wiki:NSM2021/Agenda/SNMP-Hands-on

SNMP Hands - On

Goals

  • Configure SNMP Agent on managed devices like Routers, Switches and Linux servers
  • Configure SNMP Client Tools (Manager) in Linux servers.
  • Install and learn to use the SNMP commands
  • Install vendor specific MIBs and use those with the SNMP commands

Notes

  • For below hands-on we will be using Ubuntu 20.04 version.
  • You may use Putty or any kind supported terminal programs to connect remote devices.

Installing SNMP Client (Manager) tools

Connect to the server which will be used as the NMS (Network Management Station) and Open the Terminal program.

Update your software package repository

$ sudo apt-get update

This might take a few moments if everyone in class is doing this at the same moment.

Install the net-snmp tools:

$ sudo apt-get install snmp
$ sudo apt-get install snmp-mibs-downloader

The second of the two commands downloads the standard IETF and IANA SNMP MIBs which are not included by default.

Now, edit the file /etc/snmp/snmp.conf:

$ sudo vi /etc/snmp/snmp.conf

Note: Here we are using vi editor. You can use any text editor you are familiar with

Change this line:

mibs :

so that it looks like:

# mibs :

(You are "commenting out" the empty mibs statement, which was telling the snmp* tools not to automatically load the mibs in the /usr/share/mibs/ directory)

User specific SNMP configurations

Now, in your home directory make a .snmp directory with file snmp.conf inside it, make it readable only be you, and add the credentials to it:

$ cd
$ mkdir .snmp
$ chmod 700 .snmp/
$ vi .snmp/snmp.conf

Put the following contents in the file:

defVersion 3
defSecurityLevel authPriv
defSecurityName admin
defAuthPassphrase NetAdmin@1
defAuthType SHA
defPrivPassphrase NetPrivacy@1
defPrivType DES

# Default community when using SNMP v2c
defCommunity NetCommunity
defaultPort 161

Configuration of SNMP Agent on Routers and Switches

Cisco Router/Switch?

connect to your router and go to configure mode.

Router> enable

Router# configure terminal

Now we need to add an Access Control List(ACL) for controlling SNMP access to the router. This ACL will be used in both SNMPv2c and SNMPv3 configurations.

Router(config)# access-list 99 permit 192.248.4.0 0.0.0.255
SNMPv1 and SNMPv2c Configuration

Below shows how to configure SNMPv1/v2c for the Cisco router.

Router(config)# snmp-server community NetCommunity ro 99
SNMPv3 Configuration

Below shows how to configure SNMPv3 for the Cisco router.

Router(config)# snmp-server group GroupR v3 priv access 99
Router(config)# snmp-server user admin GroupR v3 auth sha NetAdmin@1 priv des NetPrivacy@1

After all make sure to save the configuration to the router.

Router(config)# exit
Router# write memory            
Router# exit       

HP Router

Connect to the Router and go to config mode

<Router> system-view

Add the following to create an ACL. This also can be used in both SNMPv2c and SNMPv3 configurations.

[Router]acl basic 2000
[Router-acl-ipv4-basic-2000]rule 0 permit source 192.248.4.0 0.0.0.255
[Router-acl-ipv4-basic-2000]rule 5 deny
SNMPv1 and SNMPv2c Configuration

Below shows how to configure SNMPv1/v2c for the HP router.

[Router]snmp-agent
[Router]snmp-agent community read NetCommunity acl 2000
SNMPv3 Configuration

Below shows how to configure SNMPv3 for the HP router.

[Router]snmp-agent sys-info version all
[Router]snmp-agent group v3 GroupR privacy acl 2000
[Router]snmp-agent usm-user v3 admin GroupR simple authentication-mode sha NetAdmin@1 privacy-mode des56 NetPrivacy@1

HP Aruba/Procurve?

