
SNMP V2 Question

gmaccisco1
Level 1

Hi guys,

I need to know if my routers and switches, all Cisco, are talking SNMP v2 or v1. I know that my switches, CAT 4006 and L3 switches CAT 4500 and CAT 2950 series, are talking SNMP v1, since I can see the community string in captured packets when I read the packets using Ethereal. How can I have SNMP v2 either activated or the support installed on Cisco 3825 routers, Cisco 2621 routers and CAT 4006, SUPII switches, please?

Regards,

Masood


9 Replies

Joe Clarke
Cisco Employee

IOS 11.3 and higher supports both SNMPv1 and SNMPv2c. We used to support the original SNMPv2 in 11.2, but this has since been removed. No one used the party-based SNMPv2. Both SNMPv1 and SNMPv2c use community strings. SNMPv2c offers no additional security features over v1.

IOS devices are all multilingual when it comes to SNMP. If you are running 11.3 and higher, all engines support both v1 and v2c. You cannot disable one over the other. If your device is running 12.0(3)T or 12.0(6)S or higher, you also have SNMPv3 support. SNMPv3 offers more security by way of hashing credentials (authentication) and encrypting the payload (privacy).

If all you want is to be able to use SNMPv2c with your IOS devices, just send a v2c request. All 3825s must support v1, v2c, and v3 given the minimum code that they run.
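Added example, not part of the posts in this thread: a small BER header parser that reports which SNMP version a captured UDP payload carries, the cleartext community string for v1/v2c, and the security level (such as authNoPriv) from msgFlags for v3. The function names and the sample payloads (community `lab-ro`) are constructed for illustration, and the v3 sample is a header-only placeholder rather than a full USM message.

```python
# Added example (not from the thread): classify SNMP messages by their BER header.
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
LEVELS = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n octets hold the length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want):
    tag, val, nxt = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
    return val, nxt

def classify_snmp(payload):
    """Report version, plus cleartext community (v1/v2c) or security level (v3)."""
    body, _ = expect(payload, 0, 0x30)     # outer SEQUENCE
    ver, pos = expect(body, 0, 0x02)       # version INTEGER: 0=v1, 1=v2c, 3=v3
    version = int.from_bytes(ver, "big")
    out = {"version": VERSIONS.get(version, f"unknown({version})"),
           "community": None, "level": None}
    if version in (0, 1):                  # community OCTET STRING, sent in the clear
        comm, _ = expect(body, pos, 0x04)
        out["community"] = comm.decode("latin-1")
    elif version == 3:                     # msgGlobalData: msgID, maxSize, flags, model
        hdr, _ = expect(body, pos, 0x30)
        _, p = expect(hdr, 0, 0x02)
        _, p = expect(hdr, p, 0x02)
        flags, _ = expect(hdr, p, 0x04)
        if len(flags) != 1:
            raise ValueError("msgFlags must be one octet")
        out["level"] = LEVELS.get(flags[0] & 0x03, "invalid")
    return out

# Constructed sample payloads: GetRequest for sysDescr.0, community "lab-ro".
GET_TAIL = "a019020101020100020100300e300c06082b060102010101000500"
V1 = bytes.fromhex("3026020100" + "0406" + b"lab-ro".hex() + GET_TAIL)
V2C = bytes.fromhex("3026020101" + "0406" + b"lab-ro".hex() + GET_TAIL)
V3 = bytes.fromhex("3016020103300d020101020205dc04010102010304003000")
```

Feed it the UDP payload of port 161 packets exported from a capture; any result with a non-empty `community` is a v1 or v2c exchange whose credential is readable on the wire.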

Hi,

Thanks for your response. My concern is the security issue, and if SNMP v3 gives us what we want, then we do SNMP v3. But I don't know how?

All my routers and switches (all Cisco) run the latest IOS versions. How can I have SNMP v3 installed or activated? I believe I am confused on whether it should be installed or just activated using the command line.

Please advise,

Masood

While SNMPv3 does provide additional security, you have to be careful since not all management platforms support v3 yet. And those that do may only support SNMPv3 authNoPriv (e.g. CiscoWorks LMS).

More on configuring SNMPv3 can be found at http://www.cisco.com/en/US/products/sw/iosswrel/ps1830/products_feature_guide09186a00800878fa.html and http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094489.shtml .

Hey, thanks. The only applications that I use are the LMS and VMS, so I should be OK configuring SNMP v3? How do I configure that besides snmp-server community v3 ....?

I still don't know the relationship between traps and informs, and don't know when these must be enabled or if I need to enable the SNMP server?

All I know is to provide a community string so that LMS gets the information about the device.

Please advise, as these papers are not that clear.

Thanks,

Masood

There is no such thing as a community in SNMPv3. You will need to define an SNMP group, then an SNMP user. For example, the following basic SNMPv3 config will work for most parts of LMS:

snmp-server group v3group v3 auth

snmp-server user v3user v3group v3 auth md5 v3userpassword

In this case, the username is v3user, the password is v3userpassword, and the authentication hashing algorithm is MD5.

There is much more to SNMPv3 (e.g. views, contexts), so I encourage you to read the links I posted very carefully as well as consult the online documentation for LMS. Note that LMS 2.5 and higher supports SNMPv3 authNoPriv and VMS does not support SNMPv3 at all. You will need to upgrade to Cisco Security Management Suite (CSM) to get v3 authNoPriv support. You will not be able to use SNMPv3 authPriv (encrypted SNMP) in either bundle. That is scheduled for a future release.

You do not need to be receiving traps or informs to get SNMPv3 polling to work. LMS does support traps, however, via the DFM application. It only processes v1 and v2c traps, though.

Thanks very much for your prompt response and the example. I will try to follow the example on my routers and switch (L3). Does a switch with CAT IOS (CAT 4006) support this as well?

Thx,

Masood

Yes, v3 is supported on the Cat4000. You will want to be running 12.2(25)SG on these switches in order to get the SNMPv3 context support needed for User Tracking.

So, no need to define a community string anymore?

And how should we deal with older devices as far as SNMP?

Is CSM the next version of VMS? Can I get an upgrade package for VMS that makes it the CSM?

Thanks,

Masood

If you are using SNMPv3, you do not need to define a community string. Note: one will be automatically defined if you enable v1 or v2c traps, though.

If the device does not support SNMPv3, then you will need to use community-based SNMP.

CSM is the next version of VMS. If you have a contract on VMS, go to http://www.cisco.com/upgrade/ and enter your contract number. If you are entitled to the upgrade, it will be shown there. Else, you need to contact your sales team.