Last updated on November 16th, 2022 at 04:26 pm
Today, network and data security are more important than ever, so many products and technologies help us with security. If you manage your network and devices with a Network Management tool, you are most likely using SNMP.
SNMP is available in versions 1, 2, and 3; today version 3 (v3) is the most common, and many government and industry compliance frameworks, as well as company policies, require it.
The setup of SNMP v3 on an Arista Networks switch is very similar to Cisco.
Here are my notes for the setup of SNMP v3 on an Arista Networks switch.
SNMP with a VRF
When available, I always place the management interface in its own VRF.
The following commands apply when SNMP runs on the management interface and that interface is in a VRF. In this example, the interface is in a VRF named mgmt1. If you need an understanding of VRF, this post is based on Cisco, though the VRF concept is the same for Cisco and Arista: Cisco Virtual Routing & Forwarding (VRF).
If you need further configuration information on placing the management interface in a VRF, you can view this post: New Arista Switch Setup.
no snmp-server vrf default
snmp-server vrf mgmt1
Allowed Host(s)
SNMP access should be locked down with regard to the source host allowed to reach SNMP on the switch; without the access list, any host that can reach the management address can attempt v3 authentication. In this example, we use a standard access list named snmp-ro with a single allowed host, 10.25.1.2. Note: the last command assumes SNMP is on the management interface in the mgmt1 VRF.
ip access-list standard snmp-ro
permit host 10.25.1.2
snmp-server ipv4 access-list snmp-ro vrf mgmt1
SNMP View
Next, we define what can be viewed via SNMP. Here we create a view named snmpv3. You can have multiple views, which is helpful when a narrower view, for example interface information only, should be exposed to a specific host.
I included .1, system, and iso, which all cover resources on the switch. If all resources need to be viewed via SNMP, probably only one of these three lines is necessary.
snmp-server view snmpv3 .1 included
snmp-server view snmpv3 system included
snmp-server view snmpv3 iso included
SNMP Group
The group ties the other SNMP objects together; in this case it binds the view snmpv3 with read access at the priv security level. You can have multiple views and groups if different hosts need to view different properties of the switch.
snmp-server group snmpview v3 priv read snmpv3
SNMP User for v3
SNMP version 3 uses a user with an authentication (auth) password and a privacy (priv) password. The username should not be short, and the auth and priv algorithms should be chosen deliberately. In this example, auth uses SHA1 (sha) and priv uses AES. The user NWMgmtOnly! is assigned to the snmp-server group snmpview. The passwords shown are placeholders; use long, unique values in production.
snmp-server user NWMgmtOnly! snmpview v3 auth sha P@ssW0rd priv aes P@ssW0rD1
SNMP Location
With SNMP, I’ve always used a location variable, which helps if the Network Management software uses it to place the device in a location, group, geographic map, etc. Another variable is “snmp-server contact”, which can hold contact information such as the NOC phone number.
snmp-server location Address; City ST
Complete Configuration
The configuration can be a little confusing, so I color-coded the variables that refer back to another command; in plain text, note that the access list snmp-ro, the view snmpv3, and the group snmpview each appear in two commands and must match exactly.
Commands in Text:
no snmp-server vrf default
snmp-server vrf mgmt1
ip access-list standard snmp-ro
permit host 10.25.1.2
snmp-server ipv4 access-list snmp-ro vrf mgmt1
snmp-server view snmpv3 .1 included
snmp-server view snmpv3 system included
snmp-server view snmpv3 iso included
snmp-server group snmpview v3 priv read snmpv3
snmp-server user NWMgmtOnly! snmpview v3 auth sha P@ssW0rd priv aes P@ssW0rD1
snmp-server location Address; City ST
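The names in this configuration have to line up exactly (access list to snmp-server binding, view to group, group to user), and a typo in any one of them silently leaves SNMP either unreachable or less restricted than intended. The checker below is an added example, not part of the original post or of Arista EOS; it parses the configuration lines exactly as written above and reports the relationships and hardening points a reviewer would check. The function names and the regular expressions are my own assumptions based only on the command forms shown on this page.

```python
# Added example (not from the original post): a small checker for the
# SNMPv3 configuration above. It parses the EOS-style lines and verifies
# that the names tie together the way the post describes (access list ->
# snmp-server binding, view -> group -> user) and flags the settings a
# reviewer would reject: no source restriction, a group below "priv",
# SNMP left enabled in VRF default, or an overly short username.
import re

# Constructed sample: the post's complete configuration.
SAMPLE_CONFIG = """\
no snmp-server vrf default
snmp-server vrf mgmt1
ip access-list standard snmp-ro
   permit host 10.25.1.2
snmp-server ipv4 access-list snmp-ro vrf mgmt1
snmp-server view snmpv3 .1 included
snmp-server view snmpv3 system included
snmp-server view snmpv3 iso included
snmp-server group snmpview v3 priv read snmpv3
snmp-server user NWMgmtOnly! snmpview v3 auth sha P@ssW0rd priv aes P@ssW0rD1
snmp-server location Address; City ST
"""


def parse_snmp_config(text):
    """Collect the SNMP-related objects from a config into a dict."""
    cfg = {"vrfs": set(), "disabled_vrfs": set(), "acls": {},
           "acl_bindings": [], "views": {}, "groups": {}, "users": {}}
    current_acl = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"ip access-list standard (\S+)$", line)
        if m:
            current_acl = m.group(1)
            cfg["acls"][current_acl] = []
            continue
        if current_acl and line.startswith(("permit", "deny")):
            cfg["acls"][current_acl].append(line)
            continue
        current_acl = None  # any other command ends the ACL block
        if m := re.match(r"no snmp-server vrf (\S+)$", line):
            cfg["disabled_vrfs"].add(m.group(1))
        elif m := re.match(r"snmp-server vrf (\S+)$", line):
            cfg["vrfs"].add(m.group(1))
        elif m := re.match(r"snmp-server ipv4 access-list (\S+)(?: vrf (\S+))?$", line):
            cfg["acl_bindings"].append((m.group(1), m.group(2)))
        elif m := re.match(r"snmp-server view (\S+) (\S+) (included|excluded)$", line):
            cfg["views"].setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := re.match(r"snmp-server group (\S+) v3 (noauth|auth|priv) read (\S+)", line):
            cfg["groups"][m.group(1)] = {"level": m.group(2), "read": m.group(3)}
        elif m := re.match(r"snmp-server user (\S+) (\S+) v3 auth (\S+) \S+ priv (\S+) \S+$", line):
            cfg["users"][m.group(1)] = {"group": m.group(2), "auth": m.group(3), "priv": m.group(4)}
    return cfg


def audit_snmp_config(text, min_user_len=8):
    """Return a list of findings; an empty list means the config passes."""
    cfg = parse_snmp_config(text)
    findings = []
    # Source restriction: an access list must be bound, defined, and host-specific.
    if not cfg["acl_bindings"]:
        findings.append("no snmp-server access-list bound: any reachable host may poll")
    for acl_name, vrf in cfg["acl_bindings"]:
        entries = cfg["acls"].get(acl_name)
        if entries is None:
            findings.append(f"access-list {acl_name} is bound but not defined")
        elif any(e.startswith("permit any") for e in entries):
            findings.append(f"access-list {acl_name} permits any source")
        if vrf and vrf not in cfg["vrfs"]:
            findings.append(f"access-list bound to vrf {vrf} but snmp-server vrf {vrf} is not set")
    # VRF: once SNMP runs in the management VRF, it should be disabled in default.
    if cfg["vrfs"] and "default" not in cfg["disabled_vrfs"]:
        findings.append("'no snmp-server vrf default' missing: SNMP may still listen in VRF default")
    # Group -> view linkage and security level.
    for gname, g in cfg["groups"].items():
        if g["read"] not in cfg["views"]:
            findings.append(f"group {gname} reads view {g['read']} which is not defined")
        if g["level"] != "priv":
            findings.append(f"group {gname} is v3 {g['level']}: polls are not encrypted")
    # User -> group linkage and username length.
    if not cfg["users"]:
        findings.append("no SNMPv3 user defined")
    for uname, u in cfg["users"].items():
        if u["group"] not in cfg["groups"]:
            findings.append(f"user {uname} belongs to undefined group {u['group']}")
        if len(uname) < min_user_len:
            findings.append(f"user {uname} is shorter than {min_user_len} characters")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp_config(SAMPLE_CONFIG) or ["OK: no findings"]:
        print(finding)
```

Run against a saved copy of the switch's running-config, the checker returns an empty list for the configuration above and a finding for each relationship that is broken or each hardening step that is missing. It deliberately treats "permit any" in the bound access list and a group below priv as findings, since those are the two changes that most often creep in when someone widens SNMP access "temporarily". The final check that the user actually works from the permitted host, and is refused from any other, is still done with an SNMPv3 poll from the management station.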