# Vendor Tips
- Aruba Model 6000
- Neighbor Relations on Juniper EX
- Neighbor Relations on D-Link
- CDP advertised IP on Cisco
- snmpbulkwalk and d-link
- VRFs and Cisco with SNMP
- VRFs and NXOS
- cisco 2960 and 3750 series giving incomplete results
- Report Cisco as Single Device Instead of Stacked (37xx/29xx/etc)
- Truncated (short) interface descriptions
- SNMP Support on Huawei Quidway and CloudEngine
- SNMP Support on Linksys and Cisco Linksys
- SNMPv3 Support on Cisco IOS
- SNMPv3 on Cisco with non-standard priv algorithms
- Linux SNMP Service (Agent)
- Configuring sysObjectID and layers on Teltonika
## Aruba Model 6000

Netdisco reports an SNMP failed error unless the following config is present on the device:

```
snmp-server vrf default
```
## Neighbor Relations on Juniper EX

The LLDP configuration should look like:

```
lldp {
    management-address 10.0.0.1;
    port-id-subtype interface-name;
    interface all;
}
```
## Neighbor Relations on D-Link

Add the following to your devices (changing the port numbers appropriately):

```
config lldp ports 1-28 mgt_addr ipv4 enable
```

or

```
config lldp ports 1-28 mgt_addr ipv4 1.2.3.4 enable
```

Which you use will depend on the device OS version.
## CDP advertised IP on Cisco

To set the management IP advertised over CDP, use this command:

```
cdp mgmt-address ipv4 1.2.3.4
```
## snmpbulkwalk and D-Link

We have received reports that newer D-Link devices (DGS 1100 series) don't reply when using SNMP bulkwalk. See `bulkwalk_off` and `bulkwalk_no` for mitigation options.
## VRFs and Cisco with SNMP

When you want to perform an arpnip with multiple VRFs on a Cisco device, you need to create an SNMP context for each VRF with the same name as the VRF:

```
snmp-server context vpc-keepalive vrf vpc-keepalive
```

After that, the IP addresses and ARP entries for VLANs inside this VRF will be discovered automatically.

Note that Netdisco at this time does not support VRFs. In particular, overlapping IP address spaces will not be shown in the interface.
## VRFs and NXOS

If you're running Cisco NXOS and do not have overlapping IP address space, then you can use the NXOS SSHCollector profile for that platform.

Note that Netdisco at this time does not support VRFs. In particular, overlapping IP address spaces will not be shown in the interface.
## Cisco 2960 and 3750 series giving incomplete results

Stacked Cisco switches (3750, 2960, etc.) sometimes give incomplete or incorrect results. This could be due to SNMP polling timeouts: while single switches tend to reply in less than a second to most requests, stacks can take their time to get a reply back. Polling power values seems to be the best way to reproduce this.

To check if you are affected by this issue you can use the following command. It relies on the bash builtin `time`; if you are using another shell the output might differ. You can use GNU time instead, but to override your shell's builtin you will need to specify the full path, most likely `/usr/bin/time`, and GNU time needs to be invoked with the `-p` option to produce output similar to this example.

```
time snmpbulkwalk -t 20 -v 2c -c your_snmp_community ip_or_hostname_of_switch .1.3.6.1.2.1.105.1.3.1
```

The relevant output is the real time. In this example:

```
real 0m6.597s
```

polling the power status of the entire stack took 6.6 seconds, while the standard timeout is lower (see [snmptimeout](https://github.com/netdisco/netdisco/wiki/Configuration#snmptimeout)).

To solve this, either increase `snmptimeout` to a value larger than the real time of the snmpbulkwalk, and/or disable snmpbulkwalk with [bulkwalk_off](https://github.com/netdisco/netdisco/wiki/Configuration#bulkwalk_off) (disable bulkwalk globally) or [bulkwalk_no](https://github.com/netdisco/netdisco/wiki/Configuration#bulkwalk_no) (disable bulkwalk per device/group).

Attention: run the snmpbulkwalk several times, since the runtime can change substantially each run. The switch used in this example had runtimes ranging from 3 seconds to 8 seconds.
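To take the guesswork out of the repeated runs, here is an added helper script (example code, not part of the Netdisco wiki). It times a command several times, keeps the slowest wall-clock time, and converts it to an `snmptimeout` value with headroom; it assumes GNU `date` (for `%N`) and `awk`, and that `snmpbulkwalk` from net-snmp is installed for the live run. The `snmptimeout` unit (microseconds, default 1000000) is taken from the Netdisco Configuration page linked above; the 1.5 headroom factor is an assumption you can override.

```shell
#!/bin/sh
# Added example (not from the Netdisco wiki): time a stack poll several times
# and derive an snmptimeout value with headroom. The measuring functions only
# need GNU date(1) and awk; the live run at the bottom needs snmpbulkwalk.

# max_real_seconds RUNS CMD...: run CMD RUNS times and print the slowest
# wall-clock time in seconds (3 decimals). %N needs GNU date.
max_real_seconds() {
    runs=$1; shift
    max=0; i=1
    while [ "$i" -le "$runs" ]; do
        start=$(date +%s%N)
        "$@" >/dev/null 2>&1
        end=$(date +%s%N)
        # keep the larger of the previous maximum and this run
        max=$(awk -v s="$start" -v e="$end" -v m="$max" \
            'BEGIN { t = (e - s) / 1e9; printf "%.3f", (t > m) ? t : m }')
        i=$((i + 1))
    done
    printf '%s\n' "$max"
}

# suggest_snmptimeout SECONDS [FACTOR]: Netdisco's snmptimeout is in
# microseconds (default 1000000 = 1 s); scale the slowest run by FACTOR
# (assumed default 1.5) so a normal spread of runtimes still fits.
suggest_snmptimeout() {
    awk -v m="$1" -v f="${2:-1.5}" 'BEGIN { printf "%.0f\n", m * f * 1000000 }'
}

# Live usage: ./stacktime.sh COMMUNITY SWITCH [RUNS]
# Walks the same power-status table as the wiki's manual check, RUNS times.
if [ "$#" -ge 2 ]; then
    runs=${3:-5}
    slowest=$(max_real_seconds "$runs" snmpbulkwalk -t 20 -v 2c -c "$1" "$2" \
        .1.3.6.1.2.1.105.1.3.1)
    echo "slowest of $runs power-table walks: ${slowest}s"
    echo "suggested snmptimeout: $(suggest_snmptimeout "$slowest")"
fi
```

Put the suggested number into `snmptimeout` in your deployment.yml, or, if the slowest run is far above the rest, consider `bulkwalk_no` for that stack instead of raising the global timeout for every device.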
## Report Cisco as Single Device Instead of Stacked (37xx/29xx/etc)

Add this to your device config:

```
no snmp-server sysobjectid type stack-oid
```
## Truncated (short) interface descriptions

On some platforms the default size returned by the ifAlias OID is 64 characters. If you run this command on the device(s) you are monitoring, the ifAlias OID will be able to return up to 256 characters:

```
snmp ifmib ifalias long
```
## SNMP Support on Huawei Quidway and CloudEngine

```
snmp-agent mib-view included all iso
snmp-agent community read cipher mycommunity mib-view all
snmp-agent packet max-size 17940
snmp-agent extend error-code enable
```

Where `mycommunity` is your community string. Note `iso` means everything is visible to readers!
## SNMP Support on Linksys and Cisco Linksys

```
snmp-server view test iso included
snmp-server view test system included
snmp-server view test interfaces included
snmp-server view test ip included
snmp-server view test icmp included
snmp-server view test tcp included
snmp-server view test udp included
snmp-server view test transmission included
snmp-server view test snmp included
snmp-server view test rmon included
snmp-server view test dot1dBridge included
snmp-server view test ifMIB included
snmp-server view test dns included
snmp-server view test radiusMIB included
snmp-server view test traceRouteMIB included
snmp-server view test powerEthernetMIB included
snmp-server community mycommunity ro view test
```

Where `mycommunity` is your community string. Note this results in everything being visible to readers!
## SNMPv3 Support on Cisco IOS

To access per-VLAN MAC address tables we use SNMPv3 contexts. In Cisco IOS the access control is per-context, so for each context (VLAN) you need to permit access from the poller.

You should already have something like the following to enable SNMPv3 from Netdisco at 192.0.2.1:

```
snmp-server view myv3view iso included
snmp-server group myv3group v3 priv read myv3view
snmp-server user myv3user myv3group v3 auth sha PASSWORD priv aes PASSWORD
snmp-server host 192.0.2.1 version 3 auth myv3user
```

Older switches might require `md5` for auth; for priv they might need `des` or `3des`.

Then set the authorization:

```
snmp-server group myv3group v3 auth
snmp-server group myv3group v3 auth context vlan- match prefix
```

If the second command above is rejected, you have an older version of IOS and must enter a statement for each active VLAN on the device:

```
snmp-server group myv3group v3 priv context vlan-1
snmp-server group myv3group v3 priv context vlan-2
snmp-server group myv3group v3 priv context vlan-3
... etc
```
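On a device with many VLANs the per-VLAN list above is tedious to type by hand and easy to get wrong, so here is an added helper (example code, not from the Netdisco wiki) that generates the statements from the output of `show vlan brief`. It assumes the usual IOS column layout, VLAN names without whitespace, and that only VLANs whose status column reads `active` should get a context (the reserved 1002-1005 VLANs show `act/unsup` and are skipped). The sample output it parses is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Netdisco wiki): build the per-VLAN context
# statements that older IOS needs, from "show vlan brief" output.
# Assumptions: VLAN names contain no whitespace, so the status is field 3;
# only rows whose status is exactly "active" get a context. Continuation
# lines (extra ports, indented) start with a port name, not a number, and
# are ignored by the numeric test on the first field.

# vlan_contexts GROUP < show-vlan-brief-output
vlan_contexts() {
    awk -v group="$1" '
        $1 ~ /^[0-9]+$/ && $3 == "active" {
            printf "snmp-server group %s v3 priv context vlan-%s\n", group, $1
        }'
}

# Constructed sample, in the layout IOS prints for "show vlan brief".
SAMPLE_SHOW_VLAN='VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2
10   servers                          active    Gi1/0/3, Gi1/0/4
20   guests                           suspended
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup'

# sample_contexts [GROUP]: contexts for the constructed sample
# (group name defaults to the myv3group used on the page).
sample_contexts() {
    printf '%s\n' "$SAMPLE_SHOW_VLAN" | vlan_contexts "${1:-myv3group}"
}

# Demo: prints lines for VLAN 1 and VLAN 10 only.
sample_contexts
```

For a live device, paste the captured `show vlan brief` into a file and run `vlan_contexts myv3group < vlans.txt`; review the output before applying it, since anything granted a context is readable by the SNMPv3 user.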
## SNMPv3 on Cisco with non-standard priv algorithms

Several of Cisco's operating systems support additional encryption methods, sometimes depending on the hashing algorithm used. If you have issues with your Cisco device with a combination of "SHA" and "AES256"/"AES192", you should try changing this to "AES256C" or "AES192C" in your `device_auth` (your net-snmp will need to be at least version 5.9.1 and compiled with the option `--enable-blumenthal-aes`).
see:
## Linux SNMP Service (Agent)

Install the `snmpd` (SNMP agent) and `lldpd` (neighbor discovery) packages.

Edit the `/etc/snmp/snmpd.conf` file:

```
# AGENT BEHAVIOUR
# comment out:
#agentAddress udp:127.0.0.1:161
agentAddress udp:161,udp6:[::1]:161

# ACCESS CONTROL
rocommunity <your-secret> <management-device-IP/net>

# SYSTEM INFORMATION
sysServices 76
# (default is 72, 74 is layer2 bridge/switch, 76 for layer3 router/gateway)
```

If running a firewall, allow SNMP traffic in on UDP port 161.

Edit the `/etc/default/lldpd` file:

```
DAEMON_ARGS="-k -x -l -m <Mgmt-IP>"  # <Mgmt-IP> is the IP to advertise for Netdisco to connect
```

Restart the `snmpd` and `lldpd` services when you have configured them.

This assumes you're using LLDP on your network. If you use CDP then the `lldpd` daemon can support that protocol; see the manual page for details.
## Configuring sysObjectID and layers on Teltonika

Teltonika has its own enterprise ID, but the net-snmp agent that it runs may not be configured to use it. It's still possible to configure, though; with this configuration, Netdisco will use the correct class for Teltonika routers (i.e. SNMP::Info::Layer3::Teltonika) and will use a vendor specific object to determine the exact model.

```
uci set snmpd.@system[0].sysServices=78
uci set snmpd.@system[0].sysObjectID=.1.3.6.1.4.1.48690
uci commit
ubus call uci commit '{"config":"snmpd"}'
```

Note that the sysServices → layers setting may not work on all firmware versions due to a small bug, which may also be present in upstream OpenWRT (Teltonika RutOS is OpenWRT based).
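The numbers 72, 74, 76 and 78 used in the Linux snmpd section and in the Teltonika `uci` commands above are the RFC 1213 sysServices bitmask: bit L-1 is set for each OSI layer L the device provides, which is what Netdisco reads to decide whether a device is a switch (layer 2) and/or a router (layer 3). The following added script (example code, not from the Netdisco wiki or net-snmp) encodes a layer list into that value and decodes a value back into layers, so you can check what a given setting claims before committing it.

```shell
#!/bin/sh
# Added example (not from the Netdisco wiki): encode and decode the RFC 1213
# sysServices value. Bit (L-1) is set for each OSI layer L served, so
# layer 1 -> 1, layer 2 -> 2, layer 3 -> 4, layer 4 -> 8, layer 7 -> 64.

# sys_services_value LAYER...: the integer to put in snmpd.conf or uci.
sys_services_value() {
    total=0
    for layer in "$@"; do
        total=$(( total | (1 << (layer - 1)) ))
    done
    printf '%s\n' "$total"
}

# sys_services_layers VALUE: comma-separated list of layers encoded in VALUE.
sys_services_layers() {
    value=$1; out=""
    layer=1
    while [ "$layer" -le 7 ]; do
        if [ $(( (value >> (layer - 1)) & 1 )) -eq 1 ]; then
            out="$out${out:+,}$layer"
        fi
        layer=$((layer + 1))
    done
    printf '%s\n' "$out"
}

# Decode the values mentioned on this page:
#   72 -> 4,7 (plain host)   74 -> 2,4,7 (switch)
#   76 -> 3,4,7 (router)     78 -> 2,3,4,7 (switch + router, the Teltonika value)
for v in 72 74 76 78; do
    echo "sysServices $v -> layers $(sys_services_layers "$v")"
done
```

A Linux box acting as both a bridge and a router would therefore use `sysServices 78`, matching the Teltonika setting above, while the snmpd example's `76` advertises routing only.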