Adding SNMPv3 config steps for MetroCluster IP switches

[viktorpenev]

Page URL

https://docs.netapp.com/us-en/ontap-metrocluster/maintain/task_replace_an_ip_switch.html

Page title

Replace an IP switch or change the use of existing MetroCluster IP switches

Summary

Hi all,

This might not be the right page, but we might need to add additional steps on configuring SNMPv3 with MetroCluster IP switches.
I've found a burt, which has steps listed for different devices, but they still might have to be verified:

https://burtview.netapp.com/burts/1358228#Unit_Test_Plan_aclose_FriFeb1111:21:57EST2022

Setup the SNMPv3 user on the switch: (Items in parentheses are optional)

• Cisco:
  • configure terminal
  • snmp-server user [USER] ( auth [md5/sha/sha-256] [AUTH-PASSWORD] ( priv (aes-128) [PRIV-PASSWORD] ) )
  • show snmp user
• Broadcom:
  • enable
  • configure terminal
  • snmp-server user [USER] network-admin [auth-md5/auth-sha/noauth] "(AUTH-PASSWORD)" ( [priv-aes128/priv-des] "[PRIV-PASSWORD]" ) You must use single or double quotes around the authentication and privacy protocol passwords. You must use both authentication and privacy protocols together. Using authentication without privacy is not supported at this time.
  • show snmp user
• Nvidia:
  • net add snmp-server username [USER] [auth-md5/auth-sha/auth-none] (AUTH-PASSWORD) ( [encrypt-aes/encrypt-des] [PRIV-PASSWORD] )
  • net pending
  • net commit
    2. Setup the SNMPv3 user on ONTAP:
• security login create -user-or-group-name [USER] -application snmp -authentication-method usm -remote-switch-ipaddress [IP]
  3. Configure SHM to monitor with the new SNMPv3 user:
• system switch ethernet modify -device [DEVICE] -snmp-version SNMPv3 -community-or-username [USER]
  4. Wait the SHM polling period to verify that the serial number to be queried with the newly created SNMPv3 user is the same as above
• system switch ethernet polling-interval show
• "AFTER SHM POLLING PERIOD"
• system switch ethernet show-all -instance -device [DEVICE]

Public issues must not contain sensitive information

• [X] This issue contains no sensitive information.

[netapp-aoife]

Hi @viktorpenev Thanks very much for raising this and for providing the inputs. I'll verify this and will let you know when the documentation has been updated.

[viktorpenev]

Quick update, there's this KB https://kb.netapp.com/onprem/Switches/Broadcom/How_to_setup_SNMPv3_monitoring_on_a_BES-53248_cluster_switch (but the burt in it is fixed) - steps might be easier to read here.

In the KB the snmp-group used already exist on the switch, but if it doesn't it has to be created separately. Something along the lines of:

1. Setup the SNMPv3 user on the switch:

snmp-server user [USER] network-admin [auth-md5/auth-sha/noauth] "(AUTH-PASSWORD)" ( [priv-aes128/priv-des] "[PRIV-PASSWORD]" )

e.g. snmp-server user admin1 network-admin auth-md5 "netapp123" priv-des "netapp123"

2. If the 'network-admin' user group doesn't exist, create it:

snmp-server group network-admin v3 auth read "Default"

show snmp group

3. Setup the SNMPv3 user on ONTAP:

   > security login create -user-or-group-name [USER] -application snmp -authentication-method usm -remote-switch-ipaddress [IP]

4. Configure SHM to monitor with the new SNMPv3 user:

   > system switch ethernet modify -device [DEVICE] -snmp-version SNMPv3 -community-or-username [USER]

But this is just for BES switches. I could probably test with Cisco as well if needed, but I don't have access to any systems with SN2100.

Thanks!

[netapp-aoife]

Hi @viktorpenev thanks for raising this issue. This has now been addressed in the documentation here: https://docs.netapp.com/us-en/ontap-metrocluster/install-ip/task_config_switch_health.html