How to configure SNMPv3 on Ubuntu, CentOS, and Cisco devices
The Simple Network Management Protocol (SNMP) is a widely used protocol for collecting information from a device. For example, CPU and RAM usage, system load, network interface traffic, and many other performance metrics can be queried over SNMP.
SNMP currently has three versions: v1, v2c, and v3. SNMPv1 and v2c are easy to configure and were covered in previous articles, but they authenticate with nothing more than a plaintext community string. SNMPv3 adds a user-based security model with authentication (HMAC-MD5 or HMAC-SHA) and encryption of the payload (DES or AES). This makes SNMPv3 safer and the preferred choice when SNMP queries travel over an untrusted network such as the Internet. MD5 and DES are the legacy options that this tutorial uses; prefer SHA and AES whenever both the agent and the manager support them.
SNMPv3 is configured differently from v1 and v2c. The following describes the configuration in detail.
Configure SNMPv3 in Ubuntu and Debian
Use the net-snmp-config tool for configuration. In the following example, an SNMPv3 account with read-only permission is created. The username is "snmpv3user" and the password is "snmpv3pass". net-snmp-config defaults to MD5 for authentication and DES for privacy; both can be changed with the -a and -x options, and a separate privacy passphrase can be given with -X (without it the authentication passphrase is reused, as happens below). snmpd is stopped first because it rewrites its persistent configuration file on shutdown and would otherwise discard the new entry.
root@server:~# apt-get install snmp snmpd
root@server:~# service snmpd stop
root@server:~# net-snmp-config --create-snmpv3-user -ro -A snmpv3pass snmpv3user
## OUTPUT ##
adding the following line to /var/lib/snmp/snmpd.conf:
   createUser snmpv3user MD5 "snmpv3pass" DES
adding the following line to /usr/share/snmp/snmpd.conf:
   rouser snmpv3user
root@server:~# service snmpd start
SNMPv3 Testing
Use snmpwalk to test the configuration; a successful walk produces a large amount of output. The example below shows the result for the account created above against the Ubuntu/Debian server at 192.168.1.1, using the same snmpwalk command line as in the CentOS section further down (only the server address differs).
### SAMPLE OUTPUT ###
iso.3.6.1.2.1.1.1.0 = STRING: "Linux server 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (68028) 0:11:20.28
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (0) 0:00:00.00
### And the walk goes on and on ###
Delete An SNMPv3 account
When net-snmp-config creates an account, the information is stored in two files: /var/lib/snmp/snmpd.conf (the usmUser entry holding the keys derived from the password) and /usr/share/snmp/snmpd.conf (the rouser access line). Deleting an account means removing the entry from both files. Stop snmpd before editing, because it rewrites /var/lib/snmp/snmpd.conf from memory on shutdown and would restore the entry.
root@server:~# service snmpd stop
root@server:~# vim /var/lib/snmp/snmpd.conf
## there should be a similar line for the user; the hex fields are the localized keys, not the password and not encrypted ##
## this line is removed ##
usmUser 1 3 0x80001f8880056e06573a1e895100000000 0x736e6d7076337573657200 0x736e6d7076337573657200 NULL .1.3.6.1.6.3.10.1.1.2 0x945ed3c9708ea5493f53f953b45a4513 .1.3.6.1.6.3.10.1.2.2 0x945ed3c9708ea5493f53f953b45a4513 ""
root@server:~# vim /usr/share/snmp/snmpd.conf
## the following line is removed ##
rouser snmpv3user
Do not forget to start snmpd again afterwards.
root@server:~# service snmpd start
Configure SNMPv3 in CentOS or RHEL
The process of creating an SNMPv3 user on CentOS and RHEL differs slightly from Ubuntu in the tool name and the file locations, but is otherwise the same.
First, install the necessary packages with yum. The net-snmp package provides snmpd and the net-snmp-create-v3-user helper; net-snmp-utils provides snmpwalk and the other client tools.
[root@server ~]# yum install net-snmp net-snmp-utils net-snmp-devel
After the installation completes, stop snmpd and create a read-only SNMPv3 account. Here the authentication and privacy protocols are given explicitly with -a and -x (MD5 and DES, the same as the defaults); pass -a SHA -x AES for the stronger choices.
[root@server ~]# service snmpd stop
[root@server ~]# net-snmp-create-v3-user -ro -A snmpv3pass -a MD5 -x DES snmpv3user
## OUTPUT ##
adding the following line to /var/lib/net-snmp/snmpd.conf:
   createUser snmpv3user MD5 "snmpv3pass" DES
adding the following line to /etc/snmp/snmpd.conf:
   rouser snmpv3user
[root@server ~]# service snmpd start
SNMPv3 Testing
snmpwalk is the standard tool for testing the configuration; a successful walk produces a large amount of output. Note the security level: -l authNoPriv authenticates the request but does not encrypt it. To also encrypt, use -l authPriv together with -x (privacy protocol) and -X (privacy passphrase).
[root@server ~]# snmpwalk -v3 -l authNoPriv -u snmpv3user -a MD5 -A snmpv3pass 192.168.1.2
### OUTPUT ###
SNMPv2-MIB::sysDescr.0 = STRING: Linux server.example.tst 2.6.32-71.el6.i686 #1 SMP Fri Nov 12 04:17:17 GMT 2010 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (28963) 0:04:49.63
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORID.1 = OID: SNMP-MPD-MIB::snmpMPDMIBObjects.3.1.1
SNMPv2-MIB::sysORID.2 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.5 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.6 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.7 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.8 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORDescr.1 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.2 = STRING: The management information definitions for the SNMP User-based Security Model.
SNMPv2-MIB::sysORDescr.3 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.5 = STRING: The MIB module for managing TCP implementations
## And the output continues ##
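The snmpwalk tests in the Ubuntu and CentOS sections above only tell you "lots of output" or nothing. The helper below is an added example (not part of the original tutorial) that runs the same walk and classifies net-snmp's result, so that a failure points at the right layer: a timeout means the packet never got an answer (firewall, ACL, or snmpd not listening), "Unknown user name" means the usmUser entry is missing on the agent, and "Authentication failure" means the passphrase or protocol is wrong. The host addresses, user names and passphrase are the tutorial's; the walk uses the numeric OID 1.3.6.1.2.1.1 (the system group) so that no MIB files are needed on the client. The script name snmpv3_check.sh in the guard at the bottom is an assumption.

```shell
#!/bin/sh
# Added example (not from the original tutorial): run an SNMPv3 walk and map
# net-snmp's wording for each outcome onto a one-word diagnosis.

# Classify the combined stdout/stderr of snmpwalk. The strings matched are the
# messages net-snmp's snmpwalk prints for each failure mode.
classify_snmp_result() {
    case "$1" in
        *"Unknown user name"*)          echo "bad-user" ;;   # no such user in the agent's usmUserTable
        *"Authentication failure"*)     echo "bad-auth" ;;   # wrong -A passphrase or -a protocol
        *"Unsupported security level"*) echo "bad-level" ;;  # -l lower than the agent/group requires
        *"Timeout: No Response"*)       echo "timeout" ;;    # filtered by iptables/ACL, or snmpd down
        *"sysDescr"*|*"iso.3.6.1.2.1.1.1.0"*) echo "ok" ;;   # the system group came back
        *)                              echo "unknown" ;;
    esac
}

# Walk the system group on one host and print "<host> <diagnosis>".
# stderr is captured too, because net-snmp reports auth errors there.
snmpv3_check() {
    host="$1"; user="$2"; pass="$3"; proto="${4:-MD5}"
    if ! command -v snmpwalk >/dev/null 2>&1; then
        echo "$host no-snmpwalk"
        return 0
    fi
    out=$(snmpwalk -v3 -l authNoPriv -u "$user" -a "$proto" -A "$pass" \
                   -t 2 -r 1 "$host" 1.3.6.1.2.1.1 2>&1)
    echo "$host $(classify_snmp_result "$out")"
    return 0
}

# Usage: check the three agents from the tutorial. Note the different user
# name on the Cisco device. Runs only when invoked as snmpv3_check.sh
# (assumed name), so the functions can also be sourced from another script.
if [ "${0##*/}" = "snmpv3_check.sh" ]; then
    snmpv3_check 192.168.1.1 snmpv3user snmpv3pass MD5   # Ubuntu/Debian
    snmpv3_check 192.168.1.2 snmpv3user snmpv3pass MD5   # CentOS/RHEL
    snmpv3_check 192.168.1.3 v3user     snmpv3pass MD5   # Cisco
fi
```

The error patterns are checked before the success pattern so that an error message that happens to mention an OID is never reported as a successful walk.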
Delete An SNMPv3 account
As on Ubuntu, the account lives in two files, here /var/lib/net-snmp/snmpd.conf and /etc/snmp/snmpd.conf. Deleting the account means removing its line from both. Stop snmpd first so that it does not rewrite the persistent file with the old entry on shutdown.
[root@server ~]# service snmpd stop
[root@server ~]# vim /var/lib/net-snmp/snmpd.conf
## there should be a similar line for the user; the engine ID and key fields are specific to each host, compare the Ubuntu example above ##
## this line is removed ##
usmUser 1 3 <engineID> 0x736e6d7076337573657200 0x736e6d7076337573657200 NULL .1.3.6.1.6.3.10.1.1.2 <authKey> .1.3.6.1.6.3.10.1.2.2 <privKey> ""
[root@server ~]# vim /etc/snmp/snmpd.conf
## the following line is removed ##
rouser snmpv3user
[root@server ~]# service snmpd start
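Both delete sections above edit a usmUser line out of the persistent snmpd.conf, and the tutorial calls that line "encrypted". It is not: net-snmp stores RFC 3414 localized keys there, the password hashed (MD5 or SHA-1) and then bound to the agent's engine ID. The following Python script is an added example, not code from the original tutorial or from net-snmp. It parses the Ubuntu usmUser line shown above, decodes its engine ID, reproduces the key derivation, and checks a candidate password against the stored key. Whether "snmpv3pass" matches the Ubuntu line's key is not asserted here (the tutorial does not show the derivation), so the script simply reports it; the derivation itself is verified against the test vectors in RFC 3414 Appendix A.3 using a second usmUser line constructed for that purpose. Only the standard library is used.

```python
"""Added example: what a net-snmp usmUser persistence line really holds
(RFC 3414 localized keys), parsed and reproduced from the password."""
import hashlib

# Protocol OIDs that appear in usmUser lines (SNMP-USER-BASED-SM-MIB).
USM_PROTOCOLS = {
    ".1.3.6.1.6.3.10.1.1.1": "usmNoAuthProtocol",
    ".1.3.6.1.6.3.10.1.1.2": "usmHMACMD5AuthProtocol",
    ".1.3.6.1.6.3.10.1.1.3": "usmHMACSHAAuthProtocol",
    ".1.3.6.1.6.3.10.1.2.1": "usmNoPrivProtocol",
    ".1.3.6.1.6.3.10.1.2.2": "usmDESPrivProtocol",
    ".1.3.6.1.6.3.10.1.2.4": "usmAesCfb128Protocol",
}

# The usmUser line shown in the Ubuntu section of the tutorial (copied verbatim).
UBUNTU_LINE = (
    "usmUser 1 3 0x80001f8880056e06573a1e895100000000 0x736e6d7076337573657200 "
    "0x736e6d7076337573657200 NULL .1.3.6.1.6.3.10.1.1.2 "
    "0x945ed3c9708ea5493f53f953b45a4513 .1.3.6.1.6.3.10.1.2.2 "
    '0x945ed3c9708ea5493f53f953b45a4513 ""'
)

# A constructed line in the same format for the RFC 3414 A.3.1 test vector:
# password "maplesyrup", engine ID 00..02, MD5 auth, known localized key.
RFC_LINE = (
    "usmUser 1 3 0x000000000000000000000002 0x6d61706c65737972757000 "
    "0x6d61706c65737972757000 NULL .1.3.6.1.6.3.10.1.1.2 "
    "0x526f5eed9fcce26f8964c2930787d82b .1.3.6.1.6.3.10.1.2.2 "
    '0x526f5eed9fcce26f8964c2930787d82b ""'
)


def _hexfield(token):
    """usmUser fields are either 0x-prefixed hex strings or literals like NULL."""
    return bytes.fromhex(token[2:]) if token.startswith("0x") else b""


def parse_usmuser(line):
    """Split a net-snmp usmUser persistence line into named fields."""
    f = line.split()
    if not f or f[0] != "usmUser" or len(f) < 11:
        raise ValueError("not a usmUser line")
    return {
        "engine_id": _hexfield(f[3]),
        "name": _hexfield(f[4]).rstrip(b"\x00").decode(),   # stored NUL-terminated
        "security_name": _hexfield(f[5]).rstrip(b"\x00").decode(),
        "auth_protocol": USM_PROTOCOLS.get(f[7], f[7]),
        "auth_key": _hexfield(f[8]),
        "priv_protocol": USM_PROTOCOLS.get(f[9], f[9]),
        "priv_key": _hexfield(f[10]),
    }


def decode_engine_id(engine_id):
    """RFC 3411 SnmpEngineID: with the top bit set, bytes 0-3 hold the vendor's
    IANA enterprise number and byte 4 a vendor-specific format code."""
    if engine_id[0] & 0x80:
        enterprise = int.from_bytes(engine_id[:4], "big") & 0x7FFFFFFF
        return {"enterprise": enterprise, "format": engine_id[4], "rest": engine_id[5:]}
    return {"enterprise": int.from_bytes(engine_id[:4], "big"), "format": None, "rest": engine_id[4:]}


def password_to_key(password, engine_id, hash_name="md5"):
    """RFC 3414 A.2: hash the password repeated to exactly 1 MiB to get Ku,
    then localize it to one engine: Kul = H(Ku || engineID || Ku).
    Returns (Ku, Kul)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    ku = hashlib.new(hash_name, stream).digest()
    kul = hashlib.new(hash_name, ku + engine_id + ku).digest()
    return ku, kul


def verify_password(entry, password):
    """True if `password` localizes to the auth key stored in a parsed usmUser
    entry. This is exactly the offline check anyone who obtains the persistent
    snmpd.conf can run, which is why that file must stay readable by root only."""
    hash_name = "sha1" if "SHA" in entry["auth_protocol"] else "md5"
    return password_to_key(password, entry["engine_id"], hash_name)[1] == entry["auth_key"]


if __name__ == "__main__":
    e = parse_usmuser(UBUNTU_LINE)
    print("user:", e["name"], "auth:", e["auth_protocol"], "priv:", e["priv_protocol"])
    print("engine:", decode_engine_id(e["engine_id"]))   # enterprise 8072 is Net-SNMP
    print("'snmpv3pass' matches the stored key:", verify_password(e, "snmpv3pass"))
    print("RFC 3414 vector verifies:", verify_password(parse_usmuser(RFC_LINE), "maplesyrup"))
```

Two practical consequences follow from the derivation. Because the key is localized with the engine ID, the usmUser line only works on the agent that produced it, which is why each host's line differs and why changing an engine ID invalidates its users. And because the stretching is a single 1 MiB hash per guess, the stored key does not protect a weak passphrase against offline guessing once the file leaks.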
Firewall adjustment (optional)
The following iptables rules restrict the source IP addresses that may send SNMP queries. Two addresses, 192.168.1.100 and 192.168.1.101, are allowed and everything else destined for UDP port 161 is dropped. The rules are appended (-A), so they must not be preceded by a broader ACCEPT rule in the INPUT chain, and they are not persistent across reboots unless saved with the distribution's mechanism (for example iptables-save).
root@server:~# iptables -A INPUT -s 192.168.1.100/32 -p udp --dport 161 -j ACCEPT
root@server:~# iptables -A INPUT -s 192.168.1.101/32 -p udp --dport 161 -j ACCEPT
root@server:~# iptables -A INPUT -p udp --dport 161 -j DROP
Configure SNMPv3 for Cisco switches and routers
Cisco switches and routers also support SNMPv3. The following example first creates an access control list (ACL) that restricts the source addresses allowed to query the device; this step is optional and can be skipped.
Set the access control list (ACL) (optional)
## global config mode ##
ip access-list standard SNMP_ACL
 permit 192.168.1.100
 permit 192.168.1.101
SNMPv3 Configuration
The following configuration creates a group named v3Group with security level auth (authNoPriv). The optional access list defined above can be attached to the group. The group's level is the minimum a member must use: with "auth", an authNoPriv query is accepted even if the user also has a privacy key, so use "priv" instead if encryption is to be required.
## global config mode ##
## with ACL ##
snmp-server group v3Group v3 auth access SNMP_ACL
## without ACL ##
snmp-server group v3Group v3 auth
The user v3user is then created in v3Group with MD5 authentication and AES-128 privacy. Here the same passphrase is used for both; in practice use a separate privacy passphrase.
snmp-server user v3user v3Group v3 auth md5 snmpv3pass priv aes 128 snmpv3pass
SNMPv3 Testing
The SNMPv3 users and their groups can be viewed on the Cisco device:
## privileged EXEC mode ##
show snmp user
User name: v3user
Engine ID: ************************
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: v3Group
snmpwalk from any Linux host can then be used to verify the configuration. Note that the user name is v3user, as created above (not snmpv3user from the Linux sections), and that the keys are localized to the device's engine ID, so the user must be recreated if the engine ID is ever changed.
snmpwalk -v3 -l authNoPriv -u v3user -a MD5 -A snmpv3pass 192.168.1.3
iso.3.6.1.2.1.1.1.0 = STRING: "Cisco IOS Software"
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.9.1.1166
iso.3.6.1.2.1.1.7.0 = INTEGER: 78
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.2.1.0 = INTEGER: 54
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.1.2 = INTEGER: 2
iso.3.6.1.2.1.2.2.1.1.3 = INTEGER: 3
## output truncated ##
I hope the above tutorials will help you.