

[HOWTO] Monitor Cisco switches via SNMP v3

 
liimuu



Joined: 16 Jan 2007
Posts: 12

Posted: Sat Dec 08, 2007 8:40 am

Simple Network Management Protocol Version 3 (SNMPv3) is an interoperable standards-based protocol for network management. SNMPv3 provides secure access to devices by a combination of authenticating and encrypting packets over the network.
So, we should apply SNMPv3.
For example, Cisco 3550:
First, log in to the switch and show the version:
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(22)EA1a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Fri 20-Aug-04 00:44 by yenanh
Image text-base: 0x00003000, data-base: 0x0083AF00
The version of IOS, C3550-I5Q3L2-M, decides that we can use auth.
# configure terminal
# snmp-server group cactigroup v3 auth
# snmp-server user cactiuser cactigroup v3 auth md5 cactipasswd
# end
# copy run start
Second, configure Cacti for the Cisco switch:



[Attached image: 3550.GIF]
liimuu



Joined: 16 Jan 2007
Posts: 12

Posted: Sat Dec 08, 2007 8:42 am

For example, Cisco 3750:
First, log in to the switch and show the version:
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(25)SEE4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Mon 16-Jul-07 03:24 by myl
Image text-base: 0x00003000, data-base: 0x01240000
The version of IOS, C3750-IPSERVICESK9-M, decides that we can use priv.
# configure terminal
# snmp-server group cactigroup v3 priv
# snmp-server user cactiuser cactigroup v3 auth md5 cactipasswd1 priv des56 cactipasswd2
# end
# copy run start
Second, configure Cacti for the Cisco switch:



[Attached image: 3750.GIF]
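The two switch configurations above tie a group security level (auth or priv) to a user's keys, and whatever polls the switch has to present the same level and protocols. The following is an added example, not part of the original posts and not Cacti code: a small parser that turns those IOS lines into the matching Net-SNMP options and reports a group/user mismatch. The function names and the host 192.0.2.10 are made up for illustration, and it assumes the passphrase is the last word on the user line.

```python
LEVELS = {"noauth": "noAuthNoPriv", "auth": "authNoPriv", "priv": "authPriv"}
AUTH = {"md5": "MD5", "sha": "SHA"}
PRIV = {"des56": "DES", "des": "DES", "aes": "AES"}

# Config lines as posted in the thread; everything else is an added illustration.
CFG_3550 = """snmp-server group cactigroup v3 auth
snmp-server user cactiuser cactigroup v3 auth md5 cactipasswd"""
CFG_3750 = """snmp-server group cactigroup v3 priv
snmp-server user cactiuser cactigroup v3 auth md5 cactipasswd1 priv des56 cactipasswd2"""

def parse_ios(config):
    """Collect v3 groups {name: level} and users {name: settings}."""
    groups, users = {}, {}
    for line in config.splitlines():
        t = line.strip().lstrip("# ").split()
        if t[:2] == ["snmp-server", "group"] and t[3:4] == ["v3"]:
            groups[t[2]] = t[4]
        elif t[:2] == ["snmp-server", "user"] and t[4:5] == ["v3"]:
            rest, u = t[5:], {"group": t[3], "auth": None, "priv": None}
            if rest[:1] == ["auth"]:
                u["auth"], rest = (rest[1], rest[2]), rest[3:]
            if rest[:1] == ["priv"]:
                u["priv"] = (rest[1], rest[-1])  # rest[-1] skips an AES key size
            users[t[2]] = u
    return groups, users

def snmpwalk_args(config, user, host):
    """Return (argv, problems) for polling `user` the way the switch expects."""
    groups, users = parse_ios(config)
    u = users[user]
    level, problems = groups[u["group"]], []
    argv = ["snmpwalk", "-v", "3", "-l", LEVELS[level], "-u", user]
    need = {"noauth": [], "auth": ["auth"], "priv": ["auth", "priv"]}[level]
    for kind, flag, table in (("auth", "a", AUTH), ("priv", "x", PRIV)):
        if kind not in need:
            continue
        if not u[kind]:
            problems.append(f"group level '{level}' needs a {kind} key for {user}")
            continue
        proto, secret = u[kind]
        argv += [f"-{flag}", table[proto], f"-{flag.upper()}", secret]
        if len(secret) < 8:  # Net-SNMP refuses USM passphrases under 8 chars
            problems.append(f"{kind} passphrase is shorter than 8 characters")
    return argv + [host], problems

if __name__ == "__main__":
    for cfg in (CFG_3550, CFG_3750):
        argv, problems = snmpwalk_args(cfg, "cactiuser", "192.0.2.10")
        print(" ".join(argv), problems)
```

The same level, protocols and passphrases are what go into the SNMPv3 fields of the device in Cacti.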
Mark.



Joined: 03 Jul 2007
Posts: 45
Location: San Luis Obispo

Posted: Wed Jan 02, 2008 6:39 pm

Does anyone know if something within Cacti needs to be configured, installed, or modified somehow to use AES instead of DES? I have this working using DES but a recent upgrade on our equipment is requiring us to use AES.
I have tried doing an SNMPwalk using AES, getting "Invalid privacy protocol specified after -x flag: AES".

No log entry in the equipment I am trying to walk. Cacti isn't even trying to walk the equipment.

Issuing the same command on the same type of equipment (of type, not same exact equipment) that is still using DES, everything works great.

This equipment will be upgraded soon and will be using AES, like the rest of our equipment.
command:

snmpwalk -v 3 -a MD5 -A pass -l authPriv -u Manager -x DES -X pass equip
works

snmpwalk -v 3 -a MD5 -A pass -l authPriv -u Manager -x AES -X pass equip
Invalid privacy protocol specified after -x flag: AES


Centos OS
Version 8.7a
Net-SNMP 5.x
RRD Tool 1.2x
Settings Plugin
Thold Plugin

Thanks in advance.
Mark.



Joined: 03 Jul 2007
Posts: 45
Location: San Luis Obispo

Posted: Wed Jan 02, 2008 7:20 pm

OK! I found something that helped. I found some documentation that the "witness" said only AES128 was supported. So, instead of


snmpwalk -v 3 -a MD5 -A pass -l authPriv -u Manager -x AES -X pass equip

I did


snmpwalk -v 3 -a MD5 -A pass -l authPriv -u Manager -x AES128 -X pass equip

It worked. I can SNMPwalk from the CLI but...Cacti isn't graphing any more data for this host. The graph just seemed to end when I configured Cacti to use SNMPv3. It was using SNMPv2.

Any ideas or pointers would be awesome!
Please..help me out.
Mark.



Joined: 03 Jul 2007
Posts: 45
Location: San Luis Obispo

Posted: Wed Jan 02, 2008 7:22 pm

I'm thinking I'm going to need to change a .conf file to be more specific when it chooses its AES version.

I'm using FIPS-197 (AES that supports 128, 192, or 256). SNMP.conf?
Mark.



Joined: 03 Jul 2007
Posts: 45
Location: San Luis Obispo

Posted: Wed Jan 02, 2008 7:37 pm

Ok...I know it's not SNMP.conf but is probably SNMP.php

I don't know anything about scripts or php...so I'm going to wait until I hear from someone because I'm pretty sure I'm looking in the right direction, but then again I don't know anything about scripts/php.
Mark.



Joined: 03 Jul 2007
Posts: 45
Location: San Luis Obispo

Posted: Thu Jan 03, 2008 11:40 am

Here is some other info..

net-snmp-utils-5.1.2-11.EL4.7
net-snmp-libs-5.1.2-11.EL4.7
net-snmp-5.1.2-11.EL4.7
php-snmp-4.3.9-3.22
net-snmp-devel-5.1.2-11.EL4.7

[root@server net-snmp]# snmpget --version
NET-SNMP version: 5.1.2


I read somewhere that 5.1.2 only supports DES. Using DES, I don't see any data in my graphs. I can snmpwalk via the CLI...
Mark.



Joined: 03 Jul 2007
Posts: 45
Location: San Luis Obispo

Posted: Fri Jan 04, 2008 12:46 pm

Created a new topic...

http://forums.cacti.net/viewtopic.php?t=25120
All times are GMT - 5 Hours