olsonc0510 Fri, 09/23/2005 - 08:49

I am working on it now. I am able to get the read portion working but the write test fails. Be happy to send you email and docs I have on it. Perhaps we can work it out together. Do you know of an SNMPv3 test I can do without using LMS to test the write access?


olsonc0510 Fri, 09/23/2005 - 09:16

Got this to work. Will be out for the rest of the day but will get back to you Monday if you still want help.

dchrisconkle Fri, 09/23/2005 - 10:38

With the help of TAC I finally got it all working.


Try this site www.net-snmp.org


Here is the command sequence:

snmp-server user (user name) (whatever your group name is) v3 (you can use whatever auth you want)
snmp-server group (group name) v3 (noauth or auth) read (read string) write (write string)
snmp-server view (read string) iso included
snmp-server view (write string) iso included


Try using LMS to see if all is okay.


LMS only uses auth and noauth for the group security (cannot use priv until a later version of LMS comes out).


Here is a response I got from TAC on snmp views.


Also, is there any documentation that shows all the MIB view family names and what they report?

I am not seeing anything that references all of the available names.

Names normally reference the subtrees that you want to access like ISO, ifEntry, etc. You can also use the dotted decimal equivalent for that tree or specific OID if you want to be that granular.



So is there a single view command that is used to access all? I would hate to have to do an include statement for each.


I believe the iso keyword includes anything under the iso tree:


iso OBJECT-TYPE
-- FROM
::= { 1 }


As you can see from the above it starts at .1



Snmp-server view iso included would be the statement.


yjdabear Fri, 09/23/2005 - 11:38

Curious how to tackle this problem operationally:


http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t3/snmp3.htm


"Changing the value of snmpEngineID has important side-effects. A user's password (entered on the command line) is converted to an MD5 or SHA security digest. This digest is based on both the password and the local engine ID. The command line password is then destroyed, as required by RFC 2274. Because of this deletion, if the local value of engineID changes, the security digests of SNMPv3 users will be invalid, and the users will have to be reconfigured.


Similar restrictions require the reconfiguration of community strings when the engine ID changes. A remote engine ID is required when an SNMPv3 inform is configured. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. Please refer to the examples in the Configuring Informs section in the snmp-server host command reference page."


I hear any hardware change (like swapping out a bad line card) would force an engine ID change, so a whole series of parameters then would need to be reconfigured.

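The engine ID dependency described in the Cisco text quoted in the last post, as an added example that is not part of the thread or Cisco's code: the password-to-key localization from RFC 3414 (a later revision of the RFC 2274 user-based security model), checked against that RFC's published "maplesyrup" test vector. The second engine ID and the helper names are constructed for illustration.

```python
import hashlib

def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2, step 1: hash 1,048,576 bytes of the repeated password (Ku)."""
    if not password:
        raise ValueError("password must not be empty")
    total = 1024 * 1024
    stream = (password * (total // len(password) + 1))[:total]
    return hashlib.new(algo, stream).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2, step 2: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def localized_key(password: str, engine_id_hex: str, algo: str = "md5") -> bytes:
    """Digest an agent keeps for a user: depends on password AND engine ID."""
    ku = password_to_key(password.encode(), algo)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algo)

def key_survives(password: str, old_engine_hex: str, new_engine_hex: str,
                 algo: str = "md5") -> bool:
    """True only if the digest stored under the old engine ID is still valid."""
    return (localized_key(password, old_engine_hex, algo)
            == localized_key(password, new_engine_hex, algo))

# Engine ID used by the RFC 3414 A.3 test vectors.
RFC_ENGINE_ID = "000000000000000000000002"
# Constructed sample standing in for the engine ID after a change.
NEW_ENGINE_ID = "800000090300aabbccddeeff"

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        old = localized_key("maplesyrup", RFC_ENGINE_ID, algo).hex()
        new = localized_key("maplesyrup", NEW_ENGINE_ID, algo).hex()
        print(f"{algo:4} old engine ID: {old}")
        print(f"{algo:4} new engine ID: {new}")
        print(f"{algo:4} stored digest still valid:",
              key_survives("maplesyrup", RFC_ENGINE_ID, NEW_ENGINE_ID, algo))
```

Because only the localized digest is kept and the command-line password is discarded, the agent cannot recompute the digest for a new engine ID, which is why the users have to be re-entered.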