SNMPv3

Simple Network Management Protocol (SNMP) is an internet protocol that network devices can use to communicate with one another and share information.


What is SNMP?

What is the SNMP User?

An SNMP User is then associated with an SNMP Group. Adding a User to a Group limits the access and the views that User has. When the User is tied to the Group, the username and password are defined, along with the authentication and privacy (encryption) level the User must use.

What is an SNMP Group?

An SNMP View must be associated with an SNMP Group. The SNMP Group defines the type of access, read-only or read/write, and also specifies the security level that is required when interacting with the device in question.

What is the SNMP View?

The SNMP View defines what a manager is able to see on a Cisco device. SNMP gives whoever holds the credentials a lot of access to network devices; with enough access, device passwords can even be pulled. An SNMP View secures network management by restricting what is visible.

So, you might create a View that says, "I want people to only see the interfaces of this device." Or, "I want people to only see the statistics of that interface." You could even go further and say, "I want people to only see the statistics of one, specific interface of the device."

What's the difference between OID & MIB?

An OID (object identifier) is a dotted numeric string that names one value on the device.
A MIB is the database of all OIDs available on the device, describing which OID is linked to which value.

Example: you have an interface eth0/0. This interface has characteristics such as its current MTU, bandwidth, packet count and error count. Each characteristic can be represented by a numeric value:

Characteristic  Value
MTU             1500
Bandwidth       10000
Packets         2442334
Errors          1332

Each of these values can be queried or read using a specific OID. For example, MTU could be linked to OID 2.3.1.5.1.5.1.2.2.3.2.2.2.3.2.1 (an illustrative number, not the real ifMtu OID).

Setting up SNMPv3

Setting up SNMP View

snmp-server view ADMINView internet included
snmp-server view ADMINView mib-2 included
snmp-server view ADMINView cisco included
snmp-server view ADMINView ciscoEvMonSupplyStatusEntry.3 included
snmp-server trap-source VlanData
snmp-server source-interface informs VlanData
snmp-server enable traps snmp authentication
snmp-server enable traps rf
snmp-server enable traps memory
snmp-server enable traps config
snmp-server trap timestamp
snmp-server host <LOGGING SERVER IP> version 3 priv ADMIN

Adding SNMP-Server Host to ACL (Poller Account)

!ip access-list standard <ACL-NAME>
! permit <LOGGING SERVER IP>
ip access-list standard ADMIN_Poller
 permit 192.168.1.100

Setting up SNMP-Server Host

!snmp-server host <LOGGING SERVER IP> version 3 priv <SNMP_USER>
snmp-server host 192.168.1.100 version 3 priv ADMIN

Setting up SNMP User

!snmp-server user <USERNAME> <GROUPNAME> v3 auth sha <AUTH-PASSWORD> priv aes 128 <PRIV-PASSWORD> access <ACL-NAME>
snmp-server user ADMIN ADMINGroup v3 auth sha P@$$w0rd priv aes 128 P@$$w0rd access ADMIN_Poller

Setting up SNMP Group

!snmp-server group <GROUP-NAME> v3 priv read <SNMP-VIEW> write <SNMP-VIEW> access <ACL-NAME>
snmp-server group ADMINGroup v3 priv read ADMINView write ADMINView access ADMIN_Poller

SNMPv3 View Syntax

snmp-server view

Creates an SNMP view.

Syntax

snmp-server view view-name mib-subtree { excluded | included }

no snmp-server view view-name mib-subtree { excluded | included }

Command Default

All MIB objects are automatically excluded from any view unless they are explicitly included.

Parameters
  • view-name

Configures the alphanumeric name to identify the view. The names cannot contain spaces.

  • mib-subtree

Configures the name of the MIB object or family. You can use a wildcard (*) in the numbers to specify a sub-tree family.

  • excluded

Configures the MIB family identified to be excluded from the view.

  • included

Configures the MIB family identified to be included in the view.
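The view rules above (default excluded, included/excluded subtrees, a wildcard `*` inside the numbers) can be checked offline before the config is pushed. This is an added example, not Cisco code or code from this page: it parses `snmp-server view` lines and answers whether a given OID is visible, with a constructed config that includes the page's ADMINView and the "statistics of one specific interface" view from the prose. It assumes the standard numeric registrations for the names `internet`, `mib-2`, `interfaces` and `cisco`, and that on equal-length matches the later-defined entry wins (a simplification of the real VACM tie rule).

```python
import re
from typing import Dict, List, Optional, Tuple

# Standard OID registrations for the subtree names used in this config;
# any other name would have to be given numerically (example simplification).
MIB_NAMES = {"internet": "1.3.6.1", "mib-2": "1.3.6.1.2.1",
             "interfaces": "1.3.6.1.2.1.2", "cisco": "1.3.6.1.4.1.9"}

Family = Tuple[Tuple[str, ...], bool]  # (subtree with '*' wildcards, included?)

# Constructed config: the page's ADMINView, a view that hides the Cisco
# enterprise subtree, and a view exposing every ifTable column but only
# for the interface with ifIndex 3.
CONFIG = """
snmp-server view ADMINView internet included
snmp-server view ADMINView mib-2 included
snmp-server view ADMINView cisco included
snmp-server view NOCISCO internet included
snmp-server view NOCISCO cisco excluded
snmp-server view ONEIF interfaces.2.1.*.3 included
"""

def parse_subtree(text: str) -> Tuple[str, ...]:
    """'mib-2', 'interfaces.2.1.*.3' or '1.3.6.1' -> tuple of sub-identifiers."""
    head, _, rest = text.partition(".")
    oid = MIB_NAMES.get(head, head) + ("." + rest if rest else "")
    return tuple(oid.split("."))

def parse_views(config: str) -> Dict[str, List[Family]]:
    """Collect 'snmp-server view NAME SUBTREE included|excluded' lines per view."""
    views: Dict[str, List[Family]] = {}
    pat = re.compile(r"\s*snmp-server view (\S+) (\S+) (included|excluded)\s*$")
    for line in config.splitlines():
        m = pat.match(line)
        if m:
            name, subtree, action = m.groups()
            views.setdefault(name, []).append((parse_subtree(subtree), action == "included"))
    return views

def family_matches(family: Tuple[str, ...], oid: Tuple[str, ...]) -> bool:
    """A family covers an OID when it is a prefix of it; '*' matches any one sub-id."""
    return len(family) <= len(oid) and all(f in ("*", o) for f, o in zip(family, oid))

def oid_visible(view: List[Family], oid_text: str) -> bool:
    """Nothing matching means excluded (the command default); otherwise the
    longest matching family decides, later entries winning ties (assumption)."""
    oid = tuple(oid_text.split("."))
    best: Optional[Family] = None
    for fam in view:
        if family_matches(fam[0], oid) and (best is None or len(fam[0]) >= len(best[0])):
            best = fam
    return best[1] if best else False
```

Run `oid_visible(parse_views(CONFIG)["NOCISCO"], "1.3.6.1.4.1.9.9.1.0")` to see the longer `cisco excluded` entry override the `internet included` one.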

Troubleshooting SNMP Issues

Verify Switch is Using ACL

switch# sh snmp user

Verify Access List

switch# sh access-list

Verify ACL changes

switch# sh access-list