Sunday, May 29, 2011

Upgrading SNMP to Version 3 on a Cisco Router


1) Check the current SNMP settings; you may remove or alter some of these later.
sh run | i snmp-
snmp-server community YourPrivateCommunity RO
snmp-server location Sometown, USA
snmp-server contact IT Guy
snmp-server enable traps
sh snmp view
*ilmi system - included nonvolatile active
*ilmi atmForumUni - included nonvolatile active
v1default iso - included permanent active
v1default internet.6.3.15 - excluded permanent active
v1default internet.6.3.16 - excluded permanent active
v1default internet.6.3.18 - excluded permanent active
v1default ciscoMgmt.394 - excluded permanent active
v1default ciscoMgmt.395 - excluded permanent active
v1default ciscoMgmt.399 - excluded permanent active
v1default ciscoMgmt.400 - excluded permanent active
*tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F ieee802dot11 - included volatile active
*tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F internet - included volatile active
2) Copy/paste the commands below to add the version 3 configuration. The exclusions shown here are the route table and ARP entries, which I didn't want to expose for security reasons.
config t
snmp-server ifindex persist
snmp-server view yourview system included
snmp-server view yourview interfaces included
snmp-server view yourview ip included
snmp-server view yourview ifMIB included
snmp-server view yourview ip.21 excluded
snmp-server view yourview ip.22 excluded
snmp-server view yourview ip.35 excluded
snmp-server view yourview ciscoRttMonMIB included
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server group yourgroup v3 priv read yourview
snmp-server user youruser yourgroup v3 auth md5 <password1> priv des <password2>
snmp-server host 10.13.4.267 version 3 priv youruser
If any of the above commands give errors on the “priv” section, then the device’s IOS version only supports “auth” and you’ll have to use the commands below:
snmp-server group yourgroup v3 auth read yourview
snmp-server user youruser yourgroup v3 auth md5 <password1>
snmp-server host 10.13.4.267 version 3 auth youruser
3) At this point, before you remove version 1 or 2c, run snmpwalk as follows to verify the v3 credentials. I use this tool on my Windows machine: http://www.snmpsoft.com/freetools/snmpwalk.html
C:\snmpwalk> SnmpWalk.exe -r:10.13.4.267 -v:3 -sn:youruser -ap:MD5 -aw:password1 -pp:DES -pw:password2 -os:.1.3.6.1.2.1.2.2.1.1
For images that only support auth (no priv):

C:\snmpwalk> SnmpWalk.exe -r:10.13.4.267 -v:3 -sn:youruser -ap:MD5 -aw:password1 -os:.1.3.6.1.2.1.2.2.1.1
4) Copy/paste the commands below to remove the unneeded v1 or v2c config:
no snmp-server community YourPrivateCommunity RO
no snmp-server community public RO
no snmp-server enable traps tty
etc
etc
….
5) Copy/paste the commands below to disable any default or hidden Cisco views (you may have more than these):
snmp-server view *ilmi system excluded
snmp-server view *ilmi atmForumUni excluded
snmp-server view v1default iso excluded
end
6) Verify the end result and save it (wr / write mem):
sh run | i snmp-
snmp-server group yourgroup v3 priv read yourview notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server view *ilmi system excluded
snmp-server view *ilmi atmForumUni excluded
snmp-server view yourview system included
snmp-server view yourview interfaces included
snmp-server view yourview ip included
snmp-server view yourview ifMIB included
snmp-server view yourview ip.21 excluded
snmp-server view yourview ip.22 excluded
snmp-server view yourview ip.35 excluded
snmp-server view yourview ciscoRttMonMIB included
snmp-server view yourview lsystem.58.0 included
snmp-server view v1default iso excluded
snmp-server ifindex persist
snmp-server location Yourtown, USA
snmp-server contact IT Guy
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server host 10.13.4.267 version 3 priv youruser
write mem
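The "verify end result" step is easy to do by eye on one router, but on a fleet it is worth scripting. The following is an added example (not from the post) that reads a running-config excerpt and flags the things this upgrade is meant to get rid of: leftover community strings, v3 groups or trap hosts that are not "priv", and the Cisco default views that are still unrestricted. The config snippets in it are constructed to look like the step 1 and step 6 output above. One caveat a practitioner should know: IOS does not print snmp-server user lines in the running config, so the authentication and privacy algorithms (the post uses md5 and des) have to be checked with "show snmp user"; where the image supports them, sha and aes 128 are the stronger choices and take the same command syntax.

```python
"""Audit an IOS running-config excerpt for SNMP settings that an SNMPv3-only
upgrade should have removed.  Added example; the config text below is
constructed in the shape of the post's 'sh run | i snmp-' output, not captured
from a real device."""

# Constructed "before" excerpt, shaped like the post's step 1 output.
BEFORE = """\
snmp-server community YourPrivateCommunity RO
snmp-server community public RO
snmp-server location Sometown, USA
snmp-server contact IT Guy
snmp-server enable traps
"""

# Constructed "after" excerpt, shaped like the post's step 6 output.
AFTER = """\
snmp-server group yourgroup v3 priv read yourview
snmp-server view *ilmi system excluded
snmp-server view *ilmi atmForumUni excluded
snmp-server view yourview system included
snmp-server view yourview ip.21 excluded
snmp-server view v1default iso excluded
snmp-server ifindex persist
snmp-server host 10.13.4.267 version 3 priv youruser
"""

# Constructed excerpt for the post's auth-only fallback (older IOS images).
AUTH_ONLY = """\
snmp-server group yourgroup v3 auth read yourview
snmp-server host 10.13.4.267 version 3 auth youruser
"""

# Views IOS creates on its own; they showed up in the post's 'sh snmp view'
# output before any config line referred to them.
DEFAULT_VIEWS = {"*ilmi", "v1default"}


def audit_snmp_config(config_text):
    """Return a list of findings (strings) for one device's snmp-server lines."""
    findings = []
    excluded_defaults = set()
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] != "snmp-server":
            continue
        kind = parts[1]
        if kind == "community":
            findings.append(f"community string '{parts[2]}' present: "
                            "v1/v2c access is unauthenticated and unencrypted")
        elif kind == "group" and "v3" in parts and "priv" not in parts:
            level = "noauth" if "noauth" in parts else "auth"
            findings.append(f"v3 group '{parts[2]}' is {level}: polling traffic is not encrypted")
        elif kind == "host":
            if "version" in parts:
                version = parts[parts.index("version") + 1]
            else:
                version = "1"  # IOS default when the version keyword is omitted
            if version != "3":
                findings.append(f"trap host {parts[2]} uses SNMP v{version}")
            elif "priv" not in parts:
                findings.append(f"trap host {parts[2]} sends v3 traps without encryption")
        elif kind == "view" and parts[2] in DEFAULT_VIEWS and parts[-1] == "excluded":
            excluded_defaults.add(parts[2])
    # In the post, the default views only appear in 'sh run' once something is
    # excluded from them, so no such line means the view is still wide open.
    # Confirm the real state with 'sh snmp view'.
    for view in sorted(DEFAULT_VIEWS - excluded_defaults):
        findings.append(f"default view '{view}' is not restricted")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER), ("auth-only", AUTH_ONLY)):
        print(f"--- {label} ---")
        for finding in audit_snmp_config(cfg) or ["no findings"]:
            print(" ", finding)
```

Feed it the output of "sh run | i snmp-" from each router; an empty result for the "after" config is the state step 6 is aiming for.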
Notes:
This broke my Cacti graphing when I upgraded to v3 and restricted the view to specific OIDs. Since many people use Cacti, I figured I'd share this as well.
If you notice that one of your Cacti graphs has stopped returning data, like my Free Memory graph, you'll need to find out exactly which OID or OID family the graph uses:
Since you’ve restricted the view to only include certain OIDs, you need to drill down and find the OID being polled by Cacti.
Console> Devices> RTR1> GraphList> RTR1 – Free Memory

On this page you'll see "RTR1 - Proc Mem Free"

Now that you know the Cacti OID name (Proc Mem Free) find the OID number:
Console> Data Templates> Cisco Router – Proc Mem Free

(Don’t forget to walk this OID with snmpwalk to verify you have the right OID.)
So, you add this OID to the config:

RTR1(config)# snmp-server view yourview 1.3.6.1.4.1.9.9.48.1.1.1.6.1 included
RTR1(config)# do sh snmp view
Look what it added:
yourview ciscoMemoryPoolEntry.6.1 - included nonvolatile active
Now you know the MIB family that the device is using! This is very helpful because MIBs get deprecated or replaced with different names.
Now you might need to add the entire family, but check what other OIDs are in that family first. Go to Cisco's SNMP Object Navigator website http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en and enter ciscoMemoryPoolEntry. You should get this OID back: 1.3.6.1.4.1.9.9.48.1.1.1
So, walk that to determine if you can add the entire family:

C:\snmpwalk> SnmpWalk.exe -r:10.13.4.267 -v:3 -sn:youruser -ap:MD5 -aw:password1 -pp:DES -pw:password2 -os:.1.3.6.1.4.1.9.9.48.1.1.1
OID=.1.3.6.1.4.1.9.9.48.1.1.1.2.1, Type=OctetString, Value=Processor
OID=.1.3.6.1.4.1.9.9.48.1.1.1.2.2, Type=OctetString, Value=I/O
OID=.1.3.6.1.4.1.9.9.48.1.1.1.3.1, Type=Integer, Value=0
OID=.1.3.6.1.4.1.9.9.48.1.1.1.3.2, Type=Integer, Value=0
OID=.1.3.6.1.4.1.9.9.48.1.1.1.4.1, Type=Integer, Value=1
OID=.1.3.6.1.4.1.9.9.48.1.1.1.4.2, Type=Integer, Value=1
OID=.1.3.6.1.4.1.9.9.48.1.1.1.5.1, Type=Gauge32, Value=27303960
OID=.1.3.6.1.4.1.9.9.48.1.1.1.5.2, Type=Gauge32, Value=5792672
OID=.1.3.6.1.4.1.9.9.48.1.1.1.6.1, Type=Gauge32, Value=103653048
OID=.1.3.6.1.4.1.9.9.48.1.1.1.6.2, Type=Gauge32, Value=19373152
OID=.1.3.6.1.4.1.9.9.48.1.1.1.7.1, Type=Gauge32, Value=101099660
OID=.1.3.6.1.4.1.9.9.48.1.1.1.7.2, Type=Gauge32, Value=19239868
OID=.1.3.6.1.4.1.9.9.109.1.1.1.1.2.1, Type=Integer, Value=0
OID=.1.3.6.1.4.1.9.9.109.1.1.1.1.3.1, Type=Gauge32, Value=2
OID=.1.3.6.1.4.1.9.9.109.1.1.1.1.4.1, Type=Gauge32, Value=3
OID=.1.3.6.1.4.1.9.9.109.1.1.1.1.5.1, Type=Gauge32, Value=3
OID=.1.3.6.1.4.1.9.9.109.1.1.1.1.6.1, Type=Gauge32, Value=2
OID=.1.3.6.1.4.1.9.9.109.1.1.1.1.7.1, Type=Gauge32, Value=3
OID=.1.3.6.1.4.1.9.9.109.1.1.1.1.8.1, Type=Gauge32, Value=3
OID=.1.3.6.1.4.1.9.9.109.1.1.1.1.9.1, Type=Gauge32, Value=5
OID=.1.3.6.1.4.1.9.9.109.1.1.1.1.10.1, Type=Gauge32, Value=2
OID=.1.3.6.1.4.1.9.9.109.1.1.1.1.11.1, Type=Gauge32, Value=1
Total: 22
Now remove the previous entry and add this entire family:
RTR1(config)# no snmp-server view yourview 1.3.6.1.4.1.9.9.48.1.1.1.6.1 included
RTR1(config)# snmp-server view yourview ciscoMemoryPoolEntry included
Verify it’s there and save config:
RTR1(config)# do sh snmp view
RTR1(config)# write mem
