SNMP v2c to v3 conversion

[jamie4361]

Hi there,
I have an SNMP Manager that supports only v2c, and now I have to manage multiple devices that only support v3. Would it be possible for you to post an example configuration showing how to do this using SNMP Forwarder?

[etingof]

I can do that of course. Meanwhile, if you take the reverse example comfiguration and flip SNMP config between client and server files, that should suffice.

This part goes from client to server:

  snmp-community-name: public
  snmp-security-name: public
  snmp-security-model: 2
  snmp-security-level: 1

This part goes from server to client:

  snmp-security-model: 3
  snmp-security-level: 3

  snmp-security-name: test-user
  snmp-usm-user: test-user
  snmp-usm-auth-protocol: md5
  snmp-usm-auth-key: authkey1
  snmp-usm-priv-protocol: des
  snmp-usm-priv-key: privkey1

I may overlook some details, but may be not. ;-)

[jamie4361]

Wow! Now that is what I call a quick response. Many thanks, I will give it a try. Regards Jamie Lewis Senior Software Developer ROHDE & SCHWARZ UK Ltd. Ancells Business Park, Fleet, Hampshire. GU51 2UZ Tel: +44 (0) 1252 818 855, Fax: +44 (0) 1252 811 447, Mob: +44 (0) 7770 620 209 Sales and Service Tel: +44 (0) 1252 818 888, Email: contact.uk@rohde-schwarz.com Customer Support Tel: +44 (0) 1252 818 900, Email: customersupport@rohde-schwarz.com Website: https://www.rohde-schwarz.com/uk Twitter: https://twitter.com/rohde_schwarzUK The contents of this email and any attachments are sent for the attention of the addressee(s) only and may contain confidential and/or privileged material. If you have received this email in error, please notify the sender immediately and delete it from your system. If you are not the addressee, any review, re-transmission, disclosure, copying or other use of this email and any attachments is prohibited. Statements and opinions expressed in this email may not represent those of the company and any representations or commitments in this email are subject to contract. From: Ilya Etingof <notifications@github.com> Sent: Tuesday, September 18, 2018 7:57 PM To: etingof/snmpfwd <snmpfwd@noreply.github.com> Cc: Lewis Jamie 5UKPS2 <Jamie.Lewis@rohde-schwarz.com>; Author <author@noreply.github.com> Subject: *EXT* [Newsletter] Re: [etingof/snmpfwd] SNMP v2c to v3 conversion (#25) I can do that of course. Meanwhile, if you take the reverse example comfiguration<http://snmplabs.com/snmpfwd/configuration/examples/command-forwarding-snmpv3-to-snmpv1.html> and flip SNMP config between client and server files, that should suffice. This part goes from client to server: snmp-community-name: public snmp-security-name: public snmp-security-model: 2 snmp-security-level: 1 This part goes from server to client: snmp-security-model: 3 snmp-security-level: 3 snmp-security-name: test-user snmp-usm-user: test-user snmp-usm-auth-protocol: md5 snmp-usm-auth-key: authkey1 snmp-usm-priv-protocol: des snmp-usm-priv-key: privkey1 I may overlook some details, but may be not. ;-) — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#25 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AAyFedJhcht6t3Ss2V_MNquxs21r3BBCks5ucUHggaJpZM4WugTM>. Content provided within this e-mail including any attachments, is for the use of the intended recipients and may contain Rohde & Schwarz company restricted information. Any unauthorized use, disclosure, or distribution of this communication in whole or in part is strictly prohibited. If you are not the intended recipient, please notify the sender by reply email or by telephone and delete the communication in its entirety.

[etingof]

Here is SNMPv2c -> SNMPv3 proxy example configuration.

Hope this helps.

[jamie4361]

Hi Ilya, Thank you very much for this. I shall study this example and try it out. Regards Jamie Lewis Senior Software Developer ROHDE & SCHWARZ UK Ltd. Ancells Business Park, Fleet, Hampshire. GU51 2UZ Tel: +44 (0) 1252 818 855, Fax: +44 (0) 1252 811 447, Mob: +44 (0) 7770 620 209 Sales and Service Tel: +44 (0) 1252 818 888, Email: contact.uk@rohde-schwarz.com Customer Support Tel: +44 (0) 1252 818 900, Email: customersupport@rohde-schwarz.com Website: https://www.rohde-schwarz.com/uk Twitter: https://twitter.com/rohde_schwarzUK The contents of this email and any attachments are sent for the attention of the addressee(s) only and may contain confidential and/or privileged material. If you have received this email in error, please notify the sender immediately and delete it from your system. If you are not the addressee, any review, re-transmission, disclosure, copying or other use of this email and any attachments is prohibited. Statements and opinions expressed in this email may not represent those of the company and any representations or commitments in this email are subject to contract. From: Ilya Etingof <notifications@github.com> Sent: Tuesday, September 18, 2018 10:05 PM To: etingof/snmpfwd <snmpfwd@noreply.github.com> Cc: Lewis Jamie 5UKPS2 <Jamie.Lewis@rohde-schwarz.com>; Author <author@noreply.github.com> Subject: *EXT* [Newsletter] Re: [etingof/snmpfwd] SNMP v2c to v3 conversion (#25) Here is SNMPv2c -> SNMPv3 proxy example configuration<http://snmplabs.com/snmpfwd/configuration/examples/command-forwarding-snmpv2c-to-snmpv3.html>. Hope this helps. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#25 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AAyFefNht9NHcCugvRe1v476SXiXJXNwks5ucV_7gaJpZM4WugTM>. Content provided within this e-mail including any attachments, is for the use of the intended recipients and may contain Rohde & Schwarz company restricted information. Any unauthorized use, disclosure, or distribution of this communication in whole or in part is strictly prohibited. If you are not the intended recipient, please notify the sender by reply email or by telephone and delete the communication in its entirety.

