Configuring SNMPv3


Here is the configuration relation diagram for SNMPv3. A user can be added to a group or not, as you need. Once a user has joined a group, one or more kinds of view (notify-view, write-view, read-view) must be configured. Besides, the configuration required on the user changes with the security-level of the group, as shown in the three diagrams below. Note that notify-view, write-view and read-view are each optional, but you have to choose at least one of them. In the diagram below, view1, view2 and view3 can be the same or different.

NOTE:

Once created, the loopback interface always remains UP. Unlike a VLAN interface, which can go down unexpectedly, the loopback interface is more stable and therefore a much better choice for the SNMP configuration.
If the Pica8 switch is used as an SNMP agent and communicates with the SNMP NMS through an in-band port, it is highly recommended to use the IP address of a route-reachable loopback interface on the Pica8 switch as the address that snmpwalk talks to. This ensures that communication is not interrupted and keeps the SNMP process stable.


Configuring Basic Information

Contact and location information are configured as below, in the same way as for SNMPv2.


admin@XorPlus# set protocols snmp contact support@pica8.com
admin@XorPlus# set protocols snmp location beijing
admin@XorPlus# commit
Commit OK.
Save done.

Configuring trap-group

By default, trap messages are sent in SNMPv2 form. You can change this to SNMPv3 as below and designate the NMS to which trap messages are sent. Note that in SNMPv3 the security-name is a user, while in SNMPv2 the security-name is a community.

You can configure the source interface on the device from which traps are sent. The system uses the IP address of this interface as the source IP address of the traps, so the trap source can be identified on the NMS. To ensure device security, it is recommended that you set the source interface to the loopback interface.

admin@XorPlus# set l3-interface loopback lo address 10.226.14.201 prefix-length 32
admin@XorPlus# set protocols snmp trap-group version v3
admin@XorPlus# set protocols snmp trap-group targets 10.10.51.42 security-name user1
admin@XorPlus# set protocols snmp trap-group source-interface loopback
admin@XorPlus# commit
Commit OK.
Save done.

Setting Up a User

SNMPv3 is enabled by default. You should set up a usm-user first, before configuring the other SNMPv3 functions. Adding the user to a group is optional; when a user is added to a group, the needed views must be configured. A user created without being added to any group is configured as below. Note that in this case the NMS using this user can read every OID, but it cannot write and it receives no notifications.

admin@XorPlus# set protocols snmp v3 usm-user user1
admin@XorPlus# commit
Commit OK.
Save done.

Configuring Mib-view

To improve security, add the user to a group. You can then configure a read-view, write-view or notify-view (one kind or more, as you need), which defines what the NMS is allowed to do. Before configuring a read-view, write-view or notify-view, set up a mib-view, which the group then uses as its view. The configuration is as below. In a mib-view you can include or exclude subtrees and can also configure a mask for each of them.


admin@XorPlus# set protocols snmp v3 usm-user user2 group group1
admin@XorPlus# set protocols snmp v3 mib-view view1 subtree 1.3.6.1.2.1 type included
admin@XorPlus# set protocols snmp v3 mib-view view1 subtree 1.3.6.1.2.1.6.13 type excluded
admin@XorPlus# set protocols snmp v3 mib-view view1 subtree 1.3.6.1.2.1 mask fc
admin@XorPlus# set protocols snmp v3 mib-view view1 subtree 1.3.6.1.2.1.6.13 mask ff
admin@XorPlus# set protocols snmp v3 group group1 read-view view1
admin@XorPlus# set protocols snmp v3 group group1 write-view view1
admin@XorPlus# set protocols snmp v3 group group1 notify-view view1
admin@XorPlus# commit
Commit OK.
Save done.
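To see what view1 above actually permits, here is an added Python model (not Pica8 code) of how an SNMPv3 agent evaluates a MIB view under RFC 3415 VACM: each family's subtree, included/excluded type and hex mask from the configuration are fed in, and the most specific matching family decides whether an OID is visible. It goes beyond the page's masks fc and ff, which match every sub-identifier, by also handling wildcard (zero) mask bits.

```python
"""RFC 3415 (VACM) MIB-view evaluation for the view1 configured above.

Added illustration, not Pica8 code. A view is a list of families
(subtree, included/excluded, hex mask). The mask says, MSB first, which
sub-identifiers of the subtree must match (1) or are wildcards (0);
sub-identifiers past the end of the mask must match."""

def parse_oid(oid: str) -> tuple:
    return tuple(int(x) for x in oid.strip(".").split("."))

def mask_flags(mask_hex: str, length: int) -> list:
    """Expand a hex mask into one must-match flag per subtree sub-identifier."""
    flags = [bool((b >> s) & 1)
             for b in bytes.fromhex(mask_hex) for s in range(7, -1, -1)]
    flags = flags[:length]
    return flags + [True] * (length - len(flags))

def family_matches(oid: tuple, subtree: tuple, mask_hex: str) -> bool:
    """An OID matches a family if it is at least as long as the subtree and
    agrees with it on every sub-identifier whose mask bit is set."""
    if len(oid) < len(subtree):
        return False
    flags = mask_flags(mask_hex, len(subtree))
    return all(o == s or not must for o, s, must in zip(oid, subtree, flags))

def oid_in_view(view: list, oid_str: str) -> bool:
    """True if the OID is visible. Of all matching families the longest
    subtree wins; among equal lengths the lexicographically greatest."""
    oid = parse_oid(oid_str)
    best = None
    for subtree_str, ftype, mask in view:
        subtree = parse_oid(subtree_str)
        if family_matches(oid, subtree, mask):
            rank = (len(subtree), subtree)
            if best is None or rank > best[0]:
                best = (rank, ftype)
    return best is not None and best[1] == "included"

# Mirrors the page: view1 includes 1.3.6.1.2.1 (mask fc) and excludes
# 1.3.6.1.2.1.6.13 (mask ff).
VIEW1 = [
    ("1.3.6.1.2.1", "included", "fc"),
    ("1.3.6.1.2.1.6.13", "excluded", "ff"),
]

if __name__ == "__main__":
    for probe in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.6.13.1.1", "1.3.6.1.4.1.1"):
        print(probe, "visible" if oid_in_view(VIEW1, probe) else "hidden")
```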

Configuring Security-level

You can improve security further by configuring a security-level for the group. The default security-level is NoAuthNoPriv; you can change it to AuthNoPriv or AuthPriv. Remember to configure authentication-mode, authentication-key, privacy-mode and privacy-key for the user accordingly. The configuration is as below.


admin@XorPlus# set protocols snmp v3 group group1 security-level AuthPriv
admin@XorPlus# set protocols snmp v3 usm-user user1 authentication-mode md5
admin@XorPlus# set protocols snmp v3 usm-user user1 authentication-key authnkey
admin@XorPlus# set protocols snmp v3 usm-user user1 privacy-mode des
admin@XorPlus# set protocols snmp v3 usm-user user1 privacy-key privykey
admin@XorPlus# commit
Commit OK.
Save done.
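The authentication-key and privacy-key above are passwords, not the keys used on the wire. As an added example (not Pica8 code), the following Python implements the RFC 3414 password-to-key and key-localization steps that both the agent and the NMS perform, checked against the RFC's own test vector; md5 and des appear because the page configures them, and both are legacy algorithms.

```python
"""RFC 3414 (USM) password-to-key and key localization.

Added illustration, not Pica8 code: the authentication-key and privacy-key
set on a usm-user are passwords; the key an agent or NMS actually uses is
derived from the password and the agent's snmpEngineID, so the same
password yields a different key on every switch."""
import hashlib

def password_to_ku(password: str, hash_name: str) -> bytes:
    """Step 1 (RFC 3414 A.2): hash the password repeated to exactly 1 MiB."""
    pw = password.encode()
    reps, rem = divmod(1_048_576, len(pw))
    return hashlib.new(hash_name, pw * reps + pw[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Step 2 (RFC 3414 2.6): Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def localized_key(password: str, engine_id: bytes, hash_name: str) -> bytes:
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)

def des_material(priv_password: str, engine_id: bytes, hash_name: str):
    """For privacy-mode des (RFC 3414 8.1.1.1): the privacy password is
    localized with the authentication hash; the first 8 bytes of the
    result are the DES key and the next 8 bytes the pre-IV."""
    kul = localized_key(priv_password, engine_id, hash_name)
    return kul[:8], kul[8:16]

# Test vector from RFC 3414 Appendix A.3: password "maplesyrup",
# snmpEngineID 0x000000000000000000000002.
RFC_ENGINE_ID = bytes(11) + b"\x02"
RFC_MD5_KUL = "526f5eed9fcce26f8964c2930787d82b"
RFC_SHA_KUL = "6695febc9288e36282235fc7151f128497b38f3f"

if __name__ == "__main__":
    # md5/des mirror the page's usm-user settings; both are legacy algorithms.
    kul = localized_key("maplesyrup", RFC_ENGINE_ID, "md5")
    print("MD5 Kul matches RFC vector:", kul.hex() == RFC_MD5_KUL)
    # A constructed second engine ID shows why keys do not carry over between agents.
    other = localized_key("maplesyrup", bytes(11) + b"\x03", "md5")
    print("Same password on another engineID gives the same key?", kul == other)
```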

NMS Accesses the Switch as a User

The NMS reads the OID subtree 1.3.6.1.2.1.6.13 as below. user1 is the user name, AuthPriv is the security-level of the group, and 10.10.51.155 is the IP address of the switch. The authentication and privacy protocols and passphrases given to snmpwalk must match those configured for user1 above.

pica8@pica8:~$ snmpwalk -u user1 -l AuthPriv -a MD5 -A authnkey -x DES -X privykey 10.10.51.155 1.3.6.1.2.1.6.13

Enable or Disable LLDP SNMP Trap

The LLDP SNMP trap is enabled by default. You can use the following command to disable it, after which no more LLDP trap messages are sent to SNMP.

admin@XorPlus# set protocols lldp snmp-trap false
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.

Copyright © 2024 Pica8 Inc. All Rights Reserved.