The Case for SNMPv3

February 13th, 2010  / Author: pierre

Reluctant to deploy SNMPv3?

Often I hear organizations complain that SNMPv3 is too complex to deploy. Yet many of the TCP/IP protocols in today's networks carry some level of complexity: encryption, hashed passwords, double authentication, shared keys, three-way handshake mechanisms and so on.
And still SNMPv2 sends its community strings in “clear text” over the network.

In a Cisco network, you can tighten SNMPv2 security by binding it to an ACL, but isn’t that just telling a potential hacker who the NMS systems are? I always say: Whoever owns the NMS server(s), owns the network.

Recently I deployed SNMPv3 on a Cisco network and, to my delight, found that I needed to spend only two hours on research.
The following SNMPv3 configuration is for a Cisco IOS device; it turned out to be very useful, secure and versatile for the various NMS systems that manage the network.

I think the core concept to understand about SNMPv3 is users, groups and views. The online PDFs and bulletins I’ve come across so far all have this in common when it comes to creating an SNMPv3 configuration.

Conceptually, here are the steps, in this exact order.

1. Assign an Engine ID for the SNMP entity (it's optional, but a very good idea)
2. Define a view and select a MIB
3. Define a group and tie it to a “view”
4. Define a user, add it to a group and assign a password.

Example:
1. snmp-server engineID local 111100000000000000000000
2.
a. snmp-server view NOCview mib-2 included
b. snmp-server view NOCview cisco included
c. snmp-server view NOCview v1default included

3. snmp-server group NOCengineers v3 auth write NOCview
4. snmp-server user NMSops NOCengineers v3 auth md5 passW0rd20systemX487

Of course, there are more security options available, such as adding the “priv” keyword to the group. All it means is that the data will be encrypted; des56 encryption is one such option.
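One thing the steps above leave implicit is why step 1 comes first: the agent never stores the user's password, only a key localized to its own engine ID. The following Python is added here (it is not from the post or from Cisco) and implements the RFC 3414 password-to-key derivation, checking it against the RFC's test vector and against the post's own engine ID and password.

```python
import hashlib

# Added example (not from the post): RFC 3414 "password to key" derivation.
# Ku  = H(password repeated to exactly 1 MiB)      -> engine-independent
# Kul = H(Ku || snmpEngineID || Ku)               -> what the agent stores
ONE_MIB = 1024 * 1024


def password_to_ku(password: str, algo: str = "md5") -> bytes:
    """Intermediate key Ku (RFC 3414 A.2.1 for MD5, A.2.2 for SHA-1)."""
    pw = password.encode()
    # Fill a 1 MiB buffer by cycling through the password bytes.
    buf = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    return hashlib.new(algo, buf).digest()


def localize(ku: bytes, engine_id_hex: str, algo: str = "md5") -> bytes:
    """Bind Ku to one SNMP engine; the result is the localized key Kul."""
    engine_id = bytes.fromhex(engine_id_hex)
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id_hex: str, algo: str = "md5") -> str:
    """Hex string of Kul for a password on a given engine ID (hex string)."""
    return localize(password_to_ku(password, algo), engine_id_hex, algo).hex()


# Engine ID and password taken from the post's example configuration.
POST_ENGINE_ID = "111100000000000000000000"
POST_PASSWORD = "passW0rd20systemX487"

if __name__ == "__main__":
    # RFC 3414 A.3.1 test vector: "maplesyrup" on engine 00..02, MD5.
    print("RFC vector :", localized_key("maplesyrup", "000000000000000000000002"))
    # Same password on the post's engine and on a changed engine ID gives
    # different localized keys, so the user must be recreated after a change.
    print("post engine:", localized_key(POST_PASSWORD, POST_ENGINE_ID))
    print("other engine:", localized_key(POST_PASSWORD, "111100000000000000000001"))
```

Because the stored key depends on the engine ID, changing snmp-server engineID after users have been created invalidates their keys and the users have to be reconfigured.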

Oh yes, when you display the configuration you won’t see any users – they’re hidden. The only way to “see” them is with the “show snmp user” and “show snmp group” commands. I truly hope my explanation was understandable and simple enough to tame the perception of SNMPv3.
All the best.

Cheers
Pierre




Three Cool Tips for LMS 3.2

February 5th, 2010  / Author: pierre
  1. With a 5000 device license, Campus Manager will only manage 5500 devices. After that - no more.
  2. The Windows Remote Management service can conflict with RME. Always check that it’s not running. (The WinRM service starts automatically on Windows Server 2008.)
  3. LMS 3.2 can run on Windows 2008 Server, but you should disable FIPS compliance for CiscoWorks to work properly, because the SSL authentication might otherwise fail:

To enable/disable FIPS on Windows 2003 and Windows 2008 servers:

  1. Open Start > Settings > Control Panel > Administrative Tools > Local Security Policy.
  2. Click Local Policies > Security Options.
  3. Select System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
  4. Right-click the selected policy and click Properties.
  5. Select Enabled or Disabled to enable or disable FIPS compliant algorithms.
  6. Click Apply.
  7. Reboot the server for the changes to take effect.

Cheers



Campus Manager Topology Maps

November 1st, 2009  / Author: pierre

Hi there - here’s a great tip for CiscoWorks Campus Manager administrators and users.

CM_Topology1

Suppose you have a lot of network devices and you spent hours on moving all those little icons on your Topology Map.

Maybe you added all your important devices (Core and Distribution for the Data Centre) to the critical device poller; and maybe you even added a nice background wallpaper showing them geographically – nice.

And then you get a call from another network administrator or user, saying his map doesn’t look like the one you created. Well, that’s how LMS Campus Manager works: every user account has its own map and settings.

BUT, you can copy your map to his account like this:

the admin user's Topology maps


For LMS running on Windows, simply go to the Campus maps folder and find the right map to copy. Suppose you created the map as the “admin” user; then go to “C:\Program Files\CSCOpx\campus\etc\users\admin”. It might take some investigating to find out which XML file is the right one. In this example the file was called “453.xml”.

Now copy that file to the other user's folder. If the user account was “george”, then C:\Program Files\CSCOpx\campus\etc\users\george is where george's maps are located. (Oh, yes. Remember that the user must save at least one map for the folder to exist.)

Easy, hey? If you’re running on Solaris, you might consider running a crontab job to copy your map to other users at a scheduled time/date, depending on the users.

Cheers.