Tuesday, July 9, 2013

CCIE DC: SNMPv3

Hi Guys!

A topic I avoided for one reason or another, but that is on the blueprint, is SNMPv3. I have no idea why I hated looking into it; I guess because monitoring is not my area of expertise. But I worked on it and now I think I understand it well enough for the CCIE :).

You can practice NX-OS SNMP on your MDS switches; the syntax is very similar.

First, let's talk about a great way to test it: get yourself a MIB browser. You will want the professional edition trial, as the free edition can't do SNMPv3.

Alright, let's look at some SNMP. As usual my source was a Cisco link:

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/sm_snmp.html

Super quick review of SNMP:

An agent is a device, such as a router or a switch, that holds information SNMP can query. The information the agent exposes is organised as a MIB (management information base), a tree of objects each identified by an OID. An SNMP management station is the host that collects this information from the agents.


So SNMPv3 is similar to the SNMP you know and love (SNMPv2c), but with user-based security. Each user gets an authentication password (proves a message came from that user and was not altered in transit) and, optionally, a separate privacy password (encrypts the payload). A v2c community string, by contrast, travels in cleartext and is the only thing between the network and your MIBs. SNMPv3 has three security levels:

NoAuthNoPriv
AuthNoPriv
AuthPriv

These simply say whether messages are authenticated with HMAC-MD5 or HMAC-SHA (Auth) and whether they are encrypted with DES or AES-128 (Priv). Priv is short for privacy, i.e. encryption; it has nothing to do with privilege levels in IOS. NoAuthNoPriv gives you nothing v2c did not, and MD5 and DES are the legacy choices, so for anything new pick AuthPriv with SHA and AES-128.

SNMPv3 users can also be granted rights. In SNMPv2c we had read-only or read-write community strings and couldn't get much more granular than that; in SNMPv3 on NX-OS a user is mapped to a role, so we can control what a management station is allowed to read or write.


Next, SNMPv3 users can also be authenticated against a RADIUS server if you want to.

Finally, in SNMP there is a concept of traps and informs: the agent on the device can be configured to send notifications to a host when certain events occur. A trap is fire-and-forget; an inform is acknowledged by the receiver and retransmitted if no acknowledgement arrives.

Let's get to some config!


Switch1(config)# snmp-server user ?
  WORD  Name of the user (Max Size 32)




This is the name of our user.

Switch1(config)# snmp-server user ccierants ?
    
  WORD   Group name (ignored for notif target user) (Max Size 32)
  auth   Authentication parameters for the user

Switch1(config)# snmp-server user ccierants auth ?
  md5  Use HMAC MD5 algorithm for authentication
  sha  Use HMAC SHA algorithm for authentication






Here you can see we get to choose which authentication algorithm we use: HMAC-MD5 or HMAC-SHA.

Switch1(config)# snmp-server user ccierants auth md5 ?
  WORD  Authentication password for user (Max Size 130)

Switch1(config)# snmp-server user ccierants auth md5 ciscopassexam ?
           
  engineID      EngineID for configuring notif target user (for V3 informs)
  localizedkey  Specifies whether the passwords are in localized key format
  priv          Encryption parameters for the user


Switch1(config)# snmp-server user ccierants auth md5 ciscopassexam priv  

   WORD     Privacy password for user (Max Size 130)
   aes-128  Use 128-bit AES algorithm for privacy

Here you can see I can choose aes-128; if you leave the keyword out, DES is the default. Use aes-128: DES is a 56-bit cipher and is only there for legacy managers.

Switch1(config)# snmp-server user ccierants auth md5 ciscopassexam priv cciedc123
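The two passwords we just typed never go into SNMP messages directly. The agent turns each one into a key and then "localizes" that key with its own engineID, which is what the `localizedkey` keyword in the CLI help refers to, and why the `engineID` keyword matters for inform target users. Below is an added example (my own code, not from the original post or from Cisco) that implements that derivation from RFC 3414 Appendix A.2 in Python, along with the 96-bit HMAC truncation and the AES-128 privacy key rule from RFC 3826. The test vectors embedded in the comments are the published RFC 3414 A.3 ones, so you can check it offline; the CLI password and the second engineID in the demo are made up.

```python
"""RFC 3414 USM key derivation: password -> Ku -> localized key Kul.

Added example, not code from the original post. The NX-OS CLI's
`localizedkey` keyword refers to exactly this: the switch stores the key
derived from the password and its own engineID, not the password itself.
The RFC 3414 Appendix A.3 test vectors use password "maplesyrup" and the
engineID 00 00 00 00 00 00 00 00 00 00 00 02.
"""
import hashlib
import hmac

ONE_MIB = 1_048_576          # RFC 3414 A.2: the password is hashed over 1,048,576 octets
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password: bytes, algorithm: str) -> bytes:
    """A.2.1 (MD5) / A.2.2 (SHA): Ku = H(password repeated cyclically to 1 MiB)."""
    if not password:
        raise ValueError("empty password")
    h = hashlib.new(algorithm)
    reps, rem = divmod(ONE_MIB, len(password))
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): binds the key to one authoritative engine.

    For a GET the switch is the authoritative engine, so its own engineID is
    used. For an inform the *receiver* is authoritative, which is why a
    notification target user has to be created with the receiver's engineID.
    """
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, algorithm: str = "sha1") -> bytes:
    """Password to localized key; algorithm is 'md5' or 'sha1' (the CLI's md5/sha)."""
    if algorithm not in ("md5", "sha1"):
        raise ValueError("RFC 3414 USM defines only HMAC-MD5-96 and HMAC-SHA-96")
    return localize_key(password_to_key(password.encode(), algorithm), engine_id, algorithm)


def auth_parameter(kul: bytes, whole_message: bytes, algorithm: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message, truncated to
    12 octets (HMAC-MD5-96 / HMAC-SHA-96). The parameter field must already be
    zero-filled in `whole_message` when this is computed."""
    return hmac.new(kul, whole_message, algorithm).digest()[:12]


def aes128_priv_key(priv_password: str, engine_id: bytes, algorithm: str) -> bytes:
    """RFC 3826: the AES-128 privacy key is the first 16 octets of the key
    localized from the *privacy* password using the user's auth hash."""
    return localized_key(priv_password, engine_id, algorithm)[:16]


if __name__ == "__main__":
    # Published vectors (RFC 3414 A.3.1 / A.3.2):
    #   md5  Ku  9faf3283884e92834ebc9847d8edd963  Kul 526f5eed9fcce26f8964c2930787d82b
    #   sha1 Ku  9fb5cc0381497b3793528939ff788d5d79145211
    #        Kul 6695febc9288e36282235fc7151f128497b38f3f
    for alg in ("md5", "sha1"):
        print(alg, localized_key("maplesyrup", RFC3414_ENGINE_ID, alg).hex())
    # Same password, different engine (made-up engineID): a different key,
    # so a key stolen from one switch's config does not work against another.
    other_engine = bytes.fromhex("8000000903001122334455")
    print("other engine", localized_key("maplesyrup", other_engine, "sha1").hex())
```

Two things worth noticing: the 1 MiB expansion is a deliberately slow step, but it is unsalted and fixed-cost, so a short password is still guessable offline by anyone who captures an authenticated packet; and a localized key lifted from one switch's configuration is useless on any other engine, which is the whole point of the localization.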


Let's now view the user we have configured:


Switch1# show snmp user
______________________________________________________________
                  SNMP USERS
______________________________________________________________

User                          Auth  Priv(enforce) Groups                       
____                          ____  _____________ ______                       
admin                         md5   des(no)       network-admin                

ccierants                     md5   des(no)       network-operator             

nervmainpc                    md5   des(no)       network-operator             

______________________________________________________________
 NOTIFICATION TARGET USERS (configured  for sending V3 Inform)
______________________________________________________________

User                          Auth  Priv
____                          ____  ____
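The listing above is worth reading with a security eye, not just to confirm the user exists: every user is on md5 and des, the Priv(enforce) column says "(no)" for all of them, so an authNoPriv request with the right password is still accepted, and the admin user has network-admin (read-write). Below is an added example (my own code, not from the original post) that parses this `show snmp user` table and flags exactly those points. The sample text is constructed from the post's output plus one made-up user, "monitor", to show what a clean entry looks like; the aes-128(yes) form of that entry is my assumption of how an enforced AES user is rendered.

```python
"""Audit NX-OS `show snmp user` output for weak SNMPv3 settings.

Added example, not from the original post. SAMPLE is constructed from the
post's own `show snmp user` listing plus one made-up user ("monitor").
"""
import re

SAMPLE = """\
______________________________________________________________
                  SNMP USERS
______________________________________________________________

User                          Auth  Priv(enforce) Groups
____                          ____  _____________ ______
admin                         md5   des(no)       network-admin

ccierants                     md5   des(no)       network-operator
                                                  ccierants

nervmainpc                    md5   des(no)       network-operator

monitor                       sha   aes-128(yes)  network-operator

______________________________________________________________
 NOTIFICATION TARGET USERS (configured  for sending V3 Inform)
______________________________________________________________

User                          Auth  Priv
____                          ____  ____
"""

PRIV = re.compile(r"([\w-]+)\((yes|no)\)")   # e.g. des(no), aes-128(yes)


def parse_snmp_users(text: str) -> dict:
    """Return {user: {auth, priv, enforce, groups}} for the SNMP USERS table only."""
    users, current, in_table = {}, None, False
    for line in text.splitlines():
        if "NOTIFICATION TARGET USERS" in line:
            break                                   # inform target users are a separate table
        if line.startswith("____ "):
            in_table = True                         # column underline: data rows follow
            continue
        if not in_table or not line.strip() or line.lstrip().startswith("_"):
            continue                                # header area, blank rows, separators
        if line[0].isspace():                       # indented: one more group for the previous user
            if current:
                users[current]["groups"].append(line.strip())
            continue
        name, auth, priv, *groups = line.split()
        m = PRIV.fullmatch(priv)
        users[name] = {
            "auth": auth,
            "priv": m.group(1) if m else priv,
            "enforce": bool(m and m.group(2) == "yes"),
            "groups": groups,
        }
        current = name
    return users


def audit(text: str) -> list:
    """One (user, finding) tuple per weakness; an empty list means nothing to flag."""
    findings = []
    for name, u in parse_snmp_users(text).items():
        if u["auth"] == "md5":
            findings.append((name, "HMAC-MD5 authentication; prefer sha"))
        if u["priv"] == "des":
            findings.append((name, "DES privacy; prefer aes-128"))
        if not u["enforce"]:
            findings.append((name, "privacy not enforced; unencrypted authNoPriv requests still accepted"))
        if "network-admin" in u["groups"]:
            findings.append((name, "network-admin group: full read-write access, confirm this user needs it"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user:<12} {finding}")
```

Paste the real output of `show snmp user` in place of SAMPLE (or pipe it in) and the only user that should come back clean is one on sha, aes-128, with enforce set to yes and a role no wider than it needs.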



So we have created our user and password. Now let's use the MIB browser to access it:





As you can see in the MIB browser, we can select Auth and Priv, NoAuth No-Priv, or Auth No-Priv, as we discussed.






Success! We have browsed the MIB tree!





Now, as we mentioned, and as the eagle-eyed among you may have spotted in the output, we can assign SNMP "groups" to users; this is what controls what the user is allowed to do.



Even though these are called groups, they are essentially just roles:

Switch1(config)# show snmp group  | inc Role:
Role: network-admin
Role: network-operator
Role: server-admin
Role: default-role


Notice that network-operator and network-admin line up nicely with the RO and RW community strings in the old SNMP.



Let's quickly create a role with next to no privileges (it permits config and show for iscsi only):

Role: ccierants
  Description: new role
  Vsan policy: permit (default)
  -------------------------------------------------
  Rule    Type    Command-type    Feature        
  -------------------------------------------------
  1       permit  config          iscsi          
  2       permit  show            iscsi      




Next we assign the role:


Switch1(config)# snmp-server user ccierants ccierants



Note that this ADDED the role; the user still has network-operator as well, so I have to remove the old role:

Switch1# show snmp user
______________________________________________________________
                  SNMP USERS
______________________________________________________________

User                          Auth  Priv(enforce) Groups                       
____                          ____  _____________ ______                       
admin                         md5   des(no)       network-admin                

ccierants                     md5   des(no)       network-operator             
                                                  ccierants                    


Switch1(config)# no snmp-server user ccierants network-operator


Now if we try to access something the role does not permit, the request is refused:





Finally, let's quickly look at traps; they are not too complicated.


First of all, to send either traps or informs you need to specify which events you want to notify on. This enables the actual notifications:


Switch1(config)# snmp-server enable traps ?
              
  aaa              Module notifications enable
  callhome         Module notifications enable
  cfs              Module notifications enable
  entity           Module notifications enable
  fcdomain         Module notifications enable
  fcns             Module notifications enable
  fcs              Module notifications enable
  fctrace          Module notifications enable
  fdmi             Module notifications enable
  feature-control  Module notifications enable
  fspf             Module notifications enable
  license          Module notifications enable
  link             Module notifications enable



You can see there are a bunch you can enable; `snmp-server enable traps` on its own enables all of them.




Switch1(config)# snmp-server host 1.1.1.1 ?
  WORD     SNMP community string or SNMPv3 user name (Max Size 32)
  informs  Send Inform messages to this host
  traps    Send Traps messages to this host
  version  SNMP version to use for notification messages

Here we choose the destination host and whether it gets traps or informs. The WORD option is a community string for version 1/2c hosts and the SNMPv3 user name for version 3 hosts.


Switch1(config)# snmp-server host 1.1.1.1 informs version 3 ?
  auth    Use the SNMPv3 authNoPriv Security Level
  noauth  Use the SNMPv3 noAuthNoPriv Security Level
  priv    Use the SNMPv3 authPriv Security Level



Here we set the security level the notifications are sent with: noauth, auth (authNoPriv) or priv (authPriv). Use priv so the notification payload is encrypted on the wire.


Switch1(config)# snmp-server host 1.1.1.1 informs version 3 priv ccierants ?




We must name the user whose credentials are used to generate the notifications to the server. The role assigned to this user doesn't matter, since the switch is sending, not answering requests. Informs have one extra step: for an inform the receiver is the authoritative SNMP engine, so the user must also be created with the receiver's engineID (the engineID keyword we saw in the snmp-server user help); that is what the "NOTIFICATION TARGET USERS" table at the bottom of show snmp user lists.
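Putting the whole procedure together with the stronger options, as an added example (my own config, not the post's lab): the IP address, names and passwords are placeholders, the engineID value is a placeholder in the colon-separated form NX-OS uses, and the enforcePriv line is the NX-OS command that flips the Priv(enforce) column to yes; check it is present in your release.

```text
! Read-only user for the management station: SHA auth, AES-128 priv, and
! encryption enforced so an authNoPriv request with valid credentials is refused.
snmp-server user nms-ro network-operator auth sha Str0ngAuthPass priv aes-128 Str0ngPrivPass
snmp-server user nms-ro enforcePriv

! Notifications: enable only the events you want, send them as authPriv traps.
snmp-server enable traps link
snmp-server host 192.0.2.10 traps version 3 priv nms-ro

! For informs the receiver is the authoritative engine, so the user sent with
! the inform is created with the receiver's engineID (placeholder value).
snmp-server user nms-inform auth sha Str0ngAuthPass priv aes-128 Str0ngPrivPass engineID 80:00:00:09:03:00:11:22:33:44:55
snmp-server host 192.0.2.10 informs version 3 priv nms-inform
```

After this, `show snmp user` should show nms-ro as sha / aes-128(yes) with only network-operator, and nms-inform under the notification target users table rather than the normal user table.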


I hope this helps someone out there!


1 comment:

  1. Do you use VRF-lite on the switch? Cisco Nexus has implemented a feature that shows content related to one VRF only. With the default SNMP configuration you can see just the content of no VRF. If you have all IP interfaces assigned to a VRF you will not see any IP via SNMP.
    The mapping is 1:1 only, as I found. You probably cannot use one SNMP user that can browse the contents of all VRFs.

    https://supportforums.cisco.com/discussion/11914946/how-snmp-get-nexus-7k-non-default-vrf-arp-table
