MARS 6.0.6 Support for SNMP Version 3

One of the more noteworthy and valuable features of the Cisco MARS appliance is its ability to do resource monitoring via SNMP. With this component active, a network administrator can be alerted to conditions indicating over-utilization of a device, whether from excessive traffic, denial-of-service attempts, or both. Until just recently, that SNMP monitoring was confined to version 1, which is insecure in a concrete way: its only credential is a community string sent in the clear, so it provides neither real authentication nor encryption.

With the recent release of 6.0.6 code, the MARS appliance now supports SNMP version 3 for network discovery and resource monitoring of IOS routers and switches, and for resource monitoring of ASA appliances running version 8.2 of the ASA OS. We will briefly examine how the support differs between the IOS and ASA platforms.

IOS routers and switches have supported SNMP version 3 since the 12.0T train. What distinguishes the IOS configuration from that on the ASA is the explicitly configured SNMP engine ID, a 24-hexadecimal-character (12-octet) value that must be unique to each SNMP engine on the managed network; Cisco's conventional form is 800000090300 followed by the device's MAC address. The engine ID is more than a label: the auth and priv passwords of every SNMPv3 user are converted into digests that are bound to the engine ID and the passwords themselves are discarded, so changing the local engine ID after users exist invalidates those users and they must be reconfigured. The syntax for configuring this component is:

snmp-server engineID {local engineid-string | remote ip-address [udp-port port-number] engineid-string}

The remote form must be configured before SNMPv3 informs can be sent: for an inform the receiver (here the MARS appliance) is the authoritative SNMP engine, so the router needs the receiver's engine ID to derive the keys of the remote user it will send with. The remote form also accepts a vrf keyword, which is what supports SNMP monitoring across VPNs. The engine ID needs to be supplemented by the following two configuration lines:

snmp-server group group-name {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview]
[notify notifyview] [access [ipv6 named-access-list] {acl-number | acl-name}]
snmp-server user username group-name [remote host [udp-port port]] {v1 | v2c | v3 [encrypted] [auth
{md5 | sha} auth-password]} [access [ipv6 nacl] [priv {des | 3des | aes {128 | 192 | 256}} privpassword]
{acl-number | acl-name}]

Last, but not least, the receiver of the SNMP traps/informs messages must be configured:

snmp-server host {hostname | ip-address} [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string
[udp-port port] [notification-type]

Two details matter for version 3: the community-string argument is not a community at all but the SNMPv3 username from the snmp-server user line, and the auth/noauth/priv keyword must match the security level of that user's group, otherwise the receiver will drop the notifications.
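To make the role of the engine ID concrete, here is an added example in Python (it is not code from this article or from Cisco). It implements the RFC 3414 password-to-key and key-localization steps that IOS applies to the auth and priv passwords of an snmp-server user, and it renders the matching IOS lines for one authPriv (SHA/AES-128) user that both answers MARS polls and sends informs to it. The user and group names, passwords, addresses and engine IDs are constructed for the example; the RFC 3414 test vector (password maplesyrup, engine ID 000000000000000000000002) is included so the derivation can be checked against the RFC.

```python
"""SNMPv3 key localization (RFC 3414 A.2) beside the IOS lines it explains.

Added example, not code from the article or from Cisco. All user/group
names, passwords, addresses and engine IDs are constructed for illustration.
"""
import hashlib

ONE_MEBIBYTE = 1_048_576  # RFC 3414 A.2: the hash is fed 1 MiB of repeated password


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku = H(password repeated cyclically to exactly 1,048,576 bytes)."""
    reps = ONE_MEBIBYTE // len(password) + 1
    return hashlib.new(hash_name, (password * reps)[:ONE_MEBIBYTE]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). This digest, not the password, is
    what the device stores, which is why a changed engine ID orphans users."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str, hash_name: str = "sha1") -> str:
    ku = password_to_key(password.encode(), hash_name)
    return localize_key(ku, bytes.fromhex(engine_id_hex), hash_name).hex()


def ios_snmpv3_config(user, group, auth_pw, priv_pw, receiver_ip,
                      receiver_engine_id_hex, acl=10, port=162):
    """IOS lines for one authPriv (SHA / AES-128) user that answers polls
    and sends informs to a single receiver. The remote engineID line has to
    precede the remote user line, because IOS localizes that user's keys
    with the receiver's engine ID at the moment the user is created."""
    return "\n".join([
        f"access-list {acl} permit host {receiver_ip}",
        f"snmp-server engineID remote {receiver_ip} udp-port {port} "
        f"{receiver_engine_id_hex}",
        f"snmp-server group {group} v3 priv access {acl}",
        # keys for this user are localized with the router's own engine ID
        f"snmp-server user {user} {group} v3 auth sha {auth_pw} "
        f"priv aes 128 {priv_pw}",
        # same passwords, but localized with the receiver's engine ID
        f"snmp-server user {user} {group} remote {receiver_ip} udp-port {port} "
        f"v3 auth sha {auth_pw} priv aes 128 {priv_pw}",
        f"snmp-server host {receiver_ip} informs version 3 priv {user}",
        # informs are only generated for trap types enabled with
        # 'snmp-server enable traps ...', which is left to the operator
    ])


def key_comparison(auth_pw="Sha-Auth-Pass-01",
                   router_engine_id="800000090300aabbccddeeff",      # constructed
                   receiver_engine_id="800000090300001122334455"):   # constructed
    """One password yields a different stored key for every engine ID."""
    return {
        "local": localized_key_hex(auth_pw, router_engine_id),
        "remote": localized_key_hex(auth_pw, receiver_engine_id),
        # the local key after 'snmp-server engineID local' is changed
        "after_engineid_change": localized_key_hex(auth_pw, "800000090300aabbccddee00"),
    }


if __name__ == "__main__":
    print(ios_snmpv3_config("marsuser", "MARS-GROUP", "Sha-Auth-Pass-01",
                            "Aes-Priv-Pass-01", "10.1.1.10",
                            "800000090300001122334455"))
    for name, key in key_comparison().items():
        print(f"{name:>22}: {key}")
```

The three keys printed by key_comparison() are all different even though the password never changed: the first is what the router keeps for answering polls, the second is what it uses when sending informs to the receiver (hence the remote engineID line), and the third is what the router would compute if its own engine ID were changed, which is why Cisco documents that such a change invalidates existing SNMPv3 users.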

On the ASA platform, no engine ID has to be configured by hand. The following ASDM screenshot shows what needs to be configured for SNMP version 3 support:

As can be seen above, under Device Management > Management Access the SNMPv3 user and group can be added and the security level chosen from a drop-down menu. The administrator can select no authentication and no encryption (noAuthNoPriv), authentication only (authNoPriv), or authentication and encryption (authPriv). Only authPriv addresses both of the SNMPv1 weaknesses described above, and the level chosen here must match the level MARS is configured to use for the device.

Author: Doug McKillip
