cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
286
Views
0
Helpful
1
Replies
Highlighted
Enthusiast

DCNM SAN discovery (snmpv3/ssh)

Hello,

I have been trying to understand how to configure SAN discovery, but it looks like there are some either limitations or bugs in that area. DCNM has this page: Inventory - Discovery - SAN Switches, where I can define how to discover the fabric. We have snmpv3 user defined on each MDS with sha nad aes-128. Also, we use tacacs for ssh authentication. The main idea is not to use md5 and v2 communities (requirements from the sec team). Now, what I observed:

1. If I define v2 community, discovery works, but it's forbidden by the sec team

2. If I define snmpv3 user (defined locally on MDS) with sha and eas, discovery works, but I can see failed ssh logins to mds with that user (ssh is authenticated from tacacs) - why dcnm connects with ssh if snmpv3 discovery worked?

3. If I define AAA user with with md5 option, discovery works, but I can still see tcp connections to dcnm on port 161 (snmp), and what is md5 used for if the user comes from tacacs (see p.4 below)?

4. If I define AAA user with with sha and aes option, discovery does NOT work (failed to discover fabic, unknown user or password), what's the difference between md5 and sha if the user comes from tacacs?

 

Option 2 seems to work and to be compliant with security, but why dcnm tries to connect with ssh with that username, filling the log on mds with failed attempts?

 

Any clue on how to properly configure disovery options here?

 

Cheers,

Krzysztof

 
1 REPLY 1
Highlighted
VIP Engager

I believe the problem you have there might be related to CLI and SNMP user synchronization.

 


The Cisco NX-OS software implements RFC 3414 and RFC 3415, including user-based security model (USM) and role-based access control. While SNMP and the CLI have common role management and share the same credentials and access privileges, the local user database was not synchronized in earlier releases.

SNMPv3 user management can be centralized at the AAA server level. This centralized user management allows the SNMP agent running on the Cisco MDS switch to leverage the user authentication service of the AAA server. Once user authentication is verified, the SNMP PDUs are processed further. The AAA server also is used to store user group names. SNMP uses the group names to apply the access/role policy that is locally available in the switch.


Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/DCNM_OLH/SAN_Client/fmhelp/snmp.html#17649 

 

You can try adding the user to tacacs using cisco-av-pair, specifying also the snmpv3 authentication and privacy protocol attributes:

shell:roles="roleA roleB..." snmpv3:auth=SHA priv=AES-128 

Hope it helps,

Sergiu

 

 

Content for Community-Ad