Question

How to check SNMPv3 walk?


Solution

This article explains the process to check SNMPv3 walk.


Pre-requisites to Check SNMP v3 walk

Follow these steps before checking SNMP v3 walk.


  1. Run the following set commands on the CLI to add an SNMPv3 user, vuser, using MD5 authentication, AES privacy, and the password versa123.

    Example:

    set snmp usm local user vuser auth md5 password versa123
    set snmp usm local user vuser priv aes password versa123
  2. Run the show snmp vacm view CLI command to display the VACM views. Here, the view internet provides access to all the OIDs under the subtrees 1.2, 1.3 and 1.3.6.1.

    Example:

    % show snmp vacm view
    view internet {
        subtree 1.2 {
            included;
        }
        subtree 1.3 {
            included;
        }
        subtree 1.3.6.1 {
            included;
        }
    }
  3. Run the set snmp vacm group all-rights access any auth-priv notify-view internet read-view internet write-view internet CLI command to create a View-based Access Control Model (VACM) group called all-rights.

    Example:

    set snmp vacm group all-rights access any auth-priv notify-view internet read-view internet write-view internet
                        ^^^(1)^^^^        ^2^  ^^(3)^^   ^^^(4)^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

    The annotated parts of the command configure these properties:

    • (1) a group called all-rights
    • (2) the all-rights group is used by users accessing via any version (v1/v2/usm) of the protocol
    • (3) the access entry applies only when both auth and priv are used
    • (4) their views are restricted to the one defined by internet (shown in step 2)
  4. Run the set snmp vacm group all-rights member vuser sec-model usm CLI command to add vuser to the all-rights group (the sec-model is usm, as in the sample configuration below).
  5. Run the set nacm groups group admin user-name vuser CLI command to add vuser to the NACM group.

    Example:

    set nacm groups group admin user-name vuser
                          ^^^^^  admin has full access to everything in our case (via its NACM rules)
  6. Add a v2c community to test.

    Example:

    % set snmp community public name public
    % set snmp vacm group all-rights member public sec-model v2c

    v2c is without auth and priv. This also demonstrates the use of a community name (instead of a user name) in v2/v1.
  7. Run the snmpwalk -v2c -c public -m ALL -M ./versa-mibs 10.40.15.56 SNMPv2-MIB::system Linux command to check the v2c walk.

    Example:

    $ snmpwalk -v2c -c public -m ALL -M ./versa-mibs 10.40.15.56  SNMPv2-MIB::system
    SNMPv2-MIB::sysDescr.0 = STRING: Versa Appliance
    SNMPv2-MIB::sysObjectID.0 = OID: VERSA-MIB::applications.2.2
    SNMPv2-MIB::sysUpTime.0 = Timeticks: (4773) 0:00:47.73
    SNMPv2-MIB::sysContact.0 = STRING:
    SNMPv2-MIB::sysName.0 = STRING:
    SNMPv2-MIB::sysLocation.0 = STRING:
    SNMPv2-MIB::sysServices.0 = INTEGER: 72
    SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00


Checking v3 Walk

  1. Run the show confdConfig snmpAgent snmpEngine snmpEngineID CLI command to check the EngineID, or use the vsh engine-id command on the latest release.

    Example:

    admin@flexvnf-cli(config)% show confdConfig snmpAgent snmpEngine snmpEngineID
    snmpEngineID 80:00:a5:77:01:0a:28:0f:38;
    [ok][2015-11-14 15:04:54]

    Or, on the latest release, run the following command:

    [admin@flexvnf: ~] # vsh engine-id
    80:00:a5:77:01:0a:28:0f:38


  2. Run the snmpwalk -v 3 -E 8000a577010a280f38 -n "" -u vuser -l authPriv -a MD5 -A versa123 -x AES -X versa123 -m ALL -M ./versa-mibs 10.40.15.56 SNMPv2-MIB::system command to check the v3 walk. Pass the EngineID to snmpwalk without the colons, as in the example.

    Example:

    $ snmpwalk -v 3 -E 8000a577010a280f38 -n "" -u vuser -l authPriv -a MD5 -A versa123 -x AES -X versa123 -m ALL -M ./versa-mibs  10.40.15.56  SNMPv2-MIB::system
    SNMPv2-MIB::sysDescr.0 = STRING: Versa Appliance
    SNMPv2-MIB::sysObjectID.0 = OID: VERSA-MIB::applications.2.2
    SNMPv2-MIB::sysUpTime.0 = Timeticks: (81467) 0:13:34.67
    SNMPv2-MIB::sysContact.0 = STRING:
    SNMPv2-MIB::sysName.0 = STRING:
    SNMPv2-MIB::sysLocation.0 = STRING:
    SNMPv2-MIB::sysServices.0 = INTEGER: 72
    SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
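As an added example that is not part of the original article, the following POSIX shell script takes the EngineID as printed by either command in step 1, strips the colons into the form snmpwalk -E expects, decodes it per RFC 3411 so the embedded enterprise number and IPv4 address can be compared with the enterprise-number (42359) and from-ip (10.40.15.56) in the sample configuration below, and assembles the step 2 snmpwalk command. The two sample outputs are constructed from the page's values; the host and credentials are the article's demo values, not anything to reuse in production.

```shell
#!/bin/sh
# Added helper (not Versa's own tooling): normalise, decode and use the SNMPv3 engine ID.

# Constructed samples of the two CLI output forms shown in step 1 of "Checking v3 Walk".
SAMPLE_CONFD='snmpEngineID 80:00:a5:77:01:0a:28:0f:38;'
SAMPLE_VSH='80:00:a5:77:01:0a:28:0f:38'

# Pull the colon-separated engine ID out of either output and drop the colons,
# which is the form that snmpwalk's -E option expects.
engine_id_hex() {
    printf '%s\n' "$1" | grep -oE '([0-9a-fA-F]{2}:)+[0-9a-fA-F]{2}' | head -n 1 | tr -d ':'
}

# $1 = hex string without colons, $2 = 1-based byte index; prints the byte as decimal.
hexbyte() {
    s=$(( 2 * $2 - 1 )); e=$(( 2 * $2 ))
    echo $(( 0x$(printf '%s' "$1" | cut -c"$s"-"$e") ))
}

# Decode an RFC 3411 engine ID: bit 7 of byte 1 set, enterprise number in the
# remaining 31 bits of bytes 1-4, format in byte 5 (1 = IPv4), address in bytes 6-9.
# Prints "enterprise=<n> format=<f> ip=<a.b.c.d>" for the IPv4 format.
engine_id_decode() {
    hex=$1
    b1=$(hexbyte "$hex" 1); b2=$(hexbyte "$hex" 2); b3=$(hexbyte "$hex" 3); b4=$(hexbyte "$hex" 4)
    [ $(( b1 & 128 )) -ne 0 ] || { echo "not an RFC 3411 engine ID" >&2; return 1; }
    ent=$(( ((b1 & 127) << 24) | (b2 << 16) | (b3 << 8) | b4 ))
    fmt=$(hexbyte "$hex" 5)
    if [ "$fmt" -eq 1 ]; then
        printf 'enterprise=%d format=%d ip=%d.%d.%d.%d\n' "$ent" "$fmt" \
            "$(hexbyte "$hex" 6)" "$(hexbyte "$hex" 7)" "$(hexbyte "$hex" 8)" "$(hexbyte "$hex" 9)"
    else
        printf 'enterprise=%d format=%d\n' "$ent" "$fmt"
    fi
}

# Assemble the authPriv walk from step 2 with the given engine ID ($1) and agent IP ($2);
# the user name and passwords are the article's demo values.
walk_cmd() {
    printf 'snmpwalk -v 3 -E %s -n "" -u vuser -l authPriv -a MD5 -A versa123 -x AES -X versa123 -m ALL -M ./versa-mibs %s SNMPv2-MIB::system\n' "$1" "$2"
}

for raw in "$SAMPLE_CONFD" "$SAMPLE_VSH"; do
    eid=$(engine_id_hex "$raw")
    echo "engine ID $eid -> $(engine_id_decode "$eid")"
done
walk_cmd "$(engine_id_hex "$SAMPLE_VSH")" 10.40.15.56
```

The decoded enterprise number and address should match the engine-id stanza of the agent configuration; a mismatch means the walk is being pointed at a different engine than the one configured.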


Sample Configuration

Refer to this sample configuration when setting up the SNMPv3 walk:


snmp {
    agent {
        enabled;
        ip               10.40.15.56;
        udp-port         161;
        version {
            v1;
            v2c;
            v3;
        }
        engine-id {
            enterprise-number 42359;
            from-ip           10.40.15.56;
        }
        max-message-size 50000;
    }
    usm {
        local {
            user vuser {
                auth {
                    md5 {
                        password versa123;
                    }
                }
                priv {
                    aes {
                        password versa123;
                    }
                }
            }
        }
    }
    community public {
        sec-name public;
    }
    vacm {
        group all-rights {
            member public {
                sec-model [ v2c ];
            }
            member vuser {
                sec-model [ usm ];
            }
            access any no-auth-no-priv {
                read-view   internet;
                write-view  internet;
                notify-view internet;
            }
            access any auth-priv {
                read-view   internet;
                write-view  internet;
                notify-view internet;
            }
        }
        view internet {
            subtree 1.2 {
                included;
            }
            subtree 1.3 {
                included;
            }
            subtree 1.3.6.1 {
                included;
            }
        }
    }
}