Send netdisco-users mailing list submissions to
netdisco-users@lists.sourceforge.net
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/netdisco-users
or, via email, send a message with subject or body 'help' to
netdisco-users-requ...@lists.sourceforge.net
You can reach the person managing the list at
netdisco-users-ow...@lists.sourceforge.net
When replying, please edit your Subject line so it is more specific
than "Re: Contents of netdisco-users digest..."
Today's Topics:
1. Re: [EXTERNAL] SNMPv3 Catalyst/Nexus/Arista/Palo Alto/ASR
(Damian R. Cleveland)
2. Re: SNMPv3 Catalyst/Nexus/Arista/Palo Alto/ASR (Entwistle, Bruce)
--- Begin Message ---
Thanks for this, Eric.
It has been a while since I first attempted v3, failed, and resorted to v2. Now
v3 is a requirement, so I'll be jumping back in.
Your instructions and recommendations are duly noted, and I'll consult them
during the implementation.
Thanks again.
-------
Damian Cleveland
Networking Engineering
Institute For Defense Analyses, Princeton, NJ
Office:609-279-6265
Mobile:609-235-8870
--------
From: "Eric Bates" <eba...@whoi.edu>
To: "Damian R. Cleveland" <dcl...@idaccr.org>
Cc: "netdisco-users" <netdisco-users@lists.sourceforge.net>
Sent: Tuesday, May 13, 2025 9:37:33 AM
Subject: Re: [EXTERNAL] [Netdisco] SNMPv3 Catalyst/Nexus/Arista/Palo Alto/ASR
We use v3 exclusively. And, from your list, we have comms working to cisco,
Juniper and PAN.
Um...
On the Netdisco side, I'm pretty sure I just followed the documentation. It was
quite a while ago; so I don't really remember what was difficult.
We made it a practice to use a separate v3 login for each of our tools; so
NetDisco has a single unique login shared with all the remote devices. So each
of our devices ends up with about a 1/2 dozen separate logins configured.
Best debugging tool I found was simply snmpwalk. There's kind of a lot of work
to do on a given machine before snmpwalk works smoothly. I'm attaching a
sanitized version of the doc I wrote up for myself about configuring snmp on an
Ubuntu server (it's an emacs org-mode file; but it's readable as plain text;
just not as pretty as it is in emacs).
Sanitized NetDisco snippet from deployments.yaml:
#device_auth:
snmp_auth:
  - tag: JPsnmp
    user: *********
    auth:
      pass: ********
      proto: SHA
    priv:
      pass: *********
      proto: AES
When I was new to snmp v3, I tried really hard to define a view which would
satisfy everything that NetDisco (et al.) needs to be able to read; but that's
actually quite difficult. So, instead, (per recommendation in NetDisco docs) we
use a view which simply allows the entire tree starting with the iso root of 1.
snmp-server view VIEW_WHOI iso included
You need to then define a group with read-only permission on that view:
ip access-list standard SNMP
 remark ACL for SNMP access to this device.
 permit 10.137.132.0 0.0.0.255
 permit 10.149.1.0 0.0.0.255
 permit 172.30.8.0 0.0.3.255
 deny any log
snmp-server group GROUP_WHOI_MON v3 priv read VIEW_WHOI access SNMP
snmp-server group GROUP_WHOI_MON v3 priv context vlan- match prefix
I don't remember what the 2nd "context" line actually does...
And finally, you define the individual user auths. cisco is a little weird.
Most of the config for snmp is part of the switch config; but the actual users
are not. You add them via "conf t"; but they seem to be stored in some sort of
separate data structure. You can view the list with "sho snmp users", but they
are basically not backed-up when you save the config.
snmp-server user MONITORProg1 GROUP_WHOI_MON v3 auth sha AUTHPASS1 priv aes 128 ENCPASS1
snmp-server user NETDISCO GROUP_WHOI_MON v3 auth sha AUTHPASS2 priv aes 128 ENCPASS2
snmp-server user MONITORProg3 GROUP_WHOI_MON v3 auth sha AUTHPASS3 priv aes 128 ENCPASS3
snmp-server user MONITORProg4 GROUP_WHOI_MON v3 auth sha AUTHPASS4 priv aes 128 ENCPASS4
When you can't connect to the machine it's usually one of the same 2 things:
ACL is missing (we weren't using SDN a decade ago), snmp user had to be
re-entered (not clear whether the latter problem was a cisco bug or just a
copy/paste error; but re-installing the users frequently fixes authentication
problems). VERY handy to be able to execute snmpwalk to test.
Pretty much the same drill for the other hardware platforms.
Note that if you're using Juniper Mist to configure from the cloud, the Mist
implementation is buggy for snmp v3 (you can only add one user to a given
group). This might have been fixed by now (I haven't looked in about a year);
but our snmp v3 section ignores the Mist snmp template and is simply written
out as a text section.
On 5/13/25 08:03, Damian R. Cleveland wrote:
Hello,
I know this is a broad ask, but has anyone successfully implemented SNMPv3
communication between ND and any of these platforms? I've failed miserably.
Any guidance would be appreciated.
Thanks,
-------
Damian Cleveland
Networking Engineering
Institute For Defense Analyses, Princeton, NJ
Office:609-279-6265
Mobile:609-235-8870
--------
--- End Message ---
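Eric's message pairs a Netdisco snmp_auth entry with a Cisco group defined as "v3 priv" and recommends snmpwalk for debugging. The following is an added example, not code from the thread or from Netdisco: it derives the matching Net-SNMP snmpwalk command from an snmp_auth entry (the sample entries, the host 10.0.0.1 and the credential strings are constructed placeholders) and flags entries whose security level would be rejected by a "v3 priv" group or that still use legacy MD5/DES.

```python
import shlex

LEVELS = ["noAuthNoPriv", "authNoPriv", "authPriv"]   # weakest -> strongest
WEAK_PROTOS = {"MD5", "DES"}                           # legacy SNMPv3 algorithms

# Constructed sample mirroring the sanitized deployment.yml snippet in the
# thread (placeholder credentials, not real ones).
SAMPLE_SNMP_AUTH = [
    {"tag": "JPsnmp", "user": "NETDISCO",
     "auth": {"pass": "AUTHPASS2", "proto": "SHA"},
     "priv": {"pass": "ENCPASS2", "proto": "AES"}},
    {"tag": "legacy", "user": "OLDPROBE",
     "auth": {"pass": "authonly", "proto": "MD5"}},    # no priv section at all
]

def security_level(entry):
    """Net-SNMP -l value implied by which sections the entry carries."""
    if "priv" in entry:
        return "authPriv"
    return "authNoPriv" if "auth" in entry else "noAuthNoPriv"

def snmpwalk_argv(entry, host, oid="1"):
    """argv for the snmpwalk that exercises exactly this entry's credentials.
    The OID defaults to 1 because the view in the thread includes the whole iso tree."""
    argv = ["snmpwalk", "-v", "3", "-l", security_level(entry), "-u", entry["user"]]
    if "auth" in entry:
        argv += ["-a", entry["auth"]["proto"], "-A", entry["auth"]["pass"]]
    if "priv" in entry:
        argv += ["-x", entry["priv"]["proto"], "-X", entry["priv"]["pass"]]
    return argv + [host, oid]

def lint_entry(entry, group_level="priv"):
    """Problems that would make this entry fail against, or weakly protect polling
    of, a device group defined as 'snmp-server group ... v3 <group_level>'."""
    required = {"noauth": 0, "auth": 1, "priv": 2}[group_level]
    problems = []
    if LEVELS.index(security_level(entry)) < required:
        problems.append("security level below the group's v3 %s requirement" % group_level)
    for section in ("auth", "priv"):
        proto = entry.get(section, {}).get("proto", "").upper()
        if proto in WEAK_PROTOS:
            problems.append("%s uses legacy %s" % (section, proto))
    return problems

if __name__ == "__main__":
    for e in SAMPLE_SNMP_AUTH:
        print(e["tag"], lint_entry(e) or "ok")
        print("  ", shlex.join(snmpwalk_argv(e, "10.0.0.1")))   # 10.0.0.1 is a placeholder
```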
--- Begin Message ---
We attempted to get ND working with our SNMPv3 network, but despite trying all
the recommended solutions we could find online, we were never successful. We
are primarily a Cisco shop, so if you do find a solution please share it so we
could get past this bump in the road.
Thank you
Bruce Entwistle
Network Manager
University of Redlands
From: Damian R. Cleveland <dcl...@idaccr.org>
Sent: Tuesday, May 13, 2025 4:47 AM
To: netdisco-users <netdisco-users@lists.sourceforge.net>
Subject: [Netdisco] SNMPv3 Catalyst/Nexus/Arista/Palo Alto/ASR
Hello,
I know this is a broad ask, but has anyone successfully implemented SNMPv3
communication between ND and any of these platforms? I've failed miserably.
Any guidance would be appreciated.
Thanks,
-------
Damian Cleveland
Networking Engineering
Institute For Defense Analyses, Princeton, NJ
Office:609-279-6265
Mobile:609-235-8870
--------
--- End Message ---
_______________________________________________
Netdisco mailing list - Digest Mode
netdisco-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/netdisco-users