SNMP is the main protocol for monitoring network hardware, and it is supported by Zabbix, an all-in-one solution for monitoring a large number of objects in static (slowly changing) networks.

The earlier versions of the protocol, SNMPv1 and SNMPv2, had security vulnerabilities that led to attacks and data breaches. To protect sensitive data, SNMPv3 should be enabled.

I’ll demonstrate how to configure SNMPv3 in Zabbix to monitor network hardware, how to create proper templates in Zabbix, and what you can achieve by organizing a distributed alert system in a large network.

About SNMPv3

SNMP is the main protocol for monitoring network hardware; it is used both to poll network devices and to manage them by sending simple commands (for example, to reboot a device or to enable or disable network interfaces).

The main difference between SNMPv3 and the previous versions is the set of classic security functions [1-3]:

  • authentication, which allows us to determine if a request came from a trusted source;
  • encryption, which prevents any third party from reading data if it is intercepted in transit;
  • integrity, which helps to ensure that a data packet hasn’t been tampered with during transit.

SNMPv3 allows security models in which individual users and user groups are assigned an authentication strategy. The previous versions of SNMP only checked the community string in a request from the server to the monitored device; that string was transmitted in plain text and served as the password.

SNMPv3 also introduces security levels that define how secure the device settings and the SNMP agent behaviour must be. The combination of a security model and a specific level determines which security mechanism is used to process an SNMP packet [4].

Combinations of security models and levels in SNMPv3

Level        | Authentication                                                  | Encryption                                                           | What happens
noAuthNoPriv | Username                                                        | No                                                                   | Authentication with a username (strongly not recommended)
authNoPriv   | Message Digest Algorithm 5 (MD5) or Secure Hash Algorithm (SHA) | No                                                                   | Authentication based on Hashed Message Authentication Code (HMAC)-MD5 or HMAC-SHA (not recommended)
authPriv     | MD5 or SHA                                                      | Data Encryption Standard (DES) or Advanced Encryption Standard (AES) | Authentication based on HMAC-MD5 or HMAC-SHA + encryption based on DES or AES (best practice)
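The authentication in the authNoPriv and authPriv levels rests on the User-based Security Model of RFC 3414: the authentication and privacy passwords configured on the device (‘md5v3v3v3’ and ‘des56v3v3v3’ later in this article) are never sent over the network. Each password is hashed into a key and then localized with the device's snmpEngineID, so the same password yields a different key on every device. The following Python script is an added example, not code from the original post or from Zabbix; it implements that derivation with the standard library and checks it against the sample results published in RFC 3414, appendix A.3. The engine IDs used with the article's password are constructed placeholders.

```python
"""Added example: RFC 3414 (USM) password-to-key derivation and key localization.

Illustration code, not part of the original post or of Zabbix. It shows why
SNMPv3 authPriv is safer than a plain community string: the password never
goes on the wire, and the resulting key is bound to the monitored device's
snmpEngineID, so one password gives a different key on every device.
"""
import hashlib

# RFC 3414 A.2: the password is repeated until 1 MiB of input has been hashed.
_STRETCH_LEN = 1048576

# Authentication protocols defined in RFC 3414 and their hashlib names.
_ALGORITHMS = {"md5": "md5", "sha": "sha1"}


def password_to_key(password: bytes, proto: str = "md5") -> bytes:
    """RFC 3414 A.2.1/A.2.2: derive the intermediate key Ku from a password."""
    if not password:
        raise ValueError("SNMPv3 passwords must not be empty")
    h = hashlib.new(_ALGORITHMS[proto])
    reps, rem = divmod(_STRETCH_LEN, len(password))
    # Exactly 1 MiB of the password repeated cyclically, as the RFC specifies.
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, proto: str = "md5") -> bytes:
    """RFC 3414 A.2.1/A.2.2: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(_ALGORITHMS[proto], ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str, proto: str = "md5") -> str:
    """Localized key for a password and a hex-encoded snmpEngineID, as hex."""
    ku = password_to_key(password.encode(), proto)
    return localize_key(ku, bytes.fromhex(engine_id_hex), proto).hex()


def rfc3414_vectors_ok() -> bool:
    """Check the derivation against the sample results in RFC 3414, appendix A.3."""
    engine = "000000000000000000000002"
    expected = {
        "md5": "526f5eed9fcce26f8964c2930787d82b",
        "sha": "6695febc9288e36282235fc7151f128497b38f3f",
    }
    return all(localized_key_hex("maplesyrup", engine, p) == k for p, k in expected.items())


if __name__ == "__main__":
    assert rfc3414_vectors_ok()
    # Constructed placeholder engine IDs (a real one is read from the device,
    # for example with 'show snmp engineID' on Cisco IOS).
    for engine in ("800000090300aabbccddeeff", "80000009030011223344556677"):
        print(engine, localized_key_hex("md5v3v3v3", engine, "md5"))
```

The two printed keys differ although the password is the same, which is the property that lets one password be reused across a fleet without one device's key being valid on another. MD5 and DES appear here only because the article's device configuration uses them; the same routine with "sha" is what an AES-backed authPriv user relies on.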

How to

To monitor a network device, we must set up SNMPv3 both on the server and the monitored device.

Setting up a network device

  • The basic Cisco network device configuration in the CLI:

1. Define a group of SNMPv3 users (‘snmpv3group’), the access mode (‘read’), and the access privilege that lets ‘snmpv3group’ view certain branches of the device’s MIB tree.

snmp-server group snmpv3group v3 priv read snmpv3name

2. Define the user (‘snmpv3user’) and its user group (‘snmpv3group’), with authentication based on MD5 (‘md5v3v3v3’ as the password) and encryption based on DES (‘des56v3v3v3’ as the password).

snmp-server user snmpv3user snmpv3group v3 auth md5 md5v3v3v3 priv des des56v3v3v3

NOTE. It is preferable to use AES; DES is used here as an example only.

NOTE. When defining a user, an access control list (ACL) can be added to restrict the IP addresses of the servers that are allowed to monitor this device.

3. Define a view name (‘snmpv3name’) for the branches of the MIB tree that ‘snmpv3group’ may access. Using the ‘iso’ root instead of a single branch allows ‘snmpv3group’ to access all MIB objects of the monitored device.

snmp-server view snmpv3name iso included

  • The basic Huawei network device configuration in the CLI:

snmp-agent mib-view included snmpv3name iso

snmp-agent group v3 snmpv3group privacy read-view snmpv3name

snmp-agent usm-user v3 snmpv3user group snmpv3group

snmp-agent usm-user v3 snmpv3user authentication-mode md5 md5v3v3v3

snmp-agent usm-user v3 snmpv3user privacy-mode des56 des56v3v3v3

Setting up access

After the network devices are configured, you can verify that the monitoring server can reach them over SNMPv3 by running ‘snmpwalk’:

snmpwalk -v 3 -u snmpv3user -l authPriv -A md5v3v3v3 -a md5 -x des -X des56v3v3v3 10.10.10.252

To request specific objects, you can also run ‘snmpget’, which relies on MIB files and gives a more concise output.

Configuring an item to use SNMPv3

We need to configure a standard item that uses SNMPv3 at the Zabbix template level. The simplest way is to use MIB-independent numerical OIDs.

Data elements

The SNMPv3 parameters can be stored in user macros, since they are the same for every item in the template. If all of your network devices share the same SNMPv3 parameters, define the macros at the template level; otherwise, define them at the host level.

Templates

NOTE. Keep in mind that the monitoring system holds only the usernames and the passwords for authentication and encryption. The user group and the access to MIB objects are defined on each monitored device.

Zabbix Polling template

It is recommended to make polling templates as detailed as possible:

Polling template

Configuring triggers

Triggers

If trigger names include the system macro {HOST.CONN}, alerts on the dashboard will display not only device names but also their IP addresses.

Besides a regular ICMP echo request, SNMP itself can be used to determine whether a device is unavailable.

Sometimes a device responds only to ICMP requests; this may mean that different devices have the same IP address, or that firewall or SNMP settings are blocking the polling. Either way, if you check host availability only with ICMP, you may not get all the monitoring data needed to investigate a network incident.

Network interface discovery

Network interface discovery is the most important monitoring function for networking hardware. Since a single network device can have hundreds of interfaces, we must filter unneeded interfaces out, so that they don’t clutter up the database and data visualization.

Zabbix’s standard SNMP discovery function, which can collect many parameters in one pass, allows for more flexible filtering:

discovery[{#IFDESCR},1.3.6.1.2.1.2.2.1.2,{#IFALIAS},1.3.6.1.2.1.31.1.1.1.18,{#IFADMINSTATUS},1.3.6.1.2.1.2.2.1.7]

Discovery rules

Network interfaces can be discovered and filtered by their type, user description, and the administrative state of their ports.

Filters

Regular expression

So, the excluded interfaces will be those that:

  • have been manually disabled (‘adminstatus<>1’), filtered by ‘IFADMINSTATUS’;
  • have no text description, filtered by ‘IFALIAS’;
  • have an asterisk (*) in their text description, filtered by ‘IFALIAS’;
  • are service/technical interfaces, filtered by ‘IFDESCR’ (when regular expressions are applied in discovery, a single regular expression, alias, is checked against both ‘IFALIAS’ and ‘IFDESCR’).
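To make the four exclusion rules concrete, here is an added Python example (not code from the original post or from Zabbix) that applies the same filter logic to a constructed result of the discovery[] key above, in the JSON format Zabbix uses for low-level discovery. It models each filter as a per-macro "matches" or "does not match" regular expression with all conditions combined by AND, which is how the rules in the list combine. The interface rows and the pattern for technical interfaces are constructed for the example and are not taken from the article.

```python
"""Added example: apply the article's interface-discovery filters to a sample
Zabbix LLD result. Illustration only, not Zabbix code."""
import json
import re

# Constructed discovery[] output; the macros are the ones in the discovery key
# from the article ({#IFDESCR}, {#IFALIAS}, {#IFADMINSTATUS}).
SAMPLE_LLD = json.dumps({"data": [
    {"{#SNMPINDEX}": "1", "{#IFDESCR}": "GigabitEthernet0/1", "{#IFALIAS}": "uplink to core", "{#IFADMINSTATUS}": "1"},
    {"{#SNMPINDEX}": "2", "{#IFDESCR}": "GigabitEthernet0/2", "{#IFALIAS}": "", "{#IFADMINSTATUS}": "1"},
    {"{#SNMPINDEX}": "3", "{#IFDESCR}": "GigabitEthernet0/3", "{#IFALIAS}": "* spare, do not monitor", "{#IFADMINSTATUS}": "1"},
    {"{#SNMPINDEX}": "4", "{#IFDESCR}": "GigabitEthernet0/4", "{#IFALIAS}": "to server-12", "{#IFADMINSTATUS}": "2"},
    {"{#SNMPINDEX}": "5", "{#IFDESCR}": "Loopback0", "{#IFALIAS}": "router-id", "{#IFADMINSTATUS}": "1"},
    {"{#SNMPINDEX}": "6", "{#IFDESCR}": "Vlan100", "{#IFALIAS}": "management", "{#IFADMINSTATUS}": "1"},
]})

# Each filter: (macro, regular expression, must_match). These mirror the four
# rules in the text; the list of "technical" interface names is an assumption.
FILTERS = [
    ("{#IFADMINSTATUS}", re.compile(r"^1$"), True),   # drop adminstatus<>1 (manually disabled)
    ("{#IFALIAS}", re.compile(r"\S"), True),           # drop interfaces with no description
    ("{#IFALIAS}", re.compile(r"\*"), False),          # drop descriptions flagged with *
    ("{#IFDESCR}", re.compile(r"^(Null|Loopback|unrouted VLAN|StackPort)", re.I), False),
]


def apply_lld_filters(lld_json: str, filters=FILTERS) -> list:
    """Return the LLD rows that pass every filter (conditions combined with AND)."""
    kept = []
    for row in json.loads(lld_json)["data"]:
        passes = all(
            (regex.search(row.get(macro, "")) is not None) == must_match
            for macro, regex, must_match in filters
        )
        if passes:
            kept.append(row)
    return kept


def kept_interfaces(lld_json: str = SAMPLE_LLD) -> list:
    """ifDescr values of the interfaces that would become monitored items."""
    return [row["{#IFDESCR}"] for row in apply_lld_filters(lld_json)]


if __name__ == "__main__":
    for row in apply_lld_filters(SAMPLE_LLD):
        print(row["{#SNMPINDEX}"], row["{#IFDESCR}"], row["{#IFALIAS}"])
```

Running it keeps only GigabitEthernet0/1 and Vlan100: the other four rows are dropped by exactly one rule each, which is a useful way to check a filter set before it is loaded into a template, because a rule that is too broad silently removes interfaces from monitoring.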

Monitoring results

So, we’ve got a list of network devices:

List of network devices

Creating a template for each hardware series makes the analysis of monitoring results more convenient, as it lets you see, grouped by series:

  • up-to-date software,
  • serial numbers, and
  • presence of a janitor in the server room (indicated by low uptime percentage).

Various templates may give different views on your network, for example:

Hardware series templates

Main monitoring dashboard with triggers divided by level of importance

If you create templates for each device model in your network, your monitoring system can become a tool for forecasting malfunctions and failures (if you have necessary sensors and metrics). Zabbix is a good solution for monitoring network, server, and service infrastructures, and leveraging Zabbix for maintaining network hardware demonstrates the system’s capabilities.

References

  1. Hucaby D. CCNP Routing and Switching SWITCH 300-115 Official Cert Guide. Cisco Press, 2014. pp. 325-329.
  2. RFC 3410. https://tools.ietf.org/html/rfc3410
  3. RFC 3415. https://tools.ietf.org/html/rfc3415
  4. SNMP Configuration Guide, Cisco IOS XE Release 3SE.
    Chapter: SNMP Version 3.
    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/xe-3se/3850/snmp-xe-3se-3850-book/nm-snmp-snmpv3.html

The post is translated from the habr.com article.
