snmpv3 testing on a 3560-24TS

Hi All,

I am currently trying to set up a network for a customer where I want to use SNMP v3. Due to limiting factors within the monitoring software I want to use, I cannot use encryption. That aside, my goals are to set up two users, one with RO and one with RW, and to test and prove this is working properly. I think I have achieved my goals; however, I simply cannot seem to find a test that will either (a) work or (b) prove security.

I was hoping there would be an SNMP guru somewhere who could help me with both my config (which I hope is alright) and then with some snmpset commands that I can use to test whether the RO and RW privileges are working properly. So, without further ado, I'll start with details. This is the config on my switch:

snmp-server group RO-group v3 auth read RO-view
snmp-server group NOC-RW v3 auth
snmp-server view RO-view mib-2 included
snmp-server view RO-view cisco excluded
snmp-server community private RW
snmp-server system-shutdown

Here are the users and groups:

Switch#sh snmp user

User name: RO-user
Engine ID: 80000009030000152BD15503
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: None
Group-name: RO-group

User name: NOC
Engine ID: 80000009030000152BD15503
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: None
Group-name: NOC-RW


Switch#sh snmp group
groupname: RO-group                           security model:v3 auth
readview : RO-view                            writeview: <no writeview specified>

notifyview: <no notifyview specified>
row status: active

groupname: NOC-RW                           security model:v3 auth
readview : v1default                        writeview: <no writeview specified>

IOS version is: c3560-advipservicesk9-mz.122-35.SE5

The snmp commands used are (I have used the SNMP v2c version here to simplify things and ensure it wasn't a privilege issue I was running into):

snmpset -c private -v 2c myswitch tsMsgSend.0 i 2 (apparently should reboot the device)

snmpset -c private -v 2c myswitch vtpVlanEditOperation.1 integer 2

From both these commands I get the output:

tsMsgSend.0:  (Sub-id not found: (top) -> tsMsgSend)

I am using net-snmp 5.5.0 for Windows. I have checked the MIB information for the 3560, and that seems to suggest both these MIB options should be available within the MIB for the switch (apologies for bad terminology; this is my first real delve into SNMP).

Thanks in advance for any help.

John


OK, I have some progress. I finally managed to find an snmpset command that is allowed and seems to be working:

snmpset -c private myswitch ifAdminStatus.5049 i 2

This shuts the loopback0 port down remotely. However, it seems my users are not quite right, as when I try it with my RW user I get a noAccess error, which I would expect to get with my RO user. This is proven by setting up an RO community string and getting the following when trying the above:

snmpset -c public -v 2c myswitch ifAdminStatus.5049 i 2
Error in packet.
Reason: noAccess
Failed object: IF-MIB::ifAdminStatus.5049

This is the output I am seeing from both my v3 users. Obviously I want to fix this for the user I want to have full RW privileges, so can anyone tell me what is wrong with my config, please?

Cheers,

John
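An added audit script, not part of the original thread or any Cisco tooling, that parses the `show snmp group` output quoted above and reports why the RW user gets noAccess: IOS only allows a SET on objects inside the group's writeview, and NOC-RW has none. It also flags auth-only groups, since those send SNMP traffic unencrypted. The sample text is the poster's own output, embedded here as a constructed input.

```python
import re

# Constructed sample: the "show snmp group" output quoted in the post.
SHOW_SNMP_GROUP = """\
groupname: RO-group                           security model:v3 auth
readview : RO-view                            writeview: <no writeview specified>

notifyview: <no notifyview specified>
row status: active

groupname: NOC-RW                           security model:v3 auth
readview : v1default                        writeview: <no writeview specified>
"""

# IOS prints "<no writeview specified>" (or readview/notifyview) when a view is unset.
UNSET_PREFIX = "<no "


def parse_snmp_groups(text):
    """Return {groupname: {"model": str, "readview": str|None, "writeview": str|None}}."""
    groups, current = {}, None
    for line in text.splitlines():
        m = re.match(r"groupname:\s*(\S+)\s+security model:\s*(.+?)\s*$", line)
        if m:
            current = m.group(1)
            groups[current] = {"model": m.group(2), "readview": None, "writeview": None}
            continue
        m = re.match(r"readview\s*:\s*(.+?)\s+writeview:\s*(.+?)\s*$", line)
        if m and current:
            rv, wv = m.group(1), m.group(2)
            groups[current]["readview"] = None if rv.startswith(UNSET_PREFIX) else rv
            groups[current]["writeview"] = None if wv.startswith(UNSET_PREFIX) else wv
    return groups


def audit_groups(groups):
    """List findings: RW-intended groups with no writeview (SETs fail with noAccess),
    groups that can write at all, and v3 groups running without privacy."""
    findings = []
    for name, g in groups.items():
        if g["writeview"] is None and "RW" in name.upper():
            findings.append(f"{name}: no writeview, every SET fails with noAccess")
        elif g["writeview"] is not None:
            findings.append(f"{name}: write access through view {g['writeview']}")
        if g["model"].startswith("v3") and "priv" not in g["model"]:
            findings.append(f"{name}: {g['model']} only, SNMP traffic is not encrypted")
    return findings


if __name__ == "__main__":
    for finding in audit_groups(parse_snmp_groups(SHOW_SNMP_GROUP)):
        print(finding)
```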