On 3/30/2012 12:41 PM, Mathias Wegner wrote:
On Mar 30, 2012, at 1:16 PM, Rob wrote:
Anybody using SNMPv3 in their environments?
We are moving to it in a significant way, and wanted to compare notes.
I'd really like to hear from you if you are using V3.
We're using it for polling about 2000 snmp devices and we've been using it
since Spectrum 6 or so. Most of the polling issues have been worked out pretty
well, but there are still a few gotchas. Devices with more than one IP address
can trigger a false alarm for duplicate IPs with the same snmp v3 engine ID
when the polling IP changes, for instance, but there's a fix for that scheduled
in h07 or 9.2.2. Setting up credentials, discovering devices, changing
credentials on devices is all pretty straightforward.
If it's not too late, don't manually configure engine IDs on your network
devices. You will get duplicates and misconfigurations, it will be a pain.
Let the devices autoconfigure.
Did you have any specific questions?
Mathias Wegner
ISC N&T
University of Pennsylvania
Thanks Mathias,
You pretty much nailed what I'm seeing early on. I've been playing with
4 IBM Datapower devices and V3 for about a week or so. That Admin is on
my team, and we've had the luxury of having him fiddle with things for
us as we explore how things are going to work.
The first thing I did was change the default settings in
$SPECROOT/SS/.vnmrc for the following:
snmpv3_default_auth_protocol=md5
snmpv3_default_priv_protocol=des
To:
snmpv3_default_auth_protocol=SHA
snmpv3_default_priv_protocol=AES
Since we felt those were more secure than the defaults.
The DataPowers modeled fine initially, but like 12 hours later we got a
Duplicate Engine ID alarm on only one of the devices, and traps stopped
working. Interestingly, I could still walk the Agent MIB with MIBTOOLS on
that device.
Then last night the network team started rolling out their V3 scheme to
325 devices (without telling me, SIGH) and the SNMP NOT... Alarms
started rolling in.
So I got the Creds the Network Team chose (SHA and AES as well) and
started modifying what they changed last night. Two 6509s modeled green
initially, but then one went "SNMP NOT RESPONDING" and the other gave me
a "Duplicate Engine ID". I'll have to double-check, but I believe we are
letting the device autoconfigure the Engine ID.
I called support, and they confirmed that what I was seeing was a
known issue and informed me of the fix in H07 (due next week?). I'm
told there is a PTR, which I'll be testing this afternoon.
I read that if you have the above .vnmrc defaults set as I do, and need
to support a device with say md5/des you need to preface those values
before the credentials in the Profile editor. I have not tried that
yet, hope that works OK.
What is your feel for the added load that using AES puts on each side
and the potential latency? My feeling is that marginal (CPU-loaded) devices
will need to be tweaked for Timeout/Retries, whereas with V2 they might not
have had to. Are you seeing this?
Thanks in advance!
-Rob
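Both messages above turn on the SNMPv3 engine ID: Mathias warns that hand-configured IDs produce duplicates, and Rob's "Duplicate Engine ID" alarms include the false-positive case of one multi-homed device seen from two polling addresses. The script below is an added example, not code from either poster or from Spectrum: it decodes an engine ID per the RFC 3411 SnmpEngineID layout (enterprise number, format octet, then an IPv4/IPv6/MAC/text body, or the 12-octet legacy form) and then sorts a constructed set of poll records into "one device, several IPs" versus "several devices, one engine ID", which is the distinction the alarm itself does not make. The enterprise-number table is a deliberately partial assumption, and the poll records are constructed sample data.

```python
"""Decode SNMPv3 engine IDs (RFC 3411) and separate genuine duplicate engine
IDs from the multi-homed-device false positive.  Added example; the enterprise
table is a partial assumption and SAMPLE_POLLS is constructed data."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Partial IANA enterprise-number table (assumption: only what this example needs).
ENTERPRISES = {2: "IBM", 9: "Cisco", 311: "Microsoft", 8072: "net-snmp"}


@dataclass(frozen=True)
class EngineId:
    raw: bytes
    enterprise: int
    fmt: str       # ipv4, ipv6, mac, text, octets, enterprise-specific, legacy
    identity: str  # decoded body: address, MAC, text, or hex

    @property
    def vendor(self) -> str:
        return ENTERPRISES.get(self.enterprise, f"enterprise-{self.enterprise}")


def decode_engine_id(hexstr: str) -> EngineId:
    """Parse a hex engine ID ("80:00:00:09:03:..." or "8000000903...")."""
    raw = bytes.fromhex(hexstr.replace(":", "").replace(" ", ""))
    if not 5 <= len(raw) <= 32:
        raise ValueError(f"engine ID must be 5..32 octets, got {len(raw)}")
    head = int.from_bytes(raw[:4], "big")
    if not head & 0x80000000:
        # High bit clear: pre-RFC 3411 form, exactly 12 octets, enterprise number
        # in the first four and the remaining eight defined by the vendor.
        if len(raw) != 12:
            raise ValueError("legacy-format engine ID must be exactly 12 octets")
        return EngineId(raw, head, "legacy", raw[4:].hex())
    enterprise = head & 0x7FFFFFFF
    fmt_byte, body = raw[4], raw[5:]
    if fmt_byte == 1 and len(body) == 4:
        return EngineId(raw, enterprise, "ipv4", str(ipaddress.IPv4Address(body)))
    if fmt_byte == 2 and len(body) == 16:
        return EngineId(raw, enterprise, "ipv6", str(ipaddress.IPv6Address(body)))
    if fmt_byte == 3 and len(body) == 6:
        return EngineId(raw, enterprise, "mac", ":".join(f"{b:02x}" for b in body))
    if fmt_byte == 4 and 1 <= len(body) <= 27:
        return EngineId(raw, enterprise, "text", body.decode("ascii", "replace"))
    if fmt_byte == 5 and 1 <= len(body) <= 27:
        return EngineId(raw, enterprise, "octets", body.hex())
    if fmt_byte >= 128:
        return EngineId(raw, enterprise, "enterprise-specific", body.hex())
    raise ValueError(f"malformed engine ID: format {fmt_byte}, {len(body)}-octet body")


def classify_engine_ids(polls):
    """polls: iterable of (device_name, polling_ip, engine_id_hex).

    Groups by engine ID.  The same ID from several IPs of ONE device is a
    multi-homed device (benign, the false-alarm case); the same ID on
    DIFFERENT devices is a real duplicate, typically a hand-copied engine ID.
    """
    seen = defaultdict(lambda: {"devices": set(), "ips": set()})
    for device, ip, engine_hex in polls:
        key = decode_engine_id(engine_hex).raw.hex()   # normalised lower-case hex
        seen[key]["devices"].add(device)
        seen[key]["ips"].add(ip)
    report = {}
    for key, s in seen.items():
        if len(s["devices"]) > 1:
            verdict = "duplicate"
        elif len(s["ips"]) > 1:
            verdict = "multihomed"
        else:
            verdict = "ok"
        report[key] = {"devices": sorted(s["devices"]),
                       "ips": sorted(s["ips"]), "verdict": verdict}
    return report


# Constructed sample poll records (device name, polling IP, engine ID).
SAMPLE_POLLS = [
    ("core-a", "10.0.0.1", "80:00:00:09:03:00:11:22:33:44:55"),
    ("core-a", "10.0.1.1", "8000000903001122334455"),  # second interface, same engine
    ("edge-b", "10.0.2.1", "8000000903aabbccddeeff"),
    ("edge-c", "10.0.3.1", "8000000903aabbccddeeff"),  # engine ID copied by hand
    ("lab-nms", "10.0.9.9", "80001f88010a000909"),     # net-snmp, IPv4-derived ID
]

if __name__ == "__main__":
    for key, info in classify_engine_ids(SAMPLE_POLLS).items():
        e = decode_engine_id(key)
        print(f"{key}: {e.vendor} {e.fmt} {e.identity} -> {info['verdict']} "
              f"devices={info['devices']} ips={info['ips']}")
```

The "multihomed" verdict is the one to suppress or downgrade in a poller; "duplicate" is the misconfiguration Mathias describes and needs the engine ID regenerated on all but one device. Note that nothing here validates that an IPv4- or MAC-derived ID actually matches the polled box; that needs a side-by-side check against the interface table, which this example does not attempt.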
---
To unsubscribe from spectrum, send email to [email protected] with the body:
unsubscribe spectrum [email protected]