| Feature | Description |
| SNMP encryption passphrase | Starting from Cisco NFVIS Release 4.10.1, you can configure an optional encryption passphrase for SNMP, which generates a priv-key that is different from the auth-key. |
Though SNMP v1 and v2c use community-based strings, the following is still required:
To create SNMP community:
configure terminal
snmp community <community_name> community-access <access>
The SNMP community name string supports [A-Za-z0-9_-] and a maximum length of 32. NFVIS supports only readOnly access.
To create SNMP Group:
configure terminal
snmp group <group_name> <context> <version> <security_level> notify <notify_list> read <read_list> write <write_list>
| Variables | Description |
| group_name | Group name string. Supporting string is [A-Za-z0-9_-] and maximum length is 32. |
| context | Context string, default is snmp. Maximum length is 32. Minimum length is 0 (empty context). |
| version | 1, 2 or 3 for SNMP v1, v2c and v3. |
| security_level | authPriv, authNoPriv, noAuthNoPriv. Note: SNMP v1 and v2c use noAuthNoPriv only. |
| notify_list/read_list/write_list | It can be any string. read_list and notify_list are required to support data retrieval by SNMP tools. write_list can be skipped because NFVIS SNMP does not support SNMP write access. |
To create SNMP v3 user:
When security level is authPriv:
configure terminal
snmp user <user_name> user-version 3 user-group <group_name> auth-protocol <auth> priv-protocol <priv> passphrase <passphrase_string>
configure terminal
snmp user <user_name> user-version 3 user-group <group_name> auth-protocol <auth> priv-protocol <priv> passphrase <passphrase_string> encryption-passphrase <encryption_passphrase>
When security level is authNoPriv:
configure terminal
snmp user <user_name> user-version 3 user-group <group_name> auth-protocol <auth> passphrase <passphrase_string>
When security level is noAuthNoPriv:
configure terminal
snmp user <user_name> user-version 3 user-group <group_name>
| Variables | Description |
| user_name | User name string. Supporting string is [A-Za-z0-9_-] and maximum length is 32. This name has to be the same as community_name. |
| version | 1 and 2 for SNMP v1 and v2c. |
| group_name | Group name string. This name has to be the same as the group name configured in the NFVIS. |
| auth | md5 or sha |
| priv | aes or des |
| passphrase_string | Passphrase string. Supporting string is [A-Za-z0-9\-_#@%$*&! ]. |
| encryption_passphrase | Passphrase string. Supporting string is [A-Za-z0-9\-_#@%$*&! ]. The user must configure passphrase first to configure encryption-passphrase. |

Note: Do not use auth-key and priv-key. The auth and priv passphrases are encrypted after configuration and saved in NFVIS.
To enable SNMP traps:
configure terminal
snmp enable traps <trap_event>
trap_event can be linkup or linkdown.
To create SNMP trap host:
configure terminal
snmp host <host_name> host-ip-address <ip_address> host-port <port> host-user-name <user_name> host-version <version> host-security-level noAuthNoPriv
| Variables | Description |
| host_name | User name string. Supporting string is [A-Za-z0-9_-] and maximum length is 32. This is not an FQDN host name, but an alias to the IP address of traps. |
| ip_address | IP address of traps server. |
| port | Default is 162. Change to other port number based on your own setup. |
| user_name | User name string. Must be the same as user_name configured in NFVIS. |
| version | 1, 2 or 3 for SNMP v1, v2c or v3. |
| security_level | authPriv, authNoPriv, noAuthNoPriv. Note: SNMP v1 and v2c use noAuthNoPriv only. |
SNMP Configuration Examples
The following example shows SNMP v3 configuration with an encryption passphrase:
configure terminal
snmp group testgroup3 snmp 3 authPriv notify test write test read test
!
snmp user user3 user-version 3 user-group testgroup3 auth-protocol sha priv-protocol aes passphrase changePassphrase encryption-passphrase encryptPassphrase
! configure snmp host to enable snmp v3 trap
snmp host host3 host-ip-address 3.3.3.3 host-version 3 host-user-name user3 host-security-level authPriv host-port 162
!!
The following example shows SNMP v1 and v2 configuration:
configure terminal
snmp community public community-access readOnly
!
snmp group testgroup snmp 2 noAuthNoPriv read read-access write write-access notify notify-access
!
snmp user public user-group testgroup user-version 2
!
snmp host host2 host-ip-address 2.2.2.2 host-port 162 host-user-name public host-version 2 host-security-level noAuthNoPriv
!
snmp enable traps linkup
snmp enable traps linkDown
The following example shows SNMP v3 configuration:
configure terminal
snmp group testgroup3 snmp 3 authPriv notify test write test read test
!
snmp user user3 user-version 3 user-group testgroup3 auth-protocol sha priv-protocol aes passphrase changePassphrase
! configure snmp host to enable snmp v3 trap
snmp host host3 host-ip-address 3.3.3.3 host-version 3 host-user-name user3 host-security-level authPriv host-port 162
!!
To change the security level:
configure terminal
!
snmp group testgroup4 snmp 3 authNoPriv notify test write test read test
!
snmp user user4 user-version 3 user-group testgroup4 auth-protocol md5 passphrase changePassphrase
! configure snmp host to enable snmp v3 trap
snmp host host4 host-ip-address 4.4.4.4 host-version 3 host-user-name user4 host-security-level authNoPriv host-port 162
!!
snmp enable traps linkUp
snmp enable traps linkDown
To change the default SNMP context:
configure terminal
!
snmp group testgroup5 devop 3 authPriv notify test write test read test
!
snmp user user5 user-version 3 user-group testgroup5 auth-protocol md5 priv-protocol des passphrase changePassphrase
!
To use empty context and noAuthNoPriv:
configure terminal
!
snmp group testgroup6 "" 3 noAuthNoPriv read test write test notify test
!
snmp user user6 user-version 3 user-group testgroup6
!

Note:
SNMP v3 context snmp is added automatically when configured from the web portal. To use a different context value or empty context string, use NFVIS CLI or API for configuration.
NFVIS SNMP v3 only supports a single passphrase for both auth-protocol and priv-protocol.
Do not use auth-key and priv-key to configure SNMP v3 passphrase. These keys are generated differently between different NFVIS systems for the same passphrase.
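Why the same passphrase yields different keys on different systems, as an added example that is not Cisco's code: it implements the standard SNMPv3 USM password-to-key and key-localization steps from RFC 3414, which mix the engineID into each key. That NFVIS follows RFC 3414 here, and that encryption-passphrase feeds the priv key, are assumptions; ENGINE_B is a constructed value.

```python
import hashlib

def password_to_key(passphrase: str, algo: str) -> bytes:
    """RFC 3414 A.2: hash the passphrase repeated out to 1,048,576 octets, giving Ku."""
    pw = passphrase.encode()
    if not pw:
        raise ValueError("empty passphrase")
    reps, rem = divmod(1048576, len(pw))
    return hashlib.new(algo, pw * reps + pw[:rem]).digest()

def localize(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 2.6: bind Ku to one engine, Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def usm_keys(engine_id: str, passphrase: str, encryption_passphrase=None, algo="sha1"):
    """Return (auth_key_hex, priv_key_hex) as one engine would derive them.

    Assumption: the priv key comes from encryption_passphrase when one is set,
    otherwise from the same passphrase as the auth key.
    """
    eid = bytes.fromhex(engine_id.replace(":", ""))
    auth = localize(password_to_key(passphrase, algo), eid, algo)
    priv = localize(password_to_key(encryption_passphrase or passphrase, algo), eid, algo)
    return auth.hex(), priv[:16].hex()  # AES-128 and DES both take the first 16 octets

ENGINE_A = "00:00:00:09:11:22:33:44:55:66:77:88"  # engineID shown in the page's show output
ENGINE_B = "00:00:00:09:aa:bb:cc:dd:ee:ff:00:11"  # constructed second system

if __name__ == "__main__":
    for eid in (ENGINE_A, ENGINE_B):
        print(eid, usm_keys(eid, "changePassphrase"))
    print(ENGINE_A, usm_keys(ENGINE_A, "changePassphrase", "encryptPassphrase"))
```

A key copied from one system is therefore only valid against that system's engineID, while the passphrase is portable.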

Note: NFVIS 3.11.1 release enhances the special character support for passphrase. Now the following characters are supported: @#$-!&*

Note: NFVIS 3.12.1 release supports the following special characters: -_#@%$*&! and whitespace. Backslash (\) is not supported.
Verify the Configuration for SNMP Support
Use the show snmp agent command to verify the SNMP agent description and ID.
nfvis# show snmp agent
snmp agent sysDescr "Cisco NFVIS "
snmp agent sysOID 1.3.6.1.4.1.9.12.3.1.3.1291
Use the show snmp traps command to verify the state of SNMP traps.
nfvis# show snmp traps
TRAP      TRAP
NAME      STATE
--------------------
linkDown  disabled
linkUp    enabled
Use the show snmp stats command to verify the SNMP stats.
nfvis# show snmp stats
snmp stats sysUpTime 57351917
snmp stats sysServices 70
snmp stats sysORLastChange 0
snmp stats snmpInPkts 104
snmp stats snmpInBadVersions 0
snmp stats snmpInBadCommunityNames 0
snmp stats snmpInBadCommunityUses 0
snmp stats snmpInASNParseErrs 0
snmp stats snmpSilentDrops 0
snmp stats snmpProxyDrops 0
Use the show running-config snmp command to verify the interface configuration for SNMP.
nfvis# show running-config snmp
snmp agent enabled true
snmp agent engineID 00:00:00:09:11:22:33:44:55:66:77:88
snmp enable traps linkUp
snmp community pub_comm
 community-access readOnly
!
snmp community tachen
 community-access readOnly
!
snmp group tachen snmp 2 noAuthNoPriv
 read test
 write test
 notify test
!
snmp group testgroup snmp 2 noAuthNoPriv
 read read-access
 write write-access
 notify notify-access
!
snmp user public
 user-version 2
 user-group 2
 auth-protocol md5
 priv-protocol des
!
snmp user tachen
 user-version 2
 user-group tachen
!
snmp host host2
 host-port 162
 host-ip-address 2.2.2.2
 host-version 2
 host-security-level noAuthNoPriv
 host-user-name public
!
Upper limit for SNMP configurations
Upper limit for SNMP configurations:
- Communities: 10
- Groups: 10
- Users: 10
- Hosts: 4
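A way to review `show running-config snmp` output against the options and limits described on this page, as an added example that is not part of the Cisco documentation: it flags community strings, security levels below authPriv, md5/des users, and counts above the stated upper limits. The sample config, the function names and the wording of the findings are constructed for illustration.

```python
import re

LIMITS = {"community": 10, "group": 10, "user": 10, "host": 4}  # upper limits from the page
WEAK = {"auth-protocol": "md5", "priv-protocol": "des"}  # weaker of the two choices offered
# Constructed sample in the layout of `show running-config snmp` (not from a real device).
SAMPLE = """snmp agent enabled true
snmp community pub_comm
 community-access readOnly
!
snmp group grp3 snmp 3 authPriv
!
snmp group grp2 snmp 2 noAuthNoPriv
!
snmp user user3
 user-group grp3
 auth-protocol md5
 priv-protocol des
!
snmp host host2
 host-security-level noAuthNoPriv
!
"""

def parse(text):
    """Split the config into {kind: {name: {"args": [...], sub-key: value}}}."""
    cfg, cur = {kind: {} for kind in LIMITS}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"snmp (community|group|user|host) (\S+)\s*(.*)", line)
        if m:
            cur = cfg[m.group(1)].setdefault(m.group(2), {"args": m.group(3).split()})
        elif not line or line.startswith(("!", "snmp ")):
            cur = None  # end of stanza, or a top-level line that is not audited
        elif cur is not None:
            key, _, value = line.partition(" ")
            cur[key] = value.strip()
    return cfg

def audit(text):
    """Return sorted (kind, name, finding) tuples for weak or over-limit settings."""
    cfg = parse(text)
    out = [("community", n, "v1/v2c community: no auth, no encryption") for n in cfg["community"]]
    out += [("group", n, "level " + g["args"][-1]) for n, g in cfg["group"].items()
            if g["args"] and g["args"][-1] != "authPriv"]
    for n, u in cfg["user"].items():
        out += [("user", n, f"{k} {w}") for k, w in WEAK.items() if u.get(k) == w]
    out += [("host", n, "traps at " + h["host-security-level"]) for n, h in cfg["host"].items()
            if h.get("host-security-level", "authPriv") != "authPriv"]
    out += [(k, "*", f"{len(cfg[k])} configured, limit {m}") for k, m in LIMITS.items() if len(cfg[k]) > m]
    return sorted(out)
```

Calling `audit(SAMPLE)` returns five findings, one each for the community, the noAuthNoPriv group and the trap host, and two for the md5/des user.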
SNMP Support APIs and Commands
| APIs | Commands |
| | agent, community, trap-type, host, user, group |