01-04-2019 10:14 AM
Although NetMRI has supported SNMPv3 for a long time, the standard tools and discovery settings do not accommodate it very well. Specifically,
1) The Discovery Diagnostic tool only offers a password/community field; no v3 option.
2) The SNMPwalk tool defaults to v2. What's needed is an Advanced parameter to choose the default.
3) The global Advanced setting for discovery method allows a selection of v1 or v2, but not v3. I've wondered what happens in discovery of new devices when they only are configured for v3.
01-07-2019 12:35 PM
In regards to item #3, we are migrating to v3 from v2c, and I have both versions currently configured on my network devices. As NetMRI has gone through polling cycles, it seems to have preferred v3 over v2c, and switched on its own. I find this useful as it highlights those devices that appear to be configured properly for v3, but aren't responding back.
01-07-2019 06:38 PM
Thanks for sharing that, Mark. At my primary customer, we have not deleted v2 from the device configs. For ones not yet discovered, v3 is definitely tried first. In fact, I heard back from a TAC person who confirmed that regardless of the Advanced v1/v2 selection, v3 would still be the first guess for a new device.
What doesn't seem to happen is that for existing devices working via v2, v3 will not be attempted without manually forcing it. That's why I wrote a short Perl script that uses API calls to update the v3 credentials in the DB, followed by causing a discovery of the same.
05-03-2019 09:10 AM
I need to correct my previous statement about the order of SNMP credential guessing. As a result of a recent TAC case, the CSE confirmed from the source code that guessing will try v2 before v3. I think that's a bad decision and have RFE-9748 open to change that. If you agree, please add your weight to that RFE. For comparison, other products (CA Spectrum, AKiPS) always attempt the most secure method first.
More background: while transitioning to SNMPv3 everywhere, management wants to keep the v2 config statements in the devices. When a device becomes unreachable for a number of hours, NetMRI fires "SNMP Access Lost". It then begins guessing and switches to v2. Since we are down to a small number of devices that are not v3 enabled, we were able to delete the v2 string from the global credential list, while maintaining the v2 cred at the device level.
05-13-2019 10:08 AM
Well, that's a kick in the pants. Doesn't make it easy to transition. We just upgraded to 7.3.2 over the weekend, and checking my SNMPv3 credentials, it appears that most of our devices have been rediscovered by v2. I'll reach out to add us to the RFE as well.
05-19-2019 06:20 PM
If it will help, I have a small Perl script that I wrote months ago to migrate devices to v3. You enter the desired credentials and it changes those for the selected devices via the API. It does a Discover_Next to cause those to be used.
To help identify the devices, I created two basic device groups -- SNMPv2c and SNMPv3. The membership criterion is $Community. You can then easily select the ones you want and run the script on them (i.e., the misnamed Execute Command).