Re: SNMPv3 installation - need to also allow SNMPv1 readers

[Chris Bartram]

It did indeed work, no issues.

Thanks.

-Chris Bartram
 
"The purpose of life is not to be happy. It is to be useful, to be honorable, 
to be compassionate, to have it make some difference that you have lived and 
lived well". (Ralph Waldo Emerson)


>
> From: Fredrik Björk 
>To: Chris Bartram  
>Cc: "net-snmp-users@lists.sourceforge.net" 
> 
>Sent: Thursday, April 18, 2013 2:47 AM
>Subject: Re: SNMPv3 installation - need to also allow SNMPv1 readers
> 
>
>
>Hi!
>
>First of all the obvious: is the manager REALLY coming from IP
  192.168.1.50 when the packets hit the RHEL box? No NAT in between?
  No dual NICs or IPs? Just to make sure:
>
>tcpdump -nnvv -c 10 port 161
>
>Then try to access the RHEL box with SNMP from the manager. If
  source IP is really 192.168.1.50 we can proceed...
>
>Try adding this:
>
>
>com2sec  ita    127.0.0.0/8  ITACommunity
>Restart the snmpd service and do this (on the RHEL box):
>
>snmpwalk -v 1 -c ITACommunity 127.0.0.1
>snmpwalk -v 1 -c ITACommunity 127.0.0.1 enterprises
>
>This will make the RHEL attempt to access its own snmp stack over
  the loopback interface. If you don't get any response, well then
  we have to go figure why!
>
>I'm not an expert in snmpd.conf but I think you get the idea here.
>
>/Fredrik
>
>On 2013-04-18 00:48, Chris Bartram wrote:
>
>
>>
>>I have a working SNMPv3 installation (NET-SNMP version 5.3.2.2 on RHEL5:) but 
>>find we must also allow SNMPv1 gets from another tool (Dell OpenManage 
>>Essentials) which doesn't support SNMPv3.
>>
>>
>>Below is what Dell recommends using in the standard snmpd.conf file; I tried 
>>adding this to my existing snmpd.conf and (not surprisingly) it didn't 
>>work... 
>>
>>
>>#sec.name  source    community
>>com2sec  ita    192.168.1.50  ITACommunity
>> 
>>#group.name sec.model sec.name
>>group    itagroup   v1    ita
>>group    itagroup   v2c   ita
>> 
>>#    name   incl/excl subtree mask(optional)
>>view all    included  .1
>> 
>>#    group.name   context  sec.model   sec.level   prefix   read   
>>write   notif
>>access   itagroup ""   any noauth  exact    all    
>>all none
>> 
>># Added for support of bcm5820 cards.
>>pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat
>> 
>># Send traps to the ita box.
>>trapsink 192.168.1.50 ITACommunity
>> 
>># Allow Systems Management Data Engine SNMP to connect to using SMUX
>>smuxpeer .1.3.6.1.4.1.674.10892.1
>>
>>
>>Any pointers?
>>
>>
>>-Thanks,
>> Chris Bartram
>> 
>>"The purpose of life is not to be happy. It is to be useful, to be honorable, 
>>to be compassionate, to have it make some difference that you have lived and 
>>lived well". (Ralph Waldo Emerson)
>>
>
>
>--
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter___
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users

Re: SNMPv3 installation - need to also allow SNMPv1 readers

[Chris Bartram]

I changed the IP address when I tested it, but I'll try a test from the 
localhost as well.

My thoughts were that since I had the SNMPv3 security model in effect already 
on this host, that the SNMPv1/2 community string models would conflict.

-Chris
 
"The purpose of life is not to be happy. It is to be useful, to be honorable, 
to be compassionate, to have it make some difference that you have lived and 
lived well". (Ralph Waldo Emerson)


