How to configure SNMPv3 on Cisco IOS Router

Did anyone try this? If so, does this work using a VM with a Debian install? I could not get the Observium community version installed on Ubuntu 18.04. Has anyone had any luck implementing this with GNS3? Please share!

Hello Martha

Doing some research, I find that several IOS platforms use the des56 keyword while others simply use des, however, both result in the same 56 bit encryption. It’s strange that you would get this result. I assume the 2621xm router doesn’t support aes?

Doing a bit more research, it seems that the problem may not be with your router configuration, but with your snmpget utility. The snmpget utility detects the use of des, but the specific package you have installed doesn’t support it or it wasn’t enabled. If you use your favorite search engine to find the error message that is displayed, you will find solutions to the problem for your particular installation.

I hope this has been helpful!

Laz

I will try this again sometime.


Hi Rene,

The paragraph below is from the lesson:

The notify view is used to send notifications to members of the group. If you don’t specify any then it will be disabled by default.

The example below is from Cisco certification guide.


My question is: no notify view is defined in the snmp-server group command, and if no notify view is defined, notifications are disabled. So does that mean the configuration is wrong? Could you please clarify?

Best Regards…

Hello Fatih

No, it is not wrong to simply not configure any notify views. Remember that the notify option specifies a notify view. This does not mean that all notifications are disabled and SNMP stops working.

The notify view is something that you can define and configure. By default nothing is defined for the notify view, that is, the null OID until the snmp-server host command is issued. The notify view is usually not configured manually. Rather, it’s added by the snmp-server host command automatically, when a user in a group is bound to a notification target host. SNMP will use the username configured with snmp-server host along with the security model specified to authenticate and possibly encrypt the notifications.

Cisco recommends that you let the software autogenerate the notify view, so unless your configuration requires it, it is better not to configure this at all. You can find more info about this and related commands in the following Cisco documentation.

I hope this has been helpful!

Laz

Rene,

Do I need to use the same group name if I have several devices, or a different group for each device?

Hello Juan

An SNMP group is simply a table that maps SNMP users to SNMP views. These are local to the device. You can use the same or different group names within each device. You can specify up to 10 groups within a single device.

I hope this has been helpful!

Laz

Great information provided there Rene and the rest of the team. On my side I have a couple of questions, if that's okay. The first one is about SNMPv3: I understand that in SNMPv3 we don't need to configure the "target" IP of the SNMP manager like in SNMPv2. If that's true, please kindly confirm it. The second question is again about SNMPv3: I am wondering if, for example, we have a device which already has some SNMP configuration, can we configure an additional snmp-server for a new monitoring system without removing or overwriting the old SNMP config?

Hello Hektor

Absolutely, that’s why we’re here, so fire away!

Yes, this is correct. With SNMPv2 you would use the command:

Router(config)#snmp-server host <server-ip-address> version 2c <community-name>

Where in version 3 you create an snmp-server group and configure a user account which in turn is used by the SNMP monitor to connect and interact with the device. Such a configuration would be similar to what is shown in the lesson:

R1(config)#snmp-server group MYGROUP v3 priv
R1(config)#snmp-server user MYUSER MYGROUP v3 auth md5 MYPASS123 priv aes 128 MYKEY123 

You would then have the SNMP monitor log in and retrieve SNMP data.

Yes, this is possible, and it is a great migration strategy from v2 to v3. You can have SNMPv2 configs which function just fine with one SNMP monitor, and you can configure SNMPv3 configurations that can function with another (or even the same) SNMP monitor. It’s a good idea however to use this only as a temporary solution for migrations as SNMPv3 is much more secure.

I hope this has been helpful!

Laz


There is a nice answer from Mr. Odom



Hi NetworkLessons Team,

Thanks for the great tutorial!

I just wanted to know if there is a list of SNMP traps somewhere which can be used on a Cisco device, as I do not want to enable all of them.

Thanks!

Hello Andrew

You can enable traps to be sent based on various commands. The general command to enable all traps is snmp-server enable traps. However, there are many options to this command. For example:

snmp-server enable traps [notification-type]

where notification-type can be one of many notifications to enable. A whole series of these can be found at the following Cisco command reference:

Other than the notification-type options, there are dozens of additional options you could use to narrow down the type of traps you want to send. All of these can be found in the link above.

I hope this has been helpful!

Laz


Hi Laz,

Thank you very much for this!

Kindest Regards,

Andrew


Something I may have missed but didn't see was SNMPv3 informs. SNMP traps do not get acknowledged; they just inform of an event.

SNMPv3 informs however are acknowledged so you can expect a reply.

Another generic form, not sure if this one is Cisco, but it was plainly written.

http://www.net-snmp.org/tutorial/tutorial-5/commands/snmptrap-v3.html

Hello Brian

The inform message is not something new to SNMPv3. It is also available in SNMPv1 and SNMPv2. It can be enabled by using the snmp-server host inform command.

In the documentation you sent, it seems that Cisco has a typo. It says on page 4:

The following configuration example shows how to configure the SNMP Inform Request feature for SNMPv1 or SNMPv2:

But it has no configuration below that statement, and it goes on to show how traps can be configured.

I did see in Rene’s lesson on Introduction to SNMP, he states that SNMPv3 uses inform messages to resolve the problem of acknowledging SNMP messages. However, it is available in v1 and v2.

You may also find this post helpful:

I hope this has been helpful!

Laz


Thank you very much for this course, I finally understand how SNMP works. My question is: if we have to monitor a multitude of equipment, will I have to configure each client individually? For example, I want to monitor a PC; how should I configure it as you did on the router? Is this a client application that I have to use?

Hello Berthol

If you want to monitor a device using SNMP, whether that device is a router, switch, PC, IP camera, IP phone, or printer, you must enable SNMP on that device. How you would do this depends upon the vendor of the device. For example, this Microsoft document describes how you can enable SNMP on a Windows 2003 Server to send SNMP information and to configure several other parameters.

In most cases, vendors will have SNMP disabled by default for security purposes.

I hope this has been helpful!

Laz

I tried to create SNMP on an NX-OS 9000, is it right? I get no response from the router.

hostname R1
!
username MYUSER  password  password1 role MYGROUP 
snmp-server group MYGROUP v3 priv
snmp-server user MYUSER MYGROUP v3 auth md5 MYPASS123 priv aes 128 MYKEY12
!
end

Do I need the first command at all?

Hello!

I would like to verify whether my understanding of the SNMPv3 Security Model is correct.

NoAuthNoPriv - this basically relies on the username only, correct? The username is basically like the community string in v1 and v2c and is sent in clear text.

AuthNoPriv - this requires a username/password combination in which the user will be authenticated using MD5 or SHA instead of sending the password in clear text.

AuthPriv - this requires a username/password combination in which the user will be authenticated using MD5 or SHA and the entire SNMP packet will also be encrypted?

I was thinking, if AuthNoPriv already conceals the password by hashing it, is using AuthPriv even necessary at such a point?

And one more question. When configuring priv (encryption), the command also requires a key after specifying the encryption algorithm. This key is basically used to encrypt the message and also decrypt it back, assuming that both sides have an identical one, correct?

Thank you!

David

Hello Thao

Take a look at this post which is a response to a similar question you asked:

I hope this has been helpful!

Laz
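David's questions above (what authNoPriv puts on the wire, whether authPriv is still needed, and whether the priv key is a shared symmetric key) are answered by the SNMPv3 User-based Security Model in RFC 3414. The block below is an added example, not code from the thread or from Cisco. It implements the RFC's password-to-key derivation, localizes the key to an agent's engine ID, and authenticates a message with the truncated HMAC that authNoPriv and authPriv both use, so you can see that the password itself never appears in the message. The key values are the RFC 3414 Appendix A test vectors; the sample "message" and the MYUSER name are constructed stand-ins, not real BER-encoded SNMP.

```python
"""SNMPv3 USM key derivation and message authentication (RFC 3414).

Added example, not from the original thread. It shows what authNoPriv and
authPriv actually put on the wire: never the password, only a 12-byte HMAC
computed with a key derived from the password and localized to the agent's
engine ID. The priv key is derived the same way from the priv password.
Key test vectors are from RFC 3414 Appendix A.3; the message is constructed.
"""
import hashlib
import hmac

AUTH_PARAMS_LEN = 12          # HMAC-MD5-96 / HMAC-SHA-96 truncate to 96 bits
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3
RFC_PASSWORD = b"maplesyrup"                                # RFC 3414 A.3


def password_to_key(password: bytes, algorithm: str) -> bytes:
    """Ku = H(password repeated to exactly 1,048,576 bytes)  (RFC 3414 A.2)."""
    h = hashlib.new(algorithm)
    reps, rem = divmod(1048576, len(password))
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): one password, a different key per agent."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def usm_key(password: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Localized key as both manager and agent compute it; used for auth,
    and with the priv password, for the symmetric priv key too."""
    return localize_key(password_to_key(password, algorithm), engine_id, algorithm)


def _zero_auth_field(msg: bytes, offset: int) -> bytes:
    return msg[:offset] + b"\x00" * AUTH_PARAMS_LEN + msg[offset + AUTH_PARAMS_LEN:]


def authenticate(kul: bytes, msg: bytes, offset: int, algorithm: str) -> bytes:
    """Sender (RFC 3414 6.3.1): HMAC over the whole message with the
    msgAuthenticationParameters field zeroed, truncated to 12 bytes and
    written back into that field."""
    mac = hmac.new(kul, _zero_auth_field(msg, offset), algorithm).digest()[:AUTH_PARAMS_LEN]
    return msg[:offset] + mac + msg[offset + AUTH_PARAMS_LEN:]


def verify(kul: bytes, msg: bytes, offset: int, algorithm: str) -> bool:
    """Receiver (RFC 3414 6.3.2): recompute and compare in constant time."""
    received = msg[offset:offset + AUTH_PARAMS_LEN]
    expected = hmac.new(kul, _zero_auth_field(msg, offset), algorithm).digest()[:AUTH_PARAMS_LEN]
    return hmac.compare_digest(received, expected)


# Constructed stand-in for a serialized SNMPv3 message: a header, the
# 12-byte authParams field (zeroed before signing), then the PDU.
MSG_PREFIX = b"snmpv3-hdr:MYUSER:"
SAMPLE_MSG = MSG_PREFIX + b"\x00" * AUTH_PARAMS_LEN + b":get-request sysName.0"
AUTH_OFFSET = len(MSG_PREFIX)


def demo(algorithm: str = "md5") -> dict:
    """Derive keys, sign the sample message, and show what fails to verify."""
    kul = usm_key(RFC_PASSWORD, RFC_ENGINE_ID, algorithm)
    # Same password, different agent: a different localized key.
    other_agent = usm_key(RFC_PASSWORD, bytes.fromhex("000000000000000000000003"), algorithm)
    signed = authenticate(kul, SAMPLE_MSG, AUTH_OFFSET, algorithm)
    tampered = signed[:-1] + b"X"
    return {
        "kul": kul.hex(),
        "password_on_wire": RFC_PASSWORD in signed,
        "valid": verify(kul, signed, AUTH_OFFSET, algorithm),
        "tampered_valid": verify(kul, tampered, AUTH_OFFSET, algorithm),
        "other_engine_valid": verify(other_agent, signed, AUTH_OFFSET, algorithm),
    }


if __name__ == "__main__":
    for alg in ("md5", "sha1"):
        print(alg, demo(alg))
```

Two practical points follow from this. First, authNoPriv protects the credential and the integrity of each message, but the OIDs and values in the PDU are still readable by anyone on the path, which is what priv adds; the priv key is derived by the same routine from the priv password and is the same symmetric key on both sides. Second, because the key is localized with the agent's engine ID, changing a router's local engine ID (snmp-server engineID local) invalidates the users already configured on it, and they have to be re-entered.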