I'm trying to set up snmp v3 on my switch network and I seem to be hitting a bit of a brick wall. I'm very new to snmp in general so I spent some time researching and I did manage to get some progress, I think.
Anyways, I am unable to pull data from a test switch ever since I tried implementing snmp v3 (it was working when I was just using v2 communities), and I was wondering if anyone could help me.
My snmp configs on my switch (a 2950T 24 port) are:
snmp-server engineID local xxx
snmp-server engineID remote xxx.xxx.2.240 000000000100000000000000
snmp-server group tscgrp v3 auth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF
snmp-server community -------- RO
snmp-server community -------- RW
snmp-server contact TSC (x9149)
snmp-server enable traps config
snmp-server host xxx.xxx.2.240 version 3 auth tscusr
and a 'show snmp user' command:
User name: tscusr
Engine ID: 800000090300001A6DCD8440
Authentication Protocol: MD5
Is there anything I'm doing wrong here? The local engineID seemed to appear on its own, but I'm not sure how to set up the remote engineID (in terms of finding out what it is). What is needed to get it working on the 2k3 server that CiscoWorks is sitting on, if anything? Or is it something to do with CiscoWorks itself? This is a new (full) CWS install on a new server box, and the switch is on the same C-class subnet. There is no issue with blocked ports or reachability as far as I know.
Any help is greatly appreciated, thanks in advance!
The only way to obfuscate the SNMP credentials is with SNMPv3. The credentials are not encrypted in this case, but rather hashed using either MD5 or SHA-1.
SNMP contexts allow access to a MIB branch on varying conditions. For example, certain MIB branches may be replicated across different subsystems or different logical entries within the same device. Examples include MPLS VRFs, clustered switch devices, and VLANs. In the latter case, each VLAN has its own context. In order for User Tracking to get the users on each VLAN on the switch, it polls the BRIDGE-MIB using each VLAN's context. Since the 2950 series does not support contexts, this will fail, and it will appear as if there are no end users on the switch.
With SNMPv1/v2c, this same thing was accomplished using community string indexing. This was a hack Cisco developed to work around the limitations in these early versions of SNMP. Community string indexing worked by appending an '@' followed by the VLAN number to the community string.
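As an added illustration (not code from this thread or from Cisco), the following shows why the engineID matters for SNMPv3 authentication: the user's password is never stored or sent as-is, but expanded and hashed (MD5 or SHA-1) and then localized to the agent's engineID per RFC 3414, so the same password yields a different key on every switch. It assumes Python 3's hashlib and checks itself against the RFC 3414 Appendix A test vector; the engineID from the 'show snmp user' output above is used only to show the per-device localization.

```python
import hashlib

ONE_MIB = 1024 * 1024


def password_to_key(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: repeat the password to fill 1 MiB, hash once -> Ku."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str, algo: str) -> str:
    """Convenience wrapper returning the localized auth key as hex."""
    ku = password_to_key(password.encode(), algo)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algo).hex()


# RFC 3414 Appendix A.3 test vector: password "maplesyrup",
# engineID 00 00 00 00 00 00 00 00 00 00 00 02.
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = "000000000000000000000002"
RFC_MD5_KUL = "526f5eed9fcce26f8964c2930787d82b"
RFC_SHA_KUL = "6695febc9288e36282235fc7151f128497b38f3f"

if __name__ == "__main__":
    assert localized_key_hex(RFC_PASSWORD, RFC_ENGINE_ID, "md5") == RFC_MD5_KUL
    assert localized_key_hex(RFC_PASSWORD, RFC_ENGINE_ID, "sha1") == RFC_SHA_KUL
    # Same password, the 2950's engineID from the post: a different key.
    switch_engine = "800000090300001A6DCD8440"
    print("MD5 Kul for this switch:",
          localized_key_hex("example-password", switch_engine, "md5"))
    print("MD5 Kul for RFC engine :",
          localized_key_hex("example-password", RFC_ENGINE_ID, "md5"))
```

Because the key is derived from the engineID, a manager that has the wrong remote engineID configured will compute a key the agent does not recognize, which shows up as authentication failures rather than as an empty poll.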