How to configure SNMP version 3 (SNMP v3) on Cisco routers
Introduction
Prerequisite
SNMP version 3 (SNMPv3) configuration with no authentication
SNMP version 3 (SNMPv3) configuration with authentication
WARNINGS and Remarks
Introduction to SNMP v3
SNMP version 3 (SNMPv3) is designed to provide security enhancements to the SNMP protocol by adding authentication and encryption. Unlike version 1, where identification was performed by a community name sent in clear text in the SNMP packets, SNMP version 3 allows the use of advanced mechanisms that guarantee a strong level of security. The drawback is a more complex configuration on both sides of the SNMP peer communication, the agent and the manager.
This How-to is an example of setting up the SNMP agent located in a Cisco router and the LoriotPro SNMP manager.
Prerequisite
Cisco SNMP version 3 (SNMPv3) is supported since IOS version 12.0.3T. Verify that you have a suitable IOS version before starting the SNMPv3 configuration of LoriotPro and working with your Cisco router.
Remark: If you have problems retrieving SNMP tables contained in the Cisco router, use the no snmp-server sparse-tables command.
SNMPv3 supports different types of authentication and privacy protocols (see rfc2574.TXT for more information).
| No authentication | NONE |
| Authentication | HMAC-MD5-96 or HMAC-SHA-96 |
| Privacy | CBC-DES |
Due to French government diffusion restrictions, LoriotPro includes only the NONE and HMAC-MD5-96 SNMPv3 authentication methods.
SNMP version 3 (SNMPv3) configuration with no authentication
We will first set up and check a simple SNMPv3 configuration without authentication.
Cisco Configuration
This first table shows an example of Cisco configuration.
| snmp-server engineID local 00000009020000000C096681 | The SNMPv3 engine ID of your router. This value is automatically generated by the router. The value 00000009020000000C096681 here is an example; keep the value set by the router. |
| snmp-server group LoriotNoAuth v3 noauth | This command creates a group, called LoriotNoAuth in this example. |
| snmp-server user LoriotNoAuthUser LoriotNoAuth v3 | This command creates a user named LoriotNoAuthUser attached to the LoriotNoAuth group. |
This setting is sufficient if you only want to read SNMP information. If you want to Set SNMP values, add these command lines.
| snmp-server group LoriotNoAuth v3 noauth write view1 | Add a write view called view1 to your group LoriotNoAuth. |
| snmp-server view view1 system included | Add MIB OIDs to your view. Only authorized OIDs will be accessible. Here the system group is added to allow the configuration of the syslocation, syscontact ... objects. |
Now it is possible to set the syslocation OID with the user LoriotNoAuthUser.
If you want LoriotPro to receive SNMP notifications through this profile, add this line:
| snmp-server host 10.33.10.122 version 3 noauth LoriotNoAuthUser | The router will send SNMP version 3 (SNMPv3) notifications to 10.33.10.122 using the LoriotNoAuthUser user name. |
Remarks about Notifications (Equivalent to SNMPv1 Traps)
SNMPv3 notifications received in the LoriotPro Event Manager have a green circle with SNMPv3 written in the middle. SNMPv2c notifications have one green circle with SNMPv2c written in the middle.

LoriotPro configuration:
In the Directory tree, select your SNMP version 3 (SNMPv3) host (router). Before changing the configuration, verify the availability of the router with a ping.

Click on the <properties> option in the contextual menu or toolbar.
In the host configuration window, select SNMPV3 in the Global Host Parameters pane.

In the UserName field, add your user name (LoriotNoAuthUser in our example) and press Quit.

Answer Yes to this question

If you get the following string in return, check the router configuration; you have probably made a mistake.
If the answer is like the one below, you can work in SNMPv3 with this host.

SNMP version 3 (SNMPv3) configuration with authentication
We now modify the previous setting and add authentication. The authentication method is HMAC-MD5-96.
Cisco Configuration
| snmp-server engineID local 00000009020000000C096681 | The SNMPv3 engine ID of your router. This value is automatically generated by the router. The value 00000009020000000C096681 here is an example; keep the value set by the router. |
| snmp-server group LoriotAuth v3 auth | This command creates a group, called LoriotAuth in this example. |
| snmp-server user LoriotAuthUser LoriotAuth v3 auth md5 changeme | This command creates a user named LoriotAuthUser attached to the LoriotAuth group, selects MD5 authentication and sets a password, here changeme. |
If you want to receive notifications through this profile, add this command line:
| snmp-server host 10.33.10.122 version 3 auth LoriotAuthUser | If LoriotPro is installed on the 10.33.10.122 IP address, the router sends SNMP version 3 (SNMPv3) notifications to 10.33.10.122 using the LoriotAuthUser user name. |
LoriotPro configuration:
Repeat the same procedure as for the no-authentication method, but select the correct values for MD5 authentication, as in the example below.

If the answer looks like this, you can work in SNMPv3 with this host.

Remark: you can see the calculated KULL key (the localized authentication key, see rfc2574).
Below is an example of an SNMPv3 get-request packet on the sysName object:

The get-response of the Cisco router:

WARNINGS and Remarks
With some versions of the IOS and some Cisco router products (25xx...), you lose the authentication user profile when you power the router down and up. Consequently, when LoriotPro has to send information, the SNMPv3 discovery process fails and LoriotPro sends one alarm message saying that the SNMPv3 discovery procedure failed with this router (host).
Don't forget to save your configuration before exiting LoriotPro.
LoriotPro supports SNMP V1, SNMP V2c and SNMP V3. When you configure your host with SNMP V1, SNMP V2c or SNMP V3 parameters, LoriotPro uses SNMP V3 by default, else SNMP V2c, and lastly SNMP V1.
In the 'Global Host Parameters' options, even if the community strings are set, LoriotPro will use SNMPv3 as long as the V3 parameters are also set. You must clear the SNMP V3 parameters with the 'Clear' button in the 'SNMP version 3 (SNMPv3) Parameters Module' to force LoriotPro to use SNMPv2c or SNMPv1.
If you want more information concerning Cisco router configuration, go to www.cisco.com