In Ubuntu, CentOS, and Cisco, how does one configure SNMPv3?

Source: Internet
Author: User
Tags snmp query snmpwalk snmpv3

The Simple Network Management Protocol (SNMP) is a widely used protocol for collecting information from devices. For example, CPU and RAM usage, server load, network interface traffic status, and many other performance metrics can be queried using SNMP.

Currently, SNMP has three versions: v1, v2c, and v3. SNMP v1 and v2c are easy to configure and have been discussed in previous articles. SNMPv3 adds authentication (MD5 or SHA) and privacy, i.e. encryption (DES or AES). This makes SNMPv3 safer and more desirable when SNMP queries cross untrusted networks such as the Internet.

Compared with SNMP v1 or v2c, SNMPv3 is configured differently. The following describes the configuration in detail.

Configure SNMPv3 in Ubuntu and Debian

Use the net-snmp-config tool for configuration. In the following example, an SNMPv3 account with read-only permission is created. The username is "snmpv3user" and the password is "snmpv3pass". By default the authentication protocol is MD5 and the privacy (encryption) protocol is DES; both can be changed as needed.

root@server:~# apt-get install snmp snmpd
root@server:~# service snmpd stop
root@server:~# net-snmp-config --create-snmpv3-user -ro -A snmpv3pass snmpv3user

## OUTPUT ##

adding the following line to /var/lib/snmp/snmpd.conf:

createUser snmpv3user MD5 "snmpv3pass" DES

adding the following line to /usr/share/snmp/snmpd.conf:

rouser snmpv3user

root@server:~# service snmpd start

SNMPv3 Testing

Use snmpwalk to test the SNMP configuration. A successful test produces a large amount of output. The following sample output was produced by walking the Ubuntu/Debian server at its local IP address 192.168.1.1 with the v3 account created above.

### SAMPLE OUTPUT ###
iso.3.6.1.2.1.1.1.0 = STRING: "Linux server 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (68028) 0:11:20.28
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (0) 0:00:00.00
### And the walk goes on and on ###

Delete an SNMPv3 account

When an account is created with the net-snmp-config tool, its information is stored in two files: /var/lib/snmp/snmpd.conf and /usr/share/snmp/snmpd.conf. Deleting the account means removing the corresponding lines from both files.

root@server:~# service snmpd stop
root@server:~# vim /var/lib/snmp/snmpd.conf

## there should be a similar encrypted line that contains information on the user ##
## this line is removed ##
usmUser 1 3 0x80001f8880056e06573a1e895100000000 0x736e6d7076337573657200 0x736e6d7076337573657200 NULL .1.3.6.1.6.3.10.1.1.2 0x945ed3c9708ea5493f53f953b45a4513 .1.3.6.1.6.3.10.1.2.2 0x945ed3c9708ea5493f53f953b45a4513 ""

root@server:~# vim /usr/share/snmp/snmpd.conf

## the following line is removed ##
rouser snmpv3user

Do not forget to restart snmpd afterwards.

root@server:~# service snmpd start

Configure SNMPv3 in CentOS or RHEL

Compared with Ubuntu, configuring an SNMPv3 user in CentOS and RHEL uses a different helper command, but the steps are essentially the same.

First, install the necessary packages using yum:

[root@server ~]# yum install net-snmp-utils net-snmp-devel

After the installation is complete, stop snmpd and create a read-only SNMPv3 account.

[root@server ~]# service snmpd stop

[root@server ~]# net-snmp-create-v3-user -ro -A snmpv3pass -a MD5 -x DES snmpv3user

## OUTPUT ##

adding the following line to /var/lib/net-snmp/snmpd.conf:

createUser snmpv3user MD5 "snmpv3pass" DES

adding the following line to /etc/snmp/snmpd.conf:

rouser snmpv3user

[root@server ~]# service snmpd start

SNMPv3 Testing

snmpwalk is an excellent tool for testing the SNMP configuration and inspecting the output. A successful test produces a large amount of output.

[root@server ~]# snmpwalk -u snmpv3user -A snmpv3pass -a MD5 -l authNoPriv 192.168.1.2 -v3

### OUTPUT ###
SNMPv2-MIB::sysDescr.0 = STRING: Linux server.example.tst 2.6.32-71.el6.i686 #1 SMP Fri Nov 12 04:17:17 GMT 2010 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (28963) 0:04:49.63
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORID.1 = OID: SNMP-MPD-MIB::snmpMPDMIBObjects.3.1.1
SNMPv2-MIB::sysORID.2 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.5 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.6 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.7 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.8 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORDescr.1 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.3 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.5 = STRING: The MIB module for managing TCP implementations
### And the output continues ###

Delete an SNMPv3 account

SNMPv3 account information is stored in two files. To delete the account, remove the corresponding lines from both.

root@server:~# service snmpd stop

root@server:~# vim /var/lib/net-snmp/snmpd.conf

## there should be a similar encrypted line that contains information on the user ##
## this line is removed ##
usmUser 1 3 0x736e6d7076337573657200 0x736e6d7076337573657200 NULL .1.3.6.1.6.3.10.1.1.2 users .1.3.6.1.3.10.1.2.2 users ""

root@server:~# vim /etc/snmp/snmpd.conf

## the following line is removed ##
rouser snmpv3user

root@server:~# service snmpd start
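The usmUser line that has to be removed in the Ubuntu and CentOS deletion sections above is the persisted form of the account. The following Python is an added example, not code from the page or from net-snmp: it decodes the fields of the line quoted in the Ubuntu section and reproduces the RFC 3414 key localization (appendix A.2) that turns the password and the agent's engine ID into the key that is stored, which is why the file holds no plaintext password yet must still be protected like one.

```python
import hashlib

# Protocol OIDs from SNMP-USER-BASED-SM-MIB (RFC 3414) and RFC 3826 (AES).
USM_PROTOCOLS = {
    ".1.3.6.1.6.3.10.1.1.1": "noAuth", ".1.3.6.1.6.3.10.1.1.2": "MD5",
    ".1.3.6.1.6.3.10.1.1.3": "SHA",    ".1.3.6.1.6.3.10.1.2.1": "noPriv",
    ".1.3.6.1.6.3.10.1.2.2": "DES",    ".1.3.6.1.6.3.10.1.2.4": "AES",
}

def _octets(field):
    """net-snmp saves octet strings as 0x-prefixed hex, or as quoted text."""
    return bytes.fromhex(field[2:]) if field.startswith("0x") else field.strip('"').encode()

def parse_usm_user(line):
    """Decode one persisted usmUser line into its named fields."""
    f = line.split()
    if len(f) != 12 or f[0] != "usmUser":
        raise ValueError("not a usmUser line")
    return {
        "status": int(f[1]),              # 1 = active
        "storage_type": int(f[2]),        # 3 = nonVolatile
        "engine_id": _octets(f[3]),       # the agent's own snmpEngineID
        "user": _octets(f[4]).rstrip(b"\x00").decode(),
        "sec_name": _octets(f[5]).rstrip(b"\x00").decode(),
        "clone_from": f[6],
        "auth_proto": USM_PROTOCOLS.get(f[7], f[7]),
        "auth_key": _octets(f[8]),        # localized key, not the password
        "priv_proto": USM_PROTOCOLS.get(f[9], f[9]),
        "priv_key": _octets(f[10]),
    }

def localized_key(password, engine_id, hash_name="md5"):
    """RFC 3414 A.2: Ku = H(password repeated to 1 MiB); Kul = H(Ku || engineID || Ku)."""
    pw = password.encode()
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    ku = hashlib.new(hash_name, stream).digest()
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

# The line shown in the Ubuntu section; "snmpv3pass" is the password the page used.
PAGE_LINE = ("usmUser 1 3 0x80001f8880056e06573a1e895100000000 0x736e6d7076337573657200 "
             "0x736e6d7076337573657200 NULL .1.3.6.1.6.3.10.1.1.2 "
             "0x945ed3c9708ea5493f53f953b45a4513 .1.3.6.1.6.3.10.1.2.2 "
             "0x945ed3c9708ea5493f53f953b45a4513 \"\"")

if __name__ == "__main__":
    u = parse_usm_user(PAGE_LINE)
    print(u["user"], u["auth_proto"], u["priv_proto"], "stored key:", u["auth_key"].hex())
    # What "snmpv3pass" localizes to for this engine ID (createUser stores exactly Kul).
    print("derived key:", localized_key("snmpv3pass", u["engine_id"]).hex())
```

The auth and priv keys in the page's line are identical because createUser was given a single password, so the same Kul serves both protocols.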

Firewall adjustment (optional)

The firewall rules in the following example restrict the source IP addresses allowed to send SNMP queries. Two addresses, 192.168.1.100 and 192.168.1.101, are whitelisted; everything else to UDP port 161 is dropped.

root@server:~# iptables -A INPUT -s 192.168.1.100/32 -p udp --dport 161 -j ACCEPT
root@server:~# iptables -A INPUT -s 192.168.1.101/32 -p udp --dport 161 -j ACCEPT
root@server:~# iptables -A INPUT -p udp --dport 161 -j DROP

Configure SNMPv3 for Cisco switches and routers

Cisco switches and routers also support SNMPv3. The following example first creates an access control list (ACL) that restricts the source IP addresses allowed to send SNMP queries; this step is optional and can be skipped.

Set the access control list (ACL) (optional)

## Global config mode ##
ip access-list standard SNMP_ACL
permit 192.168.1.100
permit 192.168.1.100

SNMPv3 Configuration

The following configuration creates an SNMPv3 group named v3Group with the authNoPriv security level (the auth keyword). The optional access list defined above can also be attached to the group.

## Global config mode ##
## With ACL ##
snmp-server group v3Group v3 auth access SNMP_ACL

## Without ACL ##
snmp-server group v3Group v3 auth

The user v3user is created and added to v3Group, with an MD5 authentication password and an AES-128 privacy password:

snmp-server user v3user v3Group v3 auth md5 snmpv3pass priv aes 128 snmpv3pass

SNMPv3 Testing

SNMP users and their groups can be viewed on the Cisco device:

## Privileged EXEC mode ##
show snmp user

User name: v3user
Engine ID: ************************
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: v3Group

snmpwalk on any Linux host can be used to verify the configuration and check the output. The user name passed with -u is the v3user created above:

snmpwalk -u v3user -A snmpv3pass -a MD5 -l authNoPriv 192.168.1.3 -v3

iso.3.6.1.2.1.1.1.0 = STRING: "Cisco IOS Software"
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.9.1.1166
iso.3.6.1.2.1.1.7.0 = INTEGER: 78
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.2.1.0 = INTEGER: 54
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.1.2 = INTEGER: 2
iso.3.6.1.2.1.2.2.1.1.3 = INTEGER: 3
## Output truncated ##

I hope the above tutorials will help you.
