Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

NMIS supports using SNMPv3 for securing the collection of sensivite network information.  This is especially important from core switches and routers which if compromised could have a considerable business impact.  This configuration note does not include details about the SNMPv3 protocol, and assumes that people are wanting to use the authPriv (Authentication and Privilege) mode which is the most secure.

Table of Contents

IMPORTANT NOTE ON 256 BIT ENCRYPTION PROTOCOL SUPPORT

Regarding SNMPv3 protocol support, different vendors and even different products support different combinations of authentication and privilege protocols.  The above example is for an older Cisco router, newer devices support SHA256 and AES256, the combinations will depend on your device.

Configuring Cisco IOS for SNMPv3

The first step is to enable SNMPv3 on your router or switch.  If using Cisco IOS, the commands are below, if using other Cisco operating systems or other vendors, the concepts are the same and the commands will likely be similar.  The most important thing is that the device will support SNMPv3, it will require encryption features if you want to use full auth/priv mode.

Required Cisco IOS Configuration for SNMPv3 communication to NMIS

The following three lines of Cisco IOS commands are required to enable SNMPv3 on the Cisco IOS device.  When running a show run, the configured user will not show up in the running configuration, the configured users can be viewed by running the command "show snmp user".

Code Block
themeEmacs
snmp-server view NMIS8RO iso included
snmp-server group NMIS8 v3 priv match exact read NMIS8RO 
snmp-server user nmis8 NMIS8 v3 auth md5 nmis4242 priv des nmis4242 

The commands above will create a user called nmis8, with an authorisation password of nmis4242 and a privilege password of nmis4242

View the configured SNMP users

Code Block
themeEmacs
asgard# show snmp user 
User name: nmis8
Engine ID: 800000090300001E13B18D00
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: NMIS8

Details about Cisco IOS SNMPv3

More details about Cisco IOS SNMPv3 can be found at http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/Snmp3.html

Configuring Linux SNMP Daemon (Net-SNMP SNMPD) for SNMPv3

The first step is to enable SNMPv3 on in the /etc/snmp/snmpd.conf file, then restart the daemon.

Required Linux SNMPD Configuration for SNMPv3 communication to NMIS8

Add the following configuration to the top, edit the /etc/snmp/snmpd.conf file as the root user, e.g.

Code Block
sudo vi /etc/snmp/snmpd.conf

Add the following configuration replacing the username and passwords is you require.

Code Block
themeEmacs
createUser nmis SHA banana4242 AES monkey4242
rouser nmis priv 1.3.6.1

The commands above will create a user called nmis, with an authorisation password of banana4242 and a privilege password of monkey4242

The view of 1.3.6.1, will permit access to the Standard MIB and the Enterprise MIB, essentially providing full access.

Restart the SNMP Daemon

Code Block
themeEmacs
sudo service snmpd restart

Testing your SNMPv3 Configuration with NET-SNMP

To verify that SNMPv3 is working as configured run the following command.  Change the username and passwords if you have used different ones.

Code Block
themeEmacs
snmpwalk -v 3 -l authPriv -u nmis -a sha -A banana4242 -x aes -X monkey4242 <HOSTNAME> .1.3.6.1.2.1.1

Configuring NMIS9 for SNMPv3

Prerequisites

To use SNMP version 3 NMIS requires two perl modules that are not normally or automatically installed, Crypt::DES and Digest::HMAC.
From version 8.5.14 onwards the installer will try to install these modules; until then you'll have to resolve this dependency by hand:

  • on Debian or Ubuntu use: sudo apt-get install libcrypt-des-perl libdigest-hmac-perl
  • on RedHat/CentOS use: sudo yum install perl-Digest-HMAC perl-Crypt-DES
  • or, if neither option appeals you may also use CPAN: sudo  cpan Crypt::DES Digest::HMAC.

Change Nodes.nmis Configuration

You can edit a Node using the NMIS GUI to include support for SNMPv3, as described in Adding and Editing a Device in NMIS8 (same works in NMIS9).

For NMIS 9 it can be done using the GUI or the node admin tool.

You will need to modify the node configuration to use SNMPv3, the user name, protocols and passwords need to match the above IOS or Linux configuration.

