Configuring SNMPv3
Here is the configuration relation diagram in SNMPv3.A user can be added to a group or not as you need.Once a user joined a group,one or more kinds of views (notfiy-view, write-view, read-view) must be configured.Besides, configurations on user change with the security-level of the group as below 3 diagrams. Note notify-view,write-view and read-view are optional but you have to choose at least one view.In the below diagram,view1,view2,view3 can be the same or different.
NOTE:
Once created, the loopback interface will always remain UP. Unlike any VLAN interface which can go down accidentally, the loopback interfaces are more stable and hence a much better choice for the SNMP configuration.
If the Pica8 switch is used as an SNMP Agent device and communicates with the SNMP NMS through the inband port, it is highly recommended to use the IP address of the route reachable loopback interface on the Pica8 switch as the communication address for Snmpwalk, which will ensure that communication is not interrupted and provide stablibility to the SNMP process.
Configuring Basic Information
Contact and location information can be configured as below which is the same as SNMPv2.
admin@XorPlus# set protocols snmp contact support@pica8.com admin@XorPlus# set protocols snmp location beijing admin@XorPlus# commit Commit OK. Save done.
Configuring trap-group
By default, trap messages are sent in the form of SNMPv2. But you can change it to SNMPv3 as below and designate NMS to which trap messages are sent. Note that in SNMPv3, security-name is user while in SNMPv2, security-name is community.
You can configure the source interface on the device from which traps are sent. The system specifies the IP address of this interface as the source IP address of traps. In this way, the trap source can be identified on the NMS. To ensure device security, it is recommended that you set the source interface to the loopback interface.
admin@Xorplus# set l3-interface loopback lo address 10.226.14.201 prefix-length 32 admin@XorPlus# set protocols snmp trap-group version v3 admin@XorPlus# set protocols snmp trap-group targets 10.10.51.42 security-name user1 admin@Xorplus# set protocols snmp trap-group source-interface loopback admin@XorPlus# commit Commit OK. Save done.
Setting Up a User
By default, SNMPv3 is enabled. And you should set up a usm-user first before you configure other functions of SNMPv3. Besides, adding a user to a group is optional. When a user is added to a group, the needed views should be configured. If you create a user without adding to any groups, you can configure as below. However, under the below circumstance, all the OIDs can be visited by its NMS which can read but can't write and be notified.
admin@XorPlus# set protocols snmp v3 usm-user user1 admin@XorPlus# commit Commit OK. Save done.
Configuring Mib-view
If you want to improve security, the user needs to be added to a group. Because in this way, you can configure a read-view, write-view or notify-view(you can choose only one kind or more as you need) which defines the authority of a NMS. Before configuring a read-view(write-view or notify-view), please set up a mib-view which is used as a view of the group. Here are the configurations. As for a mib-view, you can include or exclude some subtrees and can also configure mask for them.
admin@XorPlus# set protocols snmp v3 usm-user user2 group group1 admin@XorPlus# set protocols snmp v3 mib-view view1 subtree 1.3.6.1.2.1 type included admin@XorPlus# set protocols snmp v3 mib-view view1 subtree 1.3.6.1.2.1.6.13 type excluded admin@XorPlus# set protocols snmp v3 mib-view view1 subtree 1.3.6.1.2.1 mask fc admin@XorPlus# set protocols snmp v3 mib-view view1 subtree 1.3.6.1.2.1.6.13 mask ff admin@XorPlus# set protocols snmp v3 group group1 read-view view1 admin@XorPlus# set protocols snmp v3 group group1 write-view view1 admin@XorPlus# set protocols snmp v3 group group1 notify-view view1 admin@XorPlus# commit Commit OK. Save done.
Configuring Security-level
You can improve security better by configuring security-level for the group. And the default setting of security-level is NoAuthNoPriv. You can change it to AuthNoPriv or AuthPriv. But please remember to configure authentication-mode, authentication-key, privacy-mode, privacy-key for the user. Configuration are as below.
admin@XorPlus# set protocols snmp v3 group group1 security-level AuthPriv admin@XorPlus# set protocols snmp v3 usm-user user1 authentication-mode md5 admin@XorPlus# set protocols snmp v3 usm-user user1 authentication-key authnkey admin@XorPlus# set protocols snmp v3 usm-user user1 privacy-mode des admin@XorPlus# set protocols snmp v3 usm-user user1 privacy-key privykey admin@XorPlus# commit Commit OK. Save done.
NMS Visits Switch by user
NMS reads OID tree 1.3.6.1.2.1.6.13 as below. user1 is the user's name. AuthPriv is the security-level of group. 10.10.51.155 is the IP of the switch.
pica8@pica8:~$snmpwalk -u user1 -l AuthPriv -A sha -a u1111key -X des -x u1111key 10.10.51.155 1.3.6.1.2.1.6.13
Enable or Disable LLDP SNMP Trap
The LLDP SNMP trap is enabled by default. You can use the following command to disable LLDP SNMP trap, then there will be no more LLDP trap message sends to snmp.
admin@Xorplus# set protocols lldp snmp-trap false admin@Xorplus# commit Waiting for merging configuration. Commit OK. Save done.
Copyright © 2024 Pica8 Inc. All Rights Reserved.