

SNMPv3 Overview

SNMPv3 adds encryption to the SNMPv2 communication typically used by Statseeker. SNMPv3 uses a user-based security model (USM) and a view-based access control model (VACM).

The USM implements a ‘user’ for both the SNMP agent and the SNMP manager. Each user has a range of security parameters – authentication protocol, encryption method, keys, etc. Messages exchanged between the manager and the agent can have data integrity checking and data origin authentication. USM protects against message delays and message replays by using time indicators and request IDs.

To complement the USM, SNMPv3 uses VACM, a highly-granular access-control model for SNMPv3 applications. Based on the concept of applying security policies to the name of the groups querying the agent, the agent decides whether the group is allowed to view or change specific MIB objects. VACM defines collections of data (called views), groups of data users, and access statements that define which views a particular group of users can read from and write to for a given device.

Statseeker supports:

  • Authentication – username-only, SHA, and MD5
  • Privacy – AES (128, 192, and 256), DES, and Triple DES
  • Context – a single context

This support is provided for the following combinations:

Authentication   Privacy        Context
None             None           No/Yes
Username-only    None           No/Yes
MD5              None/DES/AES   No/Yes
SHA              None/DES/AES   No/Yes

Note:

  • Monitoring devices via SNMPv3 can negatively impact the performance of under-resourced devices. Statseeker advises you to monitor the CPU load on these devices to determine the extent of that impact.
  • Monitoring 1000s of devices via SNMPv3 can negatively impact the performance of your Statseeker server. To mitigate the processing overheads of large-scale monitoring via SNMPv3, ensure that the server hardware offers hardware-assisted encryption/decryption services. This functionality is provided by a range of CPU options including Intel Xeon and i7 based processors.
  • Statseeker can employ any combination of SNMPv1, v2 and v3 communications across your network.



Adding a Single SNMPv3 Device

To add an SNMPv3 device:

  • Select Administration Tool > Network Discovery > Add SNMP V3 Devices
  • Specify the:
    • IP Address
    • Device Name – if used, the name will be added to the Hosts File. If your specified naming scheme (see Administration Tool > Network Discovery – Advanced Options > Advanced Options) doesn’t give preference to the Hosts File, then this name will be overwritten with the device’s sysName or IP Address (depending on the device manufacturer) on the next discovery/rewalk.
    • Authentication method, username, and password
    • Privacy/Encryption method, username, and password
    • Context – if it is applicable to your SNMPv3 configuration, otherwise leave it blank
  • Click Add Device

IPv6 Address Syntax

Statseeker supports standard IPv6 address formats:

  • Full address – 2001:0db8:85a3:0000:0000:8a2e:0370:7334
  • Leading zeros omitted – 2001:db8:85a3:0:0:8a2e:370:7334
  • Empty group replacement – 2001:db8:85a3::8a2e:370:7334

While any number of consecutive empty groups can be collapsed to the double colon replacement (::), only a single instance of this replacement can be used in an address.

Range statements are not supported for IPv6 addresses.

The specified device will be walked, and the results of the discovery process will be displayed. This log of the discovery process is retained and can be reviewed from the Display Last Log tab.



Adding Multiple SNMPv3 Devices

Syntax

Multiple SNMPv3 devices can be added at once from a *.csv file that lists the devices in the following format:

{IP_Address}*,{Device_Name},{Authentication_Type}*,{Authentication_Username},{Authentication_Password},{Privacy_Type}*,{Privacy_Password},{Context}

* – field cannot be empty

Valid Values

  • Authentication Type: none, md5, sha
  • Privacy Type: none, aes, aes192, aes256, des, des3

Example:

    206.45.123.8,Brisbane-rtr-4,md5,MD5Username,password1,aes256,password2,
    206.45.123.9,Brisbane-rtr-5,sha,SHAUsername,password2,aes256,password2,context1
    206.45.123.10,,sha,SHAUsername,password2,none,,

Note:

  • The Device_Name field can be left blank. If Device_Name is used, the name will be added to the Hosts File. If your specified naming scheme (see Administration Tool > Network Discovery – Advanced Options > Advanced Options) doesn’t give preference to the Hosts File, then this name will be overwritten with the device’s sysName or IP Address (depending on the device manufacturer) on the next discovery/rewalk.
  • Large-scale monitoring via SNMPv3 can negatively impact the performance of your Statseeker server. Provision the server appropriately and contact Statseeker Support for advice if needed.
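
A pre-upload check for the bulk-import file described above, as an added example (not Statseeker's code): it enforces the starred fields, the valid values and the supported authentication/privacy combinations listed on this page, and warns on rows that send data without privacy or rely on MD5/DES. The function names are hypothetical, and the rule that a non-none type needs its credentials filled in is an assumption.

```python
import csv
import io
import ipaddress

AUTH_TYPES = {"none", "md5", "sha"}
PRIV_TYPES = {"none", "aes", "aes192", "aes256", "des", "des3"}
WEAK = {"md5", "des"}  # legacy algorithms: valid values, flagged for review

def check_row(fields):
    """Return (errors, warnings) for one row of the 8-field import format."""
    errors, warnings = [], []
    if len(fields) != 8:
        return [f"expected 8 fields, got {len(fields)}"], warnings
    ip, _name, auth, user, auth_pw, priv, priv_pw, _ctx = (f.strip() for f in fields)
    try:
        ipaddress.ip_address(ip)  # a single IPv4/IPv6 address, at most one "::"
    except ValueError:
        errors.append(f"invalid IP address {ip!r}")
    if auth not in AUTH_TYPES:
        errors.append(f"invalid Authentication_Type {auth!r}")
    if priv not in PRIV_TYPES:
        errors.append(f"invalid Privacy_Type {priv!r}")
    if priv != "none" and auth == "none":
        errors.append("privacy requires md5 or sha authentication")
    if auth != "none" and not (user and auth_pw):  # assumed rule
        errors.append("authentication set but username/password missing")
    if priv != "none" and not priv_pw:  # assumed rule
        errors.append("privacy set but Privacy_Password missing")
    if priv == "none":
        warnings.append("no privacy: SNMP payload is sent unencrypted")
    warnings += [f"legacy algorithm {a}" for a in (auth, priv) if a in WEAK]
    return errors, warnings

def check_csv(text):
    """Map 1-based line number -> (errors, warnings) for rows with findings."""
    rows = enumerate(csv.reader(io.StringIO(text)), start=1)
    checked = {n: check_row(fields) for n, fields in rows}
    return {n: r for n, r in checked.items() if r[0] or r[1]}

# Constructed sample: the page's three rows plus two deliberately bad rows.
SAMPLE = """206.45.123.8,Brisbane-rtr-4,md5,MD5Username,password1,aes256,password2,
206.45.123.9,Brisbane-rtr-5,sha,SHAUsername,password2,aes256,password2,context1
206.45.123.10,,sha,SHAUsername,password2,none,,
2001:db8:85a3::8a2e:370:7334,,none,,,aes,secret,
2001:db8::8a2e::7334,,sha,SHAUsername,password2,des,password2,
"""

if __name__ == "__main__":
    print(check_csv(SAMPLE))
```

Because the file holds every device's authentication and privacy passwords in clear text, run the check locally and delete the file once the import log confirms the devices were added.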


Adding Multiple Devices

  • Prepare and construct the *.csv file as described and save it locally
  • Select Administration Tool > Network Discovery > Add SNMP V3 Devices
  • Select the Add multiple SNMP V3 Devices tab
  • Click Choose File, browse to the saved *.csv file’s location, select it and click OK
  • Choose whether to modify existing devices with the contents of the *.csv, see Modifying Existing Devices for details
  • Click Add Devices

The specified devices will be walked, and the results of the discovery process will be displayed. This log of the discovery process is retained and can be reviewed from the Display Last Log tab.

Note: for users operating in a Windows environment, *.csv files should be created/saved from a simple text editor (Notepad), not Excel.


Modifying Existing Devices

The form contains a checkbox labelled "Modify the configuration of devices that already exist in Statseeker". The behavior related to this setting is as follows:

  • Unchecked
    • If the IP address has not been discovered by Statseeker previously, then the device will be added as an SNMPv3 device
    • If the IP address has been previously discovered by Statseeker, then the row will be discarded, and the configuration of the existing device will not be modified
  • Checked
    • If the IP address has not been discovered by Statseeker previously, then the device will be added as an SNMPv3 device
    • If the IP address has been previously discovered by Statseeker but is not currently being polled, then the device will be added as a new SNMPv3 device
    • If the IP address has been previously discovered by Statseeker and is currently being polled, then the device configuration will be updated


SNMPv3 Discovery Logs

When adding SNMPv3 devices, the results from the process are logged and automatically displayed. A single iteration of the log is retained, with each subsequent process overwriting the old log. Existing logs can be archived and exported for storage via links presented at the end of the log.

The log output from SNMPv3 discoveries can be viewed:

  • Admin Tool > Network Discovery > Add SNMP V3 Devices > Display last log – the most recent SNMPv3 discovery only
  • Admin Tool > Statseeker Administration > Log Viewer > Logfile = Statseeker Discovery log – historical records of recent discovery processes (typically the most recent 75-100 discovery logs)

Towards the end of the log there is a section titled NIM configuration details – [date process was run] containing details of those devices newly discovered/configured as SNMPv3 devices.


Collecting MAC/IP Data from SNMPv3 Devices

Statseeker will manage MAC/IP data collection from devices via SNMPv2 seamlessly, but when accessing VLAN data from the BRIDGE MIB via SNMPv3, each VLAN needs to be assigned to an SNMPv3 context. This configuration is made on the device itself and must be applied to every VLAN that you want Statseeker to monitor for MAC/IP records.

For more details see MAC-IP-Switch Port Tracking > Retrieving Data from SNMPv3 Devices
