
snmp v3 configuration on 1800 series for Nagios v 3.2.2

bdevassia
Level 1

Hi,

Does anybody have an idea how to configure SNMP v3 on 1800 series routers with Nagios configured for monitoring? Can we keep the community name if we keep v3 running? I have configured SNMP v3 as per the manual. But if I remove the v2 community name it stops responding? Please can I get a complete example configuration of SNMP v3 on Cisco routers or switches with encryption enabled?

Thanks,

Baby


ngoldwat
Level 4

Hi,

Useful Commands:

show snmp             Displays the SNMP status.
show snmp community   Displays the SNMP community strings.
show snmp engineID    Displays the SNMP engineID.
show snmp group       Displays SNMP roles.
show snmp sessions    Displays SNMP sessions.
show snmp trap        Displays the SNMP notifications enabled or disabled.
show snmp user        Displays SNMPv3 users.

SNMPv3 Hidden Show commands:
show snmp community
show snmp view
show snmp chassis
show snmp location
show snmp contact

Configuration Tasks: configure engineID, views, groups, users, hosts, proxies

Note: Configuring engineID, views, hosts, and proxies is optional

snmp-server engineID local engineID-string

snmp-server group groupname v3 {auth | noauth | priv}
            [read readview]
            [write writeview]
            [notify notifyview]
            [access access-list]

Ex : snmp-server group henrygroup v3 noauth

snmp-server user username groupname v3
            [auth {md5 | sha} key]
            [priv des56 passwd]
            [access access-list]

Ex : snmp-server user evan evangroup v3 auth md5 evankey

Note: User with authentication does not appear in the running config (use ‘show snmp user’)

snmp-server host host [traps | informs] version 3
            [auth | noauth | priv]
            [udp-port port]
            [notification-type]

Ex : snmp-server host 172.16.20.20 version 3 auth evan

SNMPv3 Configuration example:

snmp-server engineID local 123456789012345678901234
snmp-server user evan evangroup v3 auth md5 evankey
snmp-server user henry henrygroup v3
snmp-server group evangroup v3 auth
snmp-server group henrygroup v3 noauth read henryview
snmp-server view henryview mib-2 included
snmp-server view henryview cisco excluded
snmp-server community public RO
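
An added example (not part of the post above and not Cisco's code): a small Python check that reads IOS-style `snmp-server` lines and flags the weak settings in the posted configuration, with the evan line written as `snmp-server user ...`, next to a hypothetical hardened variant. The finding codes, the `NAGIOS` names, ACL 10 and the passphrases are assumptions, and the hardened variant assumes an IOS image with privacy support; run it over the configuration as entered, since users with authentication do not appear in the running config.

```python
# Constructed inputs: POSTED is the post's example; HARDENED is hypothetical (placeholder names, ACL, passphrases).
POSTED = """\
snmp-server engineID local 123456789012345678901234
snmp-server user evan evangroup v3 auth md5 evankey
snmp-server user henry henrygroup v3
snmp-server group evangroup v3 auth
snmp-server group henrygroup v3 noauth read henryview
snmp-server view henryview mib-2 included
snmp-server view henryview cisco excluded
snmp-server community public RO
"""
HARDENED = """\
snmp-server view NAGIOS-RO mib-2 included
snmp-server group NAGIOS v3 priv read NAGIOS-RO access 10
snmp-server user nagios NAGIOS v3 auth sha AUTH-PASS priv aes 128 PRIV-PASS
"""

def audit_snmp(config):
    """Return (finding, line) pairs for weak SNMP settings in IOS-style config text."""
    findings = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "snmp-server":
            continue
        kind, args = tok[1], tok[2:]
        if kind == "community":          # v1/v2c: cleartext community is the only credential
            findings.append(("V2C_COMMUNITY", line))
        elif kind == "group" and args[1:2] == ["v3"]:
            level, opts = (args[2:3] or [""])[0], args[3:]
            if level == "noauth":        # no authentication and no encryption
                findings.append(("GROUP_NOAUTH", line))
            elif level == "auth":        # authenticated, but payload not encrypted
                findings.append(("GROUP_NO_PRIV", line))
            if "access" not in opts:     # any source address may query this group
                findings.append(("GROUP_NO_ACL", line))
        elif kind == "user" and args[2:3] == ["v3"]:
            opts = args[3:]
            if "auth" not in opts:
                findings.append(("USER_NO_AUTH", line))
            else:
                if "md5" in opts:
                    findings.append(("USER_MD5", line))
                if "priv" not in opts:
                    findings.append(("USER_NO_PRIV", line))
    return findings

if __name__ == "__main__":
    for code, line in audit_snmp(POSTED):
        print(f"{code:14} {line}")
```
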

Thank you!

Tried this configuration with the Solarwinds tool and it works. I have not added an SNMP community name. Just wanted to know why 'snmp-server community' is in the picture when we use SNMP v3? And how do I verify DES/AES is in place? (At present I have not enabled DES/AES since the IOS version does not support this.)

Thanks,

Baby

Here is a snippet from RFC 3414

   The User-based Security Model prescribes that, if authentication is
   used, then the complete message is checked for integrity in the
   authentication module.

   For a message to be authenticated, it needs to pass authentication
   check by the authentication module and the timeliness check which is
   a fixed part of this User-based Security model.


If you are interested in learning more then the following may be of interest:

RFC 3413
RFC 3414
RFC 3415
RFC 3584

Thanks.
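
An added example (not part of the reply above): the two checks named in the RFC 3414 excerpt, written out in Python with the password-to-key localization from RFC 3414 Appendix A.2 and the 150-second window from section 3.2. The engineID is the one from the configuration example in this thread; the passphrase, message bytes and the function names are constructed for illustration.

```python
import hashlib
import hmac

def localized_key(password, engine_id, algo="md5"):
    """RFC 3414 A.2: hash 1 MiB of the repeated password, then bind the digest to one engineID."""
    pw = password.encode()
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    ku = hashlib.new(algo, stream).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()

def auth_tag(key, whole_msg, algo="md5"):
    """HMAC-MD5-96 / HMAC-SHA-96: first 12 octets of the HMAC over the complete message."""
    return hmac.new(key, whole_msg, algo).digest()[:12]

def in_time_window(local_boots, local_time, msg_boots, msg_time):
    """Timeliness check as done by the authoritative engine (the router being polled)."""
    if local_boots == 2147483647 or msg_boots != local_boots:
        return False
    return abs(local_time - msg_time) <= 150

def accept(key, whole_msg, tag, local, claimed, algo="md5"):
    """Integrity of the complete message first, then timeliness."""
    if not hmac.compare_digest(auth_tag(key, whole_msg, algo), tag):
        return "authentication failure"
    if not in_time_window(*local, *claimed):
        return "not in time window"
    return "accepted"

# Constructed values. The key depends on the engineID, so a user's key
# stops matching if the router's local engineID is changed afterwards.
ENGINE_ID = bytes.fromhex("123456789012345678901234")
KEY = localized_key("example-auth-pass", ENGINE_ID)
MSG = b"constructed wholeMsg, auth field zeroed:" + bytes(12)
TAG = auth_tag(KEY, MSG)

if __name__ == "__main__":
    print(accept(KEY, MSG, TAG, (5, 1000), (5, 1010)))         # intact and fresh
    print(accept(KEY, MSG + b"x", TAG, (5, 1000), (5, 1010)))  # modified in transit
    print(accept(KEY, MSG, TAG, (5, 1000), (5, 700)))          # replayed 300 s late
```

Net-SNMP based pollers, including the Nagios check_snmp plugin, refuse SNMPv3 passphrases shorter than 8 characters, so the passphrase configured on the router has to meet that minimum.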

Great. Thanks!

Baby
