Question
How to configure SNMPv3 trap target?
Solution
This article explains the procedure to configure SNMPv3 trap targets on SNMPv3 enabled devices.
NOTE: The configurations explained in this article use the authPriv security level:
- MD5 based user authentication
- DES message encryption
MD5 and DES are the legacy USM algorithms. Where both the FlexVNF and the trap receiver support them, prefer SHA authentication and AES encryption and substitute them in the usm and createUser entries below.
Appliance Pre-requisites
- Ensure that SNMPv3 agent is enabled.
- Run the show confdConfig snmpAgent snmpEngine snmpEngineID CLI command to note the engine ID, or use vsh engine-id from the shell on the latest release. The engine ID is unique per device; note it from the device whose traps you want to receive.
Example:
admin@Branch1-cli(config)% show confdConfig snmpAgent snmpEngine snmpEngineID
snmpEngineID 80:00:04:d2:04:76:65:72:73:61;
Or run the following shell command on the latest release:
[admin@CPE2: ~] # vsh engine-id
80:00:a5:77:01:0a:c0:85:0c
Procedure
Follow these steps to configure an SNMPv3 trap target.
1. Create a user called test1.
Example:
admin@Branch1-cli(config)% show snmp usm local
user test1 {
    auth {
        md5 {
            password versa123;
        }
    }
    priv {
        des {
            password versa123;
        }
    }
}
NOTE: SNMP uses a security name for V3 users. This is configurable under snmp usm local user <> sec-name, but it is not saved when it is the same as the user name. ConfD logs might print a debug message stating that the security name for the V3 user is missing. This can be ignored.
2. Create a separate group for v3 users (v3grp) with the auth-priv security level and add the usual views.
3. Add the user test1 to the group v3grp.
Example:
group v3grp {
    member test1 {
        sec-model [ usm ];
    }
    access usm auth-priv {
        read-view internet;
        write-view internet;
        notify-view internet;
    }
}
view internet {
    subtree 1.2 {
        included;
    }
    subtree 1.3 {
        included;
    }
    subtree 1.3.6.1 {
        included;
    }
}
4. Configure a target named Testv3 for the receiver 172.16.11.10 listening on UDP port 5000.
Example:
target Testv3 {
    ip 172.16.11.10;
    udp-port 5000;
    tag [ std_v3_inform std_v3_trap ];
    timeout 1500;
    retries 3;
    usm {
        user-name test1;
        sec-level auth-priv;
    }
}
Notifications sent to this target are authenticated and encrypted as user test1 under the agent's own engine ID; the receiver must know both (see step 5).
NOTE: A target can have parameters for only one version. You need to configure separate targets if you want to send both v3 and non-v3 traps to the same destination.
5. Follow these steps to configure snmptrapd (the trap receiver):
a. Configure users with the createUser directive.
b. Associate the user with the remote engine ID of the agent from which the trap originates (the engine ID noted in the Pre-requisites section), using createUser -e.
c. If you want to receive traps for a user from more than one agent, you need a separate createUser line for each agent, each carrying that agent's engine ID.
d. For SNMP Inform the engine ID need not be specified: for an inform the receiver is the authoritative engine, so snmptrapd uses its own engine ID.
Example:
$ cat snmptrapd.conf
engineID fromthisstring
doNotFork yes
# An entry for trap (here, we have to explicitly specify FlexVNF's engine ID)
createUser -e 0x800004d2047665727361 test1 MD5 versa123 DES versa123
# An entry for inform (no need for engine ID)
createUser test1 MD5 versa123 DES versa123
authUser log,execute,net test1
NOTE:
- The passwords must match the usm configuration on the Versa FlexVNF.
- The engine ID passed to createUser -e is the Versa FlexVNF engine ID with the colons stripped and a 0x prefix (80:00:04:d2:04:76:65:72:73:61 becomes 0x800004d2047665727361).
- If the noAuthNoPriv security level is used, add the word noauth at the end of the authUser line:
authUser log,execute,net test1 noauth
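The engine ID conversion in the NOTE above (colons stripped, 0x prefix) and the pair of createUser entries are easy to get wrong by hand. The following Python script is an added example, not part of the original article or of the Versa product: it converts an engine ID as printed by the FlexVNF CLI into the form createUser -e expects, decodes it according to the SnmpEngineID format of RFC 3411 as a sanity check (enterprise number, format octet, and the address or text that follows), and renders an snmptrapd.conf with the trap and inform entries shown in step 5. The engine IDs, user name and passwords are the ones from this article; the function names are the example's own.

```python
"""Engine-ID helpers for an SNMPv3 trap receiver (added example, not Versa code).

The decoding follows the SnmpEngineID TEXTUAL-CONVENTION of RFC 3411:
if the high bit of octet 0 is set, octets 0-3 (high bit cleared) carry the
IANA enterprise number, octet 4 the format, and the rest is format-specific.
"""
import re

# Constructed inputs: the two engine IDs printed in the Pre-requisites section.
CLI_ENGINE_ID = "80:00:04:d2:04:76:65:72:73:61;"  # as pasted from show confdConfig ...
VSH_ENGINE_ID = "80:00:a5:77:01:0a:c0:85:0c"       # as printed by vsh engine-id


def engine_id_bytes(colon_hex: str) -> bytes:
    """Strip colons (and the trailing ';' the ConfD CLI prints) and validate
    the length: RFC 3411 allows 5 to 32 octets."""
    cleaned = colon_hex.strip().rstrip(";").replace(":", "")
    if not re.fullmatch(r"[0-9a-fA-F]+", cleaned) or len(cleaned) % 2:
        raise ValueError(f"not a hex engine ID: {colon_hex!r}")
    raw = bytes.fromhex(cleaned)
    if not 5 <= len(raw) <= 32:
        raise ValueError(f"engine ID must be 5..32 octets, got {len(raw)}")
    return raw


def trapd_engine_id(colon_hex: str) -> str:
    """The form snmptrapd's createUser -e expects: 0x prefix, no colons."""
    return "0x" + engine_id_bytes(colon_hex).hex()


def describe_engine_id(colon_hex: str) -> dict:
    """Decode the RFC 3411 structure so you can confirm the ID you pasted is
    really the agent's (enterprise number plus an address or text suffix)."""
    raw = engine_id_bytes(colon_hex)
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    if not raw[0] & 0x80:
        # Pre-RFC 3411 ("legacy") layout: enterprise, then opaque octets.
        return {"format": "legacy", "enterprise": enterprise, "value": raw[4:].hex()}
    fmt, rest = raw[4], raw[5:]
    if fmt == 1 and len(rest) == 4:
        kind, value = "ipv4", ".".join(str(b) for b in rest)
    elif fmt == 2 and len(rest) == 16:
        kind = "ipv6"
        groups = (int.from_bytes(rest[i:i + 2], "big") for i in range(0, 16, 2))
        value = ":".join(f"{g:x}" for g in groups)
    elif fmt == 3 and len(rest) == 6:
        kind, value = "mac", ":".join(f"{b:02x}" for b in rest)
    elif fmt == 4:
        kind, value = "text", rest.decode("ascii", errors="replace")
    elif fmt == 5:
        kind, value = "octets", rest.hex()
    else:
        kind, value = f"enterprise-specific({fmt})", rest.hex()
    return {"format": kind, "enterprise": enterprise, "value": value}


def render_snmptrapd_conf(user: str, auth_pass: str, priv_pass: str, agent_engine_id: str,
                          auth_proto: str = "MD5", priv_proto: str = "DES") -> str:
    """Render the receiver config from step 5. Traps need a createUser bound to the
    agent's engine ID (the sender is the authoritative SNMPv3 engine); informs use
    snmptrapd's own engine ID, so the second createUser carries none."""
    creds = f"{user} {auth_proto} {auth_pass} {priv_proto} {priv_pass}"
    lines = [
        "engineID fromthisstring",
        "doNotFork yes",
        f"# trap entry: bound to the agent's engine ID {agent_engine_id.strip().rstrip(';')}",
        f"createUser -e {trapd_engine_id(agent_engine_id)} {creds}",
        "# inform entry: snmptrapd is the authoritative engine, no engine ID needed",
        f"createUser {creds}",
        f"authUser log,execute,net {user}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for eid in (CLI_ENGINE_ID, VSH_ENGINE_ID):
        print(trapd_engine_id(eid), describe_engine_id(eid))
    print(render_snmptrapd_conf("test1", "versa123", "versa123", CLI_ENGINE_ID))
```

Decoding the two IDs from the article shows why the check is worth having: the ConfD one is enterprise 1234 with the text suffix "versa", while the one from vsh engine-id carries an IPv4 address, so a receiver that was fed the wrong device's ID will fail USM authentication on every trap without any obvious error.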
Testing SNMPv3 Trap on Versa FlexVNF
Refer to this step to test SNMPv3 traps on Versa FlexVNF.
- Run the VMOD CLI command to test a trap on Versa FlexVNF. From the OS shell enter:
# vsh connect vmod
vmod> test trap appRunning FlexVNF Test3 2 163 3 2 Ani1 Branch1
VMOD Trap: appRunning
Successfully sent trap appRunning with 11 varbinds :-)
NOTE: Here, alarmClass = 2 and alarmProbableCause = 163 (these have to be set correctly [as per IANA-ITU-ALARM-TC-MIB]).
Testing SNMPv3 Trap on Remote Host
Refer to this step to test SNMPv3 Trap on a remote host.
- Run snmptrapd on the remote host with the configuration created in the above procedure:
$ snmptrapd -M /tmp/versa-mibs -m ALL -Le -f -C -c snmptrapd.conf 172.16.11.10:5000
-M indicates the directory where versa-mibs.tar.gz has been untarred; change the directory appropriately. -m ALL loads every MIB found there so varbinds are shown by name, -C skips the default configuration files, -c reads the snmptrapd.conf created above, -f keeps snmptrapd in the foreground and -Le logs to stderr. The listening address and port must match the ip and udp-port of the target configured in step 4.
Troubleshooting
On FlexVNF
- Enable developerLogLevel trace under confdConfig, and watch devel.log.
- Watch snmp.log with snmpLogLevel info.
On receiver
- Check snmptrapd.conf if packets are received but not displayed by snmptrapd. For a trap, the most common cause is a createUser -e engine ID or passphrase that does not match the agent; USM authentication failures are dropped silently.
- Use the -d flag to snmptrapd to dump received packets and check whether a packet is being ignored due to misconfiguration.