
snmp DNAC to C9800

j.madison
Level 1

Hello,

I am trying to get my DNAC talking to my C9800 controllers via SNMP. I have matched the settings on both sides several times and it will not sync. Every time I blow away the SNMP account settings on the C9800-40 (v17.6.4) and recreate them it keeps changing the Group Name to SnmpAuthPrivGroup instead of the group name I define. It won't stop doing this. I also note that when I do a show snmp community on the C9800 it shows a long list of community names even though the WebUI is only showing one.

Any advice?


Hi

Are you creating a Discovery profile under Tools > Discovery and entering the WLC's information?

 

j.madison
Level 1

The controllers are already discovered and reachable, the SNMP just won't sync up. I've torn down SNMP ends and rebuilt them multiple times and every time I do this the C9800 just changes out the Group-Name to SnmpAuthPrivGroup, regardless of what I manually configure. Wondering if this is a new feature (bug) on the controllers.

j.madison
Level 1

SNMP SS2.PNG

SNMP SS.PNG

You also need to configure the "Auth", not just the "Priv". Then you will see an option for what you are looking for. This is how you configure snmpv3 for auth/priv.

Hope that helps.

 

-Scott
*** Please rate helpful posts ***

Here is a screen shot of mine at home:

ScottFella_0-1678982045325.png


-Scott

Maybe use the cli to configure this:

snmp-server group <v3-group-name> v3 auth write v1default
snmp-server user <v3-user-name> <v3-group-name> v3 auth sha <auth-password> priv aes 128 <encryption-password> access <access-list-number>
-Scott

Well when I use the CLI and not the WebUI it does this correctly. Going to test it out now with DNA.

I use the cli for as much as I can so I can automate.  I haven't used the GUI for this, but this is how I got my controllers to use snmpv3 to communicate with Prime, DNAc and other tools via snmpv3.  

Let me know if that works for you.

-Scott

@j.madison did that work for you? Or are you still having issues with snmpv3?

-Scott

Still not syncing with DNAC. I turned some SNMP debugging on on the WLC side, but it's not showing much.

---

XXXXX # show snmp user

User name: wlc-v3user
Engine ID: 800000090300706D153D928C
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: wlc-v3group

XXXXX #show snmp host
Notification host: 10.20.68.10 udp-port: 162 type: trap
user: wlc-v3user security model: v3 priv

10.20.68.10 is my DNAC box.

 

 

SNMP SS3.PNG

I had to change mine to use SHA not MD5 as I got an error when I tried MD5. That seems to be the only difference I have on mine vs what you have. Try to use a Linux machine or another tool to test snmpv3 get before you tinker too much with DNAC.

-Scott

Here is a snippet from a guide:

MD5 and DES/3DES are insecure protocols and although they are still an option in the 9800, they must not be selected and are not fully tested anymore.

-Scott

That was it, MD5 hosed it and SHA sync'd up. Thanks Scott!

Glad that worked.  I couldn't recall offhand what I changed, but I did run into that issue when I migrated all IOS-XE from snmpv2 to snmpv3.

-Scott
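
Added example, not part of the thread and not Cisco's code: a small Python audit of `show snmp user` output that flags the two problems discussed above, an MD5 (or DES/3DES) user and a group name that differs from the one configured. The second user in the sample and the `expected_group` parameter are constructed for illustration.

```python
# Constructed input: the first block is the `show snmp user` output quoted in
# the thread; the second user is made up (and abbreviated) for contrast.
SAMPLE = """\
User name: wlc-v3user
Engine ID: 800000090300706D153D928C
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: wlc-v3group

User name: example-sha-user
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: SnmpAuthPrivGroup
"""

# Protocols the guide snippet quoted in the thread says must not be selected.
WEAK_AUTH = {"MD5"}
WEAK_PRIV = {"DES", "3DES"}

def parse_users(text):
    """Split the output into one dict per 'User name:' block, keys lower-cased."""
    users, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank lines and prompt lines carry no 'key: value' pair
        key, value = key.strip().lower(), value.strip()
        if key == "user name":
            current = {"user": value}
            users.append(current)
        elif current is not None:
            current[key] = value
    return users

def audit(users, expected_group=None):
    """Return (user, finding) tuples for weak protocols and unexpected groups."""
    findings = []
    for u in users:
        auth = u.get("authentication protocol", "").upper()
        priv = u.get("privacy protocol", "").upper()
        if auth in WEAK_AUTH:
            findings.append((u["user"], f"weak-auth:{auth}"))
        if priv in WEAK_PRIV:
            findings.append((u["user"], f"weak-priv:{priv}"))
        if expected_group and u.get("group-name") != expected_group:
            findings.append((u["user"], f"group:{u.get('group-name')}"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(parse_users(SAMPLE), expected_group="wlc-v3group"):
        print(f"{user}: {finding}")
```
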