Code Block
themeEmacs
/usr/local/nmis9/admin/node_admin.pl act=set node=<YOURNODENAME> \
entry.configuration.authpassword=banana4242 \
entry.configuration.authprotocol=sha \
entry.configuration.privpassword=monkey4242 \
entry.configuration.privprotocol=aes \
entry.configuration.username=nmis \
entry.configuration.version=snmpv3

Test NMIS SNMPv3 communication to the device

Ensure NMIS has the necessary encryption modules installed, it may be missing Crypt::DES, you will only need to do this if you see an error message below

Code Block
themeEmacs
cpan
install Crypt::DES

Run a test NMIS collect to the device using SNMPv3

Code Block
themeEmacs
/usr/local/nmis8/bin/nmis.pl type=collect node=asgard debug=true

For nmis9, it can be done: 

Code Block
themeEmacs
/usr/local/nmis9/bin/nmis-cli type=schedule job.type=collect job.node=asgard job.verbosity=7

In nmis9, the credentials can be also tested with an admin tool:

Code Block
/usr/local/nmis9/bin/admin/test.pl act=snmp node=NODENAME

An example output:

Code Block
*** Testing snmp with snmpget snmpv2c
 Running...     snmpget -v 2c -c **** host.opmantek.net 1.3.6.1.2.1.1.1.0 
 Result: iso.3.6.1.2.1.1.1.0 = STRING: "Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(25f), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 16-Aug-11 06:21 by prod_rel_team"



*** Testing snmp with internal NMIS API 
 SNMP session open to HOST success 

    Result: Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(25f), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 16-Aug-11 06:21 by prod_rel_team

** Model: CiscoRouter


In the command output you are looking to verify that data was collected from the device, so any updates to an RRD will show that data was collected and is being stored.

Code Block
themeEmacs
--snip--
11:19:02 updateRRD, DS MemoryUsedPROC:MemoryFreePROC:avgBusy5:avgBusy1:bufferFail:bufferElHit:MemoryFreeIO:bufferElFree:MemoryUsedIO
11:19:02 updateRRD, value N:19299276:27249732:3:2:0:810903:30345952:1118:4257056
--snip-- 

You should now be using SNMPv3 to communicate with this device from NMIS8.

Related Topics

NMIS supports using SNMPv3 for securing the collection of sensivite network information.  This is especially important from core switches and routers which if compromised could have a considerable business impact.  This configuration note does not include details about the SNMPv3 protocol, and assumes that people are wanting to use the authPriv (Authentication and Privilege) mode which is the most secure.

Table of Contents

Configuring Cisco IOS for SNMPv3

The first step is to enable SNMPv3 on your router or switch.  If using Cisco IOS, the commands are below, if using other Cisco operating systems or other vendors, the concepts are the same and the commands will likely be similar.  The most important thing is that the device will support SNMPv3, it will require encryption features if you want to use full auth/priv mode.

...

The commands above will create a user called nmis8, with an authorisation password of nmis4242 and a privilege password of nmis4242

View the configured SNMP users

Code Block
themeEmacs
asgard# show snmp user 
User name: nmis8
Engine ID: 800000090300001E13B18D00
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: NMIS8

Configuring Linux SNMP Daemon (Net-SNMP SNMPD) for SNMPv3

The first step is to enable SNMPv3 on in the /etc/snmp/snmpd.conf file, then restart the daemon.

Required Linux SNMPD Configuration for SNMPv3 communication to NMIS8

Add the following configuration to the top, edit the /etc/snmp/snmpd.conf file as the root user, e.g.

...

The view of 1.3.6.1, will permit access to the Standard MIB and the Enterprise MIB, essentially providing full access.

Restart the SNMP Daemon

Code Block
themeEmacs
sudo service snmpd restart

Testing your SNMPv3 Configuration with NET-SNMP

To verify that SNMPv3 is working as configured run the following command.  Change the username and passwords if you have used different ones.

...

Configuring NMIS8 for SNMPv3

Prerequisites

To use SNMP version 3 NMIS requires two perl modules that are not normally or automatically installed, Crypt::DES and Digest::HMAC.
From version 8.5.14 onwards the installer will try to install these modules; until then you'll have to resolve this dependency by hand:

  • on Debian or Ubuntu use: sudo apt-get install libcrypt-des-perl libdigest-hmac-perl
  • on RedHat/CentOS use: sudo yum install perl-Digest-HMAC perl-Crypt-DES
  • or, if neither option appeals you may also use CPAN: sudo  cpan Crypt::DES Digest::HMAC.

Change Nodes.nmis Configuration

You can edit a Node using the NMIS GUI to include support for SNMPv3, as described in Adding and Editing a Device in NMIS8, you can also edit the Nodes.nmis file to set the details.

...

You should now be using SNMPv3 to communicate with this device from NMIS8.

Details about Cisco IOS SNMPv3

More details about Cisco IOS SNMPv3 can be found at http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/Snmp3.html

Related Topics