I have been trying to understand how to configure SAN discovery, but it looks like there are some either limitations or bugs in that area. DCNM has this page: Inventory - Discovery - SAN Switches, where I can define how to discover the fabric. We have an snmpv3 user defined on each MDS with sha and aes-128. Also, we use tacacs for ssh authentication. The main idea is not to use md5 and v2 communities (requirements from the sec team). Now, what I observed:
1. If I define v2 community, discovery works, but it's forbidden by the sec team
2. If I define snmpv3 user (defined locally on MDS) with sha and aes, discovery works, but I can see failed ssh logins to mds with that user (ssh is authenticated from tacacs) - why does dcnm connect with ssh if snmpv3 discovery worked?
3. If I define AAA user with md5 option, discovery works, but I can still see tcp connections to dcnm on port 161 (snmp), and what is md5 used for if the user comes from tacacs (see p.4 below)?
4. If I define AAA user with sha and aes option, discovery does NOT work (failed to discover fabric, unknown user or password), what's the difference between md5 and sha if the user comes from tacacs?
Option 2 seems to work and to be compliant with security, but why dcnm tries to connect with ssh with that username, filling the log on mds with failed attempts?
Any clue on how to properly configure discovery options here?
I believe the problem you have there might be related to CLI and SNMP user synchronization.
The Cisco NX-OS software implements RFC 3414 and RFC 3415, including user-based security model (USM) and role-based access control. While SNMP and the CLI have common role management and share the same credentials and access privileges, the local user database was not synchronized in earlier releases.
SNMPv3 user management can be centralized at the AAA server level. This centralized user management allows the SNMP agent running on the Cisco MDS switch to leverage the user authentication service of the AAA server. Once user authentication is verified, the SNMP PDUs are processed further. The AAA server also is used to store user group names. SNMP uses the group names to apply the access/role policy that is locally available in the switch.
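The answer above points at RFC 3414 (USM) as the mechanism behind local SNMPv3 users. The following is an added illustration, not code from the original post or from Cisco: it implements the RFC 3414 Appendix A.2 password-to-key derivation and key localization for both MD5 and SHA-1, plus the AES-128 privacy key truncation from RFC 3826, and checks the result against the RFC's own "maplesyrup" test vectors (the engine ID below is the RFC's test value, not a real switch's).

```python
import hashlib

# RFC 3414 A.3 test-vector engine ID (not a real device engine ID).
ENGINE_ID_RFC = bytes.fromhex("000000000000000000000002")
ONE_MEGABYTE = 1048576  # RFC 3414 A.2.1: password is expanded to exactly 1 MiB


def password_to_ku(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: repeat the password cyclically until 1 MiB, then hash once.

    Ku is the engine-independent intermediate key; it must never be sent
    or stored on the agent, only the localized Kul is."""
    h = hashlib.new(algo)
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku).

    Because the engine ID is mixed in, the key a switch holds for a locally
    defined SNMPv3 user is bound to that switch and differs per device."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_keys(password: bytes, engine_id: bytes, algo: str) -> tuple:
    """Return (Ku, Kul) as lowercase hex for the given auth algorithm."""
    ku = password_to_ku(password, algo)
    kul = localize_key(ku, engine_id, algo)
    return ku.hex(), kul.hex()


def aes128_priv_key(kul: bytes) -> bytes:
    """RFC 3826: the AES-128 privacy key is the first 16 bytes of the
    localized key derived from the privacy password (SHA-1 gives 20 bytes,
    MD5 gives exactly 16, so both fit)."""
    return kul[:16]


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        ku, kul = usm_keys(b"maplesyrup", ENGINE_ID_RFC, algo)
        print(f"{algo}: Ku={ku}\n      Kul={kul}")
        print(f"      AES-128 priv key={aes128_priv_key(bytes.fromhex(kul)).hex()}")
```

The practical takeaway for the SHA-vs-MD5 question above is that both algorithms go through the same derivation; what differs is the digest and therefore the authentication parameter the switch compares, and every locally defined user's Kul is tied to the switch's engine ID, which is why a key computed for one engine cannot authenticate to another.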