snmpv3 questions

bluesea2010
Level 5

Hi all,

First of all, I don't know whether to post here or on CLN. Below are my configuration and some questions.
ip access-list standard snmp_access
 permit 192.168.9.10 log
!
snmp-server view allview iso included
snmp-server group groupname v3 priv read allview write allview access snmp_access
snmp-server user username groupname v3 auth md5 password priv des password
snmp-server host 192.168.9.10 version 3 priv username
snmp-server host 192.168.9.10 informs v3 copy-config
snmp-server host 192.168.9.10 informs v3 config-copy
snmp-server host 192.168.9.10 informs v3 eigrp
snmp-server host 192.168.9.10 informs v3 envmon
snmp-server host 192.168.9.10 informs v3 errdisable
snmp-server host 192.168.9.10 informs v3 snmp
snmp-server host 192.168.9.10 informs v3 stackwise
snmp-server host 192.168.9.10 informs v3 syslog
snmp-server host 192.168.9.10 informs v3 tty
snmp-server host 192.168.9.10 informs v3 vlan-membership
snmp-server host 192.168.9.10 informs v3 vlancreate
snmp-server host 192.168.9.10 informs v3 vlandelete
snmp-server host 192.168.9.10 informs v3 vtp

1. If I have two SNMP managers (NMS), do I need to repeat all of the above for the second server as well (for example, snmp-server host 192.168.9.11 informs v3 copy-config)?
2. Do I need to specify the access list for the user as well? (For example, snmp-server user username groupname v3 auth md5 password priv des password access snmp_access.)
3. One of the NMS is Cisco Prime; how can I find the engine ID of LMS?
4. Why do I need the following: "snmp-server host 192.168.9.10 version 3 priv username"?
5. If I want to be notified only about the following things, "Port security, Port down, Link flap and CPU hog", how can I figure out which views need to be included (snmp-server view allview iso included)?

Thanks

jordanburnett
Level 4

1. If I have two SNMP managers (NMS), do I need to repeat all of the above for the second server as well (for example, snmp-server host 192.168.9.11 informs v3 copy-config)?

If you do it that way, yes. The snmp-server host command is specific per server. However, you should be able to enable the traps globally by using multiple snmp-server enable traps <trap types> commands, then specify the hosts that you want to send informs to.

For example, for v2c you would use something like:

snmp-server enable traps snmp linkdown linkup
snmp-server enable traps config
snmp-server host 192.0.2.1 informs version 2c CISCO
snmp-server host 192.0.2.2 informs version 2c CISCO

Then, both hosts would receive the globally enabled traps (as informs) but you only have to use two snmp-server host commands. 


2. Do I need to specify the access list for the user as well? (For example, snmp-server user username groupname v3 auth md5 password priv des password access snmp_access.)

They are two different use cases: one limits the IP addresses that can be used by the user account, the other limits the IP addresses that can use the group. It adds some flexibility for accounting.


3. One of the NMS is Cisco Prime; how can I find the engine ID of LMS?

Can you explain why you need to find this?


4. Why do I need the following: "snmp-server host 192.168.9.10 version 3 priv username"?

This sets the user that you will use to authenticate with the SNMP server you specified for sending traps/informs. Remember that authentication is mutual. You won't be able to just send traps to an SNMPv3 server without specifying a user; think of a DoS on a logging server by just sending a bunch of unauthenticated traps, or worse, informs. In v2c, you were required to send the community string, which acted as the "user." In v3, you send an actual username.


5. If I want to be notified only about the following things, "Port security, Port down, Link flap and CPU hog", how can I figure out which views need to be included (snmp-server view allview iso included)?

If you're only talking about notifications, you can simply enable only the specific traps that you want the host to see. If you're worried about polling, or about someone using the username to see more information than you would like, then you can limit the view by researching/excluding certain MIBs (usually a pain), or simply use the default view (no view specified) and see if it has the necessary info (it likely does).
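As an added example that is not part of this thread and not Cisco tooling, here is a small Python audit that parses snmp-server lines of the form quoted above and reports the points the reply raises: the security level and access-list on the v3 group (question 2), the user's auth/priv algorithms, whether each host line is v3 with priv (question 4), and how many host lines each NMS has (question 1). The embedded config is the poster's configuration retyped as a constructed sample, and the finding texts and keyword checks are my own assumptions about what an operator would want flagged.

```python
# Constructed sample: the snmp-server lines from the post above, retyped (not a live config).
SAMPLE_CONFIG = """
ip access-list standard snmp_access
 permit 192.168.9.10 log
snmp-server view allview iso included
snmp-server group groupname v3 priv read allview write allview access snmp_access
snmp-server user username groupname v3 auth md5 password priv des password
snmp-server host 192.168.9.10 version 3 priv username
snmp-server host 192.168.9.10 informs v3 copy-config
snmp-server host 192.168.9.11 informs v3 copy-config
"""


def audit_snmp(config: str) -> list[str]:
    """Scan snmp-server lines and return findings on the points raised in the thread."""
    findings: list[str] = []
    hosts: dict[str, list[str]] = {}
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 3 or tok[0] != "snmp-server":
            continue
        kind, name = tok[1], tok[2]
        if kind == "group" and "v3" in tok:
            i = tok.index("v3")
            level = tok[i + 1] if i + 1 < len(tok) else ""
            if level != "priv":
                findings.append(f"group {name}: security level {level or 'none'}, expected priv")
            if "access" not in tok:  # question 2: the group ACL limits who may use the group
                findings.append(f"group {name}: no access-list (access <acl>) restricting source IPs")
        elif kind == "user" and "v3" in tok:
            if "auth" not in tok or "priv" not in tok:
                findings.append(f"user {name}: missing auth or priv keyword")
            # md5 and des are the original SNMPv3 algorithms; IOS also offers sha and aes.
            for weak in ("md5", "des"):
                if weak in tok:
                    findings.append(f"user {name}: uses {weak}")
        elif kind == "host":
            hosts.setdefault(name, []).append(raw.strip())
            if "3" not in tok and "v3" not in tok:  # question 4: v1/v2c hosts carry only a community string
                findings.append(f"host {name}: not SNMPv3: {raw.strip()}")
            elif "priv" not in tok:
                findings.append(f"host {name}: v3 without priv: {raw.strip()}")
    for ip, lines in hosts.items():  # question 1: many host lines per NMS vs. enable traps + one host line
        if len(lines) > 1:
            findings.append(f"host {ip}: {len(lines)} host lines; enable traps globally and keep one host line")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(finding)
```

Run against a `show running-config | include snmp-server` capture to get the same report for a real device; keyword positions follow the IOS forms quoted in this thread, so other platforms may need adjusted checks.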