2012/11/21
Siemens NAM RC-CA I - Global Services and Support Group - 300 Applewood Cres. (Unit 1), Concord,
Ontario, Canada, L4K5C7, support@ruggedcom.com, Phone: 1.866.922.7975 / (+1) 954.922.7938
1. Introduction
This document deliberately takes a spoon-feeding approach: it relies heavily on screenshots so that the reader can copy the steps needed for basic SNMPv3 configuration between RuggedNMS and the various RuggedCom devices. The flow is as follows: first SNMPv3 is configured on RuggedNMS (RNMS further in the text), then SNMPv3 is configured on ROX1, ROS, ROX2 and WiMAX BST/CPE devices. The last couple of paragraphs explain the basics of the SNMPv3 handshake as seen in ROX2 snmp log traces, and show how to decrypt encrypted SNMPv3 packet captures in Wireshark for debugging purposes, for example to find the root cause of SNMPv3 configuration problems. Roughly, expect to spend 15 minutes configuring SNMPv3 on RNMS and four RuggedCom devices running different OS platforms. OS versions used in the examples here are:
- RuggedNMS 1.5.3
- ROX1 1.14.4
- ROS 3.11.0
- ROX2 2.3.0
- WiMAX BST 4.2
- WiMAX CPE 4.3
<!-- The opening <snmp-config ...> tag carrying the global default settings precedes this excerpt -->
<definition version="v3" security-name="rugged"
    auth-passphrase="ru99ed7c" auth-protocol="MD5"
    privacy-passphrase="s7st3m48" privacy-protocol="DES">
  <!-- Single ROX1 router -->
  <specific>172.30.16.104</specific>
  <!-- Single ROX2 router -->
  <specific>192.168.18.9</specific>
  <!-- Couple of ROS devices configured in range fashion -->
  <range begin="172.30.17.107" end="172.30.17.108"/>
</definition>
<definition version="v3" security-name="rugged2"
    auth-passphrase="ru99ed7c" auth-protocol="SHA"
    privacy-passphrase="s7st3m48" privacy-protocol="DES"
    context-name="public">
  <!-- Single WiMAX BST -->
  <specific>172.19.16.6</specific>
  <!-- Single WiMAX CPE -->
  <specific>172.19.16.53</specific>
</definition>
</snmp-config>
Brief on the above file:
- This file is located in C:/ruggednms/etc/ (Windows) or /usr/share/opennms/etc/ (Linux), depending on the RNMS installation.
- Most of the directives in the xml tags are self-explanatory.
- RNMS reads this configuration as follows: the attributes on the opening <snmp-config> tag are the default global settings for all devices. Devices listed between <definition></definition> tags use the snmp configuration specified in the corresponding definition tag. You can have multiple definitions.
- Note that there are 2 definitions: the first, with security-name="rugged", is for ROS/ROX1/ROX2 devices, and the second, with security-name="rugged2", is for WiMAX base station SNMPv3 authorization. In the second definition the context-name must be set to public for correct operation of SNMPv3 on CPE and BST with RNMS.
- Anything between the opening <!-- and the closing --> is a comment.
- More on SNMPv3 configuration variations can be read here:
http://www.opennms.org/wiki/SNMPv3_protocol_configuration
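As an added illustration (not part of this document or of RuggedNMS), a small Python check that resolves which <definition> RNMS would apply to a given agent address using the rules described above, then flags agents that fall back to the global defaults or that lack authentication or privacy. The attributes on the opening <snmp-config> tag and the first-match rule are assumptions; the definitions mirror the excerpt above.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Constructed sample modelled on this document's snmp-config.xml excerpt; the
# attributes on the opening <snmp-config> tag are assumed (not shown in the document).
SAMPLE_XML = """<snmp-config version="v2c" read-community="public" timeout="10000" retry="3">
  <definition version="v3" security-name="rugged"
      auth-passphrase="ru99ed7c" auth-protocol="MD5"
      privacy-passphrase="s7st3m48" privacy-protocol="DES">
    <specific>172.30.16.104</specific><specific>192.168.18.9</specific>
    <range begin="172.30.17.107" end="172.30.17.108"/>
  </definition>
  <definition version="v3" security-name="rugged2"
      auth-passphrase="ru99ed7c" auth-protocol="SHA"
      privacy-passphrase="s7st3m48" privacy-protocol="DES" context-name="public">
    <specific>172.19.16.6</specific><specific>172.19.16.53</specific>
  </definition>
</snmp-config>"""

def _matches(defn, ip):
    # A <definition> covers its <specific> hosts and every <range begin..end>.
    for spec in defn.findall("specific"):
        if ipaddress.ip_address(spec.text.strip()) == ip:
            return True
    for rng in defn.findall("range"):
        if ipaddress.ip_address(rng.get("begin")) <= ip <= ipaddress.ip_address(rng.get("end")):
            return True
    return False

def resolve_agent_config(xml_text, address):
    """Global <snmp-config> attributes overridden by the matching <definition>
    (first match wins: an assumption, the document only says 'corresponding')."""
    root = ET.fromstring(xml_text)
    ip = ipaddress.ip_address(address)
    effective = dict(root.attrib)
    for defn in root.findall("definition"):
        if _matches(defn, ip):
            effective.update(defn.attrib)
            break
    return effective

def audit(config):
    """Findings for one resolved agent: fell back to the v1/v2c global defaults
    (community string on the wire), or v3 without authentication or privacy."""
    findings = []
    if config.get("version") != "v3":
        return ["not covered by a v3 definition; using global " + config.get("version", "v1")]
    if not config.get("auth-passphrase"):
        findings.append("SNMPv3 without authentication")
    if not config.get("privacy-passphrase"):
        findings.append("SNMPv3 without privacy")
    return findings
```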
A. ROX1 (1.14.4) SNMPv3 settings:
1) Navigate to Maintenance / SNMP Configuration / Access control and configure the SNMPv3 user
2) In Maintenance / SNMP Configuration / Trap Configuration, add an SNMP V3 Trap Destination, where 172.30.20.151 is your RNMS server IP
2) In Main menu / Administration / Configure SNMP / Configure SNMP Users, specify the settings as illustrated:
Notes:
Use the same SNMPv3 credentials as in the RNMS configuration.
The IP address field should be set to the RNMS IP. This IP is used for traps and also acts as an additional authentication factor: the ROS device will reply to SNMP queries only if they are sent from this IP. Queries from any other IP address using the name configured here (rugged) will not be answered.
3) In Main menu / Administration / Configure SNMP / Configure SNMP Security to Group Maps, specify the settings as illustrated:
Note: Once the SNMP settings are configured, SNMP communication activity may be verified with the built-in ROS trace utility.
To enable the SNMP tracing utility:
o Press CTRL+S; this switches user input to CLI mode
o Type the following two commands (no quotes), each on a new line:
trace snmp allon
trace
To stop the trace utility and exit the CLI:
o Press CTRL+C
o Type the command (no quotes): trace snmp alloff
o Press CTRL+S
Be sure to create your own complex password for the user and assign the guest role.
3) Configure the SNMP user-to-group mapping (in this example User Name=rugged, Group=v3full) in admin / snmp / snmp-security-to-group:
- First add the key settings:
o Security Model = v3
o User Name = rugged
by pressing <Add snmp-security-to-group>
Then select the newly created key v3/rugged and specify in it the additional setting Group=v3full, with all-rights, which is the default setting (pic below).
Then select the newly created key v3full/v3/authPriv and add the additional settings: set all-of-mibs for all options under the SNMP Group Access Configuration table as illustrated.
Select the created key and configure the additional key parameters in the SNMPv3 Target Configuration table:
o Enabled= checked
o Target Address = RNMS_IP
o Security Model = v3
o User Name = rugged
o Security Level = authPriv
o Trap Type List = snmpv3_trap
Add a new SNMPv3 entry and configure the following fields to match the 2nd <definition> tag settings in the RNMS configuration shown in paragraph 2.
- Username =rugged2
- Authentication Passphrase = ru99ed7c
- Authentication Protocol = HMAC-SHA1
- Privacy Passphrase = s7st3m48
- Privacy Protocol = CBC-DES
- Access Group = NMS Access Group
Note: The SNMPv3 configuration is the same for RuggedMAX CPE and BST as of the 4.3.X firmware release for both.
Do not forget that admin / snmp / SNMP USM Statistics [table] contains quite helpful SNMP statistics counters for SNMP troubleshooting, mainly for SNMPv3 (USM - User-based Security Model).
ROX1: RNMS_quering_ROX1_sample_SNMPv3_handshake.pcapng
ROS: RNMS_quering_ROS_sample_SNMPv3_handshake.pcapng
WiMAX BST: RNMS_quering_BST_sample_SNMPv3_handshake.pcapng
WiMAX CPE: RNMS_quering_CPE_sample_SNMPv3_handshake.pcapng
Note: Use the payload decryption method explained in paragraph 5 below to read the encrypted PDU content in the captures.
1) Select an SNMP packet; right-click on the Simple Network Management Protocol layer; click Protocol Preferences
4) Click the Apply button for Wireshark to attempt to decrypt the SNMPv3 packets. The encrypted PDU portion of your SNMPv3 packets should now be decrypted; click + on the encrypted PDU to reveal its content, illustration below:
In the uncategorized log, look for SNMP-related information using the search pattern IP, Port: 161 in a text editor of your preference such as notepad++, e.g. /172.19.16.53, Port: 161
Illustration below:
- Here is an example log message for an incorrectly configured SNMPv3 record for the 172.19.16.53 IP:
2012-11-20 13:23:30,197 INFO [Configd:ConfigdEventProcessor]
RuggedNMS.ConfigMgtd.org.opennms.netmgt.snmp.snmp4j.Snmp4JWalker: Walking
GenericData for /172.19.16.53 using version SNMPv3 with config:
AgentConfig[Address: /172.19.16.53, Port: 161, Community: public, Timeout:
10000, Retries: 3, MaxVarsPerPdu: 10, MaxRepititions: 2, Max request size:
65535, Version: 3, ProxyForAddress: null, Security level: 3, Security name:
rugged2, auth-passphrase: ru99ed7c, auth-protocol: SHA, priv-passprhase:
s7st3m48, priv-protocol: DES, context-name:, context-engine-ID: ]
From the above log message you can tell that the context engine ID is missing during snmp request assembly. The very next message, the reply sent to RNMS from 172.19.16.53, will quite likely carry a specific error code suggesting that the Context Name is missing. This log analysis technique can also help pinpoint the root cause of various SNMPv3 problems, which typically point to incorrect configuration.
2012-11-20 13:23:30,197 DEBUG [Configd:ConfigdEventProcessor]
RuggedNMS.ConfigMgtd.org.opennms.netmgt.snmp.snmp4j.Snmp4JStrategy:
Snmp4JAgentConfig: Context Name
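As an added example (not from this document or from RuggedNMS), a Python scanner that pulls the AgentConfig[...] fields out of such log lines, reports SNMPv3 agents whose context-name or context-engine-ID were left empty, and redacts the passphrases that RNMS writes into this log line before the log is handed to anyone else. The first sample line is the one shown above joined onto one line; the second is constructed, and the AgentConfig key spellings (including priv-passprhase) are taken as RNMS writes them.

```python
import re

# Sample log: line 1 is the document's log record joined onto one line, line 2 is
# a constructed record for the BST with context-name set as the document requires.
SAMPLE_LOG = """2012-11-20 13:23:30,197 INFO [Configd:ConfigdEventProcessor] RuggedNMS.ConfigMgtd.org.opennms.netmgt.snmp.snmp4j.Snmp4JWalker: Walking GenericData for /172.19.16.53 using version SNMPv3 with config: AgentConfig[Address: /172.19.16.53, Port: 161, Community: public, Timeout: 10000, Retries: 3, MaxVarsPerPdu: 10, MaxRepititions: 2, Max request size: 65535, Version: 3, ProxyForAddress: null, Security level: 3, Security name: rugged2, auth-passphrase: ru99ed7c, auth-protocol: SHA, priv-passprhase: s7st3m48, priv-protocol: DES, context-name:, context-engine-ID: ]
2012-11-20 13:23:31,004 INFO [Configd:ConfigdEventProcessor] RuggedNMS.ConfigMgtd.org.opennms.netmgt.snmp.snmp4j.Snmp4JWalker: Walking GenericData for /172.19.16.6 using version SNMPv3 with config: AgentConfig[Address: /172.19.16.6, Port: 161, Community: public, Timeout: 10000, Retries: 3, MaxVarsPerPdu: 10, MaxRepititions: 2, Max request size: 65535, Version: 3, ProxyForAddress: null, Security level: 3, Security name: rugged2, auth-passphrase: ru99ed7c, auth-protocol: SHA, priv-passprhase: s7st3m48, priv-protocol: DES, context-name: public, context-engine-ID: ]"""

def parse_agent_config(line):
    """Return the AgentConfig[...] fields of one RNMS log line as a dict, or None."""
    m = re.search(r"AgentConfig\[(.*)\]", line)
    if not m:
        return None
    fields = {}
    for item in m.group(1).split(", "):
        key, _, value = item.partition(":")   # 'context-name:' has an empty value
        fields[key.strip()] = value.strip()
    return fields

def check_v3_config(fields):
    """The two fields the document's analysis looks at: for a version-3 agent,
    report which of context-name / context-engine-ID were empty at request assembly."""
    if fields.get("Version") != "3":
        return []
    return [key + " empty" for key in ("context-name", "context-engine-ID") if not fields.get(key)]

def scan(log_text):
    """Map agent address -> list of empty context fields, for v3 agents only."""
    report = {}
    for line in log_text.splitlines():
        fields = parse_agent_config(line)
        if fields and check_v3_config(fields):
            report[fields["Address"].lstrip("/")] = check_v3_config(fields)
    return report

def redact(log_text):
    """RNMS writes the SNMPv3 passphrases and the community string into this
    record; scrub them before the log leaves the server (e.g. in a support case)."""
    return re.sub(r"((?:auth-passphrase|priv-passprhase|Community): )[^,\]]+", r"\1<redacted>", log_text)
```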