Tags

,

SNMP-Simple Network Management Protocol is used to provide management capability for TCP/IP based networks. There are three versions (v1, v2, v3) & only version 3 added the security capability to this protocol. If you are using this SNMP to manage & configure your network devices, it is better to use SNMPv3 which provide authentication & encryption capability to this protocol. You can read RFC3411- An Architecture for Describing SNMP Management Frameworks if your are interested in more details about this protocol.

There are 3 level of security you can provide to any SNMPv3 messages.

noAuthNoPriv – without authentication and without privacy,
authNoPriv   – with authentication but without privacy,
authPriv     – with authentication and with privacy.

In this post we will see how to configure SNMPv3 on a Cisco IOS device (5760,3850, Autonomous AP) & a Cisco WLC (5508) in order to manage via Prime Infrastructure as Network Management System(NMS).

In any IOS devices it is very simple two step process

1. Configure a SNMP group
2. Configure a SNMP user

Let’s configure this on a 3850 switch. First we will create a snmp group (called SNMP-GRP) with “authPriv” secuirity level. If you want  you can associate an ACL to restrict which NMS host can be part of this group. But in this example I have used without that to make it simpler.

3850-3(config)#snmp-server ?
  accounting        SNMP Accounting parameters
  cache             Enable SNMP cache
  chassis-id        String to uniquely identify this chassis
  community         Enable SNMP; set community string and access privs
  contact           Text for mib object sysContact
  context           Create/Delete a context apart from default
  drop              Silently drop SNMP packets
  enable            Enable SNMP Traps
  engineID          Configure a local or remote SNMPv3 engineID
  file-transfer     File transfer related commands
  group             Define a User Security Model group
  host              Specify hosts to receive SNMP notifications
  ifindex           Enable ifindex persistence
  inform            Configure SNMP Informs options
  ip                IP ToS configuration for SNMP traffic
  location          Text for mib object sysLocation
  manager           Modify SNMP manager parameters
  packetsize        Largest SNMP packet size
  password-policy   SNMP v3 users password policy
  queue-length      Message queue length for each TRAP host
  source-interface  Assign an source interface
  spi               Configs for SNMP communication using SPI
  sysobjectid       sysObjectID
  system-shutdown   Enable use of the SNMP reload command
  tftp-server-list  Limit TFTP servers used via SNMP
  trap              SNMP trap options
  trap-source       Assign an interface for the source address of all traps
  trap-timeout      Set timeout for TRAP message retransmissions
  user              Define a user who can access the SNMP engine
  view              Define an SNMPv3 MIB view

3850-3(config)#snmp-server group ?
  WORD  Name of the group

3850-3(config)#snmp-server group SNMP-GRP ?
  v1   group using the v1 security model
  v2c  group using the v2c security model
  v3   group using the User Security Model (SNMPv3)

3850-3(config)#snmp-server group SNMP-GRP v3 ?
  auth    group using the authNoPriv Security Level
  noauth  group using the noAuthNoPriv Security Level
  priv    group using SNMPv3 authPriv security level

3850-3(config)#snmp-server group SNMP-GRP v3 priv ?
  access   specify an access-list associated with this group
  context  specify a context to associate these views for the group
  match    context name match criteria
  notify   specify a notify view for the group
  read     specify a read view for the group
  write    specify a write view for the group
  <cr>

3850-3(config)#snmp-server group SNMP-GRP v3 priv

Now let’s define a SNMP user for this group with required Authentication & Encryption parameters. As you can see below 3850 supports 128,192, 256 bit AES encryption & you can choose any. I have chosen 128bit as that’s what Prime Infrastructure is supported. I have used “HMAC-SHA” over “HMAC-MD5” since it is more secure.

3850-3(config)#snmp-server user ?
  WORD  Name of the user

3850-3(config)#snmp-server user prime2 ?
  WORD  Group to which the user belongs

3850-3(config)#snmp-server user prime2 SNMP-GRP ?
  remote  Specify a remote SNMP entity to which the user belongs
  v1      user using the v1 security model
  v2c     user using the v2c security model
  v3      user using the v3 security model

3850-3(config)#snmp-server user prime2 SNMP-GRP v3 ?
  access     specify an access-list associated with this group
  auth       authentication parameters for the user
  encrypted  specifying passwords as MD5 or SHA digests
  <cr>

3850-3(config)#snmp-server user prime2 SNMP-GRP v3 au
3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth ?
  md5  Use HMAC MD5 algorithm for authentication
  sha  Use HMAC SHA algorithm for authentication

3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sh
3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sha ?
  WORD  authentication pasword for user

3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> ?
  access  specify an access-list associated with this group
  priv    encryption parameters for the user
  <cr>

3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv ?
  3des  Use 168 bit 3DES algorithm for encryption
  aes   Use AES algorithm for encryption
  des   Use 56 bit DES algorithm for encryption

3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv aes ?
  128  Use 128 bit AES algorithm for encryption
  192  Use 192 bit AES algorithm for encryption
  256  Use 256 bit AES algorithm for encryption

3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv aes 128 ?
  WORD  privacy pasword for user

3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv aes 128 <PRIVACY_PASSWORD> ?
  access  specify an access-list associated with this group
  <cr>

3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv aes 128 <PRIVACY_PASSWORD>

Now if you go to Prime Infrastructure (PI), you can add this switch with the configured SNMPv3 details. To fully manage the switch PI need to access the switch via CLI (ssh/telent), so better to configure CLI credential as well for that purpose.

