto-remediate the problem and remove the stale configuration. To make this safer, the auto-remediation could be sent through a workflow for approval before it is actually implemented as a task. The second benefit of policies is standards based policy compliance checks. These would be policies, such as SOX and PCI. The third benefit of policies is automated checking of software vulnerabilities. This is provided with NCM Alert center. This is a subscription based service that is used to check for software vulnerabilities in Cisco devices. When a Cisco vulnerability announcement is released, Cisco creates an NCM policy to check for the software vulnerability. NCM downloads that policy, from Cisco, and uses it to check the devices it supports. If a vulnerability is found, it shows up in the police compliance report. The great thing about this is that the Cisco created policy checks for both the software version and the feature that causes the vulnerability. If the feature is not used, the device will not show up as vulnerable. This granularity ensures that only the devices truly vulnerable to a PSIRT are flagged.
   
5. Software Image Management (SWIM): NCM collects all the information that is needed to determine the software version that should be used on the devices. By using SWIM, downloading updated software images from Cisco is just a matter of a few mouse clicks. Deployment of the software images is also just a few mouse clicks.
   
6. Searching: The search functionality built into NCM is excellent. The searches are extremely flexible. When trying to search for a set of information about devices I usually find an extremely easy way of creating the search. Additionally, searches can be saved as a user report. This saves a lot of time. An initial search may take awhile to define which fields should show up and what information should be searched on. Once this is defined and saved as a user report, the information can be retrieved in a few mouse clicks.
7. Inventory for Cisco SW Maintenance: By using the search functionality, a comprehensive list of devices and serial numbers can be retrieved. This information can be used to define the devices that need to be covered under Cisco SW maintenance for the upcoming year.
   
8. Reporting: There are a number of great reports that NCM generates that show management level reports as well as detailed reports about the network environment
9. Diagrams: NCM can create L2, L3, L3 port, and other diagrams that show the network in a JPG, interactive JPG, or Visio format. You can also define which devices show up in the diagram to provide unique views showning the connectivity of different devices in the network.

I'll be providing further blogs, in the future, showing screenshots of the features listed above. Feel free to shoot me an email if there's a specific topic you wanted me to cover.

Tracking down high bandwidth users

When your internet bandwidth is being maxed out, it's nice to have an easy way to determine which users are causing the problem. One way of doing this is by using Netflow statistics. One free toolset to collect Netflow data is called flow-tools.

If you're using ASA FWs, a quick and dirty way to check out the offending users is to use the built in statistics in Cisco ASDM. This is located on the firewall dashboard as shown below



On this dashboard is a "top usage status" box that shows the offending user IP addresses along with the percentage of bandwidth used. This is shown below



This data can be used as a starting point for tracking down the high bandwidth users on your network

SNMP testing with net-snmp

With most network management systems and network security systems, SNMP is a critical component. One great tool for checking SNMP functionality is net-snmp. This tool works with Windows and Linux. From a security perspective, this net-snmp can be used as another troubleshooting tool to ensure that Cisco MARS and Cisco NCM are working correctly.

One basic tool, included with the toolset, is snmpwalk. This can be used to determine the OIDs used for a network device. Here's a partial execution of the command against a Cisco 2523 router.

C:\Apps\net-snmp\bin> snmpwalk -c cisco -v 1 10.1.1.200 more
SNMPv2-MIB::sysDescr.0 = STRING: Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IK8OS-L), Version 12.2(32), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Fri 02-Dec-05 16:15 by
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.27
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1229180359) 142 days, 6:23:23.59
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: termserv-R5
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 78
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
IF-MIB::ifNumber.0 = INTEGER: 4
IF-MIB::ifIndex.1 = INTEGER: 1

You can see that all the MIB OID values by adding the "-O n" option. By just typing "snmpwalk" you can get the full list of command line options. The use of "-O n" is shown below

C:\Apps\net-snmp\bin> snmpwalk -O n -c cisco -v 1 10.1.1.200
.1.3.6.1.2.1.1.1.0 = STRING: Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IK8OS-L), Version 12.2(32), RELEASE SOFTWARE(fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Fri 02-Dec-05 16:15 by
.1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.9.1.27
.1.3.6.1.2.1.1.3.0 = Timeticks: (1229164596) 142 days, 6:20:45.96
.1.3.6.1.2.1.1.4.0 = STRING:
.1.3.6.1.2.1.1.5.0 = STRING: termserv-R5
.1.3.6.1.2.1.1.6.0 = STRING:
.1.3.6.1.2.1.1.7.0 = INTEGER: 78
.1.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
.1.3.6.1.2.1.2.1.0 =
INTEGER: 4
.1.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1

You can then use this information to be more specific with your SNMP requests by using snmpget. Using the example above, we can just get the version information for the 2523 router by executing the command below

C:\Apps\net-snmp\bin> snmpget -c cisco -v 1 10.1.1.200 .1.3.6.1.2.1.1.1.0
SNMPv2-MIB::sysDescr.0 = STRING: Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IK8OS-L), Version 12.2(32), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Fri 02-Dec-05 16:15 by