Switch-HP#conf
Switch-HP(config)# snmpv3 enable
SNMPv3 Initialization process.
Creating user 'initial'
Authentication Protocol: MD5
Enter authentication password: ********
Privacy protocol is DES
Enter privacy password: ********
User 'initial' has been created
Would you like to create a user that uses SHA? [y/n] y
Enter user name: admin
Authentication Protocol: SHA
Enter authentication password: ********
Privacy protocol is DES
Enter privacy password: ********
User creation is done. SNMPv3 is now functional.
Would you like to restrict SNMPv1 and SNMPv2c messages to have read only
access (you can set this later by the command 'snmp restrict-access')? [y/n] n

Now you can add the user to the group GroupR,

Switch-HP(config)# snmpv3 group GroupR user admin sec-model ver3

Later you can remove initial user,

Switch-HP(config)#no snmpv3 user initial  

Aruba Virtual Controller

Go to Configuration --> System --> Monitoring and under SNMP, you may add SNMPv2 or SNMPv3 string details. If SNMPv3, use Authentication MD5 and AES Privacy.

Testing SNMP

Now we have both a SNMP Manager and SNMP Agent. To check that your SNMP installation works, run the snmpstatus command on the SNMP Manager host.

$ snmpstatus <IP_ADDRESS> 

Note that you just used was the SNMPv3 because we set the default version as SNMPv3. Try again, adding "-v2c" as a parameter. Notice that the command automatically uses the community string in the snmp.conf file instead of the v3 user credentials. Try "-v1".

To use the SNMP v2 or v1 we can add an option as below. Which will override the settings in the configuration file(/.snmp/snmp.conf).

$ snmpstatus -v2c <IP_ADDRESS> 
$ snmpstatus -v1 <IP_ADDRESS> 

Again we didn't want set Community string as it was set in the manager configuration file.

For the Router,

#snmpstatus <Router IP>

For the Switch,

#snmpstatus <Switch IP>

More useful OIDs for Cisco devices

System Name:

snmpget -v 2c 192.248.4.22 sysName.0 (SNMPv2-MIB)

System Up time,

snmpget -v 2c 192.248.4.22 sysServices.0 (SNMPv2-MIB)

Interface Status:

snmpwalk -v 2c 192.248.4.22 ifOperStatus
snmpwalk -v 2c 192.248.4.22 IF-MIB::ifOperStatus

Average CPU load in 5 minutes:

snmpget -v 2c 192.248.4.22  .1.3.6.1.4.1.9.2.1.58.0 (OLD-CISCO-CPU-MIB::avgBusy5)

Free memory:

snmpget -v 2c 192.248.4.22 1.3.6.1.4.1.9.2.1.8.0 (OLD-CISCO-MEMORY-MIB::freeMem)

Configuration of SNMP Agent on a Linux server

We also need to monitor the servers and workstations. Here we do this by installing and configuring a SNMP agent on a server.

Install the SNMP agent (daemon) on your host

$ sudo apt install snmpd
$ sudo apt install libsnmp-dev

Before making any changes to configurations files of a new installation it is a good practice to backup the original configuration.

$ cd /etc/snmp
$ sudo mv snmpd.conf snmpd.conf.orig
$ sudo nano snmpd.conf

Now enter the below configurations,

#  Listen for connections on all interfaces (both IPv4 *and* IPv6)
agentAddress udp:127.0.0.1:161,udp:192.248.4.23:161

# For SNMPv2: Configure Read-Only community and restrict who can connect
rocommunity NetCommunity  192.248.4.0/24
rocommunity NetCommunity  127.0.0.1

# Information about this host
sysLocation    LEARN Workshop
sysContact     sysadm@ws.ac.lk

# Which OSI layers are active in this host
# (Application + End-to-End layers)
sysServices    72

# Include proprietary dskTable MIB (in addition to hrStorageTable)
includeAllDisks  10%

Now save and exit from the editor.

Now Go to the SNMP Manager and enter below,

snmpwalk -v 2c 192.248.4.23 upTime

The request should be successful. Now enter the below,

snmpwalk -v 3 192.248.4.23 upTime

It should give an error. This is because we haven't created a SNMP v3 user at the Agent. Now we will add the same SNMPv3 user to your PC. We need to stop snmpd before adding the user, and restart it to read the above changes as well as the new user:

$ sudo systemctl stop snmpd.service
$ sudo net-snmp-config --create-snmpv3-user -a NetAdmin@1 -A SHA -x NetPrivacy@1 -X DES admin
$ sudo systemctl start snmpd.service

Now check whether SNMP v3 is working:

$ snmpwalk -v 3 192.248.4.23 upTime
$ snmpwalk 192.248.4.23 sysServices
Last modified 5 weeks ago Last modified on May 17, 2021, 12:51:50 PM