[jamie4361]

Hi Ilya, One more question: if I need to perform this conversion for 1 v2c manager interfacing to multiple v3 Agents, how do I achieve this? This is what I think I need to do: Server configuration Add an snmp-credentials-group { } for each v3 Agent Client configuration Add an peers-group { } for each v3 Agent snmp-engine-id For each v3Agent, the associated snmp-credentials-group { } and peers-group { } must share a unique snmp-engine-id Does this sound correct or are there other changes required? Regards Jamie Lewis Senior Software Developer ROHDE & SCHWARZ UK Ltd. Ancells Business Park, Fleet, Hampshire. GU51 2UZ Tel: +44 (0) 1252 818 855, Fax: +44 (0) 1252 811 447, Mob: +44 (0) 7770 620 209 Sales and Service Tel: +44 (0) 1252 818 888, Email: contact.uk@rohde-schwarz.com<mailto:contact.uk@rohde-schwarz.com> Customer Support Tel: +44 (0) 1252 818 900, Email: customersupport@rohde-schwarz.com<mailto:customersupport@rohde-schwarz.com> Website: http://www.rohde-schwarz.co.uk<http://www.rohde-schwarz.co.uk/> Twitter: http://twitter.com/rohde_schwarzUK The contents of this email and any attachments are sent for the attention of the addressee(s) only and may contain confidential and/or privileged material. If you have received this email in error, please notify the sender immediately and delete it from your system. If you are not the addressee, any review, re-transmission, disclosure, copying or other use of this email and any attachments is prohibited. Statements and opinions expressed in this email may not represent those of the company and any representations or commitments in this email are subject to contract. From: Ilya Etingof <notifications@github.com> Sent: Tuesday, September 18, 2018 10:05 PM To: etingof/snmpfwd <snmpfwd@noreply.github.com> Cc: Lewis Jamie 5UKPS2 <Jamie.Lewis@rohde-schwarz.com>; Author <author@noreply.github.com> Subject: *EXT* [Newsletter] Re: [etingof/snmpfwd] SNMP v2c to v3 conversion (#25) Here is SNMPv2c -> SNMPv3 proxy example configuration<http://snmplabs.com/snmpfwd/configuration/examples/command-forwarding-snmpv2c-to-snmpv3.html>. Hope this helps. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#25 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AAyFefNht9NHcCugvRe1v476SXiXJXNwks5ucV_7gaJpZM4WugTM>. Content provided within this e-mail including any attachments, is for the use of the intended recipients and may contain Rohde & Schwarz company restricted information. Any unauthorized use, disclosure, or distribution of this communication in whole or in part is strictly prohibited. If you are not the intended recipient, please notify the sender by reply email or by telephone and delete the communication in its entirety.

[etingof]

There are multiple ways to do that mostly depending on how do you want to represent each of the v3 agents at the snmpfwd server side. Choices include:

• Based on server transport endpoint (dedicated address/port at v2c agent per v3 agent)
• Based on distinct SNMPv2c community names
• Based on v2c client source transport endpoint
• Based on something matching in the request var-binds

For the first two approaches you would need (as you say) distinct transport or community settings bound to snmp-credentials-id: key e.g.

snmp-credentials-group {
  snmp-engine-id: 0x0102030405070809

  snmp-transport-domain: 1.3.6.1.6.1.1.100
  snmp-bind-address: 127.0.0.1:1161

  snmp-security-model: 2
  snmp-security-level: 1

  # block names never matter, what matters is the scoping and the IDs
  agent-1 { 
    snmp-community-name: public
    snmp-security-name: public

    snmp-credentials-id: snmp-credentials-1
  }

  agent-2 { 
    snmp-community-name: cilbup
    snmp-security-name: cilbup

    snmp-credentials-id: snmp-credentials-2
  }
}

Similarly for snmp-bind-address.

Then you need to route those distinct snmp-credentials-id to your client similarly to how it's done for a single entry.

On the client side you need to define blocks for each of your v3 agents with distinct snmp-peer-id IDs.

You could use a single snmp-engine-id or many of them - this should not matter unless your v3 agents care about that (what's unlikely).

