Last week we looked at how to get started with monitoring your switches using PRTG. A number of you got in touch to ask about best practice for SNMP configuration, so we thought we’d show how it’s done. We’ve split this into two posts, and this time we’ll be looking at:
- the basics of SNMP.
- how to configure SNMP V2c and V3.
- what extra steps you can take to secure your devices.
What is SNMP? A brief review
When talking about SNMP there are four terms you need to be aware of. The first two are Agent and Manager.
The SNMP Agent runs on your network device (switches, firewalls, routers, servers etc.) and deals with requests and commands received from an SNMP Manager. The Manager is any external system that queries, or sends commands to, the device in question (in our case, the PRTG server).
The other key terms are Object and Management Information Base (MIB). Simply put, an Object is one aspect of the device: CPU usage, temperature, device name and uptime, for example, each have a unique Object ID (OID). OIDs are arranged in a tree, and a MIB is the file that defines them, which is what lets monitoring software look up the right object by name rather than by a string of numbers.
There’s loads of software out there to help you deal with MIBs and OIDs. Our favourite is MIB Importer from Paessler (though we are partners, so we might be biased!), but Loriot Pro is also good and has a free version.
When looking at the interaction between agents and managers, the most important decision you have to make is whether to use V2c or V3. With V2c the community string is sent in cleartext in every packet, so anyone who can capture traffic on the management path can read it and reuse it. V3 authenticates each message (and, with privacy enabled, encrypts it), at the cost of more configuration and a little more load on the agent. That is the trade-off. You can check out our previous post for a fuller discussion, but for now we’ll crack on and look at configuration.
SNMP configuration: V2c
For V2c, the configuration is very simple. First define a community string that is shared between the agent and manager, then associate it with a permission level and you are all set. Treat the community string as a password: it is the only thing standing between a request and your device, so don’t reuse it across devices or pick anything guessable. Using HP (Aruba) switches you would type:
This enables any manager that presents COMMUNITY-STRING to talk to the agent with “operator” permissions, which on these switches is read-only. That is all monitoring needs: the manager can read the values of the device’s objects but cannot change configuration. Don’t grant “manager” (read/write) rights to a string that only exists for monitoring.
On Cisco devices the command is very similar:
Most vendors ship with a default “public” string, and anyone scanning your network will try it first. Remove it, and check for any other default strings your vendor sets:
And that is all there is to configuring SNMP V2c. We will look at a few other commands that you should consider implementing once we’ve dealt with V3.
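The V2c steps above, written out as an added example rather than the post’s own listing, for an HP ProCurve switch and for Cisco IOS. The community name PRTG-RO is a placeholder chosen here; the keywords are ProCurve and IOS syntax (ProCurve grants access by “operator”/“manager” level, IOS by RO/RW). Lines beginning with “!” are annotations, not commands.

```text
! --- HP ProCurve: from the (config)# context ---
! operator restricted = read-only access. It is the default, but state it
! explicitly so nobody later wonders what the string can do.
snmp-server community PRTG-RO operator restricted
! Drop the factory default string.
no snmp-server community public

! --- Cisco IOS: from (config)# ---
! RO = read-only; RW would let anyone holding the string change configuration.
snmp-server community PRTG-RO RO
no snmp-server community public
```

Check the result with `show snmp-server` on ProCurve and `show snmp community` on IOS, and make sure “public” no longer appears in either.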
SNMP configuration: V3
V3 is a more involved process. We’ll look at HP ProCurve switches here to show the basic steps, but most vendors are quite similar in their approach. First, enable V3. Once enabled, set up a user for your PRTG server and a group with the correct permissions (just as the community string was associated with a permission level for V2c).
This enables SNMP V3 and creates a user account called “initial”, which is given full (manager) rights. We recommend deleting that account, but first create the account which will allow PRTG to communicate with the switch, and a group to set its permissions.
AUTHPASSWORD and PRIVPASSWORD are the two secrets the agent derives its keys from: the authentication password keys the HMAC that proves each message came from that user and was not altered in transit, and the privacy password keys the encryption of the payload. Use different values for the two, choose SHA and AES over MD5 and DES where your firmware offers them, and make both long. An attacker who captures a few authenticated packets can run a dictionary attack against the authentication password offline, so this is one place where a complex passphrase genuinely matters.
Now remove the “initial” user that was created when we enabled SNMP V3:
And there you have it. You can now access your switch securely using SNMP V3. However, we recommend you don’t stop there, as a number of other settings will help you secure your switch further.
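The V3 sequence described above, as an added example that is not the post’s own listing. The user name prtg and group name PRTG-V3 are placeholders, AUTHPASSWORD and PRIVPASSWORD stand for your own passphrases, and it assumes firmware that supports SHA and AES (older ProCurve releases offer only MD5 and DES). The ProCurve part follows the post’s steps; the IOS part is the equivalent on a Cisco switch. Lines beginning with “!” are annotations, not commands.

```text
! --- HP ProCurve ---
! Interactive: asks whether to create the "initial" user with SHA and then for
! its auth and priv passwords. Answer it, then replace that user straight away.
snmpv3 enable
! Read-only (operator) user with both authentication and privacy keys.
snmpv3 user prtg auth sha AUTHPASSWORD priv aes PRIVPASSWORD
! Bind the user to a predefined group: operatorauth is read-only and requires
! authentication. Set PRTG to authPriv so its requests are encrypted as well.
snmpv3 group operatorauth user prtg sec-model ver3
! Remove the bootstrap account created by "snmpv3 enable".
no snmpv3 user initial

! --- Cisco IOS equivalent ---
! "priv" makes authentication AND encryption mandatory for this group.
snmp-server group PRTG-V3 v3 priv
snmp-server user prtg PRTG-V3 v3 auth sha AUTHPASSWORD priv aes 128 PRIVPASSWORD
```

On IOS the `snmp-server user` line is deliberately absent from `show running-config`, because the keys are stored localized to the switch’s engine ID; confirm it with `show snmp user`. On ProCurve, `show snmpv3 user` and `show snmpv3 group` list what you created, and “initial” should no longer be there.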
Final security considerations
First things first. If you are using V3, disable V1 and V2c; leaving a community string active alongside V3 gives an attacker a cleartext path to the same data:
If you want to restrict SNMP access to your switch to a single subnet (for example, your management VLAN), use this command:
This only allows SNMP connections from devices with an IP address in 192.168.100.0/24 (192.168.100.1 to 192.168.100.254). Bear in mind that this is a source-address filter: SNMP runs over UDP, so a spoofed source is trivial, and the filter is a layer of defence on top of V3 authentication rather than a replacement for it.
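The two hardening settings above, as an added example that is not the post’s own listing, on HP ProCurve and with the Cisco IOS equivalent. It assumes the management VLAN is 192.168.100.0/24 as in the post, reuses the placeholder names PRTG-RO and PRTG-V3 from the earlier steps, and assumes ProCurve firmware that accepts the access-method keyword (on older releases omit it, and the entry then applies to every management protocol). Lines beginning with “!” are annotations, not commands.

```text
! --- HP ProCurve ---
! Refuse V1/V2c entirely; community strings stop working.
! ("snmpv3 restricted-access" instead leaves V1/V2c read-only, if you must keep them.)
snmpv3 only
! Accept SNMP only from the management subnet, at operator (read-only) level.
ip authorized-managers 192.168.100.0 255.255.255.0 access operator access-method snmp

! --- Cisco IOS equivalent ---
! There is no single "V3 only" switch on IOS: V1/V2c are off once no community exists.
no snmp-server community PRTG-RO
! Filter by source address on the V3 group instead.
access-list 10 remark SNMP managers (management VLAN)
access-list 10 permit 192.168.100.0 0.0.0.255
snmp-server group PRTG-V3 v3 priv access 10
```

Before you log out of a ProCurve switch, run `show ip authorized-managers` and confirm the station you manage from is covered: an address that matches no entry is refused. On IOS, `show access-lists 10` will show hit counts climbing once PRTG starts polling, which is a quick way to confirm the filter is doing its job.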
Recap and next week’s post
So, we have shown you how to configure SNMP on your network devices and how to secure it. Next week we’ll finish off this topic by looking at:
- How to test your configuration.
- The configuration required on PRTG.
- A look at some resources and further reading.
We hope to see you there and, as always, get in touch if you have any questions!