Answers: SNMPv3 2

This lab asks you to use both authentication and privacy with SNMPv3, so it takes a few longer commands compared to some SNMP configurations. Focus on the basics, because there are many basics with SNMPv3 configuration. Especially for this lab, it is very important to try the lab first, to make your brain think through the options.
Answers
Figure 72.16: Topology Used for SNMPv3 Labs
Example 3: Router R1 and R2 – Identical Config
snmp-server group Certskills v3 priv access ServerOnly
snmp-server user Youdda Certskills v3 auth sha mysecretpassword priv aes 128 mysecretpassword
!
snmp-server enable traps
snmp-server host 172.20.2.9 informs version 3 priv Youdda
!
ip access-list standard ServerOnly
 permit host 172.20.2.9
Commentary
The four snmp-server commands use the correct syntax and match the logic laid out in the requirements. Working through the sample answer’s four commands in the order listed in Example 3:
Command 1: snmp-server group
The first command creates an SNMP group, a configuration construct that gathers several SNMPv3 parameters so the snmp-server user command can reference them by name. It is simply the way Cisco’s team built the SNMPv3 configuration.
The command lists these key parameters:
group Certskills: defines the group name, a name I made up and that the lab requirements told you to use.
v3: keyword that defines the version.
priv: defines that this group performs both authentication and privacy (encryption).
access ServerOnly: references IPv4 ACL ServerOnly, which filters incoming SNMP messages. This ACL matches packets with source address 172.20.2.9, the SNMP server’s IP address.
This command is also the starting point for some common mistakes. In this case, note the absence of a write viewname parameter, which means that this group does not support writing to the MIB (that is, it does not support the Set command). Also, note that the priv keyword on this command means that both auth and priv must be used on any snmp-server user command that refers to this group.
Command 2: snmp-server user
The second command completes the work to enable support for Get commands. This command defines the user (Youdda per the instructions) and links it to the first command. Specifically:
Certskills: refers to the name listed in the snmp-server group Certskills command.
v3: keyword that defines the version.
auth sha mysecretpassword: defines that the user should use authentication, with SHA as the protocol, with a password of mysecretpassword.
priv aes 128 mysecretpassword: defines that the user should use privacy, with AES using 128 bit keys, with a password of mysecretpassword.
Command 3: snmp-server enable traps
The third command is simple: it enables the router to send Trap (and Inform) messages, assuming the related configuration in command 4 is also completed. The fourth command is the one that defines whether Traps or Informs are sent (Informs for this lab).
Command 4: snmp-server host
The last command completes the configuration to enable the sending of Inform messages. Traps (and Informs) require that the router know to what IP address to send the Trap or Inform message, that is, the address of the SNMP manager. This command defines the address, and whether to send Traps or Informs, as follows:
host 172.20.2.9: Identifies the IP address of the SNMP manager.
informs: keyword that tells IOS this command is enabling the sending of Inform messages rather than Trap messages.
version 3: keywords that define the version.
priv: defines that the user should use both authentication and privacy.
Youdda: defines the username (per the snmp-server user command) used for SNMPv3 authentication and privacy.
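The commentary above describes how the four commands must agree with each other: the group’s priv level forces auth and priv on the user, the host entry must name a v3 user and security level, and the host entry sends nothing unless snmp-server enable traps is present. The following Python script is an added example, not part of the lab answer or any Cisco tool: it parses the snmp-server and ip access-list lines of a config extract and reports exactly those mismatches. The two sample configs embedded in it are constructed for the example; the first is the lab answer as given, the second deliberately drops priv from the user, leaves priv on the host, and omits snmp-server enable traps.

```python
"""Consistency linter for a Cisco IOS SNMPv3 configuration extract (added example)."""

LEVELS = {"noauth": 0, "auth": 1, "priv": 2}


def parse_snmp_config(text):
    """Parse the snmp-server and ip access-list lines into a small dictionary."""
    cfg = {"groups": {}, "users": {}, "hosts": [], "enable_traps": False, "acls": set()}
    for raw in text.splitlines():
        tok = raw.strip().split()
        if not tok or tok[0] == "!":
            continue
        if tok[:2] == ["ip", "access-list"] and len(tok) >= 4:
            cfg["acls"].add(tok[3])  # ip access-list standard|extended NAME
        elif tok[:2] == ["snmp-server", "enable"]:
            cfg["enable_traps"] = True  # snmp-server enable traps [...]
        elif tok[:2] == ["snmp-server", "group"] and len(tok) >= 4:
            # snmp-server group NAME v3 {noauth|auth|priv} [read V] [write V] [access ACL]
            group = {"version": tok[3], "level": "noauth", "write": "write" in tok, "acl": None}
            if tok[3] == "v3" and len(tok) > 4 and tok[4] in LEVELS:
                group["level"] = tok[4]
            if "access" in tok:
                group["acl"] = tok[tok.index("access") + 1]
            cfg["groups"][tok[2]] = group
        elif tok[:2] == ["snmp-server", "user"] and len(tok) >= 4:
            # snmp-server user NAME GROUP v3 [auth {md5|sha} PW [priv {des|3des|aes N} PW]]
            level = "priv" if "priv" in tok else "auth" if "auth" in tok else "noauth"
            cfg["users"][tok[2]] = {"group": tok[3], "level": level}
        elif tok[:2] == ["snmp-server", "host"] and len(tok) >= 4:
            # snmp-server host ADDR [traps|informs] [version {1|2c|3 [noauth|auth|priv]}] USER
            rest, kind, version, level = tok[3:], "traps", "1", "noauth"
            if rest and rest[0] in ("traps", "informs"):
                kind, rest = rest[0], rest[1:]
            if rest and rest[0] == "version":
                version, rest = rest[1], rest[2:]
                if version == "3" and rest and rest[0] in LEVELS:
                    level, rest = rest[0], rest[1:]
            cfg["hosts"].append({"addr": tok[2], "kind": kind, "version": version,
                                 "level": level, "user": rest[0] if rest else None})
    return cfg


def check_snmp_config(cfg):
    """Return a list of findings; an empty list means the pieces fit together."""
    findings = []
    for gname, g in cfg["groups"].items():
        if g["acl"] and g["acl"] not in cfg["acls"]:
            findings.append(f"group {gname}: access ACL {g['acl']} is not defined")
        if g["write"]:
            findings.append(f"group {gname}: grants write access, so SNMP Set is allowed")
    for uname, u in cfg["users"].items():
        g = cfg["groups"].get(u["group"])
        if g is None:
            findings.append(f"user {uname}: references undefined group {u['group']}")
        elif LEVELS[u["level"]] < LEVELS[g["level"]]:
            findings.append(f"user {uname}: configured for {u['level']} but group "
                            f"{u['group']} requires {g['level']}")
    for h in cfg["hosts"]:
        if h["version"] != "3":
            continue  # v1/v2c hosts carry a community string, not a v3 user
        u = cfg["users"].get(h["user"])
        if u is None:
            findings.append(f"host {h['addr']}: names undefined v3 user {h['user']}")
        elif u["level"] != h["level"]:
            findings.append(f"host {h['addr']}: sends {h['kind']} with level {h['level']} "
                            f"but user {h['user']} is configured for {u['level']}")
    if cfg["hosts"] and not cfg["enable_traps"]:
        findings.append("snmp-server host present but 'snmp-server enable traps' missing: "
                        "no traps or informs will be sent")
    return findings


# Constructed sample: the lab answer as given (expected to produce no findings).
LAB_CONFIG = """\
snmp-server group Certskills v3 priv access ServerOnly
snmp-server user Youdda Certskills v3 auth sha mysecretpassword priv aes 128 mysecretpassword
!
snmp-server enable traps
snmp-server host 172.20.2.9 informs version 3 priv Youdda
!
ip access-list standard ServerOnly
 permit host 172.20.2.9
"""

# Constructed sample with three slips: user lacks priv, host still says priv,
# and snmp-server enable traps is missing.
BROKEN_CONFIG = """\
snmp-server group Certskills v3 priv access ServerOnly
snmp-server user Youdda Certskills v3 auth sha mysecretpassword
snmp-server host 172.20.2.9 informs version 3 priv Youdda
ip access-list standard ServerOnly
 permit host 172.20.2.9
"""

if __name__ == "__main__":
    for label, text in (("lab answer", LAB_CONFIG), ("broken variant", BROKEN_CONFIG)):
        findings = check_snmp_config(parse_snmp_config(text))
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run it against a pasted show running-config extract; the lab answer reports nothing, while the broken variant reports the user/group level mismatch, the host/user level mismatch, and the missing snmp-server enable traps. The parser only understands the keyword layouts shown in the comments, which is enough for the lab but not a full IOS grammar.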
Good day Wendell, thank you for this valuable SNMPv3 2 lab resource!
I noticed that there is no explicit access-list configured in the answer, so I wanted to submit my config extract and gather your thoughts about it.
R2: ip access-list extended ServerOnly
R2(access-list): permit udp host 172.16.2.9 any eq snmp
R2: int gig0/1
R2(int-config): ip access-class ServerOnly in
As I fear that my ACL would deny all the other ip traffic coming in the referred-to interface, how can we best satisfy the requirement and allow only the mentioned NMS to send SNMP messages to the routers?
Guiseppe,
Thanks for the note – glad you like the labs!
First, on your suggested ACL: I like the ACL itself. However, you don’t need to enable it on an interface with the “ip access-class” command. Note that the reference to the ACL “ServerOnly” in the snmp-server group command tells IOS to use that ACL to filter incoming SNMP traffic going to the SNMP server/agent in the router.
Going a bit further, given that fact, you could just match the host address, without needing to match SNMP ports, because by definition it’s filtering only messages the router wants to pass to the SNMP agent.
Note that I added a sample ACL to the config in response to your comment – thanks for letting me know.
Finally, the lab post and this answer used some incorrect IP address references – I cleaned them all up. Some had used 172.16, some 172.20. The lab and answer should be consistent now.
Thanks for the note!
Wendell Odom
Hello, Wendell,
I suppose …
In the Commentary:
1. In Command 1 we use “priv” (not “auth”), because if we support both authentication and encryption it would be enough to use “priv”.
2. Command 2 should be snmp-server USER and command 4 – snmp-HOST.
I confirm with you, the configuration of the snmp-server host statement should use the keyword “priv” not “auth”, otherwise communication fails, and without throwing up any errors!
Hi Wendell,
To confirm with Viktor, the configuration of the snmp-server host statement should use the keyword “priv” not “auth”, otherwise communication fails, and without throwing up any errors!
Hi John,
Nice catch – I agree! Just changed it. Thanks much.
Wendell
Hi Wendell,
Sorry to be a stickler, but as Viktor also mentioned, under the commentary, command 1 section the parameters, the keyword should be priv not auth.
It’s ok, I learn more from finding mistakes than from getting it right first time.
I don’t know why, but when I configure the snmp-server group Certskills v3 priv read v1default access ServerOnly command and then use the MIB Browser and click Get SNMP variable, it says “request failed to Get response PDU from 172.20.2.2, error indication in response: There is no such object in this MIB.” But when I take read v1default out of the snmp-server group Certskills v3 priv access ServerOnly command and click Get SNMP variable, I can get the status of the object ID. I just want to know why it is doing that. I am running a Cisco 1841 router with IOS C1841-ADVENTERPRISEK9-M Version 15.1(4)M8.
I missed this on both SNMP labs. So if I don’t put the SNMP enable traps but I put the snmp-server host (4th) command, what happens? Doesn’t the putting the snmp-server host command enable sending the informs?
I need more explanation please.
Jon,
I haven’t tested that combination, and don’t have a place to do a quick test. That said, my expectation is that neither traps nor informs would be sent to the server. That “informs” keyword on line 5 of the example (4th line of config – the one you noted) means “when sending, use the inform message, not the trap message”. But you need “snmp-server enable” to enable the sending of either traps or informs.
IOS doc appears to back up the above, quoting:
The snmp-server host command is used in conjunction with the snmp-server enable command. Use the snmp-server enable command to specify which SNMP notifications are sent globally. For a host to receive most notifications, at least one snmp-server enable command and the snmp-server host command for that host must be enabled.