SNMP V3

We have been asked to migrate all devices to SNMP V3.

I tried to test this out on a 2811 router but it is failing. All I need is to allow my NMS (SolarWinds) to poll using SNMPv3.

Here is my config

snmp-server user test test v3 auth md5 test priv des56 test

snmp-server group test v3 priv

Is there anything else I need to do to use SNMP v3 for polling?

Ambi

Correct Answer
Joe Clarke Thu, 02/28/2008 - 00:05

The SNMP USM spec says that passwords must be at least eight characters. So you should increase the length of your passwords (e.g. tester123). Also, you do not want to specify a context name in Solarwinds (i.e. leave this field blank). Contexts are not used for general polling. Other than that, this looks okay.
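The length rule in the answer above, shown as an added example that is not part of the original post or of any Cisco or SolarWinds code: the Python below implements the RFC 3414 appendix A.2 password-to-key derivation used for `auth md5` and flags passwords under eight characters. `check_user_line` is a hypothetical helper that assumes the `snmp-server user` layout shown in the question.

```python
import hashlib

USM_MIN_PASSWORD_LEN = 8      # minimum length cited in the answer above
EXPANDED_LEN = 1_048_576      # RFC 3414 A.2: the password is stretched to 1 MiB


def password_to_key_md5(password):
    """RFC 3414 A.2.1: derive the user key Ku from a password (HMAC-MD5 auth)."""
    pw = password.encode()
    if len(pw) < USM_MIN_PASSWORD_LEN:
        raise ValueError("USM password too short: %d characters" % len(pw))
    # Repeat the password until exactly 1 MiB has been produced, then hash it.
    stretched = (pw * (EXPANDED_LEN // len(pw) + 1))[:EXPANDED_LEN]
    return hashlib.md5(stretched).digest()


def localize_key_md5(ku, engine_id):
    """Bind Ku to one agent's snmpEngineID: Kul = MD5(Ku || engineID || Ku)."""
    return hashlib.md5(ku + engine_id + ku).digest()


def check_user_line(line):
    """Return one finding per too-short password in an IOS 'snmp-server user' line.

    Assumed layout (hypothetical helper, not an IOS parser):
      snmp-server user <name> <group> v3 auth <alg> <pw> [priv <alg> [<bits>] <pw>]
    """
    words = line.split()
    findings = []
    for keyword in ("auth", "priv"):
        try:
            idx = words.index(keyword, 5)   # skip the user and group names
        except ValueError:
            continue                        # level not configured on this line
        # 'priv aes' carries a key size (128/192/256) before the password.
        offset = 3 if words[idx + 1] == "aes" else 2
        if idx + offset >= len(words):
            findings.append("%s password missing" % keyword)
        elif len(words[idx + offset]) < USM_MIN_PASSWORD_LEN:
            findings.append("%s password is %d characters, minimum is %d"
                            % (keyword, len(words[idx + offset]), USM_MIN_PASSWORD_LEN))
    return findings
```

Because the localized key is derived from the agent's engine ID, the same password yields a different key on every device.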

Thanks... that did the trick.

However, I have one more problem. Even though I disabled SNMP and re-enabled it, the old username still appears in sh snmp users.

Is there any way I can get rid of these (of course without a reload)? Since the sh runn config does not show the username, it is difficult to identify the exact commands needed to remove them.

Ambi

Joe Clarke Thu, 03/13/2008 - 08:10

There is nothing that needs to be done in IOS to enable this. Typically, the objects to poll for utilization are ifInOctets and ifOutOctets (along with ifSpeed). Faster interfaces will require ifHCInOctets and ifHCOutOctets and ifHighSpeed. All of these should be pollable with the SNMPv3 config you provided earlier.

Joe Clarke Mon, 03/17/2008 - 15:06

Our devices don't support the HOST-RESOURCE-MIB. We use the CISCO-PROCESS-MIB for CPU utilization. To figure out why the interface utilization is not working, you will need to provide a sniffer trace of the NMS polling the device.

Joe Clarke Thu, 03/20/2008 - 09:24

I use Cacti in my lab and at home for this kind of monitoring. It supports SNMPv3 authNoPriv and authPriv using net-snmp's stack. It works really well (http://www.cacti.net/).

GERARD PUOPLO Mon, 03/24/2008 - 14:02

Many tools will not be able to handle SNMPv3 priv for SNMPv3 polling. I think that is why polling is ok in many of the instances in this conversation but not the display of the data.

Joe Clarke Mon, 03/24/2008 - 14:09

The data returned by an SNMPv3 authPriv poll is the same returned by SNMPv3 authNoPriv and SNMPv2c. The only difference is encryption. If the encryption was broken, the device shouldn't be responding with any data at all (only report packets). That is why I requested a sniffer trace early on.

GERARD PUOPLO Mon, 03/24/2008 - 14:34

Agreed.

But there is SNMPv3 authPriv and Priv. The settings in the user example look to me to be authPriv and Priv rather than AuthPriv and noPriv, meaning the data is to be encrypted. Many SNMP managers will support SNMPv3 authpriv if you configure them correctly but only in noPriv mode ...

Joe Clarke Mon, 03/24/2008 - 14:46

There is authPriv and there is authNoPriv. If the manager claims to support authPriv, it must expect encryption (using the specified algorithm). There is no such thing as authPriv without encryption (then it would be called authNoPriv, and the manager should not be offering fields to specify encryption parameters).
