
Configure PacketWise for SNMPv3 Support

The Simple Network Management Protocol (SNMP) is a widely used method of monitoring computer networks. Unlike earlier versions of SNMP, SNMPv3 provides secure access to devices by providing authentication, encryption and access control.

You can configure PacketWise to automatically send messages, such as event notifications or warnings of alarm conditions (such as Link Down), to any SNMP trap listener. Several PacketWise features (Adaptive Response and user events) can be configured to send SNMP traps; before you can do this, however, you need to configure SNMP remote users to receive trap and inform notifications.

This PacketGuide page describes how to perform the following tasks:

Simple Mode Configuration vs Complex Mode Configuration

There are two SNMPv3 configuration modes, simple mode and complex mode. In the default simple mode, SNMPv3 settings can be configured via the command-line or browser interfaces of the individual PacketShaper or, for units in shared mode, via that unit's PolicyCenter configuration. Simple mode also displays the engine ID of the unit as a read-only hexadecimal string. Complex mode allows you to add or edit individual SNMP table entries via the command-line interface only, using a separate set of setup snmp complex commands.

Warning: Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Note: To perform the following tasks from PolicyCenter, you must first select a configuration in the Configurations window. Then select the setup tab from the right pane of this window, and proceed to step 2 of the procedure below.

Change SNMPv3 Configuration Modes

When you change the SNMPv3 configuration mode from simple to complex, the Setup SNMP screen no longer displays the browser interface for configuring SNMPv3 or SNMPv1 community strings and trap destinations. Note that simple mode and complex mode configurations are completely separate. When in simple mode, the PacketShaper will ignore any previously configured complex mode settings, and vice versa.

To toggle SNMPv3 between simple and complex configuration modes:

  1. Click the setup tab.

  2. From the Choose Setup Page list, select SNMP. The current SNMP configuration mode appears on the Setup screen.

  3. Click the SNMP Configuration Mode drop-down list, and select the new configuration mode.

  4. Click apply changes to save your settings.

Configure SNMP Access Tables

You must define entries in each of the SNMP Access Configuration tables in order to allow or limit SNMP users' access to MIB information. Click on any of the links below for details on configuring those SNMPv3 tables in simple mode, or refer to the SNMP User's Guide, available for download in the Software Utilities section of the Packeteer Support website. Note that each SNMPv3 table supports up to 32 separate entries.

Configure the Views Table

An SNMP view filters objects from the entire MIB and defines a subset of MIB objects. Every SNMP access group has views for read and write access which either allow or limit that group's access to MIB objects. There are two predefined views: isoAll and isoNone. The isoAll view gives a group access to all MIB information, and the isoNone view blocks all access.

If you want your SNMP groups to have either complete access or no access to all MIB information, your groups only need to use the built-in isoAll or isoNone views. If, however, you want a group to access just a subset of MIB information, you will have to create a new view that describes those MIB object identifiers (OIDs) that should be included or excluded.

Create a New View

To define a new SNMP view:

  1. Click the setup tab.

  2. From the Choose Setup Page list, select SNMP.

  3. Click the new button beside the Views heading. The Add a New View window opens.

  4. In the View Name field, enter a name for the new view. A view name can have up to 32 characters; hyphens, underscores, and periods are acceptable. Each SNMP view name must be unique.

  5. In the Subtree OID field, enter an OID name, number, or an initial OID name and a number, such as packeteerMibs, 1.3.6.1.4.1.2334.2, or packeteerMibs.1.4. This parameter also supports the use of asterisks as wildcards for OID numbers, for example, interfaces.*.*.1

    Note: The Add a New View window only allows you to specify a single OID. You can, however, add additional OIDs to an existing view. To display a list of available SNMP MIB OID names and numbers, use the CLI command setup snmp oids.

  6. Click the Type drop-down list, and select included if the OID name or number should be included in this view, or excluded if it should be excluded from the view.

  7. Click OK to save your settings. The new view will appear in the Views table on the SNMP setup screen.

Add Additional OIDs to a View

When you first create a view, you can only specify a single OID name or number for that view. To add additional OIDs to an existing view:

  1. If you are not already on the SNMP setup page, click the setup tab, and select SNMP from the Choose Setup Page list.

  2. Click the add oid button beside the Views table entry you want to edit. The Add an OID to View window opens.

  3. In the Subtree OID field, enter an OID name, number, or an initial OID name and a number, such as packeteerMibs, 1.3.6.1.4.1.2334.2, or packeteerMibs.1.4. This parameter also supports the use of asterisks as wildcards for OID numbers, for example, interfaces.*.*.1.

  4. Click OK to save your settings. The updated view will appear in the Views table on the SNMP setup screen.
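
How included and excluded subtrees combine in one view, as an added example (not Packeteer code). It evaluates a constructed view using the RFC 3415 (VACM) rule that the longest matching subtree decides, and assumes PacketWise follows that rule and that packeteerMibs resolves to 1.3.6.1.4.1.2334.2; parse_subtree, matches and in_view are hypothetical helper names.

```python
# Constructed name table covering only the OID names this page uses.
NAMES = {
    "interfaces": (1, 3, 6, 1, 2, 1, 2),            # MIB-II interfaces group
    "packeteerMibs": (1, 3, 6, 1, 4, 1, 2334, 2),   # assumed from the page's numeric form
}

def parse_subtree(text):
    """Turn 'packeteerMibs.1.4' or 'interfaces.*.*.1' into a tuple of
    sub-identifiers; '*' becomes None (a wildcard position)."""
    parts = text.split(".")
    prefix = NAMES.get(parts[0])
    if prefix is not None:
        parts = parts[1:]
    tail = tuple(None if p == "*" else int(p) for p in parts)
    return (prefix or ()) + tail

def matches(oid, subtree):
    """An OID falls under a subtree when it is at least as long and every
    non-wildcard sub-identifier is equal."""
    if len(oid) < len(subtree):
        return False
    return all(s is None or s == o for s, o in zip(subtree, oid))

def in_view(view, oid_text):
    """Return True when the numeric OID is visible through the view.
    RFC 3415: among matching entries the one with the most sub-identifiers
    wins; a tie goes to the lexicographically greater subtree. An OID that
    matches no entry is not in the view."""
    oid = tuple(int(p) for p in oid_text.split("."))
    best_key, best_type = None, None
    for subtree_text, entry_type in view:
        subtree = parse_subtree(subtree_text)
        if not matches(oid, subtree):
            continue
        # Wildcard positions are compared as 0 for the tie-break.
        key = (len(subtree), tuple(0 if s is None else s for s in subtree))
        if best_key is None or key > best_key:
            best_key, best_type = key, entry_type
    return best_type == "included"

# Constructed view: the Packeteer MIBs minus one branch, plus one column
# of the interfaces table selected with wildcards.
VIEW = [
    ("packeteerMibs", "included"),
    ("packeteerMibs.1.4", "excluded"),
    ("interfaces.*.*.1", "included"),
]

if __name__ == "__main__":
    for probe in ("1.3.6.1.4.1.2334.2.1.2.1.0",   # under packeteerMibs
                  "1.3.6.1.4.1.2334.2.1.4.7",     # under the excluded branch
                  "1.3.6.1.2.1.2.2.1.1.3",        # matches interfaces.*.*.1
                  "1.3.6.1.2.1.2.2.1.2.3",        # other interfaces column
                  "1.3.6.1.2.1.1.1.0"):           # outside every subtree
        print(probe, "visible" if in_view(VIEW, probe) else "hidden")
```

Running candidate OIDs through a planned view before assigning it to a group shows whether an excluded entry really removes the branch you meant to hide.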

Edit an SNMP View

Change the view type from included to excluded, or replace a view's existing OID(s) with a new OID.

  1. If you are not already on the SNMP setup page, click the setup tab, and select SNMP from the Choose Setup Page list.

  2. Click the edit button beside the Views table entry you want to edit. The Edit View window opens.

  3. Update the view's Subtree OID or type settings (described in Create a new View).

    Note: When you edit an SNMP view, all its previously configured OIDs are cleared, and are replaced by the single OID in this field. Any additional OIDs for this view must be manually added again using the procedure described above.

  4. Click OK to save your settings. The updated view will appear in the Views table on the SNMP setup screen.

Delete an SNMP View

Before you delete an unwanted SNMP view, verify that no access groups or targets are using that view. You will not be able to delete a view referenced by other SNMP tables. To delete an SNMP view:

  1. If you are not already on the SNMP setup page, click the setup tab, and select SNMP from the Choose Setup Page list.

  2. Click the delete button beside the view you want to remove. A popup window asks you to verify that the view should be deleted.

  3. Click OK.

Configure the Access Groups Table

Each SNMP access group is defined by a group name, a security model (and level), and a set of views that specifies which types of MIB data that access group can read or write.

Create a New Access Group

To create a new access group:

  1. Click the setup tab.

  2. From the Choose Setup Page list, select SNMP.

  3. Click the new button beside the Access Groups heading. The Add a New Access Group window opens.

  4. In the Group Name field, enter the name of the new access group. An access group name can be up to 32 characters; hyphens, underscores, and periods are acceptable. Each access group name must be unique.

  5. Click the Security Level drop-down list, and select one of the following security levels for that group.

    • noAuthNoPriv: Identifies a user for access control, but does not provide authentication.

    • authNoPriv: Identifies a user for access control, and authenticates the user's password.

    • authPriv: Identifies a user for access control, authenticates the user's password, and provides encryption.

  6. Access groups have read (look) access to the information specified by the read view. Click the Read View Name drop-down list and select the predefined view isoAll (to allow complete read access) or isoNone (to block all access), or click the name of a user-defined custom view.

  7. Access groups have write (touch) access to the information specified by the write view. Click the Write View Name drop-down list and select the predefined view isoAll (to allow complete write access) or isoNone (to block all access), or click the name of a user-defined custom view.

  8. Click OK to save your settings. The new access group will appear in the Access Groups table on the SNMP setup screen.

Edit an Access Group

Modify security models or levels, or change a group's read and write views. To edit an access group:

  1. If you are not already on the SNMP setup page, click the setup tab, and select SNMP from the Choose Setup Page list.

  2. Click the edit button beside the Access Groups table entry you want to edit. The Edit Access Group window opens.

  3. Update the access group's security and view settings (described in Create a new Access Group).

  4. Click OK to save your settings. The updated access group will appear in the Access Groups table on the SNMP setup screen.

Delete an Access Group

You cannot delete an access group that is being used by any SNMP user. Before you attempt to delete an access group, check the Group Name column of the Users table, and verify that no user is referencing the access group you want to delete. Note that you can edit SNMP users and reassign them to different access groups if necessary.

To delete an access group from the Access Groups table:

  1. If you are not already on the SNMP setup page, click the setup tab, and select SNMP from the Choose Setup Page list.

  2. Click the delete button beside the group you want to remove. A popup window asks you to verify that the access group should be deleted.

  3. Click OK.

Configure the Users Table

Each SNMP user entry defines a user (login) name, an association with an existing access group, and authentication and privacy keys that a management system can use to access the PacketShaper. This user name is not related to any other user names such as those defined for RADIUS or PolicyCenter access.

Note: If you have not yet defined access groups for your SNMP users, create one or more access groups before you add users to these groups.

Create a New User

To create a new SNMP user:

  1. Click the setup tab.

  2. From the Choose Setup Page list, select SNMP.

  3. Click the new button beside the Users heading. The Add a New User window opens.

  4. Enter a name for the user in the User Name field (up to 31 characters; hyphens, underscores, and periods are acceptable).

  5. Click the Group Name drop-down list and select the access group for the new user.

  6. If the new user's access group uses the usm (SNMPv3) security model with the authNoPriv or authPriv security levels, click the Authentication drop-down list and select either the MD5 or SHA authentication protocol. Next, enter an authentication password for the user in the Authentication Password and Retype Authentication Password fields.

    Note: If the user's access group uses the v1 (SNMPv1) or v2 (SNMPv2c) security model or the noAuthNoPriv security level, keep the default none authentication setting.

  7. If the new user's access group uses the usm (SNMPv3) security model with the authPriv security level, click the Privacy drop-down list and select one of the following privacy protection protocols:

    • des: CBC-DES Symmetric Encryption Protocol

    • 3des: 3DES-EDE Symmetric Encryption Protocol

    • aes128: 128-bit AES (Advanced Encryption Standard)

    • aes192: 192-bit AES

    • aes256: 256-bit AES

    Next, enter a privacy password for the user in the Privacy Password and Retype Privacy Password fields. If the user's access group uses the v1 (SNMPv1) or v2 (SNMPv2c) security model or the noAuthNoPriv or authNoPriv security levels, keep the default none privacy setting.

  8. Click OK to save your settings. The new user will appear in the Users table on the SNMP setup screen.

Edit an SNMP User

Modify a user's access group, or change authentication and privacy settings. To edit an SNMP user:

  1. If you are not already on the SNMP setup page, click the setup tab, and select SNMP from the Choose Setup Page list.

  2. Click the edit button beside the Users table entry you want to edit. The Edit User window opens.

  3. Update the user's access group and security settings (described in Create a new User).

  4. Click OK to save your settings. The updated user will appear in the Users table on the SNMP setup screen.

Delete an SNMP User

To delete an SNMP user from the Users table:

  1. If you are not already on the SNMP setup page, click the setup tab, and select SNMP from the Choose Setup Page list.

  2. Click the delete button beside the user you want to remove. A popup window asks you to verify that the user should be deleted.

  3. Click OK.

Configure SNMP Notify Tables

You must define entries in each of the SNMP Notify Configuration tables in order to send SNMPv3 trap notifications to remote users. Click on any of the links below for details on configuring those SNMPv3 tables in simple mode, or refer to the SNMP User's Guide, available for download in the Software Utilities section of the Packeteer Support website. Note that each SNMPv3 table supports up to 32 separate entries.

Configure the Remote Users Table

An SNMP remote user defines a user or a management system that receives notification of SNMPv3 traps and informs. Unlike a local SNMP user, a remote user is not associated with an access group and therefore has only a notify view, rather than a read or write view.

Create a new Remote User

To create a new remote user:

  1. Click the setup tab.

  2. From the Choose Setup Page list, select SNMP.

  3. Click the new button beside the Remote Users heading. The Add a New Remote User window opens.

  4. In the Remote User Name field, enter the name of the new remote user. Remote user names can have up to 32 characters; hyphens, underscores, spaces and periods are acceptable. Each SNMP remote user name must be unique.

  5. (Optional) An SNMP Engine ID identifies an SNMP engine that will receive trap and inform notifications. The default Engine ID for a remote SNMP user is LocalSnmpId, the SNMP agent's own SNMP Engine. If the SNMP Engine ID field is left blank, the remote user will use this default LocalSnmpId Engine ID.

    To specify a different remote SNMP engine with which this user can communicate, enter the 24-digit hexadecimal Engine ID of a remote SNMP engine in the SNMP Engine ID field.

  6. If the remote user requires authentication, click the Authentication drop-down list and specify either the MD5 or SHA authentication protocol. If the remote user does not require authentication, use the default value none.

  7. If you selected MD5 or SHA authentication in the previous step, enter an authentication password in the Authentication Password field and again in the Retype Authentication Password field.

  8. If the remote user requires privacy protection, click the Privacy drop-down list and specify any of the following privacy protection protocols. (If the remote user does not require privacy protection, use the default value none.)

    • des: CBC-DES Symmetric Encryption Protocol

    • 3des: 3DES-EDE Symmetric Encryption Protocol

    • aes128: 128-bit AES (Advanced Encryption Standard)

    • aes192: 192-bit AES

    • aes256: 256-bit AES

  9. If you selected a privacy protocol in the previous step, enter a privacy password in the Privacy Password field and again in the Retype Privacy Password field.

  10. Click OK to save your settings. The new remote user will appear in the Remote Users table on the SNMP setup screen.

Edit a Remote User

Change authentication and privacy settings, or update a remote user's engine ID. To edit a remote user:

  1. If you are not already on the SNMP setup page, click the setup tab, and select SNMP from the Choose Setup Page list.

  2. Click the edit button beside the Remote User table entry you want to edit. The Edit Remote User window opens.

  3. Update the remote user's authentication, privacy or engine id settings (described in Create a new Remote User).

  4. Click OK to save your settings. The updated remote user will appear in the Remote Users table on the SNMP setup screen.

Delete a Remote User

To delete a remote user from the Remote Users table:

  1. If you are not already on the SNMP setup page, click the setup tab, and select SNMP from the Choose Setup Page list.

  2. Click the delete button beside the remote user you want to remove. A popup window asks you to verify that the remote user should be deleted.

  3. Click OK.

Configure the Notify Targets Table

SNMP notify targets determine where SNMPv3 notifications should be sent. Note that you must define one or more remote users before you can create a target that uses the SNMPv3 protocol version and the usm security model.

Create a new Notify Target

To create a new notify target:

  1. Click the setup tab.

  2. From the Choose Setup Page list, select SNMP.

  3. Click the new button beside the Notify Targets heading. The Add a New Notify Target window opens.

  4. In the Target Name field, enter a name for the new target. A target name can have up to 32 characters; hyphens, underscores, and periods are acceptable. Each SNMP target name must be unique.

  5. In the Host field, enter the IP address of a remote IP host, in dotted-decimal format.

  6. Click the Protocol Version drop-down list and select either v1 (for SNMPv1), v2 (for SNMPv2c), or v3 (for SNMPv3) to specify which version of SNMP notifications the user will receive. If you selected the v3 option in the Protocol Version field, click the Security Model drop-down list and specify the security model for this notification by selecting v1 (for SNMPv1), v2 (for SNMPv2c), or usm (for SNMPv3).

  7. If you selected the v3 protocol version with the usm security model, you must also define a remote user for the target.

    • To associate an existing user with this target, select Existing Remote User Name and choose an existing remote user name from the drop-down list.

    • To create a new remote user for this target with a localSnmpId and no authentication or privacy protection, enter a name for the new remote user in the New Remote User Name field. This localSnmpId user must correspond to a user defined on the remote SNMP machine that will be receiving the traps and notifications.

  8. If your target uses a v1 or v2 SNMP protocol or a v1 or v2 security model, you can (optionally) enter a new community name in the Community Name field. If you don't specify a different community name, the notify target will use the default community name public.

  9. Click the Notify Type drop-down list and select trap or inform to specify whether the remote user should receive trap notifications or just informs. Note that targets configured to use the v1 protocol version only support trap notifications.

  10. Next, select a Notify View.

    • To allow the target to receive all types of MIB notifications, use the default Notify View setting isoAll.

    • To block the target's access to all data, click the Notify View drop-down list and select the predefined view isoNone.

    • To limit the remote user's access to a subset of available MIB notifications, click the Notify View drop-down list and select a previously defined view.

  11. In the Port field, enter the port number on the remote host to which the notifications will be sent. The default is port number 162.

  12. In the Timeout field, enter the maximum round trip time for communications between the PacketShaper and the SNMP target address, in seconds. Valid timeout values are 1-60, and the default value is 10.

  13. In the Retry field, enter the number of times the PacketShaper should attempt to retransmit a trap or inform message when it does not receive a response. Valid retry values are 1-10, and the default value is 3 retries.

  14. Click OK to save your settings. The new notify target will appear in the Notify Targets table on the SNMP setup screen.
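
A pre-entry check of a planned configuration against the rules stated in the Create a New User, Create a new Remote User and Create a new Notify Target procedures, as an added example (not Packeteer code). The dictionary layout, the check_plan name and the sample plan are constructed for illustration, and the allowed name characters are assumed to be alphanumerics plus the punctuation user names accept.

```python
import re

NAME_OK = re.compile(r"^[A-Za-z0-9._-]+$")   # assumption: alphanumerics plus - _ .
AUTH = {"md5", "sha"}
PRIV = {"des", "3des", "aes128", "aes192", "aes256"}

def check_plan(plan):
    """Return a list of problems in a planned simple-mode SNMPv3 configuration."""
    bad = []
    levels = {g["name"]: g["level"] for g in plan["groups"]}
    remote = {r["name"] for r in plan["remote_users"]}

    for table, rows in plan.items():
        if len(rows) > 32:                       # each table holds up to 32 entries
            bad.append(f"{table}: more than 32 entries")

    for u in plan["users"]:
        who = f"user {u['name']}"
        if len(u["name"]) > 31 or not NAME_OK.match(u["name"]):
            bad.append(f"{who}: invalid name")
        level = levels.get(u["group"])
        if level is None:                        # groups must exist before users
            bad.append(f"{who}: access group '{u['group']}' is not defined")
            continue
        # The group's security level dictates which protocols the user needs.
        if (level != "noAuthNoPriv") != (u["auth"] in AUTH):
            bad.append(f"{who}: authentication '{u['auth']}' does not fit {level}")
        if (level == "authPriv") != (u["priv"] in PRIV):
            bad.append(f"{who}: privacy '{u['priv']}' does not fit {level}")

    for r in plan["remote_users"]:
        eid = r.get("engine_id", "")             # blank means LocalSnmpId
        if eid and not re.fullmatch(r"[0-9A-Fa-f]{24}", eid):
            bad.append(f"remote user {r['name']}: engine ID is not 24 hex digits")

    for t in plan["targets"]:
        who = f"target {t['name']}"
        if t["version"] == "v1" and t["notify"] != "trap":
            bad.append(f"{who}: v1 targets only support trap")
        if (t["version"] == "v3" and t.get("model") == "usm"
                and t.get("remote_user") not in remote):
            bad.append(f"{who}: usm target needs a defined remote user")
        if not 1 <= t.get("timeout", 10) <= 60:
            bad.append(f"{who}: timeout outside 1-60 seconds")
        if not 1 <= t.get("retry", 3) <= 10:
            bad.append(f"{who}: retry outside 1-10")
    return bad

# Constructed plan with deliberate mistakes.
PLAN = {
    "groups": [{"name": "noc-ro", "level": "authPriv"}],
    "users": [
        {"name": "nms1", "group": "noc-ro", "auth": "sha", "priv": "aes128"},
        {"name": "nms2", "group": "noc-ro", "auth": "sha", "priv": "none"},
        {"name": "probe", "group": "ops", "auth": "none", "priv": "none"},
    ],
    "remote_users": [{"name": "trapsink", "engine_id": "0123456789abcdef"}],
    "targets": [
        {"name": "old-nms", "version": "v1", "notify": "inform", "retry": 12},
        {"name": "new-nms", "version": "v3", "model": "usm", "notify": "inform",
         "remote_user": "trapsink", "timeout": 10},
    ],
}

if __name__ == "__main__":
    for line in check_plan(PLAN):
        print(line)
```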

Edit a Notify Target

Change the parameters of a current notify target, including SNMP protocol and security model settings, remote user or community name. To edit a notify target:

  1. If you are not already on the SNMP setup page, click the setup tab, and select SNMP from the Choose Setup Page list.

  2. Click the edit button beside the Notify Targets table entry you want to edit. The Edit Notify Target window opens.

  3. Update the values in each field you want to modify (each field is described above in Create a new Notify Target).

  4. Click OK to save your settings. The updated notify target will appear in the Notify Targets table on the SNMP setup screen.

Delete a Notify Target

To delete a target from the Notify Targets table:

  1. If you are not already on the SNMP setup page, click the setup tab, and select SNMP from the Choose Setup Page list.

  2. Click the delete button beside the notify target you want to remove. A popup window asks you to verify that the target should be deleted.

  3. Click OK.

See also:

SNMP Overview

Configure PacketWise for SNMPv1/v2c Support

PacketGuide™ for PacketWise® 8.3