09-19-2005 12:44 PM
Has anyone successfully deployed SNMPv3 using LMS 2.5? I have configured a 3550xl-48 with SNMPv3 but LMS will not manage the device after adding the SNMP strings in CM and DCR.
09-23-2005 08:49 AM
I am working on it now. I am able to get the read portion working but the write test fails. Be happy to send you email and docs I have on it. Perhaps we can work it out together. Do you know of an SNMPv3 test I can do without using LMS to test the write access?
09-23-2005 09:16 AM
Got this to work. Will be out for the rest of the day but will get back to you Monday if you still want help.
09-23-2005 10:38 AM
With the help of TAC I finally got it all working.
Try this site www.net-snmp.org
Here is the command sequence
snmp-server user (user name) (whatever your group name is) v3 (you can use whatever auth you want)
snmp-server group (group name) v3 (noauth or auth) read (read string) write (write string)
snmp-server view (read string) iso included
snmp-server view (write string) iso included
Try using LMS to see if all is okay.
LMS only uses auth and noauth for the group security (cannot use priv until a later version of LMS comes out).
Here is a response I got from TAC on snmp views.
what they report?
Names normally reference the subtrees that you want to access like ISO,
ifEntry, etc. You can also use the dotted decimal equivalent for that tree
or specific OID if you want to be that granular.
I would hate to have to do an include statement for each.
iso OBJECT-TYPE
-- FROM
::= { 1 }
As you can see from the above it starts at .1
Snmp-server view
09-23-2005 11:38 AM
Curious how to tackle this problem operationally:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t3/snmp3.htm
"Changing the value of snmpEngineID has important side-effects. A user's password (entered on the command line) is converted to an MD5 or SHA security digest. This digest is based on both the password and the local engine ID. The command line password is then destroyed, as required by RFC 2274. Because of this deletion, if the local value of engineID changes, the security digests of SNMPv3 users will be invalid, and the users will have to be reconfigured.
Similar restrictions require the reconfiguration of community strings when the engine ID changes. A remote engine ID is required when an SNMPv3 inform is configured. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. Please refer to the examples in the Configuring Informs section in the snmp-server host command reference page."
I hear any hardware change (like swapping out a bad line card) would force an engine ID change, so a whole series of parameters then would need to be reconfigured.
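The dependency described in the quoted Cisco text, as an added example that is not part of the original thread: the password-to-key localization from RFC 3414 Appendix A.2 (the successor of the RFC 2274 the quote cites), written in Python to show that one password yields a different stored digest once the engine ID changes. The password and first engine ID are the RFC 3414 Appendix A.3 test inputs; the second engine ID is a constructed value.

```python
import hashlib

# RFC 3414 Appendix A.3 test inputs.
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed value standing in for the engine ID after it has changed.
CHANGED_ENGINE_ID = bytes.fromhex("8000000903000a0b0c0d0e0f")


def password_to_key(password: bytes, algo: str) -> bytes:
    """Derive the user key Ku: hash 1,048,576 bytes of the repeated password."""
    if not password:
        raise ValueError("password must not be empty")
    total = 1048576
    stream = (password * (total // len(password) + 1))[:total]
    return hashlib.new(algo, stream).digest()


def localized_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """Derive the localized key Kul = H(Ku || engineID || Ku).

    This is the digest an agent keeps once the plaintext password is discarded.
    """
    ku = password_to_key(password, algo)
    return hashlib.new(algo, ku + engine_id + ku).digest()


def digest_survives_engine_change(password: bytes, old_id: bytes,
                                  new_id: bytes, algo: str) -> bool:
    """True only if the digest stored under old_id is still valid under new_id."""
    return localized_key(password, old_id, algo) == \
        localized_key(password, new_id, algo)


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        before = localized_key(RFC_PASSWORD, RFC_ENGINE_ID, algo).hex()
        after = localized_key(RFC_PASSWORD, CHANGED_ENGINE_ID, algo).hex()
        print(f"{algo:4}  old engine ID: {before}")
        print(f"{algo:4}  new engine ID: {after}")
        ok = digest_survives_engine_change(
            RFC_PASSWORD, RFC_ENGINE_ID, CHANGED_ENGINE_ID, algo)
        print(f"{algo:4}  stored digest still valid: {ok}")
```

Because only the localized digest is retained, the new digest cannot be recomputed without the original password, which is why the users have to be reconfigured.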