SNMPv3-02Note, that when you add a 3850/3650 switch to Prime it will automatically treated it as a WLC as well (since those switches has integrated WLC within the switch). So same 3850 appear under Controllers & Switches section.

Let’s configure this on 5760 controller. Since it is IOS device, you have to simply add those two lines.

5760-1(config)#snmp-server group SNMP-GRP v3 priv
5760-1(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv aes 128 <PRIVACY_PASSWORD>

You can verify your configuration using “show snmp-server group” & “show snmp-server user” outputs as shown below.

5760-1#show snmp group 
groupname: SNMP-GRP                         security model:v3 priv 
contextname: <no context specified>         storage-type: nonvolatile
readview : v1default                        writeview: <no writeview specified>        
notifyview: <no notifyview specified>       
row status: active

5760-1#show snmp user 
User name: prime2
Engine ID: 80000009030044ADD9039D00
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: SNMP-GRP

Let’s see same configuration on Autonomous Access point (again IOS device). So there is no difference, only those two lines required. But some time depend on the AP hardware & IOS version you running on the AP, all these encryption may not supported. For example 1252 with 15.2 support AES encryption where as 1131 running on 12.4 version only support DES for SNMP encryption.

AAP1(config)#do sh ver | in IOS
Cisco IOS Software, C1250 Software (C1250-K9W7-M), Version 15.2(2)JA1, RELEASE SOFTWARE (fc1)

AAP1(config)#snmp-server group SNMP-GRP v3 priv
AAP1(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv aes 128 <PRIVACY_PASSWORD> 

AAP2#sh ver | in IOS
Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.4(21a)JY, RELEASE SOFTWARE (fc1)

AAP2(config)#snmp-server group SNMP-GRP v3 priv
AAP2(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv ?
  des56  Use 56 bit DES algorithm for encryption
AAP2(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv des56 <PRIVACY_PASSWORD>

Now let’s see how we can configure SNMPv3 on a 5508 (run on AireOS). Since it is not IOS command syntax is different, but again it is one simple config line. I have not shown the GUI method here, but if you are more comfortable with that you can do it in that way too.

(5508-1) >config snmp v3user create ?           
<username>     Enter user name for a v3 user.
               
(5508-1) >config snmp v3user create prime2 ?               
ro             Read-only mode.
rw             Read-write mode.
               
(5508-1) >config snmp v3user create prime2 rw ?
none           Disable authentication protocol for a SNMP v3 user.
hmacmd5        Set the SNMP v3 user authentication type to HMACMD5.
hmacsha        Set the SNMP v3 user authentication type to HMACSHA.
               
(5508-1) >config snmp v3user create prime2 rw hmacsha ?
none           Disables encryption type for SNMP v3 user.
aescfb128      Set the SNMP v3 user encryption type to AES.
des            Set the SNMP v3 user encryption type to DES.
               
(5508-1) >config snmp v3user create prime2 rw hmacsha aescfb128 ?               
<authkey>      Enter authentication key for authtype hmacmd5/hmacsha for a v3 user.
               
(5508-1) >config snmp v3user create prime2 rw hmacsha aescfb128 <AUTH_PASSWORD> ?
               
<encrypkey>    Enter encryption key for for des encryption for a v3 user.
               
(5508-1) >config snmp v3user create prime2 rw hmacsha aescfb128 <AUTH_PASSWORD> <PRIVACY_PASSWORD>

You can verify “show snmpversion” & “show snmpv3user” CLI commands. There is default SNMPv3 user called “default” & you can delete that using “config snmp v3user delete default” if needed. In the below I have deleted that user.

(5508-1) >show snmpversion 
SNMP v1  Mode.................................... Disable 
SNMP v2c Mode.................................... Enable 
SNMP v3  Mode.................................... Enable 

(5508-1) >show snmpv3user 
SNMP v3 User Name    AccessMode  Authentication Encryption   
-------------------- ----------- -------------- ----------   
prime2                Read/Write  HMAC-SHA       CFB-AES

In this way you can make sure Prime Infrastructure to your managed devices communicate in secure fashion (SNMPv3). Here is a sample PI dashboard showing this managed devices.

SNMPv3-03Here is a quick reference link from Cisco if you want to configure & verify SNMPv3 on Cisco devices.

Related Posts

1. Configuring SNMP on WLC