SNMP v3 configuration

May 11th, 2010

Hi all, can anyone help me configure SNMP v3 with two sets of groups and users? One with full read/write access, which will be used for LMS, and the other with read-only access, which will be used by other software.

I don't have a clue how to configure SNMP v3. Please provide the working config/commands if possible.

Joe Clarke Tue, 05/11/2010 - 21:10

First, see http://www.cisco.com/en/US/partner/tech/tk648/tk362/technologies_tech_note09186a0080094489.shtml .  This covers securing SNMP including SNMPv3.  In short, you will need two groups:

snmp-server group lmsgrp v3 auth

snmp-server group nmsgrp v3 auth write v1default

Then, create a user for each group:

snmp-server user lmsuser lmsgrp v3 auth md5 lmsuser123

snmp-server user nmsuser nmsgrp v3 auth md5 nmsuser123

This sample config will enable SNMPv3 authNoPriv using MD5 authentication.  You can use lmsuser as your LMS user with the password lmsuser123.  For your other NMSes, you can use nmsuser with password nmsuser123.

That said, LMS can use SNMP read-write, so having a read-only user for LMS might not be sufficient, especially if you plan to use IPM.

jain.nitin Tue, 05/11/2010 - 23:26

snmp-server user username snmpgroup remote ip address v3 auth sha

What is this command used for? Do I need to use this command? What about the snmp-server host ip address v3 traps command?

Thanks for your help and for providing sample config/commands.

jain.nitin Tue, 05/11/2010 - 23:31

Dear Clarke, in your given configuration lmsgrp will have read-write permission and nmsgrp will have only read permission. Is that correct? But in nmsgrp you are saying "v3 auth write v1default", which will give write permission to this group. Correct me if I'm wrong. I want to give LMS all permissions, but the other NMS should have read-only access.

Joe Clarke Tue, 05/11/2010 - 23:42

I misread.  Just reverse the group configurations then.

snmp-server group lmsgrp v3 auth write v1default notify v1default

snmp-server group nmsgrp v3 auth
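
An added example, not part of the thread and not Cisco's code: a Python check that parses the snmp-server group and user lines posted above and reports which user ends up read-write, at what security level, and with what hardening gaps. The function names parse_snmpv3 and audit are hypothetical, and the parser assumes simple keyword/value options and IOS's behaviour that a group with no write view is read-only.

```python
# Added example: the sample lines are the corrected groups and users from this thread.
SAMPLE_CONFIG = """\
snmp-server group lmsgrp v3 auth write v1default notify v1default
snmp-server group nmsgrp v3 auth
snmp-server user lmsuser lmsgrp v3 auth md5 lmsuser123
snmp-server user nmsuser nmsgrp v3 auth md5 nmsuser123
"""

LEVELS = {"noauth": "noAuthNoPriv", "auth": "authNoPriv", "priv": "authPriv"}

def parse_snmpv3(config):
    """Return (groups, users) dicts parsed from v3 group and user lines."""
    groups, users = {}, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["snmp-server", "group"] and len(tok) >= 5 and tok[3] == "v3":
            # Assumption: options are plain "keyword value" pairs
            # (read / write / notify / access).
            opts = dict(zip(tok[5::2], tok[6::2]))
            groups[tok[2]] = {"level": LEVELS.get(tok[4], tok[4]),
                              "write": opts.get("write"), "acl": opts.get("access")}
        elif tok[:2] == ["snmp-server", "user"] and len(tok) >= 5 and tok[4] == "v3":
            auth = tok[6] if len(tok) > 6 and tok[5] == "auth" else None
            users[tok[2]] = {"group": tok[3], "auth": auth}
    return groups, users

def audit(config):
    """Map each user to its effective access and list hardening findings."""
    groups, users = parse_snmpv3(config)
    report = {}
    for name, user in users.items():
        group = groups.get(user["group"])
        if group is None:
            report[name] = {"access": "none", "findings": ["group not defined"]}
            continue
        findings = []
        if group["level"] != "authPriv":
            findings.append("no privacy (payload not encrypted)")
        if user["auth"] == "md5":
            findings.append("MD5 authentication")
        if group["write"] and not group["acl"]:
            findings.append("write view without access ACL")
        access = "read-write" if group["write"] else "read-only"  # no write view = RO
        report[name] = {"access": access, "level": group["level"], "findings": findings}
    return report

if __name__ == "__main__":
    for name, entry in audit(SAMPLE_CONFIG).items():
        print(name, entry)
```

Run against the corrected configuration, it reports lmsuser as read-write and nmsuser as read-only, both at authNoPriv.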

Joe Clarke Tue, 05/11/2010 - 23:41

No, you do not need this command.  This command is only required if you will be sending SNMP inform notifications.  If you want to enable v3 traps, just configure:

snmp-server host x.x.x.x traps version 3 auth lmsuser

You will also want to add a notify view to your lmsgrp:

snmp-server group lmsgrp v3 auth notify v1default

However, be aware, LMS does not support v3 traps.  You will need to configure v1 or v2c traps if you want DFM to be able to process them.

sohaildxbfze Mon, 08/23/2010 - 11:31

Further to my earlier post, I have the following config, and I have LMS 3.2, the latest one.

snmp-server engineID local xxxxxxxxxxxx
snmp-server group ABC v3 auth write v1default access 10
snmp-server user lmsadmin ABC v3 auth md5 abc

snmp-server host 1.1.2.1 version 3 auth lmsadmin
snmp-server location DATACENTER

snmp-server contact ITDEPT


access-list 10 permit 1.1.2.0 0.0.0.255

But I can't configure switch ports. The device credential report is showing OK for Telnet and SNMP v3.

Are SNMP v3 traps supported on LMS 3.2 now?

sohaildxbfze Mon, 08/23/2010 - 11:27

I defined

snmp-server group abc v3 auth write v1default access 10

but still, when I do RME>Device Management>Cisco View

I can't configure the ports on the switch. My example device is a 3560-48PS; the error says there is a timeout for the chassis and/or to check SNMP credentials.

I have run the device credential report, and it says SNMP v3 is OK (read and write), as well as Telnet.

Any ideas?
