How to configure RO SNMPv3 access on Cisco NX-OS?
Hi all,
We want to start monitoring our port states and performance on our Cisco SAN switches (SAN-OS and NX-OS) via SNMP. Since SNMPv3 is a lot more secure than SNMPv2, I want to enforce SNMPv3 all the way: authentication and privacy/encryption of SNMP traffic. However, I'm starting to get rather confused on how to configure it correctly. Security is a big thing, so I want to close the config down as much as I can.
I've tried configuring it via Fabric Manager: I created a user with the network-operator (=RO) role. Secondly, I created a community string, again with role network-operator.
Now, I can't believe this is all I need to do. Nowhere in the GUI is it enforced that I actually create a user, and I can't map a user to a community string. Which leads me to believe that, yes, I can use SNMPv3 and authenticate when querying the community string, but I can ALSO just query the community string using v1/v2c and get on with it. Does that make sense?
Asking Google nicely, I found a piece of Nexus config:
1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7010-1(config)# snmp-server user NMS auth sha Cisc0123! priv Cisc0123! engineID 00:00:00:63:00:01:00:10:20:15:10:03
N7010-1(config)# snmp-server host 10.100.22.254 informs version 3 auth NMS
N7010-1(config)# snmp-server community public ro
N7010-1(config)# snmp-server community nxos rw
N7010-1(config)# show snmp
[...]
Community   Group / Access     context   acl_filter
---------   --------------     -------   ----------
nxos        network-admin
public      network-operator
______________________________________________________________
SNMP USERS
______________________________________________________________
User         Auth   Priv(enforce)   Groups
____         ____   _____________   ______
admin        md5    des(no)         network-admin
nxos-admin   sha    des(no)         network-operator
______________________________________________________________
NOTIFICATION TARGET USERS (configured for sending V3 Inform)
______________________________________________________________
User   Auth   Priv
____   ____   ____
NMS    sha    des
(EngineID 0:0:0:63:0:1:0:10:20:15:10:3)
SNMP Tcp Authentication Flag : Enabled.
[...]
-----------------------------------------------------------------------------------
SNMP protocol : Enabled
-------------------------------------------------------------------
Context [Protocol instance, VRF, Topology]
N7010-1# show snmp user
______________________________________________________________
SNMP USERS
______________________________________________________________
User         Auth   Priv(enforce)   Groups
____         ____   _____________   ______
admin        md5    des(no)         network-admin
nxos-admin   sha    des(no)         network-operator
______________________________________________________________
NOTIFICATION TARGET USERS (configured for sending V3 Inform)
______________________________________________________________
User   Auth   Priv
____   ____   ____
NMS    sha    des
(EngineID 0:0:0:63:0:1:0:10:20:15:10:3)
N7010-1(config)# exit
N7010-1# copy running-config startup-config
[########################################] 100%
N7010-1#
Again, I can see a user and community strings being created. In between I can see a mapping between a host, the freshly created user and SNMPv3. But this is for SNMP informs, which (if I'm not mistaken) are event-based "pushes" from the switch to the management station that needs to send out an alert. NOT the other way around: a server periodically polling the switch for statistics.
I'm confused. Who can help me out on how to configure this securely?
JonK1
September 19th, 2012 08:00
Ok, that was actually much easier than I expected!
I configured a user with RO access and a community string with RO access. To create the user, I used the following syntax:
I then downloaded SNMPtester. The name of the tool says it all: you can test SNMP queries against a device. You can also select the SNMP version you want to use. I selected V3, entered the credentials and encryption key, the switch IP address I just configured and requested the uptime. Voila, result: SNMPv3 was working.
To test security, I then switched back to SNMPv1. I entered the community string, requested uptime again -> result! Damn, that's not what I want...
I noticed a change in the interface though; apparently you do NOT need to enter a community string for SNMPv3, only user/pwd/encryption key! To retest, I removed the community string from the switch config. I ran the SNMPv3 uptime check -> result. SNMPv1/v2c -> timeout. Voila! Just what I wanted.
So to clarify: at this time, you have ONLY added a new user. There are no community strings present at all; it seems they are not needed with SNMPv3!
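The thread above ends with the two things that matter: create an SNMPv3 user in the read-only network-operator group, and remove every community string so that v1/v2c polls time out. The script below is an added example, not code from the original post or from Cisco; it renders the NX-OS lines to paste under "conf t" and then re-runs the author's test from a net-snmp host (an SNMPv3 authPriv poll that must answer, followed by v1 and v2c community polls that must fail). The user name NMS, the management-station address 10.100.22.254, the ACL name SNMP-FROM-NMS and the passphrases are placeholders for this example; `snmp-server user ... use-ipv4acl` is newer NX-OS syntax that older SAN-OS/NX-OS releases may not accept, so check `show snmp user` after applying it. Two checks worth doing on the switch itself: `show snmp community` should list nothing, and `show snmp user` should show `(yes)` in the Priv(enforce) column, since NX-OS also exposes CLI accounts such as `admin` (visible in the output pasted in the question) as SNMPv3 users and `snmp-server globalEnforcePriv` is what stops any of them being polled with authentication only.

```shell
#!/bin/sh
# Added example (not from the original thread): render a locked-down SNMPv3 RO
# configuration for Cisco NX-OS, then verify from a net-snmp host that only
# SNMPv3 authPriv polling works. All names, addresses and passphrases below
# are placeholders chosen for this example.

NMS_USER="${NMS_USER:-NMS}"                # assumed SNMPv3 user name
NMS_IP="${NMS_IP:-10.100.22.254}"          # assumed management-station address
AUTH_PASS="${AUTH_PASS:-ChangeMeAuth123}"  # NX-OS requires at least 8 characters
PRIV_PASS="${PRIV_PASS:-ChangeMePriv123}"

# Emit the NX-OS lines to paste under "conf t". network-operator is the RO group.
# Repeat the "no snmp-server community" line for every name that
# "show snmp community" still lists; "public" is only the usual example.
nxos_snmpv3_config() {
  cat <<EOF
no snmp-server community public
ip access-list SNMP-FROM-NMS
  permit udp host ${NMS_IP} any eq snmp
snmp-server user ${NMS_USER} network-operator auth sha ${AUTH_PASS} priv aes-128 ${PRIV_PASS}
snmp-server user ${NMS_USER} enforcePriv
snmp-server user ${NMS_USER} use-ipv4acl SNMP-FROM-NMS
snmp-server globalEnforcePriv
EOF
}

# Poll sysUpTime.0 over SNMPv3 authPriv (SHA-1 HMAC + AES-128, matching
# "auth sha ... priv aes-128" on the switch). Returns snmpget's exit status.
poll_v3() {   # $1 = switch address
  snmpget -v3 -l authPriv -u "$NMS_USER" -a SHA -A "$AUTH_PASS" \
          -x AES -X "$PRIV_PASS" -t 2 -r 1 "$1" sysUpTime.0 >/dev/null 2>&1
}

# Poll with a community string over v1 or v2c; this must time out once the
# community strings are gone from the switch.
poll_community() {   # $1 = switch address, $2 = version (1|2c), $3 = community
  snmpget -v "$2" -c "$3" -t 2 -r 1 "$1" sysUpTime.0 >/dev/null 2>&1
}

# Turn the three exit codes into a verdict. Returns 0 only when the v3 poll
# answered and both community-string polls failed.
snmp_verdict() {   # $1 = v3 rc, $2 = v1 rc, $3 = v2c rc
  if [ "$1" -ne 0 ]; then
    echo "FAIL: SNMPv3 authPriv poll did not succeed (rc=$1)"
    return 1
  fi
  if [ "$2" -eq 0 ] || [ "$3" -eq 0 ]; then
    echo "FAIL: a community string still answers (v1 rc=$2, v2c rc=$3)"
    return 2
  fi
  echo "PASS: only SNMPv3 authPriv is accepted"
  return 0
}

# Run all three polls against one switch and print the verdict.
check_host() {   # $1 = switch address, $2 = community to probe (default: public)
  rc3=0; poll_v3 "$1" || rc3=$?
  rc1=0; poll_community "$1" 1  "${2:-public}" || rc1=$?
  rc2=0; poll_community "$1" 2c "${2:-public}" || rc2=$?
  snmp_verdict "$rc3" "$rc1" "$rc2"
}

# Usage: SNMP_TARGET=<switch-ip> [SNMP_COMMUNITY=<old string>] sh snmp_check.sh
# Requires net-snmp's snmpget on the polling host. Nothing runs without a target.
if [ -n "${SNMP_TARGET:-}" ]; then
  check_host "$SNMP_TARGET" "${SNMP_COMMUNITY:-public}"
fi
```

Probe with the community string you just removed, not a random one: a random string failing proves nothing, while the old string timing out is the same evidence the author collected with SNMPtester. A v3 poll that fails with "Authentication failure" rather than a timeout usually means the passphrases on the two sides differ, which is easy to do on NX-OS when the same string is reused for auth and priv.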