= SNMP Hands-On =

=== Goals ===
 - Install and learn to use the SNMP commands
 - Install vendor-specific MIBs and use those with the SNMP commands

=== Notes ===
 - This hands-on uses Ubuntu 20.04.
 - If you are installing the SNMP client (manager) tools on a remote server or computer, you will need to connect to the server over an SSH connection.

== Installing SNMP Client (Manager) tools ==

Connect to the server which will be used as the NMS (Network Management Station) and open the Terminal program.

Update your software package repository:
{{{
$ sudo apt-get update
}}}
This might take a few moments if everyone in class is doing this at the same moment.

Install the net-snmp tools:
{{{
$ sudo apt-get install snmp
$ sudo apt-get install snmp-mibs-downloader
}}}
The second of the two commands downloads the standard IETF and IANA SNMP MIBs, which are not included by default.

Now, edit the file /etc/snmp/snmp.conf:
{{{
$ sudo vi /etc/snmp/snmp.conf
}}}
Note: Here we are using the '''vi''' editor. You can use any text editor you are familiar with.

Change this line:
{{{
mibs :
}}}
so that it looks like:
{{{
# mibs :
}}}
(You are "commenting out" the empty mibs statement, which was telling the snmp* tools not to automatically load the MIBs in the /usr/share/mibs/ directory.)

=== User specific SNMP configurations ===

Now, in your home directory, make a .snmp directory with a file snmp.conf inside it, make it readable only by you, and add the credentials to it:
{{{
$ cd
$ mkdir .snmp
$ chmod 700 .snmp/
$ vi .snmp/snmp.conf
}}}
Put the following contents in the file:
{{{
defVersion 3

# SNMP v3 Configurations
defSecurityLevel authNoPriv
defSecurityName admin
defAuthPassphrase
defAuthType SHA

# SNMP v2c default community string
defCommunity
}}}

== Configuration of SNMP Agent on Routers and Switches ==

=== Cisco Router ===

Connect to your router and go to configure mode.
{{{
Router> enable
Router# configure terminal
}}}
Now we need to add an Access Control List rule for SNMP access, turn on SNMP, assign a read-only SNMP community string as well as an SNMPv3 group and user, and tell the router to maintain SNMP information across reboots. The ACL takes a wildcard (inverse) mask, so the /24 management network is written with 0.0.0.255. To do this:
{{{
Router(config)# access-list 99 permit 192.248.6.0 0.0.0.255
Router(config)# snmp-server community NetCommunity ro 99
Router(config)# snmp-server group GroupR v3 auth access 99
Router(config)# snmp-server user admin GroupR v3 auth sha
Router(config)# snmp-server ifindex persist
}}}
Finally, make sure to save the configuration to the router:
{{{
Router(config)# exit
Router# write memory
Router# exit
}}}

=== Cisco Switch ===
{{{
Switch(config)# access-list 99 permit 192.248.6.0 0.0.0.255
Switch(config)# snmp-server group GroupR v3 auth access 99
Switch(config)# snmp-server community NetCommunity ro 99
Switch(config)# snmp-server user admin GroupR v3 auth sha NetAdmin
Switch(config)# snmp-server contact Lalantha
Switch(config)# snmp-server location ICT-Center, Peradeniya
}}}

=== HP Router ===

Connect to the router and go to config mode:
{{{
system-view
}}}
Add the following configuration:
{{{
[Router]acl number 2000
[Router-acl-basic-2000]rule 0 permit source 192.248.6.0 0.0.0.255
[Router]snmp-agent
[Router]snmp-agent community read
[Router]snmp-agent sys-info version all
[Router]snmp-agent group v3 ReadGroup authentication acl 2000
[Router]snmp-agent usm-user v3 admin ReadGroup authentication-mode sha
}}}

=== HP Aruba/Procurve ===
{{{
Switch-HP#conf
Switch-HP(config)# snmpv3 enable
SNMPv3 Initialization process.
Creating user 'initial'
Authentication Protocol: MD5
Enter authentication password: ********
Privacy protocol is DES
Enter privacy password: ********
User 'initial' has been created
Would you like to create a user that uses SHA? [y/n] y
Enter user name: admin
Authentication Protocol: SHA
Enter authentication password: ********
Privacy protocol is DES
Enter privacy password: ********
User creation is done. SNMPv3 is now functional.
Would you like to restrict SNMPv1 and SNMPv2c messages to have read only access (you can set this later by the command 'snmp restrict-access')? [y/n] n
}}}
Now you can add the user to the group GroupR:
{{{
Switch-HP(config)# snmpv3 group GroupR user admin sec-model ver3
}}}
Later you can remove the initial user:
{{{
Switch-HP(config)#no snmpv3 user initial
}}}

== Testing SNMP ==

Now we have both an SNMP Manager and an SNMP Agent. To check that your SNMP installation works, run the snmpstatus command on the SNMP Manager host.
{{{
$ snmpstatus
}}}
Note that the command you just ran used SNMPv3, because we set the default version to SNMPv3.

Try again, adding "-v2c" as a parameter. Notice that the command automatically uses the community string in the snmp.conf file instead of the v3 user credentials. Try "-v1".

To use SNMP v2 or v1, add an option as below, which overrides the settings in the configuration file (~/.snmp/snmp.conf):
{{{
snmpstatus -v2c
snmpstatus -v1
}}}
Again, we did not need to set the community string, as it was set in the manager configuration file.

For the router:
{{{
#snmpstatus
}}}
For the switch:
{{{
#snmpstatus
}}}

== Configuration of SNMP Agent on a Linux server ==

We also need to monitor the servers and workstations. Here we do this by installing and configuring an SNMP agent on a server.

Install the SNMP agent (daemon) on your host:
{{{
$ sudo apt install snmpd
$ sudo apt install libsnmp-dev
}}}
Before making any changes to the configuration files of a new installation, it is good practice to back up the original configuration.
{{{
$ cd /etc/snmp
$ sudo mv snmpd.conf snmpd.conf.orig
$ sudo nano snmpd.conf
}}}
Now enter the configuration below:
{{{
# Listen on all IPv4 interfaces and on the IPv6 loopback address
agentAddress udp:161,udp6:[::1]:161

# For SNMPv2: Configure Read-Only community and restrict who can connect
rocommunity 192.248.6.0/24
rocommunity 127.0.0.1

# Information about this host
sysLocation LEARN Workshop
sysContact sysadm@ws.ac.lk

# Which OSI layers are active in this host
# (Application + End-to-End layers)
sysServices 72

# Include proprietary dskTable MIB (in addition to hrStorageTable)
includeAllDisks 10%
}}}
Now save and exit from the editor.

Now we will add the same SNMPv3 user to your PC. We need to stop snmpd before adding the user, and restart it to read the above changes as well as the new user:
{{{
$ sudo service snmpd stop
$ sudo net-snmp-create-v3-user -a SHA -A admin
$ sudo service snmpd start
}}}
Check that snmpd is working:
{{{
$ snmpstatus localhost
}}}
Test your neighbors:
{{{
$ snmpstatus
}}}
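
Before restarting snmpd it helps to check the access-control lines of the new snmpd.conf. The following is an added example, not part of the original hands-on or of net-snmp: a small Python audit of the rocommunity/rwcommunity and rouser/rwuser directives. The community names LabRead and LabWrite, the user backup and the sample text are constructed for illustration, and the rouser check assumes no -s SECMODEL option is used.

```python
import ipaddress

# Constructed sample (not the page's file): lab-style lines plus weak ones.
SAMPLE_CONF = """\
rocommunity LabRead 192.248.6.0/24
rocommunity 192.248.6.0/24
rocommunity public
rwcommunity LabWrite default
rouser admin auth
rouser backup priv
"""

COMMUNITY = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

def looks_like_address(token):
    """True if token parses as an IP address or CIDR network."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False

def audit_snmpd_conf(text):
    """Return (line_number, message) findings for access-control directives."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        key, args = tokens[0].lower(), tokens[1:]
        if key in COMMUNITY:
            name = args[0] if args else ""
            source = args[1] if len(args) > 1 else "default"
            if not name or looks_like_address(name):
                findings.append((no, "community name missing or is an address"))
            elif name.lower() in ("public", "private"):
                findings.append((no, "well-known community name"))
            if source in ("default", "0.0.0.0/0", "::/0"):
                findings.append((no, "no source restriction"))
            if key.startswith("rw"):
                findings.append((no, "write access through a cleartext community"))
        elif key in ("rouser", "rwuser"):
            # Assumes no -s SECMODEL option; the default level is auth.
            level = next((a for a in args[1:] if a in ("noauth", "auth", "priv")), "auth")
            if level != "priv":
                findings.append((no, f"SNMPv3 user without privacy ({level})"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"line {n}: {m}" for n, m in audit_snmpd_conf(SAMPLE_CONF)))
```

The first argument of rocommunity is always read as the community string, so a line that carries only an address ends up with that address as the community and no source restriction, which is why the audit reports both findings for it.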
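
The Cisco and HP ACLs in the router and switch sections express the management subnet with a wildcard (inverse) mask, while snmpd.conf takes CIDR notation. The following added example (not from the original hands-on) implements wildcard matching in Python and reports where an ACL entry disagrees with the intended network, which is what happens when a netmask is typed where a wildcard mask is expected. The probe addresses are constructed.

```python
import ipaddress

def wildcard_for(cidr):
    """Wildcard (inverse) mask for a CIDR network: 192.248.6.0/24 -> 0.0.0.255."""
    return str(ipaddress.ip_network(cidr).hostmask)

def acl_permits(base, wildcard, source):
    """Wildcard match: bits set in the mask are ignored, the rest must equal base."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(source)) & care) == (
        int(ipaddress.IPv4Address(base)) & care)

def acl_mismatches(base, wildcard, cidr, probes):
    """Probe addresses where the ACL entry and the intended network disagree."""
    net = ipaddress.ip_network(cidr)
    return [p for p in probes
            if acl_permits(base, wildcard, p) != (ipaddress.ip_address(p) in net)]

# Constructed probe addresses: one manager inside the subnet, two outsiders.
PROBES = ["192.248.6.25", "192.248.7.25", "10.20.30.0"]

if __name__ == "__main__":
    for mask in ("0.0.0.255", "255.255.255.0"):
        print(mask, acl_mismatches("192.248.6.0", mask, "192.248.6.0/24", PROBES))
```

With 0.0.0.255 the ACL and the /24 agree on every probe. With 255.255.255.0 the entry matches any source whose last octet is 0, so the manager at 192.248.6.25 is denied and the unrelated 10.20.30.0 is permitted.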