SNMP (Simple Network Management Protocol) is used to provide management capability for TCP/IP based networks. There are three versions (v1, v2, v3) & only version 3 added security capability to the protocol. If you are using SNMP to manage & configure your network devices, it is better to use SNMPv3, which provides authentication & encryption. You can read RFC 3411 (An Architecture for Describing SNMP Management Frameworks) if you are interested in more details about this protocol.
There are three levels of security you can apply to SNMPv3 messages:
noAuthNoPriv – without authentication and without privacy,
authNoPriv – with authentication but without privacy,
authPriv – with authentication and with privacy.
In this post we will see how to configure SNMPv3 on a Cisco IOS device (5760, 3850, Autonomous AP) & a Cisco WLC (5508) in order to manage them via Prime Infrastructure as the Network Management System (NMS).
On any IOS device it is a simple two-step process:
1. Configure a SNMP group
2. Configure a SNMP user
Let’s configure this on a 3850 switch. First we will create an SNMP group (called SNMP-GRP) with the “authPriv” security level. If you want, you can associate an ACL to restrict which NMS hosts can use this group, but in this example I have left that out to keep it simpler.
3850-3(config)#snmp-server ?
accounting SNMP Accounting parameters
cache Enable SNMP cache
chassis-id String to uniquely identify this chassis
community Enable SNMP; set community string and access privs
contact Text for mib object sysContact
context Create/Delete a context apart from default
drop Silently drop SNMP packets
enable Enable SNMP Traps
engineID Configure a local or remote SNMPv3 engineID
file-transfer File transfer related commands
group Define a User Security Model group
host Specify hosts to receive SNMP notifications
ifindex Enable ifindex persistence
inform Configure SNMP Informs options
ip IP ToS configuration for SNMP traffic
location Text for mib object sysLocation
manager Modify SNMP manager parameters
packetsize Largest SNMP packet size
password-policy SNMP v3 users password policy
queue-length Message queue length for each TRAP host
source-interface Assign an source interface
spi Configs for SNMP communication using SPI
sysobjectid sysObjectID
system-shutdown Enable use of the SNMP reload command
tftp-server-list Limit TFTP servers used via SNMP
trap SNMP trap options
trap-source Assign an interface for the source address of all traps
trap-timeout Set timeout for TRAP message retransmissions
user Define a user who can access the SNMP engine
view Define an SNMPv3 MIB view
3850-3(config)#snmp-server group ?
WORD Name of the group
3850-3(config)#snmp-server group SNMP-GRP ?
v1 group using the v1 security model
v2c group using the v2c security model
v3 group using the User Security Model (SNMPv3)
3850-3(config)#snmp-server group SNMP-GRP v3 ?
auth group using the authNoPriv Security Level
noauth group using the noAuthNoPriv Security Level
priv group using SNMPv3 authPriv security level
3850-3(config)#snmp-server group SNMP-GRP v3 priv ?
access specify an access-list associated with this group
context specify a context to associate these views for the group
match context name match criteria
notify specify a notify view for the group
read specify a read view for the group
write specify a write view for the group
<cr>
3850-3(config)#snmp-server group SNMP-GRP v3 priv
Now let’s define an SNMP user for this group with the required authentication & encryption parameters. As you can see below, the 3850 supports 128, 192 and 256 bit AES encryption & you can choose any of them. I have chosen 128 bit as that is what Prime Infrastructure supports. I have used “HMAC-SHA” over “HMAC-MD5” since it is more secure.
3850-3(config)#snmp-server user ?
WORD Name of the user
3850-3(config)#snmp-server user prime2 ?
WORD Group to which the user belongs
3850-3(config)#snmp-server user prime2 SNMP-GRP ?
remote Specify a remote SNMP entity to which the user belongs
v1 user using the v1 security model
v2c user using the v2c security model
v3 user using the v3 security model
3850-3(config)#snmp-server user prime2 SNMP-GRP v3 ?
access specify an access-list associated with this group
auth authentication parameters for the user
encrypted specifying passwords as MD5 or SHA digests
<cr>
3850-3(config)#snmp-server user prime2 SNMP-GRP v3 au
3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth ?
md5 Use HMAC MD5 algorithm for authentication
sha Use HMAC SHA algorithm for authentication
3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sh
3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sha ?
WORD authentication pasword for user
3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> ?
access specify an access-list associated with this group
priv encryption parameters for the user
<cr>
3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv ?
3des Use 168 bit 3DES algorithm for encryption
aes Use AES algorithm for encryption
des Use 56 bit DES algorithm for encryption
3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv aes ?
128 Use 128 bit AES algorithm for encryption
192 Use 192 bit AES algorithm for encryption
256 Use 256 bit AES algorithm for encryption
3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv aes 128 ?
WORD privacy pasword for user
3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv aes 128 <PRIVACY_PASSWORD> ?
access specify an access-list associated with this group
<cr>
3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv aes 128 <PRIVACY_PASSWORD>
Now if you go to Prime Infrastructure (PI), you can add this switch with the configured SNMPv3 details. To fully manage the switch, PI needs to access it via the CLI (SSH/Telnet), so it is better to configure CLI credentials as well for that purpose (prefer SSH, since Telnet sends those credentials in cleartext).
Note that when you add a 3850/3650 switch to Prime it is automatically treated as a WLC as well (since those switches have an integrated WLC). So the same 3850 appears under both the Controllers & Switches sections.
Let’s configure this on a 5760 controller. Since it is an IOS device, you simply add the same two lines.
5760-1(config)#snmp-server group SNMP-GRP v3 priv
5760-1(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv aes 128 <PRIVACY_PASSWORD>
You can verify your configuration using the “show snmp group” & “show snmp user” outputs as shown below.
5760-1#show snmp group
groupname: SNMP-GRP security model:v3 priv
contextname: <no context specified> storage-type: nonvolatile
readview : v1default writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active
5760-1#show snmp user
User name: prime2
Engine ID: 80000009030044ADD9039D00
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: SNMP-GRP
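The “show snmp user” output above prints the device’s Engine ID next to the user, and that value matters more than it looks: a USM device never stores the auth or privacy password itself. It expands the password into a key (Ku) and then localises that key to its own snmpEngineID (Kul), following RFC 3414 Appendix A, so the same prime2/password pair configured on the 3850, the 5760 and the APs produces a different key on every box. The script below is an added example written for this post, not code from the post or from Cisco; it implements that derivation with hashlib, checks itself against the RFC 3414 “maplesyrup” test vector, and uses the 5760’s Engine ID from the output above with a constructed stand-in for <AUTH_PASSWORD>. IOS “auth sha” is HMAC-SHA-96 over SHA-1, which is why the SHA-1 variant is the default here.

```python
import hashlib

# RFC 3414 Appendix A test vector (password and engine ID from the RFC, not the post)
RFC3414_PASSWORD = "maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# Engine ID exactly as "show snmp user" printed it on the 5760 in the post
POST_ENGINE_ID = bytes.fromhex("80000009030044ADD9039D00")


def password_to_key(password: str, algorithm: str = "sha1") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated until 1,048,576 bytes are filled).

    The 1 MiB expansion is a deliberate work factor: every password guess costs
    one hash over a megabyte of input, not one hash over a short string.
    """
    pw = password.encode("utf-8")
    reps, rem = divmod(1048576, len(pw))
    return hashlib.new(algorithm, pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "sha1") -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku).

    Localisation binds the key to one SNMP engine, so a key recovered from one
    device does not authenticate to any other device sharing the same password.
    """
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, algorithm: str = "sha1") -> bytes:
    """Convenience wrapper: password -> Ku -> Kul for the given engine."""
    return localize_key(password_to_key(password, algorithm), engine_id, algorithm)


if __name__ == "__main__":
    # Sanity check against the RFC's published SHA-1 localized key.
    assert localized_key(RFC3414_PASSWORD, RFC3414_ENGINE_ID, "sha1").hex() == \
        "6695febc9288e36282235fc7151f128497b38f3f"

    # Constructed password standing in for <AUTH_PASSWORD>; never paste a real one here.
    demo_password = "example-auth-pass-only"
    k_5760 = localized_key(demo_password, POST_ENGINE_ID)
    # A second, made-up engine ID to show the effect of localisation.
    k_other = localized_key(demo_password, bytes.fromhex("800000090300AABBCCDDEEFF"))
    print("Kul on the 5760 engine :", k_5760.hex())
    print("Kul on another engine  :", k_other.hex())
    print("same password, same key?", k_5760 == k_other)
```

For “priv aes 128” the device takes the first 16 bytes of the SHA-1 localized privacy key as the AES key (RFC 3826), so the same function covers both passwords. The practical consequences are the ones a defender cares about: the Engine ID is not secret, but it means a leaked localized key is only useful against the one device it was taken from, and the 1 MiB expansion is the only thing slowing down offline guessing of a short password, so choose long auth and priv passwords.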
Let’s see the same configuration on an Autonomous Access Point (again an IOS device). There is no difference; only those two lines are required. But depending on the AP hardware & the IOS version running on the AP, not all of these encryption algorithms may be supported. For example, a 1252 on 15.2 supports AES encryption, whereas a 1131 running 12.4 only supports DES for SNMP encryption.
AAP1(config)#do sh ver | in IOS
Cisco IOS Software, C1250 Software (C1250-K9W7-M), Version 15.2(2)JA1, RELEASE SOFTWARE (fc1)
AAP1(config)#snmp-server group SNMP-GRP v3 priv
AAP1(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv aes 128 <PRIVACY_PASSWORD>
AAP2#sh ver | in IOS
Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.4(21a)JY, RELEASE SOFTWARE (fc1)
AAP2(config)#snmp-server group SNMP-GRP v3 priv
AAP2(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv ?
des56 Use 56 bit DES algorithm for encryption
AAP2(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv des56 <PRIVACY_PASSWORD>
Now let’s see how we can configure SNMPv3 on a 5508 (running AireOS). Since it is not IOS, the command syntax is different, but again it is one simple config line. I have not shown the GUI method here, but if you are more comfortable with that you can do it that way too.
(5508-1) >config snmp v3user create ?
<username> Enter user name for a v3 user.
(5508-1) >config snmp v3user create prime2 ?
ro Read-only mode.
rw Read-write mode.
(5508-1) >config snmp v3user create prime2 rw ?
none Disable authentication protocol for a SNMP v3 user.
hmacmd5 Set the SNMP v3 user authentication type to HMACMD5.
hmacsha Set the SNMP v3 user authentication type to HMACSHA.
(5508-1) >config snmp v3user create prime2 rw hmacsha ?
none Disables encryption type for SNMP v3 user.
aescfb128 Set the SNMP v3 user encryption type to AES.
des Set the SNMP v3 user encryption type to DES.
(5508-1) >config snmp v3user create prime2 rw hmacsha aescfb128 ?
<authkey> Enter authentication key for authtype hmacmd5/hmacsha for a v3 user.
(5508-1) >config snmp v3user create prime2 rw hmacsha aescfb128 <AUTH_PASSWORD> ?
<encrypkey> Enter encryption key for for des encryption for a v3 user.
(5508-1) >config snmp v3user create prime2 rw hmacsha aescfb128 <AUTH_PASSWORD> <PRIVACY_PASSWORD>
You can verify with the “show snmpversion” & “show snmpv3user” CLI commands. There is a default SNMPv3 user called “default” & you can delete it using “config snmp v3user delete default” if needed. In the output below I have deleted that user. Note that the same output shows SNMP v2c still enabled on this controller; v2c is protected only by community strings, so once every NMS talks v3 it can be turned off with “config snmp version v2c disable”.
(5508-1) >show snmpversion
SNMP v1 Mode.................................... Disable
SNMP v2c Mode.................................... Enable
SNMP v3 Mode.................................... Enable
(5508-1) >show snmpv3user
SNMP v3 User Name AccessMode Authentication Encryption
-------------------- ----------- -------------- ----------
prime2 Read/Write HMAC-SHA CFB-AES
In this way you can make sure Prime Infrastructure communicates with your managed devices in a secure fashion (SNMPv3). Here is a sample PI dashboard showing these managed devices.
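Once a few dozen switches, controllers and APs carry this config, the thing worth checking periodically is whether any of them drifted back to MD5, DES, no privacy, or still answer v1/v2c. The script below is an added example written for this post (not the post’s own code and not a Cisco tool) that parses the two verification outputs shown above, the IOS “show snmp user” text and the AireOS “show snmpversion”/“show snmpv3user” text, and lists every weak setting. The sample outputs are constructed: they reproduce the post’s prime2 entries and add a made-up “legacy” user so the check has something to flag; a 1131 AP configured with des56 as shown earlier would be reported the same way.

```python
import re

# Constructed sample outputs: prime2 lines copied from the post, "legacy" user added
# so the audit has a weak entry to report.
IOS_SHOW_SNMP_USER = """\
User name: prime2
Engine ID: 80000009030044ADD9039D00
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: SNMP-GRP

User name: legacy
Engine ID: 80000009030044ADD9039D00
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: SNMP-GRP
"""

AIREOS_SHOW_SNMPVERSION = """\
SNMP v1 Mode.................................... Disable
SNMP v2c Mode.................................... Enable
SNMP v3 Mode.................................... Enable
"""

AIREOS_SHOW_SNMPV3USER = """\
SNMP v3 User Name AccessMode Authentication Encryption
-------------------- ----------- -------------- ----------
prime2 Read/Write HMAC-SHA CFB-AES
legacy Read/Write HMAC-MD5 None
"""

# Algorithms that should not appear on a managed device any more.
WEAK_AUTH = {"MD5", "HMAC-MD5", "NONE"}
WEAK_PRIV = {"DES", "DES56", "3DES", "NONE"}


def parse_ios_users(text):
    """Turn 'show snmp user' blocks into dicts with name/auth/priv (upper-cased)."""
    users, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(User name|Authentication Protocol|Privacy Protocol)\s*:\s*(\S+)", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "User name":
            current = {"name": value}
            users.append(current)
        elif current is not None and key == "Authentication Protocol":
            current["auth"] = value.upper()
        elif current is not None:
            current["priv"] = value.upper()
    return users


def parse_aireos_users(text):
    """Parse the four-column 'show snmpv3user' table, skipping header and rule lines."""
    users = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0].startswith("-"):
            continue
        name, mode, auth, enc = parts
        users.append({"name": name, "mode": mode, "auth": auth.upper(), "priv": enc.upper()})
    return users


def parse_aireos_versions(text):
    """Map v1/v2c/v3 to True/False from 'show snmpversion'."""
    enabled = {}
    for line in text.splitlines():
        m = re.match(r"SNMP (v1|v2c|v3) Mode\.*\s*(Enable|Disable)", line)
        if m:
            enabled[m.group(1)] = m.group(2) == "Enable"
    return enabled


def audit_users(users):
    """One finding per weak auth or priv setting, in user order."""
    findings = []
    for u in users:
        auth, priv = u.get("auth", "NONE"), u.get("priv", "NONE")
        if auth in WEAK_AUTH:
            findings.append(f"{u['name']}: weak or no authentication ({auth})")
        if priv in WEAK_PRIV:
            findings.append(f"{u['name']}: weak or no privacy ({priv})")
    return findings


def audit_versions(enabled):
    """Flag legacy versions that rely on plaintext community strings."""
    return [f"SNMP {v} still enabled (community string only, no authentication)"
            for v in ("v1", "v2c") if enabled.get(v)]


if __name__ == "__main__":
    for f in audit_users(parse_ios_users(IOS_SHOW_SNMP_USER)):
        print("5760:", f)
    for f in audit_versions(parse_aireos_versions(AIREOS_SHOW_SNMPVERSION)):
        print("5508:", f)
    for f in audit_users(parse_aireos_users(AIREOS_SHOW_SNMPV3USER)):
        print("5508:", f)
```

Feed it real output collected over SSH and it gives you the short list of devices to fix; on the post’s own 5508 the only finding would be that v2c is still enabled.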
Here is a quick reference link from Cisco if you want to configure & verify SNMPv3 on Cisco devices.