
SNMP v3 Overview

In addition to all functionality available via SNMPv2, SNMPv3 supports authentication and encryption, at the cost of additional network load and reduced server performance. SNMPv3 uses a user-based security model (USM) for message security, and a view-based access control model (VACM) for access control.

USM implements a ‘user’ for both the SNMP agent and the SNMP manager. Each user has a set of security parameters (authentication protocol, encryption method, keys, etc.) specified. Messages exchanged between the manager and the agent can have data integrity checking and data origin authentication. USM protects against message delays and message replays by using time indicators and request IDs.

To complement the USM, SNMPv3 uses the VACM, a highly granular access-control model for SNMPv3 applications. Based on the concept of applying security policies to the name of the groups querying the agent, the agent decides whether the group is allowed to view or change specific MIB objects. VACM defines collections of data (called views), groups of data users, and access statements that define which views a particular group of users can use for reading from, and writing to, a device.

Statseeker supports:

  • Authentication – username-only, SHA, and MD5
  • Privacy – AES (128, 192, and 256), DES, and Triple DES
  • Context – a single context

Statseeker supports the following configurations when communicating with SNMPv3 devices:

| Authentication | Privacy | Context |
|---|---|---|
| None | None | No |
| None | None | Yes |
| Username-only | None | No |
| Username-only | None | Yes |
| MD5 | None | No |
| MD5 | None | Yes |
| MD5 | DES | No |
| MD5 | DES | Yes |
| MD5 | AES | No |
| MD5 | AES | Yes |
| SHA | None | No |
| SHA | None | Yes |
| SHA | DES | No |
| SHA | DES | Yes |
| SHA | AES | No |
| SHA | AES | Yes |

Note: monitoring devices via SNMPv3 can negatively impact the performance of those devices. It is advised that you monitor the CPU load on these devices to determine the extent of that impact. In addition, monitoring a large number of devices via SNMPv3 can negatively impact the performance of your Statseeker server. To mitigate the processing overheads of large-scale monitoring via SNMPv3, ensure that the server hardware offers hardware-assisted encryption/decryption services. This functionality is provided by a range of CPU options including Intel Xeon and i7-based processors.


Adding a Single SNMPv3 Device

To add an SNMPv3 device:

  • Select Administration Tool > Network Discovery > Add SNMP V3 Devices
  • Specify the:
    • IP Address
    • Device Name: if used, the name will be added to the Hosts File. If your specified naming scheme (see Administration Tool > Network Discovery – Advanced Options > Advanced Options) does not give preference to the Hosts File, then this name will be overwritten with the device’s sysName or IP Address (depending on the device manufacturer) on the next discovery/rewalk.
    • Authentication method, username and password
    • Privacy/Encryption method, username and password
    • Context, if it is applicable to your SNMPv3 configuration, otherwise leave it blank
  • Click Add Device

The specified device will be walked and the results of the discovery process will be displayed. This log of the discovery process is retained and can be reviewed from the Display Last Log tab.

Note: adding SNMPv3 monitoring may have a performance impact on your device. Monitor your device’s CPU load to determine the extent of that impact.


Adding Multiple SNMPv3 Devices

Multiple SNMPv3 devices can be added at once from a *.csv file that lists the devices in the following format:

  • {IP_Address},{Device_Name},{Authentication_Type},{Authentication_Username},{Authentication_Password},{Privacy_Type},{Privacy_Password},{Context}
  • e.g.
    206.45.123.8,Brisbane-rtr-4,md5,MD5Username,password1,aes256,password2,
    206.45.123.9,Brisbane-rtr-5,sha,SHAUsername,password2,aes256,password2,context1

Note:

  • The Device Name and Context fields can be left blank; all other fields are mandatory. If Device Name is used, the name will be added to the Hosts File. If your specified naming scheme (see Administration Tool > Network Discovery – Advanced Options > Advanced Options) does not give preference to the Hosts File, then this name will be overwritten with the device’s sysName or IP Address (depending on the device manufacturer) on the next discovery/rewalk.
  • Adding SNMPv3 monitoring for a large number of devices may negatively impact the performance of your Statseeker server.
  • Valid Privacy_Type values are none, aes, aes192, aes256, des, or des3.
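
A pre-upload check for the CSV format described above, as an added example (not Statseeker code): it validates field count, IP address, mandatory fields and Privacy_Type, and warns on MD5, DES, no-privacy rows and reused passwords. The function name `check_rows` and the sample rows are constructed for illustration, and the accepted Authentication_Type tokens are assumed to be only `md5` and `sha`, the two shown in the example rows.

```python
import csv
import io
import ipaddress

FIELDS = "ip name auth_type auth_user auth_pass priv_type priv_pass context".split()
OPTIONAL = {"name", "context"}  # the page allows only these two to be blank
PRIV_TYPES = {"none", "aes", "aes192", "aes256", "des", "des3"}  # listed on the page
AUTH_TYPES = {"md5", "sha"}  # assumption: only the tokens in the page's example rows
WEAK_PRIV = {"des": "legacy algorithm: DES privacy", "none": "no privacy: payload unencrypted"}


def check_rows(text):
    """Return (errors, warnings), each a list of (line_number, message)."""
    errors, warnings = [], []
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if len(row) != len(FIELDS):
            errors.append((n, f"expected {len(FIELDS)} fields, got {len(row)}"))
            continue
        rec = dict(zip(FIELDS, (v.strip() for v in row)))
        try:
            ipaddress.ip_address(rec["ip"])
        except ValueError:
            errors.append((n, f"invalid IP address {rec['ip']!r}"))
        for field in FIELDS:
            if field not in OPTIONAL and not rec[field]:
                errors.append((n, f"mandatory field {field} is empty"))
        auth, priv = rec["auth_type"].lower(), rec["priv_type"].lower()
        if auth and auth not in AUTH_TYPES:
            errors.append((n, f"unrecognised Authentication_Type {auth!r}"))
        if priv and priv not in PRIV_TYPES:
            errors.append((n, f"invalid Privacy_Type {priv!r}"))
        if auth == "md5":
            warnings.append((n, "legacy algorithm: MD5 authentication"))
        if priv in WEAK_PRIV:
            warnings.append((n, WEAK_PRIV[priv]))
        if rec["auth_pass"] and rec["auth_pass"] == rec["priv_pass"]:
            warnings.append((n, "authentication and privacy passwords are identical"))
    return errors, warnings

# Constructed sample rows (documentation-range IPs, placeholder credentials).
SAMPLE = """\
192.0.2.10,edge-rtr-1,sha,monitor,AuthPass-Example1,aes256,PrivPass-Example1,
192.0.2.11,edge-rtr-2,md5,monitor,SamePass-Example,des,SamePass-Example,ctx1
192.0.2.12,,sha,monitor,AuthPass-Example1,aes512,PrivPass-Example1,
192.0.2.300,edge-rtr-4,sha,monitor,AuthPass-Example1,aes256,PrivPass-Example1,
"""

if __name__ == "__main__":
    print(*check_rows(SAMPLE), sep="\n")
```

The file holds SNMPv3 credentials in cleartext, so restrict its permissions and delete it once the devices have been added.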

Modifying Existing Devices

The form contains a checkbox labelled Modify the configuration of devices that already exist in Statseeker. The behavior of this setting is as follows:

  • Unchecked
    • If the IP address has not been discovered by Statseeker previously, then the device will be added as an SNMPv3 device
    • If the IP address has been previously discovered by Statseeker, then the row will be discarded and the configuration of the existing device will not be modified
  • Checked
    • If the IP address has not been discovered by Statseeker previously, then the device will be added as an SNMPv3 device
    • If the IP address has been previously discovered by Statseeker but is not currently being polled, then the device will be added as a new SNMPv3 device
    • If the IP address has been previously discovered by Statseeker but is currently being polled, then the device will be modified and configured as an SNMPv3 device

Adding Multiple Devices

  • Prepare and construct the *.csv file as described and save it locally
  • Select Administration Tool > Network Discovery > Add SNMP V3 Devices
  • Select the Add multiple SNMP V3 Devices tab
  • Click Choose File, browse to the saved *.csv file’s location, select it and click OK
  • Choose whether to modify existing devices with the contents of the *.csv
  • Click Add Devices

The specified devices will be walked and the results of the discovery process will be displayed. This log of the discovery process is retained and can be reviewed from the Display Last Log tab.

Note: for users operating in a Windows environment, *.csv files should be created/saved from a simple text editor (Notepad), not Excel.


SNMPv3 Logs

When adding SNMPv3 devices, the results from the process are logged and automatically displayed. A single iteration of the log is retained, with each subsequent process overwriting the old log. Existing logs can be archived and exported for storage via links presented at the end of the log.

The log from the last time the Add SNMP V3 Devices process was run can be viewed from:

  • Administration Tool > Network Discovery > Add SNMP V3 Devices > Display last log

Towards the end of the log there is a section titled NIM configuration details – [date process was run] containing details of those devices newly discovered/configured as SNMPv3 devices.