The crucial part at the client side is to route the queries coming from server to client towards proper v3 agent. You can do that by either:

• Matching v1 manager parameters as seen by the server (see orig-snmp-peer-id key)
• Matching configuration IDs chosen by the server when serving the v1 manager (see server-classification-id key)

Here is the example configuration I am referring to here.

There is also some documentation on these settings.

Does it make sense?

If your v3 agents sit on different/distant networks, the other option could be that you have one snmpfwd-client peering with many snmpfwd-servers over TCP/IP links what should work a bit more reliably perhaps. With that layout you would probably have to route v2c messages at the snmpfwd-server side over trunks based on similar conditions. Your snmpfwd-client configuration would be very straightforward then.

[jamie4361]

Many thanks. I will check this out. Regards Jamie Lewis Senior Software Developer ROHDE & SCHWARZ UK Ltd. Ancells Business Park, Fleet, Hampshire. GU51 2UZ Tel: +44 (0) 1252 818 855, Fax: +44 (0) 1252 811 447, Mob: +44 (0) 7770 620 209 Sales and Service Tel: +44 (0) 1252 818 888, Email: contact.uk@rohde-schwarz.com<mailto:contact.uk@rohde-schwarz.com> Customer Support Tel: +44 (0) 1252 818 900, Email: customersupport@rohde-schwarz.com<mailto:customersupport@rohde-schwarz.com> Website: http://www.rohde-schwarz.co.uk<http://www.rohde-schwarz.co.uk/> Twitter: http://twitter.com/rohde_schwarzUK The contents of this email and any attachments are sent for the attention of the addressee(s) only and may contain confidential and/or privileged material. If you have received this email in error, please notify the sender immediately and delete it from your system. If you are not the addressee, any review, re-transmission, disclosure, copying or other use of this email and any attachments is prohibited. Statements and opinions expressed in this email may not represent those of the company and any representations or commitments in this email are subject to contract. From: Ilya Etingof <notifications@github.com> Sent: Thursday, September 20, 2018 2:53 PM To: etingof/snmpfwd <snmpfwd@noreply.github.com> Cc: Lewis Jamie 5UKPS2 <Jamie.Lewis@rohde-schwarz.com>; Author <author@noreply.github.com> Subject: *EXT* [Newsletter] Re: [etingof/snmpfwd] SNMP v2c to v3 conversion (#25) There are multiple ways to do that mostly depending on how do you want to represent each of the v3 agents at the snmpfwd server side. Choices include: * Based on server transport endpoint (dedicated address/port at v2c agent per v3 agent) * Based on distinct SNMPv2c community names * Based on v2c client source transport endpoint * Based on something matching in the request var-binds For the first two approaches you would need (as you say) distinct transport or community settings bound to snmp-credentials-id: key e.g. snmp-credentials-group { snmp-engine-id: 0x0102030405070809 snmp-transport-domain: 1.3.6.1.6.1.1.100 snmp-bind-address: 127.0.0.1:1161 snmp-security-model: 2 snmp-security-level: 1 # block names never matter, what matters is the scoping and the IDs agent-1 { snmp-community-name: public snmp-security-name: public snmp-credentials-id: snmp-credentials-1 } agent-2 { snmp-community-name: cilbup snmp-security-name: cilbup snmp-credentials-id: snmp-credentials-2 } } Similarly for snmp-bind-address. Then you need to route those distinct snmp-credentials-id to your client(s) similarly to how it's done for a single entry. On the client side you need to define blocks for each of your v3 agents with distinct snmp-peer-id IDs. You could use a single snmp-engine-id or many of them - this should not matter unless your v3 agents care about that (what's unlikely). The crucial part at the client side is to route the queries coming from server to client towards proper v3 agent. You can do that by either: * Matching v1 manager parameters as seen by the server (see orig-snmp-peer-id key) * Matching configuration IDs chosen by the server when serving the v1 manager (see server-classification-id key) Here is the example configuration<http://snmplabs.com/snmpfwd/configuration/examples/command-forwarding-snmpv2c-to-snmpv3.html#server-configuration> I am referring to here. There is also some documentation<http://snmplabs.com/snmpfwd/configuration/index.html#configuration-files> on these settings. Does it make sense? If your v3 agents sit on different/distant networks, the other option could be that you have one snmpfwd-client peering with many snmpfwd-servers over TCP/IP links what should work a bit more reliably perhaps. With that layout you would probably have to route v2c messages at the snmpfwd-server side over trunks based on similar conditions. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#25 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AAyFeW7-GaQ50YY_8OVKE2A_9PKFhaooks5uc52tgaJpZM4WugTM>. Content provided within this e-mail including any attachments, is for the use of the intended recipients and may contain Rohde & Schwarz company restricted information. Any unauthorized use, disclosure, or distribution of this communication in whole or in part is strictly prohibited. If you are not the intended recipient, please notify the sender by reply email or by telephone and delete the communication in its entirety.