SNMP

Reference: https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol

snmp-server view MYVIEW iso included
snmp-server group myGroupName_RO v3 priv read MYVIEW access 2
snmp-server user myUserName myGroupName_RO v3 auth sha pa$$word priv aes 128 myEncryptionKey! access 2

Note: the 'access 2' in the above config refers to access list 2, which lists the IP addresses of the clients allowed to use this user/group.

How to view the SNMP user details once configured

router#show snmp user
User name: myUserName
Engine ID: 500000000000000000000001
storage-type: nonvolatile        active access-list: 2
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: myGroupName_RO

Note: SNMP passwords are localized using the SNMP engine ID of the authoritative SNMP engine. For SNMP notifications such as inform requests, the authoritative SNMP agent is the remote agent. You must configure the SNMP engine ID of the remote agent in the SNMP database before you can send proxy requests or inform requests to it.

This is the case for all SNMPv3 devices, i.e. it is part of the standard: the User-based Security Model (RFC 3414) derives a key from the password and then localizes it with the authoritative engine's ID, so the same password yields a different key on every device.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/xe-3se/3850/snmp-xe-3se-3850-book/nm-snmp-snmpv3.html

  • Not all of the traffic is encrypted: only the scoped PDU is, the message header and the security parameters are not.
  • You can see the engine ID and the username in clear text even in the encrypted packets.
  • The client requires the agent's engine ID to localize the key derived from the password, so it must discover it before it can authenticate or encrypt anything.

Packet 1: the client asks the router, via SNMP, for its engine ID (unique to every router), which is needed to localize the key derived from the password.

Packet 2: Router replies with EngineID

Packet 3: we send an encrypted PDU (note that the username and engine ID are in the security-parameters header and are not encrypted).

Packet 4: we get a Report back in clear text, counted under usmStatsNotInTimeWindows, "The total number of packets received by the SNMP engine which were dropped because they appeared outside of the authoritative SNMP engine's window." (reference: https://oidref.com/1.3.6.1.6.3.15.1.1.2). This is because we have not set EngineBoots and EngineTime in our request (we don't yet know what they should be). The Report also carries the agent's current values, i.e. it contains:

  • msgAuthoritativeEngineID
  • msgAuthoritativeEngineBoots
  • msgAuthoritativeEngineTime

Packet 5: we send the request again (encrypted), now also with the correct EngineBoots and EngineTime values.

Packet 6: We get a successful response (encrypted)
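The two mechanisms behind this exchange, key localization (why the client needs the engine ID before it can do anything) and the time-window check (why Packet 3 was answered with a Report), can be reproduced offline. The following Python is an added example, not code from the original note or from Cisco. It implements the RFC 3414 password-to-key and key-localization steps with hashlib and the authoritative engine's time-window test. All inputs are constructed: the password and the first engine ID are the RFC 3414 Appendix A.3 test vectors, the second engine ID is the one in the 'show snmp user' output above, and the boots/time values are made up.

```python
"""SNMPv3 USM key localization and time-window check (RFC 3414).

Added illustration; not code from the original note or from Cisco.
"""
import hashlib

# RFC 3414 A.2: the password is repeated to exactly 1 MiB before hashing.
EXPANSION_LENGTH = 1_048_576
# RFC 3414 3.2 step 7b: tolerated skew between the two engines' clocks.
TIME_WINDOW_SECONDS = 150
# snmpEngineBoots saturates here; a saturated engine accepts nothing.
MAX_ENGINE_BOOTS = 2147483647


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: hash of the password repeated to 1 MiB (RFC 3414 A.2.1 / A.2.2).

    hash_name is 'md5' (usmHMACMD5AuthProtocol) or 'sha1'
    (usmHMACSHAAuthProtocol, which is what IOS 'auth sha' means).
    """
    if not password:
        raise ValueError("empty password")
    repeats = EXPANSION_LENGTH // len(password) + 1
    expanded = (password * repeats)[:EXPANSION_LENGTH]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one authoritative engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key_for(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Full derivation from password to the per-engine localized key."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def in_time_window(msg_boots: int, msg_time: int,
                   local_boots: int, local_time: int) -> bool:
    """Authoritative engine's check on msgAuthoritativeEngineBoots/Time.

    A failure increments usmStatsNotInTimeWindows (1.3.6.1.6.3.15.1.1.2) and is
    answered with an unencrypted Report carrying the engine's current boots and
    time, which is what Packet 4 above is.
    """
    if local_boots == MAX_ENGINE_BOOTS:
        return False
    if msg_boots != local_boots:
        return False
    return abs(msg_time - local_time) <= TIME_WINDOW_SECONDS


if __name__ == "__main__":
    # Constructed inputs: RFC 3414 A.3 test vector password and engine ID,
    # plus the engine ID from the 'show snmp user' output.
    password = b"maplesyrup"
    engine_rfc = bytes.fromhex("000000000000000000000002")
    engine_router = bytes.fromhex("500000000000000000000001")
    for name in ("md5", "sha1"):
        print(name, "Ku                 :", password_to_key(password, name).hex())
        print(name, "Kul (RFC engine)   :", localized_key_for(password, engine_rfc, name).hex())
        print(name, "Kul (router engine):", localized_key_for(password, engine_router, name).hex())
    # Packet 3 carries boots=0, time=0 because the client does not know them yet.
    print("accepted at discovery:", in_time_window(0, 0, 3, 123456))
    # Packet 5 carries the values learned from the Report in Packet 4.
    print("accepted after sync  :", in_time_window(3, 123400, 3, 123456))
```

Two practical consequences follow from the code. Because Kul is bound to the engine ID, a key recovered from one device does not work against another, and re-imaging a device (new engine ID) silently invalidates every manager's stored key for it. And because the username and engine ID travel in clear text alongside an HMAC computed with Kul, anyone holding a capture has everything needed to try passwords offline, which is why the strength of the auth password matters even though the PDU itself is encrypted.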

  • tech-notes/snmp.txt
  • Last modified: 2021/01/08 13:30
  • by gerardorourke