Wednesday, January 8, 2014

Configuring SNMPv3 for Cisco IOS and ASA devices

    Configuring SNMPv2 is pretty simple: all you need in order to monitor a device is snmp-server community public RO. SNMPv3 is a whole new beast, but I have taken the pain points out with this document I created to get monitoring set up for your devices. This is for Cisco devices, but I have been told that Brocade and a few other vendors use similar configurations.

    This post will cover:

  • Setting up SNMPv3
  • Removing SNMPv3
  • Troubleshooting SNMPv3
  • Setting up monitoring for wireless access points
  • Setting up monitoring for Solarwinds User Device Tracker or any network topology application

    This is a basic setup. If you are looking for a more secure setup, you will need to contact Cisco. This document was only designed to get the device monitored and to troubleshoot any issues.
    Reference:  SNMPv3

    1. Command: enable
    2. Command: config t
    3. Create the view
      1. Command: snmp-server view TestSNMPv3View internet included
      2. ASA: this command does not exist; the ASA falls back to its standard (default) view
    TestSNMPv3View is the view name.
    If you see %Bad OID, the tree name internet does not exist on that device; use iso (if it exists) or the numeric OID 1.3.6.
      1. included: the MIB family is included in the view
      2. excluded: the MIB family is excluded from the view
    4. Create the group
      1. Command: snmp-server group TestSNMPv3Group v3 priv read TestSNMPv3View write TestSNMPv3View
      2. Command (ASA only): snmp-server group TestSNMPv3Group v3 priv
    TestSNMPv3Group is the group name. The options on the group command are:
      1. v1: group using the v1 security model
      2. v2c: group using the v2c security model
      3. v3: group using the User security model (SNMPv3)
      4. auth: group using the authNoPriv security level
      5. noauth: group using the noAuthNoPriv security level
      6. priv: group using the authPriv security level
      7. access: specify an access-list associated with this group
      8. context: specify a context to associate these views with for the group
      9. notify: specify a notify view for the group; sends a syslog every time a view is touched
      10. read: specify a read view for the group
      11. write: specify a write view for the group
    5. Create a user
      1. Command (same for ASA): snmp-server user TestSNMPv3User TestSNMPv3Group v3 auth md5 P@$$w0rd priv des P@$$w0rd
    TestSNMPv3User is the user name. The options on the user command are:
      1. remote: specify a remote SNMP entity to which the user belongs
      2. v1: group using the v1 security model
      3. v2c: group using the v2c security model
      4. v3: group using the User security model (SNMPv3)
      5. access: specify an access-list associated with this user
      6. auth: authentication parameters for the user
      7. encrypted: the passwords are given as MD5 or SHA digests rather than plain text
      8. md5: use the HMAC-MD5 algorithm for authentication
      9. sha: use the HMAC-SHA algorithm for authentication
      10. 3des: use the 168-bit 3DES algorithm for encryption
      11. aes: use the AES algorithm for encryption
      12. des: use the 56-bit DES algorithm for encryption
    6. Send to destination host (ASA only)
      1. Command (ASA only): snmp-server host inside 10.10.1.1 version 3 TestSNMPv3User
    Note: 10.10.1.1 is the destination host that is allowed to monitor the device; if the IP address of the Solarwinds NPM server is not in this list, you will not be able to add the device.
      1. inside: name of interface Vlan1
      2. outside: name of interface Vlan2

    Example of the configuration from start to finish:

    1. Standard Cisco IOS:
    Cisco>enable
    Cisco#config t
    Enter configuration commands, one per line.  End with CNTL/Z.

    Cisco(config)#snmp-server view TestSNMPv3View internet included
    Cisco(config)#snmp-server group TestSNMPv3Group v3 priv read TestSNMPv3View write TestSNMPv3View
    Cisco(config)#snmp-server user TestSNMPv3User TestSNMPv3Group v3 auth md5 P@$$w0rd priv des P@$$w0rd

    2. Cisco ASA:
    Cisco>enable
    Cisco#config t

    Cisco(config)# snmp-server group TestSNMPv3Group v3 priv
    Cisco(config)# snmp-server user TestSNMPv3User TestSNMPv3Group v3 auth md5 P@$$w0rd priv des P@$$w0rd
    Cisco(config)# snmp-server host inside 10.10.1.1 version 3 TestSNMPv3User

    3. Adding the device in Orion:
    Note: Do not add the read/write credentials initially; select Test first.
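The walkthrough above uses md5 and des with the same secret for both, which is the minimum that works; the option lists earlier in the post also show sha and aes, which are the stronger choices. The following Python is an added example, not code from the post or from Cisco: it parses the snmp-server view/group/user/host lines from a saved configuration, checks that every reference resolves (user to group, group to view, host to user), and flags the weak choices so a config can be reviewed before the device goes into monitoring. The sample configurations are constructed from the post's examples; the access-list number 10 and the SHA/AES user are hypothetical.

```python
"""Lint Cisco IOS/ASA snmp-server lines for SNMPv3 consistency and weak choices.

Added example, not code from the original post. Findings are (severity, text):
error = a reference that does not resolve (user->group, group->view, host->user)
        or a user that cannot meet its group's security level
weak  = MD5 auth, DES/3DES priv, one secret reused for auth and priv, a host not on v3
info  = write view on a monitoring group, IOS group without an access-list
Sample configs are constructed from the post; ACL 10 and the SHA/AES user are hypothetical.
"""
import re

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
WEAK_AUTH, WEAK_PRIV = {"md5"}, {"des", "3des"}

def _pairs(tokens, start):
    """Trailing 'keyword value' pairs: read VIEW write VIEW access ACL context CTX."""
    return {tokens[i].lower(): tokens[i + 1] for i in range(start, len(tokens) - 1, 2)}

def _parse_user(tokens):
    """snmp-server user NAME GROUP v3 [auth md5|sha PW] [priv des|3des|aes [128] PW] [access ACL]"""
    u = {"group": tokens[3], "auth": None, "auth_pw": None, "priv": None, "priv_pw": None, "access": None}
    i = 5
    while i < len(tokens):
        key = tokens[i].lower()
        if key == "auth" and i + 2 < len(tokens):
            u["auth"], u["auth_pw"], i = tokens[i + 1].lower(), tokens[i + 2], i + 3
        elif key == "priv" and i + 2 < len(tokens):
            algo, i = tokens[i + 1].lower(), i + 2
            if algo == "aes" and tokens[i].isdigit() and i + 1 < len(tokens):  # aes carries a key size
                algo, i = "aes" + tokens[i], i + 1
            u["priv"], u["priv_pw"], i = algo, tokens[i], i + 1
        elif key == "access" and i + 1 < len(tokens):
            u["access"], i = tokens[i + 1], i + 2
        else:
            i += 1
    return u

def _parse_host(tokens):
    """IOS: snmp-server host IP version 3 auth|noauth|priv USER [traps]; ASA: host IFACE IP version 3 USER"""
    low = [t.lower() for t in tokens]
    h = {"target": next((t for t in tokens[2:] if IPV4.match(t)), tokens[2]), "version": None, "user": None}
    if "version" in low and low.index("version") + 1 < len(low):
        i = low.index("version")
        rest = [t for t in tokens[i + 2:] if t.lower() not in ("auth", "noauth", "priv")]
        h["version"], h["user"] = low[i + 1], (rest[0] if rest else None)
    return h

def parse_config(text):
    """Collect views, groups, users and hosts from snmp-server lines (other lines are ignored)."""
    cfg = {"views": {}, "groups": {}, "users": {}, "hosts": []}
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0].lower() != "snmp-server":
            continue
        kind = tokens[1].lower()
        if kind == "view" and len(tokens) >= 5:
            cfg["views"].setdefault(tokens[2], []).append((tokens[3], tokens[4].lower()))
        elif kind == "group" and len(tokens) >= 4:
            model = tokens[3].lower()
            level = tokens[4].lower() if model == "v3" and len(tokens) > 4 else None
            cfg["groups"][tokens[2]] = {"model": model, "level": level, **_pairs(tokens, 5 if level else 4)}
        elif kind == "user" and len(tokens) >= 5:
            cfg["users"][tokens[2]] = _parse_user(tokens)
        elif kind == "host":
            cfg["hosts"].append(_parse_host(tokens))
    return cfg

def lint(cfg):
    views, groups, users, f = cfg["views"], cfg["groups"], cfg["users"], []
    for name, u in users.items():
        g = groups.get(u["group"])
        if g is None:
            f.append(("error", f"user {name} references missing group {u['group']}"))
        elif g["level"] == "priv" and not u["priv"]:
            f.append(("error", f"user {name} has no priv key but group {u['group']} requires authPriv"))
        if u["auth"] in WEAK_AUTH:
            f.append(("weak", f"user {name} authenticates with {u['auth']}; prefer sha"))
        if u["priv"] in WEAK_PRIV:
            f.append(("weak", f"user {name} encrypts with {u['priv']}; prefer aes"))
        if u["auth_pw"] and u["auth_pw"] == u["priv_pw"]:
            f.append(("weak", f"user {name} reuses its auth secret as the priv secret"))
    for name, g in groups.items():
        for role in ("read", "write", "notify"):
            if g.get(role) and views and g[role] not in views:
                f.append(("error", f"group {name} {role} view {g[role]} is not defined"))
        if g.get("write"):
            f.append(("info", f"group {name} grants a write view; monitoring needs read only"))
        if g["model"] == "v3" and views and not g.get("access"):  # ASA has no views; it limits pollers per host
            f.append(("info", f"group {name} has no access-list limiting who may poll"))
    for h in cfg["hosts"]:
        if h["version"] != "3":
            f.append(("weak", f"host {h['target']} does not use SNMPv3 (version {h['version'] or 'default'})"))
        elif h["user"] not in users:
            f.append(("error", f"host {h['target']} references missing user {h['user']}"))
    return f

IOS_POST_EXAMPLE = """
snmp-server view TestSNMPv3View internet included
snmp-server group TestSNMPv3Group v3 priv read TestSNMPv3View write TestSNMPv3View
snmp-server user TestSNMPv3User TestSNMPv3Group v3 auth md5 P@$$w0rd priv des P@$$w0rd
snmp-server host 10.10.1.6 version 3 auth TestSNMPv3User config syslog snmp
"""
HARDENED_EXAMPLE = """
snmp-server view TestSNMPv3View internet included
snmp-server group TestSNMPv3Group v3 priv read TestSNMPv3View access 10
snmp-server user TestSNMPv3User TestSNMPv3Group v3 auth sha AuthSecret-1 priv aes 128 PrivSecret-2 access 10
snmp-server host 10.10.1.6 version 3 priv TestSNMPv3User
"""
```

Run it against `show running-config | include snmp-server` output saved to a file: the post's own example yields three weak findings (md5, des, reused secret) and two info findings (write view, no access-list), while the hardened variant yields none. The ASA branch is handled by the same code, since its group line carries no views and its host line names an interface before the address.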

    Removing SNMPv3 Configuration

    1. Important commands for removing an existing configuration (use ? for more options):
      1. no snmp-server group
      2. no snmp-server user
      3. no snmp-server host

    Troubleshooting SNMPv3 Configuration

    1. Command: show snmp view
      1. Views are contained in groups
      2. Views define which MIBs are available on the device
      3. The view name we are looking for here is TestSNMPv3View, and you can see it includes everything from internet down
      4. MIB iso is 1 and everything below it
    2. Command: show snmp group
      1. The view associations for TestSNMPv3Group are the following:
        1. Read view: TestSNMPv3View
        2. Write view: TestSNMPv3View
        3. Security model: v3 priv
    3. Command: show snmp user
      1. Looking at the user TestSNMPv3User, it is assigned to the group TestSNMPv3Group.

    Troubleshooting an ASA

    Note: show snmp view does not work on ASA devices; the ASA uses def_read_view as the view.

    1. Command: show run | grep snmp
      1. Shows the current SNMP configuration (note that none is listed here, so there is no configuration yet)
      2. Shows the current SNMP configuration. Note that this is the exact same configuration as in step 7, and the password is encrypted.
      3. Also note the host and the interface the traps go out on

    SNMPv3 Traps (Orion Core 2011.2 and higher)

    Note: This assumes that you have already set up and configured SNMPv3 on the device.

    1. Add the following while in configuration terminal:
      1. Command: snmp-server host 10.10.1.6 version 3 auth TestSNMPv3User
        1. The authentication level and user must match the SNMPv3 configuration
    2. You can add the following on the same command line to generate traps:
      config syslog aaa_server snmp (these are the basic trap types sent)

    Troubleshooting SNMPv3 Traps

    1. Check the log file:
      1. Server 2008: C:\ProgramData\Solarwinds\Logs\Orion\TrapService.log
      2. Server 2003: C:\Documents and Settings\All Users\Application Data\Solarwinds\Logs\Orion\TrapService.log
    2. If you see the following error, please see this KB:
      ERROR TrapService.TrapService - Bad trap packet received from Node with IP <IP of Device>. Error description : Security level is set to 2 but no encryption password was provided.
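To triage that error across many devices rather than reading the log by eye, here is an added example (not from the post or from SolarWinds) that parses TrapService.log lines, keeps the "Bad trap packet" errors, counts them per device IP and attaches the configuration item to check. Only the error text quoted above comes from the post; the timestamp and thread prefix and the other sample lines are constructed and are assumptions about the log layout.

```python
"""Scan an Orion TrapService.log for SNMPv3 trap failures and say what to check.

Added example, not code from the post or from SolarWinds. The only message text
taken from the post is the 'Bad trap packet received ...' line; the
'<date> <time> [<thread>] LEVEL logger - message' prefix and the other sample
lines are constructed assumptions about the log layout.
"""
import re
from collections import Counter

LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+\[\d+\]\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$"
)
# Message shape as quoted in the post
BAD_TRAP = re.compile(
    r"Bad trap packet received from Node with IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\. "
    r"Error description : (?P<desc>.+)$"
)

# Phrase in the error description -> what to compare between device and Orion.
# The first entry is the post's case; the second is an assumed variant.
REMEDIATION = [
    ("no encryption password",
     "Orion's SNMPv3 trap credential for this node has no priv (encryption) password; "
     "add the same priv key used on the device's 'snmp-server user ... priv' line"),
    ("authentication",
     "auth algorithm or password differs between the device's snmp-server user line "
     "and the Orion credential"),
]
DEFAULT_HINT = "compare the device's snmp-server host and user lines with the Orion credential"

def parse_trap_log(text):
    """Return one dict per 'Bad trap packet' ERROR line: time, ip, description, hint."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m or m["level"] != "ERROR":
            continue
        bad = BAD_TRAP.search(m["msg"])
        if not bad:
            continue  # other ERROR lines are not trap-decoding failures
        desc = bad["desc"]
        hint = next((h for key, h in REMEDIATION if key in desc.lower()), DEFAULT_HINT)
        events.append({"time": m["ts"], "ip": bad["ip"], "description": desc, "hint": hint})
    return events

def failures_per_device(events):
    """Count bad-trap events by sending device, to see which devices need attention first."""
    return dict(Counter(e["ip"] for e in events))

# Constructed sample: the two 10.10.1.25 lines repeat the post's error text.
SAMPLE_LOG = """\
2014-01-08 10:15:02,113 [7] INFO  TrapService.TrapService - Trap service started
2014-01-08 10:15:44,201 [7] ERROR TrapService.TrapService - Bad trap packet received from Node with IP 10.10.1.25. Error description : Security level is set to 2 but no encryption password was provided.
2014-01-08 10:16:01,540 [7] ERROR TrapService.TrapService - Bad trap packet received from Node with IP 10.10.1.25. Error description : Security level is set to 2 but no encryption password was provided.
2014-01-08 10:16:30,002 [7] ERROR TrapService.TrapService - Bad trap packet received from Node with IP 10.10.1.40. Error description : Authentication failure.
2014-01-08 10:17:00,000 [7] ERROR TrapService.TrapService - Listener restarted
"""

if __name__ == "__main__":
    events = parse_trap_log(SAMPLE_LOG)
    for ip, n in failures_per_device(events).items():
        print(ip, n, next(e["hint"] for e in events if e["ip"] == ip))
```

Point it at the TrapService.log path for your server version and the output lists each device that is sending traps Orion cannot decode, with the number of failures and the credential field to fix on the Orion side.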

    View Wireless Information

    Add to your current View:
    1. Command: SNMP-Server view TestSNMPv3View ieee802dot11 included

    Solarwinds User Device Tracker Module, or any Network Topology setup

    While everything works by default with SNMPv2, you will need to add new commands to the Cisco devices to expose the per-VLAN values for this MIB. According to Cisco, SNMPv2 and SNMPv3 work quite differently when polling the BRIDGE-MIB, which contains these layer 2 values. There is no single command that will expose all existing VLANs: each VLAN needs its own context. If on a certain switch you have devices on VLANs 3, 10, and 41, you need to add these commands:
    1. Command: snmp-server group OurGroupName v3 priv context vlan-3
    2. Command: snmp-server group OurGroupName v3 priv context vlan-10
    3. Command: snmp-server group OurGroupName v3 priv context vlan-41
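The post lists the three context commands for VLANs 3, 10 and 41 by hand. As an added example (not the post's or SolarWinds' code), the Python below generalizes that: it reads the VLAN definitions from a saved show running-config, finds which ones already have a vlan-N context for the group, and emits only the commands still missing, so a switch with many VLANs is covered without omissions. The sample running-config is constructed; the group name OurGroupName is the post's.

```python
"""Generate the per-VLAN SNMPv3 context commands that the post says UDT needs.

Added example, not code from the post or SolarWinds. It reads 'vlan N' definitions
(including 'vlan 10,41' lists and 'vlan 20-22' ranges) and the
'snmp-server group ... context vlan-N' lines already present, and returns the
commands for VLANs that still lack a context for the given group.
The sample running-config below is constructed.
"""
import re

VLAN_DEF = re.compile(r"^vlan\s+([\d,\-]+)\s*$", re.IGNORECASE)
VLAN_CONTEXT = re.compile(
    r"^snmp-server\s+group\s+(\S+)\s+v3\s+(auth|noauth|priv)\s+.*?\bcontext\s+vlan-(\d+)\b",
    re.IGNORECASE,
)

def expand_vlan_list(spec):
    """'3' -> {3}; '10,41' -> {10, 41}; '20-22' -> {20, 21, 22} (IOS list syntax)."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans

def vlans_in_config(text):
    """All VLAN ids defined by 'vlan ...' lines in the running config."""
    vlans = set()
    for line in text.splitlines():
        m = VLAN_DEF.match(line.strip())
        if m:
            vlans |= expand_vlan_list(m.group(1))
    return vlans

def vlan_contexts_in_config(text, group):
    """VLAN ids that already have a context line for this group."""
    found = set()
    for line in text.splitlines():
        m = VLAN_CONTEXT.match(line.strip())
        if m and m.group(1) == group:
            found.add(int(m.group(3)))
    return found

def missing_context_commands(text, group, level="priv"):
    """Commands to add so every defined VLAN is reachable through the group (sorted by VLAN id)."""
    missing = vlans_in_config(text) - vlan_contexts_in_config(text, group)
    return [f"snmp-server group {group} v3 {level} context vlan-{v}" for v in sorted(missing)]

# Constructed sample: VLAN 3 already has its context, the others do not,
# and OtherGroup's context line must not count for OurGroupName.
SAMPLE_RUNNING_CONFIG = """\
hostname access-sw-01
vlan 3
 name servers
vlan 10,41
vlan 20-22
snmp-server view TestSNMPv3View internet included
snmp-server group OurGroupName v3 priv read TestSNMPv3View
snmp-server group OurGroupName v3 priv context vlan-3
snmp-server group OtherGroup v3 priv context vlan-10
"""

if __name__ == "__main__":
    for cmd in missing_context_commands(SAMPLE_RUNNING_CONFIG, "OurGroupName"):
        print(cmd)
```

The level argument should match the level on the group's existing line (priv in the post), since the context entry is just another snmp-server group line for the same group. Paste the printed commands in configuration terminal, then re-run against the new running-config to confirm the list is empty.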
