This will be a quick post in regards to adding a Cisco IOS device to a Solarwinds Orion Network Management System (NMS). Of course, there are other NMS products available so this tutorial will focus more on the IOS side of configuration and less on the NMS side.
The negative side of SNMP v3 that I am running into though is on the NMS side. I can’t speak for all NMS products, but to send SNMP V3 traps requires the NMS to support this feature.
Currently, the Windows Server Operating System does not support SNMP V3 traps, and at present, neither does Orion.
Solarwinds has mentioned that they are building their own SNMP trap service for SNMP V3 but it is not out yet.
If anyone knows of an NMS that can accept SNMP V3 traps please let me know.
I believe CiscoWorks now supports SNMP V3 but I have not used it in years.
Here we go into the configuration.
We will start off with the configuration of the Cisco Router and then fill in the form shown above. In this example, we will just be enabling READ Access for polling; there will be no WRITE Access. As well, we will be only allowing our NMS host to poll the IOS device.
Let’s create a standard named access-list that will permit our NMS only and deny everything else. We will use the implicit deny for this. Our NMS host will have the IP address of 10.10.10.10:
ip access-list standard ACL_SNMP_ACCESS
permit host 10.10.10.10
Now we will go into the configuration of the SNMP V3 settings. We first start with creating an SNMP View. A view defines which SNMP objects can be accessed on the device.
A defined view can then be assigned to a group, and of course the users can be added to that group. The internet SNMP object is one that encompasses all of the SNMP objects and that is what we will use here. Refer to the cisco documentation to discover the other MIB names that can be assigned.
snmp-server view SNMP_VIEW _RO internet included
We will define a group and link the view created above to this group. We will also attach the access-list created earlier to this group so that only our NMS can access this group for SNMP read access.
If you don’t assign a read view to a group, all SNMP objects are allowed to be read. If you don’t assign a write view, then all SNMP objects will deny any write access.
There is another view called notify and if this is not defined then no SNMP objects can send notifications to the members within the group.
The other important aspect of the group configuration is whether you want authentication and encryption. We will use the keyword “priv” to define that we want both authentication and encryption.
snmp-server group SNMP_RO_GROUP v3 priv read SNMP_VIEW_RO access acl_snmp_access
A user can now be defined and added to the group we just configured. Note that you will have to see what encryption and hashing algorithms are available on the NMS at this point.
Cisco offers a good range of choices depending on the model and IOS version of the device.
Orion offers des or aes 128 for the encryption at present.
We will use aes 128 for our setup here.
snmp-server user SNMP_RO_USER SNMP_RO_GROUP v3 auth sha secret_auth priv aes 128 secret_priv
You could also assign an access-list to the user if needed, but we have one configured for the group so this will also apply to all users of the group.
I also like to add some other snmp commands to the router and these are:
snmp-server ifindex persist
This command will keep interfaces assigned the same identifier as there is a possibility that it may change between reloads.
snmp-server location Calgary Alberta
snmp-server contact firstname.lastname@example.org
This is just basic snmp commands to set administrative details for informational use.
Going back to the Orion form for adding a new device, we will fill in the details and make sure the IOS device can be added to the NMS and polled.
You should be able to poll the device and get SNMP statistics such as CPU and memory usage, etc. Hope you enjoyed this quick implementation of SNMP v3 on an IOS device along with NMS polling. Stay tuned for the implementation of SNMP V3 traps/informs setup.