How to configure SNMPv3 on Cisco IOS Router

Hi Laz,

Thank you very much for this!

Kindest Regards,

Andrew

1 Like

Something I may have missed but didn’t see was SNMPv3 informs. SNMP Traps do not get acknowledged. they just inform of an event.

SNMPv3 informs however are acknowledged so you can expect a reply.

another generic form not sure if this one cisco but it was plainly written.

http://www.net-snmp.org/tutorial/tutorial-5/commands/snmptrap-v3.html

Hello Brian

The inform message is not something new to SNMPv3. It is also available in SNMPv1 and SNMPv2. It can be enabled by using the snmp-server host inform command.

In the documentation you sent, it seems that Cisco has a typo. It says on page 4:

The following configuration example shows how to configure the SNMP Inform Request feature forSNMPv1 or SNMPv2:

But it has no configuration below that statement, and it goes on to show how traps can be configured.

I did see in Rene’s lesson on Introduction to SNMP, he states that SNMPv3 uses inform messages to resolve the problem of acknowledging SNMP messages. However, it is available in v1 and v2.

You may also find this post helpful:

I hope this has been helpful!

Laz

1 Like

thank you very much for this course, finally I understand how SNMP works, but my question is whether we have to monitor a multitude of equipment I will have to configure each client individually for example I want to monitor a PC how should I configure it as you did it on the router; is this a client application that I have to use?

Thello Berthol

If you want to monitor a device using SNMP, whether that device is a router, switch, PC, IP camera, IP phone, or printer, you must enable SNMP on that device. How you would do this depends upon the vendor of the device. For example, this Microsoft document describes how you can enable SNMP on a Windows 2003 Server to send SNMP information and to configure several other parameters.

In most cases, vendors will have SNMP disabled by default for security purposes.

I hope this has been helpful!

Laz

I try to create SNMP on NXOS 9000, is it right? Get no reponse from Router.

hostname R1
!
username MYUSER  password  password1 role MYGROUP 
snmp-server group MYGROUP v3 priv
snmp-server user MYUSER MYGROUP v3 auth md5 MYPASS123 priv aes 128 MYKEY12
!
end

do I need to first command at all?

Hello!

I would like to verify whether my understanding of the SNMPv3 Security Model is correct.

NoAuthNoPriv - this basically relies on the username only, correct? The username is basically like the community string in v1 and v2c and is sent in clear text.

AuthNoPriv - this requires a username/password combination in which the user will be authenticated using MD5 or SHA instead of sending the password in clear text.

AuthPriv - this requires a username/password combination in which the user will be authenticated using MD5 or SHA and the entire SNMP packet will also be encrypted?

I was thinking, if AuthNoPriv already conceals the password by hashing it, is using AuthPriv even necessary at such a point?

And one more question. When configuring priv (encryption), the command also requires a key after specifying the encryption algorithm. This key is basically used to encrypt the message and also decrypt it back, assuming that both sides have an identical one, correct?

Thank you!

David

Hello Thao

Take a look at this post which is a response to a similar question you asked:

I hope this has been helpful!

Laz

Hello, everyone!

I have two more questions to ask. First of all, what is the use of EngineIDs in SNMPv3? I’ve heard that they make the managed devices unique, but why do we care about something like that?

The second thing is, my OCG book mentions the following when it comes to troubleshooting SNMP

Preventing indexes from shuffling - To prevent index shuffling and guarantee index persistence during reboots or minor software upgrades, use the snmp-server ifindex persist command which shows up as snmp ifmib ifindex persist in the running config.

I am pretty confused by this. What is an index? What is shuffling? What happens if indexes are shuffled?

Thank you!

David

Hello David

You’re on the right track with your understanding of SNMPv3 Security Models. Let me just add a couple of points for each one that will help in understanding. We can gain insight into what is actually being performed from the names of the keywords themselves:

NoAuthNoPriv - NoAuth means no cryptographic authentication. Credentials are used, but there is no cryptographic mechanism to verify the authenticity of the message. NoPriv means no privacy of the contents of the SNMP messages, meaning there is no encryption of the payload.

AuthNoPriv - Auth means there is cryptographic authentication. It uses MD5 or SHA for this purpose. The authentication mechanism is actually applied to the associated user using the snmp-server user command. The NoPriv remains in this security model as described above.

AuthPriv - As in the previous model, Auth means cryptographic authentication is employed.
Priv indicates that the whole SNMP packet is encrypted, which means if the packet is intercepted, it cannot be deciphered.

From the above description, you can see that while AuthNoPriv does hash the password, the rest of the SNMP packet is sent in clear text. AuthPriv however encrypts the contents of the SNMP packet. Because SNMP messages can contain vital information about the configuration and state of a network, it can potentially be dangerous if intercepted and read.

Regarding your last question, you’re correct again. When configuring priv (privacy or encryption), you need to specify an encryption algorithm and a key. This key is used to both encrypt and decrypt the message. Both sides of the communication must have the same key in order to successfully decrypt the message.

