Wired Intelligent Edge

Hello, I'm extremely new to networking in general and I am looking for help configuring SNMPv3 on 2920 switches. All I really need in my configuration is to make sure that iMC can communicate correctly with all my switches in a secure manner. I would like to use ManagerPriv with Sha and AES128 because according to my reading this seems to be the most secure. I also want to make sure there is no SNMPv1/2 access. I thought I had a configuration that seemed to work but I ran into issues when trying to set up autodeployment with iMC. Right now my configuration looks something like this:

snmp-server community "public" unrestricted

snmp-server contact "IT Services x4618" location ${hostname}

snmp-server host 10.248.91.191 community "public" informs trap-level not-info

snmpv3 engineid "00:00:00:0b:00:00:c4:34:6b:89:d0:00"

snmpv3 enable

snmpv3 only

snmpv3 restricted-access

snmpv3 group managerpriv user "iMC" sec-model ver3

snmpv3 user "wrdsb!manAES" auth sha "71c9fc6ed63b0a0d7bc9a8959280" priv aes "f9d61ccfede9865c76a10b7"

I'm quite sure it has many errors. I'm hoping to see some examples of SNMPv3 configurations from the community and perhaps a brief description of how that specific configuration functions. (for example I know precious little about the "server host" and "Trap level" commands). I also do not know if I need to set up an SNMPv3 community along with the managerpriv user.

One more comment - the literature seems to be somewhat contradictory when it comes to using the "include-credentials" command with SNMPv3. I am not clear on whether you can or cannot upload a configuration that includes SNMPv3 into iMC and then subsequently use that configuration when auto-deploying other switches that I want to have the same configuration. Thanks!

There is a post for the older model

http://evilrouters.net/2008/12/22/snmpv3-configuration-for-procurve-5400s/

but I have not managed to get IMC 7.x  to use SNMPv3 configured this way on the 2920 (it always fails when selecting SNMP template)

Failure

Possible causes:

1. The device cannot be pinged.

2. SNMP settings/Telnet settings/SSH settings is incorrect.

3. Invalid characters are found.

4. device returns a failure.

Can not get deployment task (software update) working via SNMP:

Upload software to device from iMC Server.
SNMP Set operation failed.    

1. Check that the SNMP Set community name is correct.
With SNMPv3 adopted, the username, authentication password,
privacy password and privacy mode for the device and the iMC should be the same.
2. Error code such as no such name may occur in the Set operation.
You need to capture packets to analyze whether such error occurs in the response received by the device.

It does finish via script/tftp

What must I do to get SNMPv3 working in IMC?

Did not yet try autodeployment

Seb

Your configured user, wrdsb!manAES, is not assigned to a group. You need to remove this line:

snmpv3 group managerpriv user "iMC" sec-model ver3

And add this line:

snmpv3 group managerpriv user "wrdsb!manAES" sec-model ver3

Or if you intend to use the username "iMC", then it should look like this:

snmpv3 group managerpriv user "iMC" sec-model ver3

snmpv3 user "iMC" auth sha "71c9fc6ed63b0a0d7bc9a8959280" priv aes "f9d61ccfede9865c76a10b7"

Basically, you need to create a user and then assign that user to a group.

Hope this helps.

Well spotted!