How to configure SNMPv3 on Cisco IOS Router

Hi,

First of all, thank you so much for your clear lessons. I'm heavily depending on them as my study material for my CCNP 300-101.

I would love to see a full tutorial on how to implement Observium with GNS3 routers. I have searched the whole net, but I could find nothing.

Could you please guide us step by step on how to use GNS3 (VMware) with Observium?

Thanks.

Hi Hussam,

Glad to hear you like it.

If you want to play around with Observium, it’s best to use the tutorial that you can find on the Observium website:

http://docs.observium.org/install_debian/

Once you have Observium up and running, the only thing you need to do is to use the cloud icon in GNS3 to connect a physical network card (or a virtual one if you use VMware) to your GNS3 routers:

This is an older video but it’s probably still 99% the same on the latest GNS3 version.

Rene

Thank you Rene, I will try them and I will let you know.

How do I check the settings below? Is there any way to verify this configuration?

R1(config)#snmp-server user MYUSER MYGROUP v3 auth md5 MYPASS123 priv aes 128 MYKEY123

I don't see this configuration in “show run”, yet SNMP always works fine.

Thanks
Manami

Hi Manami,

These SNMPv3 commands are not saved in the running config but in the private config. You can’t retrieve the passwords, but the usernames will show up with “show snmp user”.

Rene

Hi Rene

In your config example, do you not also need to configure the snmp server command?

e.g. snmp-server host 10.0.0.1 version 3 priv MYUSER

Where 10.0.0.1 is the IP of the SNMP server

Hello Chris

The snmp-server host command specifies the recipient of an SNMP notification, either as a trap or as a response to an inform request.

If you don’t specify the server, as Rene hasn't in his example, you are able to connect to the router and send responses to SNMP inform requests only. Traps require further configuration on the router because they are initiated by the router itself. Informs are initiated by external SNMP queriers.

I hope this has been helpful!

Laz

I need to confirm the difference between auth and priv in SNMPv3.

If I configure the following, what is the difference between them?

snmp-server group SBG v3 auth read ABC
snmp-server group SBG v3 priv read ABC

Regards,
Mohammed Oves

Hi Mohammed,

Auth is authentication and priv is privacy (encryption). For authentication we can use MD5 or SHA, for encryption DES/AES.

Rene

Why do you have to specify the security level on the group when you do it for the user?

Hello Justin

When you specify the security level in the following command

R1(config)#snmp-server group MYGROUP v3 priv

you are specifying that SNMP packets will be authenticated and encrypted.

When issuing the command:

R1(config)#snmp-server user MYUSER MYGROUP v3 auth md5 MYPASS123 priv aes 128 MYKEY123

you are specifying that the user will indeed use the User Based Security Model (USM) for SNMPv3 that has been configured in the previous command. The priv keyword in the second command is not the same as that in the first. In the first, you have the option of specifying auth, noauth or priv while in the second command you either include the priv keyword or you don’t. If you use the priv keyword, you then must specify the encryption method and key sizes.

Take a look at the following two command references from Cisco:

snmp-server group:

snmp-server user:

I hope this has been helpful!

Laz

Hello Rene,

In the topic Introduction to SNMP, you have mentioned that
noAuthNoPriv = username authentication but no encryption,

but in the topic SNMPv3, you have mentioned that
noAuthNoPriv = no authentication and no encryption.

So I am a bit confused. I think that there is no authentication in SNMPv3, but then what do you mean by username authentication in noAuthNoPriv?

Hello Tejpal

Yes, you are correct that the statements are confusing. First of all, let’s look at what the noAuthNoPriv level of security actually does. For SNMP v1 and v2, noAuthNoPriv will indeed result in no username authentication and no encryption. However, only the community string will be used to match for authentication.

For SNMP v3, because it doesn’t use the concept of a community string, the noAuthNoPriv level will result in no encryption but a username will be used for authentication.

Because of these differences, the statements were made in this way. However, I will let Rene know so that he can clarify this a little more.

Thanks for pointing that out!

Laz

Hello team,

I have a doubt regarding SNMP and NetFlow: where should we configure these protocols in a network topology, i.e. on the switch, router, firewall, or servers in the DMZ?

Regards
Varun Uppal

Hello Varun

It all depends on what kinds of things you want to capture. For NetFlow, you can specify particular ports from which to capture traffic. You can choose these ports based on what information you want to gain. For example, if you want to follow the traffic that is flowing to and from a web server on your network, configure NetFlow to monitor the particular port on a switch that the server is connected to. If you want to examine backbone traffic, choose the port channel you have configured between your primary switches and your edge router.

For SNMP, the idea is the same. Do you want to examine particular attributes of traffic to and from your DMZ? Choose the appropriate ports.

In general, when choosing switches as the location to monitor, you are monitoring more specific traffic. Traffic that goes over routers and firewalls is usually consolidated traffic of many combined users.

Ultimately, you have to first define what you are looking for in order to proceed to practically decide on what ports to monitor.

I hope this has been helpful!

Laz

Hello,
I had to use Des56 for the encryption type on my physical 2621xm router like this:


But when I tried to retrieve the information like Rene did, using snmpget, I got “missing object name”.
So I tried to add the object sysName.0, and then I got “Encryption not enabled”.

Is this because des is not the same as Des56? Can you help me get this working? Do I have to get an NMS to be able to get it working, or can I continue to use snmpget? Btw, snmpget worked just fine getting SNMPv2 object info.

Thanks for your help!!! I should have started studying here a long time ago. I would have advanced in my studies much more had I done that.

Did anyone try this? If so, does this work using a VM with a Debian install? I could not get the Observium community version installed on Ubuntu 18.04. Has anyone had any luck implementing this with GNS3? Please share!

Hello Martha

Doing some research, I find that several IOS platforms use the des56 keyword while others simply use des; however, both result in the same 56-bit encryption. It’s strange that you would get this result. I assume the 2621xm router doesn’t support aes?

Doing a bit more research, it seems that the problem may not be with your router configuration, but with your snmpget utility. The snmpget utility detects the use of des, but the specific package you have installed doesn’t support it or it wasn’t enabled. If you use your favorite search engine to find the error message that is displayed, you will find solutions to the problem for your particular installation.

I hope this has been helpful!

Laz
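Two points in this thread decide whether an snmpget like Martha's succeeds: the security level on "snmp-server group ... v3 noauth|auth|priv" is the minimum a query must meet, and the client's -a/-A and -x/-X flags must mirror the user's auth and priv settings. The following shell function, an added example that is not part of the thread or of Cisco's or net-snmp's own material, builds the matching net-snmp snmpget command for the thread's MYUSER credentials and refuses a level below the group's minimum; the agent address 192.0.2.1 is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: build a net-snmp snmpget command that
# mirrors the thread's SNMPv3 user (MYUSER, auth md5 MYPASS123, priv aes 128
# MYKEY123) and refuse to run it at a security level below the group's minimum.
# AGENT is a constructed placeholder address; override it in the environment.
AGENT="${AGENT:-192.0.2.1}"
SNMP_USER="MYUSER"
AUTH_PASS="MYPASS123"   # matches "auth md5 MYPASS123" on the router
PRIV_PASS="MYKEY123"    # matches "priv aes 128 MYKEY123" on the router

# Rank the three USM security levels so they can be compared numerically.
level_rank() {
  case "$1" in
    noAuthNoPriv) printf '%s\n' 0 ;;
    authNoPriv)   printf '%s\n' 1 ;;
    authPriv)     printf '%s\n' 2 ;;
    *)            printf '%s\n' -1 ;;
  esac
}

# Usage: snmpv3_get_cmd <group level> <client level> [DES|AES]
# The "snmp-server group ... v3 noauth|auth|priv" keyword is the minimum level
# the agent accepts; a query below it gets a USM report instead of a value.
# IOS "des" and "des56" are the same 56-bit DES that net-snmp calls DES.
snmpv3_get_cmd() {
  group_level="$1"; client_level="$2"; priv_proto="${3:-AES}"
  g=$(level_rank "$group_level"); c=$(level_rank "$client_level")
  if [ "$g" -lt 0 ] || [ "$c" -lt 0 ]; then return 2; fi   # unknown level name
  if [ "$c" -lt "$g" ]; then return 1; fi                  # below group minimum
  cmd="snmpget -v3 -u $SNMP_USER -l $client_level"
  if [ "$c" -ge 1 ]; then cmd="$cmd -a MD5 -A $AUTH_PASS"; fi
  if [ "$c" -ge 2 ]; then cmd="$cmd -x $priv_proto -X $PRIV_PASS"; fi
  printf '%s\n' "$cmd $AGENT sysName.0"
}

# Stand-alone run: print the command for the thread's "priv" group. Passing
# keys on the command line exposes them in the process list; for real use put
# them in ~/.snmp/snmp.conf (defAuthPassphrase / defPrivPassphrase) instead.
snmpv3_get_cmd authPriv authPriv AES
```

An "Encryption not enabled" reply from a client built without the chosen cipher, as in Martha's case, is a local net-snmp build issue rather than a level mismatch, so the command above is correct but the package has to support the -x protocol.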

I will try this again sometime.