I hope this has been helpful!

Laz

Hello David!

The Engine ID is a feature specific to SNMPv3, and was introduced as part of its enhanced security model. The engine ID uniquely identifies each SNMPv3 entity, be it an SNMP agent or an SNMP manager. The uniqueness of the ID is crucial for security purposes, keeping in mind that SNMPv3 has added security features compared to its predecessors. The Engine ID is used in the generation of security parameters, and it helps to ensure that the communication is indeed with the correct device. Without unique Engine IDs, there could be potential for security breaches or miscommunication. Some more info about this feature and how its configuration affects the SNMP setup can be found in this Cisco documentation:

https://www.cisco.com/assets/sol/sb/Switches_Emulators_v2_3_5_xx/help/350_550/index.html#page/tesla_350_550_olh/snmp_engine_id.html

When a device boots up, SNMP assigns a particular index to identify each individual interface on that network device. These indexes are used by SNMP to identify the specific interface for which it’s collecting statistics.

Shuffling of these indexes can occur during a reboot or a minor software upgrade. This is especially true if virtual interfaces, SVIs, tunnels, or loopback interfaces have been configured over the lifetime of the device. When a reboot occurs, the order that the indexes have been assigned may change.

This means that the index previously assigned to a particular interface might be assigned to a different interface after the reboot or upgrade. This can cause confusion and inaccuracies in your network monitoring, as the SNMP manager might collect data for the wrong interface.

The command snmp-server ifindex persist (or snmp ifmib ifindex persist in the running config) is used to prevent this shuffling. It ensures that the same index is assigned back to the same interface even after a reboot or software upgrade, hence maintaining accuracy in your network monitoring.

I hope this has been helpful!

Laz

1 Like

Thanks for this article. i’m preparing my ccnp , you’re helping me a lot.
God bless

1 Like

Hello Rene, great article, im trying to use Observium , on my router i have a principale line and a backup line, i can monitor only one IP configured on the same IP event if i try to bring up a vritual management IP that is proxied on both pubblic ips but obsermium only permited to add only one pubblic ip, is there a workaorund?

Hello Chris

Great to hear that the lessons are helpful for you! We wish you success in your CCNP certification, and we’re here to help you along the way.

God bless you too!

Laz

Hello Valerio

Although Observium is used within the lessons, the focus is not on the use of this NMS system, so our aid in this area may be limited. However, doing some research, I have found that it may be possible for a workaround.

You’re correct that you can only add one IP address per device. However, you should be able to add the same device twice, once for each IP address. That way, Observium will see the single device as two entities, one for each of its IP addresses.

Specifically:

  • Add the device using the primary IP address and let Observium discover and poll it.
  • Then, add the same device again but this time use the second IP address.

This will let you monitor both IP addresses. The downside is that Observium will treat these as two separate devices, which may not be ideal for your monitoring needs.

Also, remember to configure SNMP on both IPs on your router. If SNMP is not enabled on the second IP, Observium will not be able to poll it.

As noted in the lesson, Observium has been forked to LibreNMS, and typically it is a better choice, so you may want to try that.

I hope this has been helpful!

Laz

Hi Laz,
thanks, i will try to use LibreNMS, i created a Loopback interface that is proxied on both ips but i can only add one ip and not also on the second, the error that i received on observium is:

Already got device with SNMP-read sysName (name of device), ‘snmpEngineID’ = 80001E4104303044304436 and ‘entPhysicalSerialNum’ = 0008D2 .

Thank you
Valerio

Hello Valerio

The error message you’re receiving indicates that Observium is detecting a conflict. It seems to be identifying the second IP address as belonging to a device that it’s already monitoring.

A possible workaround could be to try and add the second IP address as a new device but with a different sysName. This might trick Observium into treating it as a separate device. However, this workaround might not be ideal as it could lead to some confusion in your network monitoring.

Another option would be to check if you have SNMP correctly configured on both IP addresses. If SNMP is not correctly set up on the second IP, Observium might not be able to recognize it as a separate entity.

In any case, if you do try out LibreNMS, you may find that the problems you are facing will be resolved. Let us know how you get along!

I hope this has been helpful!

Laz

Thank you very much @lagapidis , i will try LibreNMS.

Valerio

Hello, I think for the part "noAuthNoPriv " is meaning “no username authentication but no encryption.”?

For clarification please. Thanks

Hello Matthew

The “noAuthNoPriv” option, even though it does say “noAuth” still requires the use of a username. The noAuth portion of the name actually indicates that SNMP messages are not authenticated. This means that the message’s integrity and the identity of the sender are not verified, but a username is still necessary. And the “NoPriv” portion indeed means that there is no encryption as you state. Does that make sense?

I hope this has been helpful!

Laz

is from SNMP (Simple Network Management Protocol) security model and it stands for “No Authentication, No Privacy”. This means that the SNMP messages are sent in plain text and no authentication is required to access the SNMP objects. It’s the least secure mode and is generally not recommended for most SNMP implementations due to its potential security vulnerabilities.