NMIS supports SNMPv3 for securing the collection of sensitive network information. This is especially important for core switches and routers, which if compromised could have a considerable business impact. This configuration note does not include details about the SNMPv3 protocol, and assumes that you want to use the authPriv (authentication and privacy) mode, which is the most secure.
Configuring Cisco IOS for SNMPv3
The first step is to enable SNMPv3 on your router or switch. The commands for Cisco IOS are below; for other Cisco operating systems or other vendors the concepts are the same and the commands will likely be similar. The most important thing is that the device supports SNMPv3, and it will need encryption features if you want to use full auth/priv mode.
Required Cisco IOS Configuration for SNMPv3 communication to NMIS8
The following three lines of Cisco IOS commands are required to enable SNMPv3 on the Cisco IOS device. The configured user will not show up in the running configuration when you run a show run; configured users can be viewed by running the command "show snmp user".
```
snmp-server view NMIS8RO iso included
snmp-server group NMIS8 v3 priv match exact read NMIS8RO
snmp-server user nmis8 NMIS8 v3 auth md5 nmis4242 priv des nmis4242
```
...
The commands above will create a user called nmis8, with an authentication password of nmis4242 and a privacy password of nmis4242.
View the configured SNMP users
```
asgard# show snmp user
User name: nmis8
Engine ID: 800000090300001E13B18D00
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: NMIS8
```
Testing your SNMPv3 Configuration with NET-SNMP
To verify that SNMPv3 is working as configured, run the following command. Change the hostname (asgard here), username and passwords if you have used different ones.

```
snmpwalk -v 3 -l authPriv -u nmis8 -a md5 -A nmis4242 -x DES -X nmis4242 asgard .1.3.6.1.2.1.1
```
...
Configuring NMIS8 for SNMPv3
...
You will need to modify the NMIS8 configuration to use SNMPv3. The user name, protocols and passwords need to match the above IOS configuration.
```
'version' => 'snmpv3',
'authkey' => '',
'username' => 'nmis8',
'authpassword' => 'nmis4242',
'authprotocol' => 'md5',
'privpassword' => 'nmis4242',
'privprotocol' => 'des',
```
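The requirement that both sides match can be checked before a collect run. The Python check below is an added example, not part of NMIS or of the original page; `check_snmpv3` and its messages are hypothetical names, and it assumes the IOS commands use exactly the syntax shown above. Because IOS hides the `snmp-server user` line from the running configuration, feed it the commands you entered rather than `show run` output.

```python
import re

# Constructed sample input: the IOS commands and NMIS node fields shown on this page.
IOS_COMMANDS = """\
snmp-server view NMIS8RO iso included
snmp-server group NMIS8 v3 priv match exact read NMIS8RO
snmp-server user nmis8 NMIS8 v3 auth md5 nmis4242 priv des nmis4242
"""
NMIS_NODE = {
    "version": "snmpv3", "authkey": "", "username": "nmis8",
    "authpassword": "nmis4242", "authprotocol": "md5",
    "privpassword": "nmis4242", "privprotocol": "des",
}

GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b", re.M)
USER_RE = re.compile(
    r"^snmp-server user (?P<user>\S+) (?P<group>\S+) v3"
    r"(?: auth (?P<auth_proto>\S+) (?P<auth_pass>\S+))?"
    r"(?: priv (?P<priv_proto>\S+) (?P<priv_pass>\S+))?", re.M)

def check_snmpv3(ios_commands, node):
    """Return a list of problems; an empty list means both sides agree on authPriv."""
    problems = []
    groups = dict(GROUP_RE.findall(ios_commands))  # group name -> security level
    users = {m["user"]: m.groupdict() for m in USER_RE.finditer(ios_commands)}
    if node.get("version") != "snmpv3":
        problems.append("NMIS version is not snmpv3")
    user = users.get(node.get("username"))
    if user is None:
        return problems + ["NMIS username is not defined on the device"]
    if groups.get(user["group"]) != "priv":
        problems.append(f"group {user['group']} does not require priv")
    for kind in ("auth", "priv"):
        proto, secret = user[f"{kind}_proto"], user[f"{kind}_pass"]
        if proto is None:
            problems.append(f"device user has no {kind} settings")
            continue
        if proto.lower() != str(node.get(f"{kind}protocol", "")).lower():
            problems.append(f"{kind}protocol differs")
        if secret != node.get(f"{kind}password"):
            problems.append(f"{kind}password differs")  # the secret itself is never printed
    return problems

if __name__ == "__main__":
    for line in check_snmpv3(IOS_COMMANDS, NMIS_NODE) or ["OK: settings match"]:
        print(line)
```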
Test SNMPv3 communication to the device
```
/usr/local/nmis8/bin/nmis.pl type=collect node=asgard debug=true
```
In the command output, verify that data was collected from the device: any update to an RRD shows that data was collected and is being stored.
```
--snip--
11:19:02 updateRRD, DS MemoryUsedPROC:MemoryFreePROC:avgBusy5:avgBusy1:bufferFail:bufferElHit:MemoryFreeIO:bufferElFree:MemoryUsedIO
11:19:02 updateRRD, value N:19299276:27249732:3:2:0:810903:30345952:1118:4257056
--snip--
```
...
Ensure NMIS has the necessary encryption modules installed; it may be missing Crypt::DES. If so, install it (for example, at the CPAN shell prompt):

```
install Crypt::DES
```
...
Details about Cisco IOS SNMPv3
More details about Cisco IOS SNMPv3 can be found at http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/Snmp3.html