
Configuring the Matrix N-Series (DFE) for SNMPv3 Informs or Traps


Article ID: 5390

Products
DFE
NetSight
Atlas Console

Goals
Sample configuration

Symptoms
"USM Unknown Security Name" error when NetSight receives an Inform or Trap

Solution
Configuring SNMP v3 Informs and Traps (5721) on the DFE and other platforms is a little bit tricky. Here is a sample DFE configuration:
set snmp view viewname All subtree 1
set snmp user v3user authentication md5 md5passwd privacy despasswd
set snmp group v3group user v3user security-model usm
set snmp access v3group security-model usm privacy exact read All write All notify All
set snmp notify v3notify tag v3tag inform
set snmp targetaddr v3TA 134.141.209.73 param v3TP taglist v3tag
set snmp targetparams v3TP user v3user security-model usm message-processing v3 privacy

The instructions below use the two snmptrapd.conf files that exist with any given NetSight installation. Their locations may vary, but once located (a system filename search works well) they clearly have two different functions: one contains the oldEngineID value, and the other is for defining new users.

Informs

This is the trickiest part of the procedure. The receiver's EngineID value is used by both the sender and receiver for propagation of Inform notifications, so a user ID and the corresponding receiver (NetSight Atlas Console, in this case) EngineID must be configured on the sender (DFE, in this case).

You can see the EngineID of NetSight Atlas Console in this file:

C:\Program Files\Enterasys Networks\NetSight Atlas Shared\snmptrapd.conf

(your location can vary according to your setup)

The EngineID is defined with the following line:

oldEngineID 0x800007e5804f190000d232aa40

(your EngineID will be different)

You will need to define the same user (v3user in our example) again with this EngineID and with the same Auth/Priv passwords you used in the first definition:

set snmp user v3user remote 800007e5804f190000d232aa40 authentication md5 md5passwd privacy despasswd

(Note that we omitted the "0x" from the EngineID. You can also use the colon notation like this:
80:00:07:e5:80:4f:19:00:00:d2:32:aa:40)

The last step you need to take is to configure the user on the management station. We assume that you have already created the user in NetSight Atlas Console, so you will only need to add it to the configuration file of the Trap Daemon:

C:\Program Files\Enterasys Networks\NetSight Atlas Console\Bin\snmptrapd.conf

Add this line with any plain-text editor:

createuser v3user MD5 md5passwd DES despasswd

Save the file and restart the SNMPTrap Service via NetSight Atlas Services Manager.

Congratulations, at this point you are ready to send and receive SNMP v3 Informs in their most secure form (Authentication and Privacy enabled).

Traps

For those of you wanting to use Traps instead of Informs: you will need to change your notify line:

set snmp notify v3notify tag v3tag trap

(notice "trap" instead of "inform" at the end)

and then, because the sender's EngineID value ('show snmp engineid') is used by both the sender and receiver for propagation of Trap notifications, a user ID and corresponding sender (DFE, in this case) EngineID must be configured on the receiver (NetSight Atlas Console's snmptrapd.conf file, in this case). The easiest way to do this is to right-click on the device, "Configure Traps" -> "snmptrapd configuration", check Status (should be "Received" or "In the file"), "Save". You can manually check if the entry has been added to the file:

C:\Program Files\Enterasys Networks\NetSight Atlas Console\Bin\snmptrapd.conf

The entry should look like this:

createuser -e 0x800015f80300e06314d79c v3user MD5 md5passwd DES despasswd

Don't forget to restart the SNMPTrap Service via NetSight Atlas Services Manager.
Note: When installed on a Unix platform, the NetSight server must be manually restarted.
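
The EngineID handling from both procedures above, as an added Python example (not part of the original article or of NetSight): it reads the oldEngineID line from snmptrapd.conf text and builds the DFE "set snmp user ... remote" line for Informs and the "createuser -e" line for Traps, rejecting malformed EngineIDs. The function names and the sample file text are constructed for illustration, and accepting the sender's EngineID in 0x, colon or bare hex form is an assumption; the user name, passwords and EngineIDs are the article's sample values.

```python
import re

# Constructed sample of the Shared snmptrapd.conf, using the article's EngineID.
SAMPLE_CONF = """\
# constructed sample
oldEngineID 0x800007e5804f190000d232aa40
"""

def normalize_engine_id(raw):
    """Return bare lowercase hex from 0x-prefixed, colon-separated or bare input."""
    hexstr = raw.strip().lower().replace(":", "")
    if hexstr.startswith("0x"):
        hexstr = hexstr[2:]
    if not re.fullmatch(r"[0-9a-f]+", hexstr) or len(hexstr) % 2:
        raise ValueError(f"not a whole number of hex octets: {raw!r}")
    if not 5 <= len(hexstr) // 2 <= 32:  # SnmpEngineID size limits (RFC 3411)
        raise ValueError(f"EngineID must be 5 to 32 octets: {raw!r}")
    return hexstr

def receiver_engine_id(conf_text):
    """Extract the receiver's EngineID from the oldEngineID line."""
    m = re.search(r"^\s*oldEngineID\s+(\S+)", conf_text, re.MULTILINE)
    if not m:
        raise ValueError("no oldEngineID line found")
    return normalize_engine_id(m.group(1))

def colon_form(engine_id):
    """Colon notation, which the DFE also accepts according to the article."""
    h = normalize_engine_id(engine_id)
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def dfe_inform_user(user, auth_pw, priv_pw, conf_text):
    """Informs: DFE user bound to the RECEIVER's EngineID, written without 0x."""
    return (f"set snmp user {user} remote {receiver_engine_id(conf_text)} "
            f"authentication md5 {auth_pw} privacy {priv_pw}")

def trapd_trap_user(user, auth_pw, priv_pw, sender_engine_id):
    """Traps: snmptrapd.conf user bound to the SENDER's EngineID, written with 0x."""
    return (f"createuser -e 0x{normalize_engine_id(sender_engine_id)} "
            f"{user} MD5 {auth_pw} DES {priv_pw}")

if __name__ == "__main__":
    print(dfe_inform_user("v3user", "md5passwd", "despasswd", SAMPLE_CONF))
    print(trapd_trap_user("v3user", "md5passwd", "despasswd",
                          "80:00:15:f8:03:00:e0:63:14:d7:9c"))
```
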

See also: 5086, 5116, 5610, 6645, and 7158.
