Solved: Cisco SNMPv3 Configuration.

sean.martinez

NOTE: This is a quick recreation of an existing document, if you are logged into Thwack, you will be able to see the visual color codes here  https://thwack.solarwinds.com/t5/Group-Archive/Cisco-SNMPv3-Configuration-Example/gpm-p/536423

PURPOSE: This is for Basic setup for Cisco IOS, ASA, and Nexus

Reference:  SNMPv3

Notes for the Guide:

Username: TestSNMPv3User

Password: P@$$w0rd

View Name:  TestSNMPv3View

Group Name: TestSNMPv3Group

• 1. 1. Create the View
        • Example Command: SNMP-Server view TestSNMPv3View Internet included
          1. If you see %Bad OID, then Internet does not exist, use ISO (if exists), or 1.3.6
             • Included MIB Family is included in the view
             • Excluded MIB Family is excluded from the view
     2. Create the Group
        • • Example Command: SNMP-Server group TestSNMPv3Groupv3privReadTestSNMPv3ViewWriteTestSNMPv3View
            1. 1. v1: Group using the v1 security model
               2. v2c: Group using the v2c security model
               3. v3: Group using the User security model (SNMPv3)
               4. Auth: Group using the authNoPriv Security Model
               5. Noauth: Group using the noAuthNoPriv Security Model
               6. Priv: Group using the authPriv Security Model
               7. Access: Specify an access-list associated with this group
               8. Context: Specify a context to associate these views for the group
               9. Notify: Specify a notify view for the Group – Send a syslog every time a view is touched
               10. Read: Specify a read view for the group
               11. Write: Specify a write view for the group
     3. Create the User (usually do not see the user in Show Run/Show Start configurations)
        • • 1. Example Command: SNMP-Server user TestSNMPv3UserTestSNMPv3Groupv3Auth SHA P@$$w0rd priv AES P@$$w0rd
          • 1. Remote: Specify a remote SNMP entity to which the user belongs
            2. v1: Group using the v1 security model
            3. v2c: Group using the v2c security model
            4. v3: Group using the User security model (SNMPv3)
            5. Access: Specify an access-list associated with this group
            6. Auth: Authentication parameters for the user
            7. Encrypted: Specifying passwords as MD5 or SHA digests
            8. MD5: Use HMAC MD5 algorithm for authentication
            9. SHA: Use HMAC SHA1 algorithm for authentication
            10. 3DES: Use 168 bit 3DES algorithm for encryption
            11. AES: Use AES 128, 192, or 256 bit algorithm for encryption
            12. DES: Use 56 but DES algorithm for encryption
     4. Send to Destination Host (Required for ASA, optional for others)
        1. Command (ASA Only): SNMP-Server Host inside10.10.1.161 version 3 TestSNMPv3Group

Note: 10.10.1.161 is the Solarwinds server. If the Server is not in the list, then you will not be able to add the Device

• 1. 1. 1. inside   Name of interface Vlan1
        2. outside  Name of interface Vlan2

Example of the configurations

Cisco IOS

SNMP-Server view TestSNMPv3View Internet included

SNMP-Server group TestSNMPv3Group v3 priv Read TestSNMPv3View Write TestSNMPv3View

SNMP-Server user TestSNMPv3User TestSNMPv3Group v3 auth SHA P@$$w0rd priv AES P@$$w0rd

SNMP-Server group TestSNMPv3Group v3 priv context vlan match prefix

Cisco ASA

SNMP-Server group TestSNMPv3Group v3 priv

SNMP-Server user TestSNMPv3User TestSNMPv3Group v3 auth SHA P@$$w0rd priv AES P@$$w0rd

SNMP-Server Host inside 10.10.1.161 version 3 TestSNMPv3User

Cisco Nexus

                              snmp-server user TestSNMPv3User auth sha TestSNMPv3User priv aes-128 P@$$w0rd

Adding the device in Orion: Note: Do not initially add Read/Write Credentials, select Test and if successful, it works.

Troubleshooting Cisco

IOS

• • 1. Important Commands to use to Remove existing configurations, please use ? for more options:
       1. No snmp-server group
       2. No snmp-server user
       3. No snmp-server host
    1. Views  - contained in groups
       1. Views define what MIBs are available on the Device

• • Also Note the Host and the Interface it is going out on
  • 1. Command: snmp-server host 10.10.1.6 version 3 auth TestSNMPv3User version 3
       1. The authentication must match the same as the SNMPv3 configuration
  • You can add the following on the same command line to generate Traps:
  • 1. Server 2008:
       1. C:\ProgramData\Solarwinds\Logs\Orion\TrapService.log
  • If you see the following Error please see This KB

UDT Module:

While everything works by default on SNMPv2, you will need to add new commands to the Cisco devices to expose per VLAN values for this MIB. According to Cisco, SNMPv2 and SNMPv3 work quite differently when polling the BRIDGE-MIB which contains these layer 2 values.

To Allow all VLANs, for most Cisco Devices:

                                   SNMP-Server group TestSNMPv3Group v3 priv context vlan match prefix

If the Above does not show all VLANs, your version of IOS needs to have each VLAN explicitly listed.

• 1. Command: snmp-server group OurGroupName v3 priv context vlan-3
  2. Command: snmp-server group OurGroupName v3 priv context vlan-10
  3. Command: snmp-server group OurGroupName v3 priv context vlan-41

mjperkins

On a Cisco, you can specify (at least) 128 or 256-bit key length. In full the command would read:

snmp-server user TestSNMPv3User TestSNMPv3Group v3 auth SHA "AuthP@$$w0rd" priv aes 256 "PrivP@$$w0rd"

I have also found that enclosing the passwords in double-quotes makes a difference, especially when using any special characters.