
Cisco: SNMPv3

Blueprint

  • CCIE R&S
    • Written v5.1
      • 5.0 Infrastructure Security
        • 5.1 Device security
          • 5.1.b Implement and troubleshoot device access control
            • 5.1.b [ii] SNMP
      • 6.0 Infrastructure Services
        • 6.1 System management
          • 6.1.b Implement and troubleshoot SNMP
            • 6.1.b [i] v2c, v3
    • Lab v5.0
      • 4.0 Infrastructure Security
        • 4.1 Device security
          • 4.1.b Implement and troubleshoot device access control
            • 4.1.b [ii] SNMP
      • 5.0 Infrastructure Services
        • 5.1 System management
          • 5.1.b Implement and troubleshoot SNMP
            • 5.1.b [i] v2c, v3

SNMPv3 Lab

Install Net-SNMP

root@kozue:~# sudo apt install snmp snmptrapd
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  libsensors4 libsnmp-base libsnmp30 snmpd
Suggested packages:
  lm-sensors snmp-mibs-downloader
The following NEW packages will be installed:
  libsensors4 libsnmp-base libsnmp30 snmp snmpd snmptrapd
0 upgraded, 6 newly installed, 0 to remove and 7 not upgraded.
Need to get 1,421 kB of archives.
After this operation, 5,136 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y

Base Configuration

  • SW1
configure terminal
!
vtp mode transparent
!
vlan 128
exit
!
interface Vlan 128
 ip address 10.0.128.1 255.255.255.0
exit
interface FastEthernet 1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 128
exit
!
monitor session 1 source interface Fa1/0/24
monitor session 1 destination interface Fa1/0/12 encapsulation replicate
!
end

SNMPv3 Agent Configuration without Authentication

The `noauth` group below gives anyone who can guess the user name read access to the whole `iso` subtree with no integrity or confidentiality protection, which is no better than an SNMPv2c read-only community; it is kept here only as the baseline to compare against. (The `internet` line is redundant: `iso` already contains it.)

  • SW1
configure terminal
!
snmp-server view READVIEW internet included
snmp-server view READVIEW iso included
!
snmp-server group AUTHG v3 noauth read READVIEW
snmp-server user monitor1 AUTHG v3
!
end
  • kozue(SNMP Manager)
snmpget -v 3 -n "" -u monitor1 -l noAuthNoPriv 10.0.128.1 1.3.6.1.2.1.1.1.0

Console Log

SNMPv3 Agent Configuration with Authentication

`auth md5` adds HMAC-MD5-96 integrity and origin authentication to every message, but the request and the returned values still cross the wire in clear. IOS also accepts `sha` for authentication and, with a group defined as `v3 priv`, `priv aes 128` on the user to encrypt the PDU as well.

  • SW1
configure terminal
!
snmp-server view READVIEW internet included
snmp-server view READVIEW iso included
!
snmp-server group AUTHG2 v3 auth read READVIEW
snmp-server user monitor2 AUTHG2 v3 auth md5 monpass2
!
end
  • kozue(SNMP Manager)
snmpget -v 3 -n "" -u monitor2 -a MD5 -A "monpass2" -l authNoPriv 10.0.128.1 1.3.6.1.2.1.1.1.0

Console Log
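What the mirror port from the base configuration (Fa1/0/24 copied to Fa1/0/12) would let an observer see for these two users, as an added example in Python that is not part of the original page: a minimal BER encoder builds SNMPv3 GetRequests for sysDescr.0 the way `snmpget` frames them, and `inspect_v3()` reads back only the header fields a passive capture exposes. SW1's engine ID, the 12-byte authentication parameter and the "ciphertext" of the authPriv case are constructed placeholders; no real HMAC or encryption is computed.

```python
"""Inspect an SNMPv3 message header: security level, USM user, readable PDU or not.

Added example, not code from the original page. Messages are built here with a
minimal BER encoder; SW1's engine ID and the auth/ciphertext bytes are stand-ins.
"""

def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def _ber_int(v):
    # non-negative only; a leading 0x00 keeps the sign bit clear
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

SYSDESCR_OID = bytes.fromhex("2b06010201010100")              # 1.3.6.1.2.1.1.1.0 (BER body)
AGENT_ENGINE_ID = bytes.fromhex("800000090300aabbccddeeff")  # constructed stand-in for SW1
FLAG_AUTH, FLAG_PRIV, FLAG_REPORTABLE = 0x01, 0x02, 0x04      # msgFlags bits (RFC 3412)

def build_v3_get(user, flags, engine_id=AGENT_ENGINE_ID):
    """GetRequest for sysDescr.0 framed per RFC 3412 with RFC 3414 USM parameters."""
    varbind = _tlv(0x30, _tlv(0x06, SYSDESCR_OID) + _tlv(0x05, b""))
    pdu = _tlv(0xA0, _ber_int(1) + _ber_int(0) + _ber_int(0) + _tlv(0x30, varbind))
    scoped_pdu = _tlv(0x30, _tlv(0x04, engine_id) + _tlv(0x04, b"") + pdu)
    if flags & FLAG_PRIV:
        # authPriv: the ScopedPDU travels as an opaque OCTET STRING; real AES/DES
        # output is replaced by a constant stand-in (this demo does not encrypt)
        data = _tlv(0x04, b"\xff" * len(scoped_pdu))
    else:
        data = scoped_pdu                       # noAuthNoPriv / authNoPriv: plaintext
    auth_params = b"\x00" * 12 if flags & FLAG_AUTH else b""   # HMAC-96 placeholder
    header = _tlv(0x30, _ber_int(0x1234) + _ber_int(65507)
                  + _tlv(0x04, bytes([flags])) + _ber_int(3))       # securityModel 3 = USM
    usm = _tlv(0x30, _tlv(0x04, engine_id) + _ber_int(1) + _ber_int(0)
               + _tlv(0x04, user.encode()) + _tlv(0x04, auth_params) + _tlv(0x04, b""))
    return _tlv(0x30, _ber_int(3) + header + _tlv(0x04, usm) + data)

def inspect_v3(msg):
    """Return what a passive observer learns from the header alone."""
    _, body, _ = _read_tlv(msg, 0)
    _, version, pos = _read_tlv(body, 0)
    if version != b"\x03":
        raise ValueError("not an SNMPv3 message")
    _, header, pos = _read_tlv(body, pos)
    hp = 0
    for _ in range(2):                           # skip msgID, msgMaxSize
        _, _, hp = _read_tlv(header, hp)
    _, flags, _ = _read_tlv(header, hp)
    _, sec_params, pos = _read_tlv(body, pos)
    data_tag, _, _ = _read_tlv(body, pos)
    _, usm, _ = _read_tlv(sec_params, 0)
    up = 0
    _, engine_id, up = _read_tlv(usm, up)
    for _ in range(2):                           # skip engineBoots, engineTime
        _, _, up = _read_tlv(usm, up)
    _, user, _ = _read_tlv(usm, up)
    auth, priv = bool(flags[0] & FLAG_AUTH), bool(flags[0] & FLAG_PRIV)
    if priv and not auth:
        raise ValueError("invalid msgFlags: priv without auth (RFC 3412)")
    return {
        "level": "authPriv" if priv else "authNoPriv" if auth else "noAuthNoPriv",
        "user": user.decode(),                   # the USM user name is never encrypted
        "engine_id": engine_id.hex(),
        "pdu_in_clear": data_tag == 0x30,        # 0x30 SEQUENCE = plaintext ScopedPDU
        "oid_visible": SYSDESCR_OID in msg,
    }

if __name__ == "__main__":
    for user, flags in (("monitor1", FLAG_REPORTABLE),
                        ("monitor2", FLAG_REPORTABLE | FLAG_AUTH),
                        ("monitor2", FLAG_REPORTABLE | FLAG_AUTH | FLAG_PRIV)):
        print(inspect_v3(build_v3_get(user, flags)))
```

Compare the three results: the USM user name and engine ID are visible at every level, the requested OID is readable for both monitor1 and monitor2, and only authPriv hides the ScopedPDU behind an OCTET STRING. The `priv` flag without `auth` is rejected, as RFC 3412 requires.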

SNMPv3 Agent Trap Configuration

Generate an engine ID for the manager (kozue, 10.0.128.254). Informs are authenticated with the receiver's USM credentials, so SW1 must know the manager's engine ID (`snmp-server engineID remote`) and have a matching remote user before the `snmp-server host ... informs` line; traps would be sent under SW1's own engine ID instead. IOS accepts at most 24 hex digits for the engine ID, which is why the uuid is cut down to 24 characters (12 octets):

uuidgen | tr -d - | sed "s/\([0-9a-f]\{24\}\).\\+/\1/g"
wnoguchi@kotone:~$ uuidgen | tr -d - | sed "s/\([0-9a-f]\{24\}\).\\+/\1/g"
63b98a6f19c64c859740db39
  • SW1
configure terminal
!
snmp-server engineID remote 10.0.128.254 63b98a6f19c64c859740db39
snmp-server group AUTHG3 v3 auth
snmp-server user monitor3 AUTHG3 remote 10.0.128.254 v3 auth md5 monpass3
snmp-server user monitor3 AUTHG3 v3 auth md5 monpass3
snmp-server host 10.0.128.254 informs version 3 auth monitor3 config
snmp-server enable traps
!
end
  • kozue(SNMP Manager)
wnoguchi@kozue:~$ systemctl status snmptrapd
● snmptrapd.service - Simple Network Management Protocol (SNMP) Trap Daemon.
   Loaded: loaded (/lib/systemd/system/snmptrapd.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
wnoguchi@kozue:~$ sudo systemctl enable --now snmptrapd
[sudo] password for wnoguchi:
Synchronizing state of snmptrapd.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable snmptrapd
wnoguchi@kozue:~$ sudo systemctl status snmptrapd
● snmptrapd.service - Simple Network Management Protocol (SNMP) Trap Daemon.
   Loaded: loaded (/lib/systemd/system/snmptrapd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2019-10-05 00:28:19 JST; 5s ago
 Main PID: 5144 (snmptrapd)
    Tasks: 1 (limit: 4285)
   CGroup: /system.slice/snmptrapd.service
           └─5144 /usr/sbin/snmptrapd -Lsd -f

Oct 05 00:28:19 kozue systemd[1]: Started Simple Network Management Protocol (SNMP) Trap Daemon..
Oct 05 00:28:19 kozue snmptrapd[5144]: NET-SNMP version 5.7.3 AgentX subagent connected
Oct 05 00:28:19 kozue snmptrapd[5144]: Warning: no access control information configured.
                                         (Config search path: /etc/snmp:/usr/share/snmp:/usr/lib/x86_64-linux-gnu/snmp)
                                       This receiver will *NOT* accept any incoming notifications.
Oct 05 00:28:19 kozue snmptrapd[5144]: NET-SNMP version 5.7.3
/etc/snmp/snmptrapd.conf: the engine ID in `createUser -e` must be the same value given to `snmp-server engineID remote` on SW1 (Net-SNMP writes it with a 0x prefix), and the `authUser` line is what grants this user access; without one snmptrapd logs the "no access control information configured" warning shown above and discards every notification.
createUser -e 0x63b98a6f19c64c859740db39 monitor3 MD5 monpass3
authUser log,execute,net monitor3
diff -u /root/orig/etc/snmp/snmptrapd.conf /etc/snmp/snmptrapd.conf
--- /root/orig/etc/snmp/snmptrapd.conf  2019-07-11 20:09:06.000000000 +0900
+++ /etc/snmp/snmptrapd.conf    2019-10-06 10:33:51.566095314 +0900
@@ -22,3 +22,7 @@
 #
 ## send mail when get linkDown
 #traphandle .1.3.6.1.6.3.1.1.5.3 /usr/bin/traptoemail -s smtp.example.org foobar@example.org
+
+createUser -e 0x63b98a6f19c64c859740db39 monitor3 MD5 monpass3
+authUser log monitor3
+
root@kozue:~# cat /var/lib/snmp/snmptrapd.conf 
#
# net-snmp (or ucd-snmp) persistent data file.
#
############################################################################
# STOP STOP STOP STOP STOP STOP STOP STOP STOP 
#
#          **** DO NOT EDIT THIS FILE ****
#
# STOP STOP STOP STOP STOP STOP STOP STOP STOP 
############################################################################
#
# DO NOT STORE CONFIGURATION ENTRIES HERE.
# Please save normal configuration tokens for snmptrapd in SNMPCONFPATH/snmptrapd.conf.
# Only "createUser" tokens should be placed here by snmptrapd administrators.
# (Did I mention: do not edit this file?)
#















engineBoots 2
oldEngineID 0x80001f888075f091014a57905d00000000
diff -u /root/orig/var/lib/snmp/snmptrapd.conf /var/lib/snmp/snmptrapd.conf
sudo systemctl restart snmptrapd
sudo systemctl status snmptrapd
root@kozue:~# diff -u /root/orig/var/lib/snmp/snmptrapd.conf /var/lib/snmp/snmptrapd.conf
root@kozue:~# systemctl restart snmptrapd
root@kozue:~# systemctl status snmptrapd
● snmptrapd.service - Simple Network Management Protocol (SNMP) Trap Daemon.
   Loaded: loaded (/lib/systemd/system/snmptrapd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-10-06 11:01:26 JST; 5s ago
 Main PID: 2579 (snmptrapd)
    Tasks: 1 (limit: 4285)
   CGroup: /system.slice/snmptrapd.service
           └─2579 /usr/sbin/snmptrapd -Lsd -f

Oct 06 11:01:26 kozue systemd[1]: Started Simple Network Management Protocol (SNMP) Trap Daemon..
Oct 06 11:01:26 kozue snmptrapd[2579]: NET-SNMP version 5.7.3 AgentX subagent connected
Oct 06 11:01:26 kozue snmptrapd[2579]: NET-SNMP version 5.7.3
root@kozue:~# diff -u /root/orig/var/lib/snmp/snmptrapd.conf /var/lib/snmp/snmptrapd.conf
--- /root/orig/var/lib/snmp/snmptrapd.conf      2019-10-05 01:56:46.138971430 +0900
+++ /var/lib/snmp/snmptrapd.conf        2019-10-06 11:01:26.447612035 +0900
@@ -29,5 +29,5 @@
 
 
 
-engineBoots 2
+engineBoots 3
 oldEngineID 0x80001f888075f091014a57905d00000000
root@kozue:~# diff -u /root/orig/etc/snmp/snmptrapd.conf /etc/snmp/snmptrapd.conf 
--- /root/orig/etc/snmp/snmptrapd.conf  2019-07-11 20:09:06.000000000 +0900
+++ /etc/snmp/snmptrapd.conf    2019-10-06 10:33:51.566095314 +0900
@@ -22,3 +22,7 @@
 #
 ## send mail when get linkDown
 #traphandle .1.3.6.1.6.3.1.1.5.3 /usr/bin/traptoemail -s smtp.example.org foobar@example.org
+
+createUser -e 0x63b98a6f19c64c859740db39 monitor3 MD5 monpass3
+authUser log,execute,net monitor3
+
root@kozue:~# tail -f /var/log/syslog
Oct  6 10:51:29 kozue kernel: [11586.307054] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
Oct  6 11:00:59 kozue snmpd[845]: message repeated 43 times: [ error on subcontainer 'ia_addr' insert (-1)]
Oct  6 11:01:26 kozue systemd[1]: Stopping Simple Network Management Protocol (SNMP) Trap Daemon....
Oct  6 11:01:26 kozue snmptrapd[842]: 2019-10-06 11:01:26 NET-SNMP version 5.7.3 Stopped.
Oct  6 11:01:26 kozue snmptrapd[842]: Stopping snmptrapd
Oct  6 11:01:26 kozue systemd[1]: Stopped Simple Network Management Protocol (SNMP) Trap Daemon..
Oct  6 11:01:26 kozue systemd[1]: Started Simple Network Management Protocol (SNMP) Trap Daemon..
Oct  6 11:01:26 kozue snmptrapd[2579]: NET-SNMP version 5.7.3 AgentX subagent connected
Oct  6 11:01:26 kozue snmptrapd[2579]: NET-SNMP version 5.7.3
Oct  6 11:01:29 kozue snmpd[845]: error on subcontainer 'ia_addr' insert (-1)
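Why the engine ID has to be identical on both sides, as an added example in Python (not code from the page or from Net-SNMP): RFC 3414 derives a user's key from the password and then localizes it with the receiver's engine ID, so `createUser -e 0x63b98a6f19c64c859740db39` on kozue and `snmp-server engineID remote 10.0.128.254 63b98a6f19c64c859740db39` on SW1 must agree or monitor3's informs fail authentication. The password and the two engine IDs (the uuid-derived one and the `oldEngineID` from /var/lib/snmp) are the page's lab values; the complete uuid used to show the 24-character truncation is constructed; the RFC 3414 Appendix A.3 vectors serve as a self-check.

```python
"""RFC 3414 USM password-to-key and key localization.

Added example, not code from the original page. Lab values (monpass3, the
engine IDs) come from the page; the full uuid below is constructed.
"""
import hashlib

CISCO_ENGINEID_MAX_HEX = 24               # IOS accepts at most 24 hex digits
_HASHES = {"md5": "md5", "sha": "sha1"}   # IOS keyword -> hashlib name


def password_to_key(password: str, proto: str) -> bytes:
    """RFC 3414 A.2: repeat the password to exactly 1,048,576 octets, digest once."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    h = hashlib.new(_HASHES[proto])
    reps, rem = divmod(1_048_576, len(pw))
    h.update(pw * reps + pw[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, proto: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(_HASHES[proto], ku + engine_id + ku).digest()


def parse_engine_id(text: str) -> bytes:
    """Accept the Net-SNMP (0x...) and IOS (bare hex) spellings; enforce RFC 3411 bounds."""
    hexstr = text.strip().lower()
    if hexstr.startswith("0x"):
        hexstr = hexstr[2:]
    if len(hexstr) % 2 or not all(c in "0123456789abcdef" for c in hexstr):
        raise ValueError(f"not a hex engine ID: {text!r}")
    eid = bytes.fromhex(hexstr)
    if not 5 <= len(eid) <= 32:
        raise ValueError(f"snmpEngineID must be 5..32 octets, got {len(eid)}")
    return eid


def cisco_engine_id_from_uuid(uuid_text: str) -> str:
    """What the page's `uuidgen | tr -d - | sed ...` pipeline does: drop the hyphens
    and keep the first 24 hex digits so IOS accepts the value."""
    return uuid_text.replace("-", "").lower()[:CISCO_ENGINEID_MAX_HEX]


def usm_key(password: str, proto: str, engine_id_text: str) -> bytes:
    """Localized key an SNMP engine uses for this user towards that engine ID."""
    ku = password_to_key(password, proto)
    return localize_key(ku, parse_engine_id(engine_id_text), proto)


def informs_will_authenticate(switch_remote_eid: str, trapd_eid: str,
                              password: str, proto: str = "md5") -> bool:
    """True only if SW1's remote-user key and snmptrapd's createUser key coincide."""
    return usm_key(password, proto, switch_remote_eid) == usm_key(password, proto, trapd_eid)


if __name__ == "__main__":
    lab_eid = "63b98a6f19c64c859740db39"                 # value from the page
    old_eid = "0x80001f888075f091014a57905d00000000"     # snmptrapd's auto-generated ID
    # constructed uuid whose first 24 hex digits equal the page's engine ID
    print("truncated:", cisco_engine_id_from_uuid("63b98a6f-19c6-4c85-9740-db39a1b2c3d4"))
    print("match    :", informs_will_authenticate(lab_eid, "0x" + lab_eid, "monpass3"))
    print("mismatch :", informs_will_authenticate(lab_eid, old_eid, "monpass3"))
```

The mismatch case is exactly what happens if `createUser -e` is forgotten: snmptrapd then localizes monpass3 with its own auto-generated `oldEngineID`, the HMAC never verifies, and the informs are silently dropped. The same derivation explains why an attacker who captures an authNoPriv exchange still has to brute-force the password per engine ID.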

Verification

kozue(SNMP Manager) Console Log

SW1 Console Log

With the `config` keyword, only configuration-change notifications reach the host. Remove the restriction so every enabled notification type is sent, then limit it to the generic `snmp` notifications (authenticationFailure, linkUp/linkDown, coldStart/warmStart):

no snmp-server host 10.0.128.254 informs version 3 auth monitor3 config
snmp-server host 10.0.128.254 informs version 3 auth monitor3
no snmp-server host 10.0.128.254 informs version 3 auth monitor3
snmp-server host 10.0.128.254 informs version 3 auth monitor3 snmp
  • kozue(SNMP Manager)
tail -f /var/log/syslog | fgrep snmptrapd --line-buffered

kozue(SNMP Manager) Console Log

SW1 Console Log

References

tech/network/cisco/snmp/snmpv3/snmpv3.txt · Last modified: 2019/10/06 12:31 by wnoguchi