>
> From: Fredrik Björk 
>To: Chris Bartram  
>Cc: "net-snmp-users@lists.sourceforge.net" 
> 
>Sent: Thursday, April 18, 2013 2:47 AM
>Subject: Re: SNMPv3 installation - need to also allow SNMPv1 readers
> 
>
>
>Hi!
>
>First of all the obvious: is the manager REALLY coming from IP
  192.168.1.50 when the packets hit the RHEL box? No NAT in between?
  No dual NICs or IPs? Just to make sure:
>
>tcpdump -nnvv -c 10 port 161
>
>Then try to access the RHEL box with SNMP from the manager. If
  source IP is really 192.168.1.50 we can proceed...
>
>Try adding this:
>
>
>com2sec  ita    127.0.0.0/8  ITACommunity
>Restart the snmpd service and do this (on the RHEL box):
>
>snmpwalk -v 1 -c ITACommunity 127.0.0.1
>snmpwalk -v 1 -c ITACommunity 127.0.0.1 enterprises
>
>This will make the RHEL attempt to access its own snmp stack over
  the loopback interface. If you don't get any response, well then
  we have to go figure why!
>
>I'm not an expert in snmpd.conf but I think you get the idea here.
>
>/Fredrik
>
>On 2013-04-18 00:48, Chris Bartram wrote:
>
>
>>
>>I have a working SNMPv3 installation (NET-SNMP version 5.3.2.2 on RHEL5:) but 
>>find we must also allow SNMPv1 gets from another tool (Dell OpenManage 
>>Essentials) which doesn't support SNMPv3.
>>
>>
>>Below is what Dell recommends using in the standard snmpd.conf file; I tried 
>>adding this to my existing snmpd.conf and (not surprisingly) it didn't 
>>work... 
>>
>>
>>#sec.name  source    community
>>com2sec  ita    192.168.1.50  ITACommunity
>> 
>>#group.name sec.model sec.name
>>group    itagroup   v1    ita
>>group    itagroup   v2c   ita
>> 
>>#    name   incl/excl subtree mask(optional)
>>view all    included  .1
>> 
>>#    group.name   context  sec.model   sec.level   prefix   read   
>>write   notif
>>access   itagroup ""   any noauth  exact    all    
>>all none
>> 
>># Added for support of bcm5820 cards.
>>pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat
>> 
>># Send traps to the ita box.
>>trapsink 192.168.1.50 ITACommunity
>> 
>># Allow Systems Management Data Engine SNMP to connect to using SMUX
>>smuxpeer .1.3.6.1.4.1.674.10892.1
>>
>>
>>Any pointers?
>>
>>
>>-Thanks,
>> Chris Bartram
>> 
>>"The purpose of life is not to be happy. It is to be useful, to be honorable, 
>>to be compassionate, to have it make some difference that you have lived and 
>>lived well". (Ralph Waldo Emerson)
>>
>
>
>--
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter___
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users

Re: SNMPv3 installation - need to also allow SNMPv1 readers

[Fredrik Björk]

Hi!

First of all the obvious: is the manager REALLY coming from IP 
192.168.1.50 when the packets hit the RHEL box? No NAT in between? No 
dual NICs or IPs? Just to make sure:


tcpdump -nnvv -c 10 port 161

Then try to access the RHEL box with SNMP from the manager. If source IP 
is really 192.168.1.50 we can proceed...


Try adding this:

com2sec  ita127.0.0.0/8 ITACommunity

Restart the snmpd service and do this (on the RHEL box):

snmpwalk -v 1 -c ITACommunity 127.0.0.1
snmpwalk -v 1 -c ITACommunity 127.0.0.1 enterprises

This will make the RHEL attempt to access its own snmp stack over the 
loopback interface. If you don't get any response, well then we have to 
go figure why!


I'm not an expert in snmpd.conf but I think you get the idea here.

/Fredrik

On 2013-04-18 00:48, Chris Bartram wrote:


I have a working SNMPv3 installation (NET-SNMP version 5.3.2.2 on 
RHEL5:) but find we must also allow SNMPv1 gets from another tool 
(Dell OpenManage Essentials) which doesn't support SNMPv3.


Below is what Dell recommends using in the standard snmpd.conf file; I 
tried adding this to my existing snmpd.conf and (not surprisingly) it 
didn't work...


# sec.name  sourcecommunity
com2sec  ita 192.168.1.50  ITACommunity
# group.name  sec.model sec.name
groupitagroup v1ita
group itagroup   v2c   ita
# name   incl/excl subtree mask(optional)
view allincluded  .1
# group.name   context  sec.model   sec.level   prefix read   write   
notif
access   itagroup ""   any noauth  exactall
all none

# Added for support of bcm5820 cards.
pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat
# Send traps to the ita box.
trapsink 192.168.1.50 ITACommunity
# Allow Systems Management Data Engine SNMP to connect to using SMUX
smuxpeer .1.3.6.1.4.1.674.10892.1

Any pointers?

-Thanks,
 Chris Bartram
"The purpose of life is not to be happy. It is to be useful, to be 
honorable, to be compassionate, to have it make some difference that 
you have lived and lived well". (Ralph Waldo Emerson)


--
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter___
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users

SNMPv3 installation - need to also allow SNMPv1 readers

[Chris Bartram]

I have a working SNMPv3 installation (NET-SNMP version 5.3.2.2 on RHEL5:) but 
find we must also allow SNMPv1 gets from another tool (Dell OpenManage 
Essentials) which doesn't support SNMPv3.

Below is what Dell recommends using in the standard snmpd.conf file; I tried 
adding this to my existing snmpd.conf and (not surprisingly) it didn't work... 

#sec.name  source    community
com2sec  ita    192.168.1.50  ITACommunity
 
#group.name sec.model sec.name
group    itagroup   v1    ita
group    itagroup   v2c   ita
 
#    name   incl/excl subtree mask(optional)
view all    included  .1
 
#    group.name   context  sec.model   sec.level   prefix   read   
write   notif
access   itagroup ""   any noauth  exact    all    all  
   none
 
# Added for support of bcm5820 cards.
pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat
 
# Send traps to the ita box.
trapsink 192.168.1.50 ITACommunity
 
# Allow Systems Management Data Engine SNMP to connect to using SMUX
smuxpeer .1.3.6.1.4.1.674.10892.1

Any pointers?

-Thanks,
 Chris Bartram
 
"The purpose of life is not to be happy. It is to be useful, to be honorable, 
to be compassionate, to have it make some difference that you have lived and 
lived well". (Ralph Waldo Emerson)--
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter___
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users