09-19-2012 06:27 AM - edited 03-07-2019 08:57 AM
I'm trying to set up SNMPv3 on a Nexus 5548. We are using SNMPv3 on 3750's without any issue, but having issues getting it set up on the Nexus.
I have been using the following link for the setup, following it line by line.
The part that I'm having issues with is when I try to enforce SNMP message encryption on a per user basis.
When I issue snmp-server user (username) enforcePriv, I get warning: unable to update CLI users database. reason: role does not exist grounp not found.
I have been doing some searching and have yet to find out why I'm getting that message.
Any thoughts or help would be appreciated.
Thanks
09-19-2012 07:01 AM
Hi,
I tried the same command on a 5k with ver 5.0(3) and a 7k with 6.1.1. The option enforcepriv does not exist. The only option is global "snmp-server globalenforcepriv" and not per user.
HTH
08-13-2015 06:24 AM
I got the error when I was trying to enter the command with a group name that does not exist.
However, the following worked:
snmp-server user username auth md5 secret priv aes-128 secret
02-15-2016 04:51 PM
I have configured SNMP V3 as per above, but Cisco SNTC is giving the error message "SNMP Credentials Not set" [I have verified that the SNTC and 5K SNMP V3 credentials are the same].
Quote:
NS02SWDMZ04D1# sh rol
role rollback
NS02SWDMZ04D1# sh role | b v3grp30
Role: v3grp30
Description: new role
vsan policy: permit(default)
Vlan policy: permit(default)
Interface policy: permit(default)
Vrf policy: permit(default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read
NS02SWDMZ04D1#
NS02SWDMZ04D1# sh snmp user
______________________________________________________________
SNMP USERS
______________________________________________________________
User Auth Priv(enforce) Groups
____ ____ _____________ ______
<Output Omitted>
V3user1 sha aes-128(no) network-operator
v3grp30
______________________________________________________________
NOTIFICATION TARGET USERS (configured for sending V3 Inform)
______________________________________________________________
User Auth Priv
____ ____ ____
Unquote:
02-16-2016 03:23 PM
Hi Janaka,
I'll throw some ideas for you if you are still working on this. I never worked with SNTC so I'm not exactly sure of its role.
To start with, I might try with the default role "network-operator" or "network-admin" instead of your custom role, so the config would be something like this:
dccore01(config)# snmp-server user snmpadmin auth sha Kitkat201602$1 priv Boombeach$12
Paessler SNMP tester or MIB browser can be used to test your config. I have used them from time to time and they are great tools.
So on the reading device (SNTC), the config would be something similar to the attached image.
02-16-2016 03:41 PM
Hi Pre,
Thanks for the information.
I have already run the snmpwalk command and verified that SNMP V3 on the N5k is OK.
The issue is related to Cisco SNTC [Cisco CSP Collector 2.5].
I have already raised a ticket with Cisco, Ref 638110937, and am troubleshooting the issue with the Cisco team.
For your reference, here are the snmpwalk [Paessler SNMP tester] commands and their output.
Quote:
C:\>snmpwalk -v 3 -u V3user1 -a sha -A <sha key> -x AES -X <AES key> -l authPriv <device ip removed> 1.3.6.1.2.1.1.2
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.12.3.1.3.1084
C:\>snmpwalk -v 3 -u V3user1 -a sha -A <sha key> -x AES -X <AES key> -l authPriv <device ip removed> 1.3.6.1.2.1.47.1.1.1.1.11
SNMPv2-SMI::mib-2.47.1.1.1.1.11.10 = STRING: "SSI1618000X"
SNMPv2-SMI::mib-2.47.1.1.1.1.11.22 = STRING: "FOC162552UW"
<Output Omitted>
Unquote:
Regards,
Janaka
01-24-2015 02:26 AM
Any solution for this issue? I have many questions about this topic. I'm trying to configure SNMPv3 on a Nexus 5548 and I don't know, for instance, where the "group" sentence is configured. I mean, I don't know what command I have to type to create a group or role. I'm using Orion SolarWinds as an SNMP server and I haven't been able to recognize this device from SolarWinds.
I will appreciate any help you guys can give me.
03-19-2018 07:55 AM
In case there is someone else with this issue later, the group name is assigned after the user name ->
7700-NEXUS1-1(config)# snmp-server user Danny ?
<CR>
WORD Group name (ignored for notif target user) (Max Size 28)
auth Authentication parameters for the user
use-ipv4acl Specify IPv4 ACL, the ACL name specified after must be IPv4 ACL.
use-ipv6acl Specify IPv6 ACL, the ACL name specified after must be IPv6 ACL.
7700-NEXUS1-1(config)# snmp-server user Danny DannyV3Group ?
This is a Nexus 5k; the system image file is: bootflash:///n5000-uk9.7.3.2.N1.1.bin
10-30-2015 01:13 PM
I experienced similar issues on a 5596, so I wanted to chime in in case it can resolve the issues.
snmp-server user testuser group1 auth sha **** priv aes-128 ****
**ERROR** reason: role does not exist grounp not found.
If you run the command "show role", it is likely that it does not exist hence the error.
show role | i group1 will likely show no results, you will need to add this role/permissions to get this working.
(config) role name group1
rule 1 permit read
exit
Now assign the user role to the group:
(config) snmp-server user testuser group1
exit
verify user role:
show role | b group1
verify snmp user
show snmp user
______________________________________________________________
SNMP USERS
______________________________________________________________
User Auth Priv(enforce) Groups
____ ____ _____________ ______
testuser sha aes-128(no) group1
lastly, run the full command again and it should work:
(config)snmp-server user testuser group1 auth sha **** priv aes-128 ****
Hope this helps...
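An added example, not part of any post above and not Cisco code: a small Python audit over saved "show snmp user" and "show role" output that reports SNMP users whose group has no matching role (the condition behind the "role does not exist" error in this thread) and users whose privacy is not enforced. The sample text is constructed; the "(yes)" value and the indented wrapped-group line are assumptions about the device's layout.

```python
import re

# Constructed sample output modelled on the excerpts quoted in this thread.
# Assumption: extra groups wrap onto an indented line; enforced users show "(yes)".
SHOW_SNMP_USER = """\
______________________________________________________________
                  SNMP USERS
______________________________________________________________
User          Auth  Priv(enforce) Groups
____          ____  _____________ ______
V3user1       sha   aes-128(no)   network-operator
                                  v3grp30
testuser      sha   aes-128(yes)  group1
______________________________________________________________
 NOTIFICATION TARGET USERS (configured for sending V3 Inform)
"""
SHOW_ROLE = """\
Role: network-operator
  Description: Predefined network operator role
Role: group1
  Description: new role
"""

def parse_snmp_users(text):
    """Return {user: {auth, priv, enforced, groups}} from 'show snmp user' text."""
    users, current = {}, None
    for line in text.splitlines():
        if "NOTIFICATION TARGET USERS" in line:
            break                                   # second table carries no groups
        tok = line.split()
        if not tok or set(line.strip()) <= set("_ ") or tok[:2] == ["User", "Auth"]:
            continue                                # blank, ruler or header line
        if line[0].isspace() and len(tok) == 1 and current:
            users[current]["groups"].append(tok[0])  # wrapped extra group
        elif len(tok) == 4:
            m = re.fullmatch(r"(.+)\((yes|no)\)", tok[2])
            current = tok[0]
            users[current] = {"auth": tok[1], "priv": m.group(1) if m else tok[2],
                              "enforced": bool(m) and m.group(2) == "yes",
                              "groups": [tok[3]]}
    return users

def parse_roles(text):
    """Return the set of role names listed by 'show role'."""
    return set(re.findall(r"^Role:\s*(\S+)", text, re.M))

def audit(users, roles):
    """List (user, problem) pairs: groups with no role, and privacy not enforced."""
    out = []
    for name, u in users.items():
        out += [(name, f"group {g} has no matching role") for g in u["groups"] if g not in roles]
        if not u["enforced"]:
            out.append((name, f"priv {u['priv']} not enforced"))
    return out
```

Calling audit(parse_snmp_users(SHOW_SNMP_USER), parse_roles(SHOW_ROLE)) on the sample flags V3user1 twice and leaves testuser clean.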