SNMPv3

dchrisconkle
Level 1

Has anyone successfully deployed SNMPv3 using LMS 2.5? I have configured a 3550xl-48 with SNMPv3 but LMS will not manage the device after adding the SNMP strings in CM and DCR.

4 Replies

olsonc0510
Level 1

I am working on it now. I am able to get the read portion working but the write test fails. Be happy to send you email and docs I have on it. Perhaps we can work it out together. Do you know of an SNMPv3 test I can do without using LMS to test the write access?

Got this to work. Will be out for the rest of the day but will get back to you Monday if you still want help.

With the help of TAC I finally got it all working.

Try this site www.net-snmp.org

Here is the command sequence

snmp-server user (user name) (whatever your group name is) v3 (you can use whatever auth you want)

snmp-server group (group name) v3 (noauth or auth) read (read string) write (write string)

snmp-server view (read string) iso included

snmp-server view (write string) iso included

Try using LMS to see if all is okay.

LMS only uses auth and noauth for the group security (cannot use priv until a later version of LMS comes out).

Here is a response I got from TAC on snmp views.

Also, is there any documentation that shows all the MIB view family names and what they report?

I am not seeing anything that references all of the available names.

Names normally reference the subtrees that you want to access like ISO, ifEntry, etc. You can also use the dotted decimal equivalent for that tree or specific OID if you want to be that granular.

So is there a single view command that is used to access all?

I would hate to have to do an include statement for each.

I believe the iso keyword includes anything under the iso tree:

iso OBJECT-TYPE

-- FROM

::= { 1 }

As you can see from the above it starts at .1

Snmp-server view iso included would be the statement.

yjdabear
VIP Alumni

Curious how to tackle this problem operationally:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t3/snmp3.htm

"Changing the value of snmpEngineID has important side-effects. A user's password (entered on the command line) is converted to an MD5 or SHA security digest. This digest is based on both the password and the local engine ID. The command line password is then destroyed, as required by RFC 2274. Because of this deletion, if the local value of engineID changes, the security digests of SNMPv3 users will be invalid, and the users will have to be reconfigured.

Similar restrictions require the reconfiguration of community strings when the engine ID changes. A remote engine ID is required when an SNMPv3 inform is configured. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. Please refer to the examples in the Configuring Informs section in the snmp-server host command reference page."

I hear any hardware change (like swapping out a bad line card) would force an engine ID change, so a whole series of parameters then would need to be reconfigured.
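
The key localization described in the Cisco text quoted above, as an added example that is not part of the thread and not Cisco's code: it follows the password-to-key algorithm of RFC 3414 appendix A.2 and shows why a digest stored under one engine ID stops matching after the engine ID changes. The function names and the replacement engine ID are assumptions made for illustration; the password and first engine ID are the RFC 3414 A.3 test vector.

```python
import hashlib
import hmac

def password_to_key(password: bytes, algo: str) -> bytes:
    """Intermediate key Ku: hash 1,048,576 bytes of the password repeated end to end."""
    if not password:
        raise ValueError("password must not be empty")
    total = 1048576
    stream = (password * (total // len(password) + 1))[:total]
    return hashlib.new(algo, stream).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Bind Ku to one SNMP engine: H(Ku || engineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def stored_digest(password: bytes, engine_id_hex: str, algo: str = "sha1") -> str:
    """What the agent keeps for a user after the command-line password is destroyed."""
    ku = password_to_key(password, algo)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algo).hex()

def digest_still_valid(kept_hex: str, password: bytes, engine_id_hex: str,
                       algo: str = "sha1") -> bool:
    """True if the kept digest matches what this engine ID would produce."""
    expected = stored_digest(password, engine_id_hex, algo)
    return hmac.compare_digest(kept_hex, expected)

if __name__ == "__main__":
    old_id = "000000000000000000000002"  # engine ID from the RFC 3414 A.3 test vector
    new_id = "800000090300001122334455"  # constructed engine ID, stands in for the changed value
    kept = stored_digest(b"maplesyrup", old_id)
    print("digest kept by agent      :", kept)
    print("valid under old engine ID :", digest_still_valid(kept, b"maplesyrup", old_id))
    print("valid under new engine ID :", digest_still_valid(kept, b"maplesyrup", new_id))
```

A management station that still holds the password can rerun the derivation against the new engine ID; the agent cannot, because it kept only the localized digest, which is why the users have to be re-entered on the device.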
