How do I configure and verify SNMPv3 with an ArubaOS controller? 

Jul 05, 2014 02:44 AM

Question: How do I configure and verify SNMPv3 with an ArubaOS controller?

 

Product and Software: This article applies to all Aruba controller models running ArubaOS 5.0 and later, and may also apply to older versions.
This example configures the highest SNMPv3 security level, authPriv: every query is both authenticated (SHA) and encrypted (AES).

1) Using the ArubaOS CLI, create the SNMPv3 user (PASSWORD stands for the authentication and privacy passphrases):
snmp-server user "netadmin_ro" auth-prot sha PASSWORD priv-prot aes PASSWORD

Working example:
snmp-server user "netadmin_ro" auth-prot sha netadmin_pass3 priv-prot aes netadmin_pass3

2) From a host with net-snmp installed, query the controller with snmpwalk; the security level (-l authPriv), protocols and passphrases must match the user created in step 1:
snmpwalk -Ov -v 3 -u netadmin_ro -a SHA -x AES -A netadmin_pass3 -X netadmin_pass3 -l authPriv <controller IP>

Working example:
snmpwalk -v 3 -u netadmin_ro -a SHA -x AES -A netadmin_pass3 -X netadmin_pass3 -l authPriv 192.168.17.248 1.3.6.1.4.1.14823.2.2.1.4
WLSX-USER-MIB::wlsxTotalNumOfUsers.0 = Gauge32: 0
WLSX-USER-MIB::wlsxUserSessionTimeCount."campus_alcatel_cp".1 = Counter32: 0
WLSX-USER-MIB::wlsxUserSessionTimeCount."campus_alcatel_cp".5 = Counter32: 0
WLSX-USER-MIB::wlsxUserSessionTimeCount."campus_alcatel_cp".15 = Counter32: 2
WLSX-USER-MIB::wlsxUserSessionTimeCount."campus_alcatel_cp".30 = Counter32: 0
WLSX-USER-MIB::wlsxUserSessionTimeCount."campus_alcatel_cp".60 = Counter32: 0
WLSX-USER-MIB::wlsxUserSessionTimeCount."campus_alcatel_cp".120 = Counter32: 0
WLSX-USER-MIB::wlsxUserSessionTimeCount."campus_alcatel_cp".240 = Counter32: 0
WLSX-USER-MIB::wlsxNumOfUsers8021x.0 = Gauge32: 0
WLSX-USER-MIB::wlsxNumOfUsersVPN.0 = Gauge32: 1
WLSX-USER-MIB::wlsxNumOfUsersCP.0 = Gauge32: 0
WLSX-USER-MIB::wlsxNumOfUsersMAC.0 = Gauge32: 0
WLSX-USER-MIB::wlsxNumOfUsersStateful8021x.0 = Gauge32: 0


3) Now define an SNMPv3 inform host that will receive the controller's informs (acknowledged traps):
snmp-server host 192.168.17.30 version 3 netadmin_ro inform interval 5 retrycount 3 udp-port 162


Note that the user field reuses the SNMPv3 username created in step 1: "netadmin_ro".
The interval and retrycount should be generous enough for the informs to reach the host and for the acknowledgement to come back to the controller, even under less-than-perfect network conditions.
Caution: SNMPv3 informs require an acknowledgement from the inform host. Be sure the host is configured to accept and acknowledge informs from this user, to avoid situations where the controller keeps sending informs that are never acknowledged.

4) Check the inform host in the trap-hosts table:
(cx620-1.wob.baynetworks.com) (config) #show snmp trap-hosts
SNMP TRAP HOSTS
---------------
HOST           VERSION  SECURITY NAME  PORT  TYPE    TIMEOUT  RETRY
----           -------  -------------  ----  ----    -------  -----
192.168.17.14  SNMPv1   public         162   Trap    N/A      N/A
192.168.17.15  SNMPv1   public         162   Trap    N/A      N/A
192.168.17.15  SNMPv2c  public         162   Inform  60       3
192.168.17.30  SNMPv1   public         162   Trap    N/A      N/A
192.168.17.30  SNMPv3   netadmin_ro    162   Inform  5        3

(cx620-1.wob.baynetworks.com) (config) #show snmp inform stats
Inform queue size is 250.

SNMP INFORM STATS
-----------------
HOST           PORT  INFORMS-INQUEUE  OVERFLOW  TOTAL INFORMS
----           ----  ---------------  --------  -------------
192.168.17.15  162   0                FALSE     164
192.168.17.30  162   0                FALSE     0


To test SNMPv3 inform function, follow these steps:

1) Check the snmp-server trap list for a trap we can generate easily:
show snmp trap-list | include auth
authenticationFailure Yes Enabled
We'll use this trap as a simple example to force SNMPv3 informs to be sent.

2) Generate an SNMP inform by opening an SSH connection to the controller with incorrect login credentials. The controller should send an SNMPv3 inform, as shown in the output of a sniffer trace taken at the inform host. Because the user is authPriv, the sniffer can only show an encrypted PDU unless it has been given the privacy key:
No. Time Source Destination Protocol Info
12 1.026805 192.168.17.248 192.168.17.30 SNMP encryptedPDU: privKey Unknown
Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 38
        msgMaxSize: 2048
        msgFlags: 07
            .... .1.. = Reportable: Set
            .... ..1. = Encrypted: Set
            .... ...1 = Authenticated: Set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID: 80001f8880f21224107f0df44d
        1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
        Engine Enterprise ID: net-snmp (8072)
        Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
        Engine ID Data: f2122410
        Engine ID Data: Creation Time: Jun 12, 2011 02:51:11 CEST
    msgAuthoritativeEngineBoots: 7
    msgAuthoritativeEngineTime: 1529747
    msgUserName: netadmin_ro
    msgAuthenticationParameters: cbe630be0dca500c726f5e78
    msgPrivacyParameters: 4e8c2dfc12b73afb
    msgData: encryptedPDU (1)

The SNMP inform host responds with an acknowledgement of the inform:
No. Time Source Destination Protocol Info
13 1.027798 192.168.17.30 192.168.17.248 SNMP report 1.3.6.1.6.3.15.1.1.3.0
Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 38
        msgMaxSize: 65507
        msgFlags: 00
            .... .0.. = Reportable: Not set
            .... ..0. = Encrypted: Not set
            .... ...0 = Authenticated: Not set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID: 80001f8880f21224107f0df44d
        1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
        Engine Enterprise ID: net-snmp (8072)
        Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
        Engine ID Data: f2122410
        Engine ID Data: Creation Time: Jun 12, 2011 02:51:11 CEST
    msgAuthoritativeEngineBoots: 7
    msgAuthoritativeEngineTime: 1529747
    msgUserName: netadmin_ro
    msgAuthenticationParameters: <MISSING>
    msgPrivacyParameters: <MISSING>
    msgData: plaintext (0)
        plaintext
            contextEngineID: 80001f8880f21224107f0df44d
                1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
                Engine Enterprise ID: net-snmp (8072)
                Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
                Engine ID Data: f2122410
                Engine ID Data: Creation Time: Jun 12, 2011 02:51:11 CEST
            contextName: <MISSING>
            data: report (8)
                report
                    request-id: 0
                    error-status: noError (0)
                    error-index: 0
                    variable-bindings: 1 item
                        1.3.6.1.6.3.15.1.1.3.0: 75
                            Object Name: 1.3.6.1.6.3.15.1.1.3.0 (iso.3.6.1.6.3.15.1.1.3.0)
                            Value (Counter32): 75


3) Check the SNMP inform queue to verify the informs sent:
(cx620-1.wob.baynetworks.com) (config) #show snmp inform stats
Inform queue size is 250.
SNMP INFORM STATS
-----------------
HOST           PORT  INFORMS-INQUEUE  OVERFLOW  TOTAL INFORMS
----           ----  ---------------  --------  -------------
192.168.17.15  162   0                FALSE     255
192.168.17.30  162   0                FALSE     91
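As an added example (not part of the original article), the script below decodes the SNMPv3 header values from the two frames in the trace above and classifies the inform host's reply; it makes visible the check a practitioner wants here: the varbind 1.3.6.1.6.3.15.1.1.3.0 in frame 13 is usmStatsUnknownUserNames (RFC 3414), a USM error Report, whereas a genuine acknowledgement of an InformRequest is a Response PDU. The engine ID and usmStats decoding follow RFC 3411 and RFC 3414; the Net-SNMP random-format layout (4 random bytes, then a 4-byte little-endian creation time) is inferred from the Wireshark decode shown above, and the input values are copied from that decode.

```python
"""Decode SNMPv3 header fields and classify the inform host's reply.

Added example, not part of the original article; input values are copied
from the Wireshark dissection of frames 12 and 13 above.
"""
from datetime import datetime, timezone

# usmStats counters from RFC 3414. A Report PDU carrying one of these is a
# USM error indication, not the Response PDU that acknowledges an inform.
USM_STATS = {
    "1.3.6.1.6.3.15.1.1.1": "usmStatsUnsupportedSecLevels",
    "1.3.6.1.6.3.15.1.1.2": "usmStatsNotInTimeWindows",
    "1.3.6.1.6.3.15.1.1.3": "usmStatsUnknownUserNames",
    "1.3.6.1.6.3.15.1.1.4": "usmStatsUnknownEngineIDs",
    "1.3.6.1.6.3.15.1.1.5": "usmStatsWrongDigests",
    "1.3.6.1.6.3.15.1.1.6": "usmStatsDecryptionErrors",
}


def security_level(msg_flags: int) -> str:
    """Map the msgFlags byte (RFC 3412: auth=0x01, priv=0x02) to its level."""
    auth, priv = bool(msg_flags & 0x01), bool(msg_flags & 0x02)
    if priv and not auth:
        raise ValueError("priv without auth is an invalid msgFlags value")
    return "authPriv" if priv else "authNoPriv" if auth else "noAuthNoPriv"


def decode_engine_id(hex_id: str) -> dict:
    """Parse an RFC 3411 engine ID; also decode Net-SNMP's format 128."""
    raw = bytes.fromhex(hex_id)
    if len(raw) < 5 or not raw[0] & 0x80:
        raise ValueError("not an RFC 3411 formatted engine ID")
    info = {"enterprise": int.from_bytes(raw[:4], "big") & 0x7FFFFFFF,
            "format": raw[4]}
    # Net-SNMP (enterprise 8072) format 128, as inferred from the trace:
    # 4 random bytes followed by a 4-byte little-endian creation timestamp.
    if info["enterprise"] == 8072 and info["format"] == 128 and len(raw) == 13:
        info["random"] = raw[5:9].hex()
        created = int.from_bytes(raw[9:13], "little")
        info["created_utc"] = datetime.fromtimestamp(created, timezone.utc)
    return info


def classify_reply(pdu_type: str, oid: str = "") -> str:
    """Say whether the inform host's reply actually acknowledged the inform."""
    if pdu_type == "response":
        return "acknowledged"
    if pdu_type == "report" and oid:
        name = USM_STATS.get(oid.rsplit(".", 1)[0], "unknown report OID")
        return "rejected by USM: " + name
    return "unexpected PDU type " + pdu_type
```

With net-snmp's snmptrapd, the inform host learns the user through snmptrapd.conf entries such as createUser netadmin_ro SHA netadmin_pass3 AES netadmin_pass3 and authUser log netadmin_ro; once the host knows the user, the reply to the inform should change from a report to a response.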
