A topic I for some reason or another avoided, but that is on the blueprint, is SNMPv3. I have no idea why I hated to look into it; I guess because monitoring is not my area of expertise. But I worked on it and now I think I understand it enough for the CCIE :).
So, you can practice NX-OS SNMP on your MDS switches; the syntax is very similar.
First, let's talk about a great way to test it: get yourself a MIB Browser. You will want the professional edition trial, as the free edition can't do SNMPv3.
Alright, let's look at some SNMP. As usual my source was a Cisco link:
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/sm_snmp.html
Super quick review of SNMP:
An agent is a device such as a router or a switch with information that SNMP can query; the kind of info the agent stores is referred to as a MIB (management information base). An SNMP management station is the device or host that collects this info.
So SNMPv3 is similar to the SNMP you know and love (SNMPv2) but with user-based authentication and encryption. It uses a username and password combination for auth, and then a further password for the actual encryption (priv). SNMPv3 comes in three security levels:
NoAuthNoPriv
AuthNoPriv
AuthPriv
This simply refers to whether SNMP uses MD5 or SHA for authentication (Auth) and DES or 3DES for encryption (Priv, which is short for privacy, as the "Privacy password" prompt further down shows), so the word doesn't refer to privilege in the way we might think of it in IOS.
However, in SNMPv3 these users can also be granted certain rights. In SNMPv2 we had read or read-write community strings but couldn't limit access much more granularly than that; in SNMPv3 we can assign roles, so we can control what MIBs an SNMP management station can access.
Next, SNMPv3 can be hooked up to a RADIUS server if you desire.
Finally, in SNMP there is the concept of traps and informs: basically, the SNMP agent on the device can be configured to send messages to a host when certain events occur.
Let's get to some config!
Switch1(config)# snmp-server user ?
WORD Name of the user (Max Size 32)
This is the name of our user.
Switch1(config)# snmp-server user ccierants ?
WORD Group name (ignored for notif target user) (Max Size 32)
auth Authentication parameters for the user
Switch1(config)# snmp-server user ccierants auth ?
md5 Use HMAC MD5 algorithm for authentication
sha Use HMAC SHA algorithm for authentication
Here you can see we get to choose what auth method we use.
Switch1(config)# snmp-server user ccierants auth md5 ?
WORD Authentication password for user (Max Size 130)
Switch1(config)# snmp-server user ccierants auth md5 ciscopassexam ?
engineID EngineID for configuring notif target user (for V3 informs)
localizedkey Specifies whether the passwords are in localized key format
priv Encryption parameters for the user
Switch1(config)# snmp-server user ccierants auth md5 ciscopassexam priv
WORD Privacy password for user (Max Size 130)
aes-128 Use 128-bit AES algorithm for privacy
Here you can see I can choose to use aes-128; DES is the default.
Switch1(config)# snmp-server user ccierants auth md5 ciscopassexam priv cciedc123
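The localizedkey option seen in the help output above refers to RFC 3414 key localization. The following is an added example, not part of the original post, showing how an SNMPv3 password becomes per-engine keys: the password is expanded to 1 MiB and hashed (Ku), then hashed again together with the agent's engineID (Kul), so the same password yields a different key on every switch. The password, engineID and expected values are the RFC 3414 appendix test vectors; usm_localized_keys is a helper name chosen here, and it assumes the priv key is derived with the same hash as the auth key, as RFC 3414 specifies.

```python
import hashlib

# Added example (not from the original post): RFC 3414 key localization,
# which is what NX-OS means by storing passwords in "localized key format".
EXPANSION_LEN = 1_048_576  # RFC 3414: the password is expanded to 1 MiB


def password_to_ku(password: bytes, hashname: str) -> bytes:
    """Ku = H(password repeated cyclically to exactly 1 MiB)."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(EXPANSION_LEN, len(password))
    return hashlib.new(hashname, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hashname: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): binds the key to one agent's engineID."""
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def usm_localized_keys(auth_pw: str, priv_pw: str, engine_id: bytes,
                       auth: str = "md5") -> dict:
    """Localized auth and priv keys (hex) for one user on one engine.

    auth is 'md5' or 'sha', the two choices the NX-OS CLI offers above.
    The priv key is derived with the auth hash (RFC 3414); DES takes its
    key and pre-IV from the first 16 bytes and AES-128 uses them as the key,
    so only those 16 bytes are returned.
    """
    hashname = {"md5": "md5", "sha": "sha1"}[auth]
    auth_key = localize_key(password_to_ku(auth_pw.encode(), hashname),
                            engine_id, hashname)
    priv_key = localize_key(password_to_ku(priv_pw.encode(), hashname),
                            engine_id, hashname)
    return {"auth": auth_key.hex(), "priv": priv_key[:16].hex()}


if __name__ == "__main__":
    # RFC 3414 A.3 test vector: password 'maplesyrup', engineID 00..02.
    eid = bytes.fromhex("000000000000000000000002")
    print(usm_localized_keys("maplesyrup", "maplesyrup", eid, "md5"))
    # The same password on a different engineID localizes to a different
    # key, so a key taken from one switch is useless against another.
    print(usm_localized_keys("maplesyrup", "maplesyrup",
                             bytes.fromhex("000000000000000000000003"), "md5"))
```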
Let's now view the user we have configured:
Switch1# show snmp user
______________________________________________________________
SNMP USERS
______________________________________________________________
User Auth Priv(enforce) Groups
____ ____ _____________ ______
admin md5 des(no) network-admin
ccierants md5 des(no) network-operator
nervmainpc md5 des(no) network-operator
______________________________________________________________
NOTIFICATION TARGET USERS (configured for sending V3 Inform)
______________________________________________________________
User Auth Priv
____ ____ ____
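As an added example (not part of the original post), here is a small audit script that parses a show snmp user table like the one above and flags MD5 authentication, DES privacy, privacy that is not enforced, and network-admin membership (the read-write equivalent). The sample is constructed to mirror the output above, with one hardened user added for contrast and a second group wrapped onto its own line, as happens later in this post; reading the (enforce) column as whether the user is required to use authPriv is an assumption.

```python
import re

# Added example (not from the original post): audit 'show snmp user' output.
# Constructed sample: mirrors this page's table, plus one hardened user and
# a user whose second group wraps onto its own line.
SAMPLE = """\
______________________________________________________________
SNMP USERS
______________________________________________________________
User Auth Priv(enforce) Groups
____ ____ _____________ ______
admin md5 des(no) network-admin
ccierants md5 des(no) network-operator
ccierants
nervmainpc sha aes-128(yes) network-operator
______________________________________________________________
NOTIFICATION TARGET USERS (configured for sending V3 Inform)
"""

# user, auth, priv algorithm, enforce flag, first group
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\w[\w-]*)\((yes|no)\)\s+(\S+)$")


def parse_snmp_users(text: str) -> list:
    """Return one dict per user; stops at the notification-target table."""
    users = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("NOTIFICATION TARGET USERS"):
            break
        if not line or set(line) <= {"_", " "}:
            continue  # separator lines
        m = ROW.match(line)
        if m:
            user, auth, priv, enforce, group = m.groups()
            users.append({"user": user, "auth": auth.lower(), "priv": priv.lower(),
                          "enforce": enforce == "yes", "groups": [group]})
        elif users and len(line.split()) == 1:
            users[-1]["groups"].append(line)  # extra group wrapped onto its own line
    return users


# (predicate, finding) pairs; assumes (no) means the user may be polled authNoPriv
CHECKS = [
    (lambda u: u["auth"] == "md5", "MD5 authentication, prefer sha"),
    (lambda u: u["priv"] == "des", "DES privacy, prefer aes-128"),
    (lambda u: not u["enforce"], "privacy not enforced for this user"),
    (lambda u: "network-admin" in u["groups"], "network-admin group, read-write access"),
]


def audit(users: list) -> list:
    """One finding string per weak setting, e.g. 'admin: DES privacy, prefer aes-128'."""
    return [f'{u["user"]}: {msg}' for u in users for test, msg in CHECKS if test(u)]
```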
So we have created our user and password now; let's use the MIB browser to access it:
As you can see in the MIB browser, we can select Auth and Priv, NoAuth No-Priv and Auth No-Priv, as we discussed.
Success! We have browsed the MIB tree!
Now, as we mentioned, and as the eagle-eyed among you may have spotted in the output, we can assign SNMP "groups" to the users; this allows us to assign privileges to that user.
Even though these are called groups, they are essentially just roles:
Switch1(config)# show snmp group | inc Role:
Role: network-admin
Role: network-operator
Role: server-admin
Role: default-role
Notice that network-operator and network-admin line up nicely with RO and RW in the old SNMP.
Let's quickly create a role with bugger-all privileges:
Role: ccierants
Description: new role
Vsan policy: permit (default)
-------------------------------------------------
Rule Type Command-type Feature
-------------------------------------------------
1 permit config iscsi
2 permit show iscsi
Next we assign the role:
Switch1(config)# snmp-server user ccierants ccierantsrole
Note that this ADDED the role, so I have to remove the old role:
Switch1# show snmp user
______________________________________________________________
SNMP USERS
______________________________________________________________
User Auth Priv(enforce) Groups
____ ____ _____________ ______
admin md5 des(no) network-admin
ccierants md5 des(no) network-operator
ccierants
Switch1(config)# no snmp-server user ccierants network-operator
Now if we try and access something we have no privileges to:
Finally, let's quickly look at traps; they are not too complicated.
First of all, to enable either traps or informs, you need to specify what you want to trap or inform ON! This is enabling the actual traps:
Switch1(config)# snmp-server enable traps ?
aaa Module notifications enable
callhome Module notifications enable
cfs Module notifications enable
entity Module notifications enable
fcdomain Module notifications enable
fcns Module notifications enable
fcs Module notifications enable
fctrace Module notifications enable
fdmi Module notifications enable
feature-control Module notifications enable
fspf Module notifications enable
license Module notifications enable
link Module notifications enable
You can see there are a bunch you can enable; you can just say snmp-server enable traps to enable all of them.
Switch1(config)# snmp-server host 1.1.1.1 ?
WORD SNMP community string or SNMPv3 user name (Max Size 32)
informs Send Inform messages to this host
traps Send Traps messages to this host
version SNMP version to use for notification messages
Here we can set if we want SNMP traps or informs.
Switch1(config)# snmp-server host 1.1.1.1 informs version 3 ?
auth Use the SNMPv3 authNoPriv Security Level
noauth Use the SNMPv3 noAuthNoPriv Security Level
priv Use the SNMPv3 authPriv Security Level
Here we set the security level: noAuthNoPriv, authNoPriv or authPriv.
Switch1(config)# snmp-server host 1.1.1.1 informs version 3 priv ccierants ?
We must define a user who is used to generate the SNMP traps to the server; the privileges on this user do not matter, as it is only the one generating the SNMP traps.
I hope this helps someone out there!
Do you use VRF lite at the switch? Cisco Nexus has implemented a feature that shows content related to one VRF only. With the default SNMP configuration you can see just the content of no VRF. If you have all IP interfaces assigned to any VRF, you will not see any IP via SNMP.
The mapping is 1:1 only, as I found. You probably cannot use one SNMP user that can browse the contents of all VRFs.
https://supportforums.cisco.com/discussion/11914946/how-snmp-get-nexus-7k-non-default-vrf-arp-table