Solved: Re: SNMP v3 on 9500-16x

JohnRosso3555 · ‎05-27-2021

Is it possible to set thew precise SHA1 and AES settings/passwords on this device, or does it just accept what Solarwinds throws at it?

I have things set exactly like regular IOS on the ASR1001 & ISR3900 - but IOS-XE 9500 Gilbraltar 16.12.2 will not cooperate like the other two routers.

To follow up on the question, can I reach the snmp-server through the Mgmt-vrf or it has to be from the default-vrf?

balaji.bandi · ‎05-28-2021

here is my test config on Cat 9300 works as expected :

snmp-server group XXXXX v3 priv read read_view
snmp-server ifindex persist
snmp-server trap timeout 30
snmp-server user XXXX XXXXX v3 encrypted auth sha YYYYYYYYYYYYY priv aes 128 YYYYYYYYYYYY
snmp-server view read_view 1.3.6.1.* included

To follow up on the question, can I reach the snmp-server through the Mgmt-vrf or it has to be from the default-vrf?

you can use any interface as long as reachable.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Reza Sharifi · ‎05-27-2021

To follow up on the question, can I reach the snmp-server through the Mgmt-vrf or it has to be from the default-vrf?

Mgmt-vrf should work just fine. something like this:

ip name-server vrf Mgmt-vrf x.x.x.x
ip domain name test.com
ip domain name vrf Mgmt-vrf test.com

HTH

JohnRosso3555 · ‎05-27-2021

Not sure I understand the answer. I have attached the run config minus the passwords. So I am able to connect the snmp-server, which is Solarwinds, using v1 and v2 snmp. But v3 snmp does not seem to work. I am wondering if the auth, priv need to have specific settings or an ID engine? I am using sha1 and AES128.

Thanks for taking a look.

balaji.bandi · ‎05-28-2021

here is my test config on Cat 9300 works as expected :

snmp-server group XXXXX v3 priv read read_view
snmp-server ifindex persist
snmp-server trap timeout 30
snmp-server user XXXX XXXXX v3 encrypted auth sha YYYYYYYYYYYYY priv aes 128 YYYYYYYYYYYY
snmp-server view read_view 1.3.6.1.* included

To follow up on the question, can I reach the snmp-server through the Mgmt-vrf or it has to be from the default-vrf?

you can use any interface as long as reachable.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

JohnRosso3555 · ‎05-28-2021

Nice BB - I will give this a shot. I mean IOS-XE should be pretty much same on any hardware to some extent.

JohnRosso3555 · ‎05-28-2021

I don't know how it finally clicked in, but it did. Here is my output. Don't know why but the auth and priv user command is hidden.

ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.12.144.1 name Mgmt_c9500-16x_stack
ip ssh version 2
!
!
!
!
!
snmp-server group admingrp v3 priv
snmp-server enable traps tty
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
login local
width 30
stopbits 1
line vty 0 4
privilege level

balaji.bandi · ‎05-29-2021

check with show run all

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

JohnRosso3555 · ‎06-03-2021

Wow, that is a lot going on there under "show run all". Concerned about the dual link detection not on the Port-channels. Should I put that under the Po config?

stackwise-virtual
domain 12
dual-active detection pagp
no dual-active detection pagp trust channel-group 10
no dual-active detection pagp trust channel-group 20
ptp mode forward
ptp globalprotocolenable