The SNMPv3 credential (SETTINGS menu > Library > Credentials [SNMP v3]) stores information needed for monitoring SNMPv3-enabled devices with WhatsUp Gold.

Appropriate credentials allow you to leverage SNMP-based Monitors (WhatsUp Gold Active Monitors like SNMP Extended, Performance Monitors, and so on) to manage and monitor target devices governed by the SNMPv3 View Based Access Controls.

Once you add an SNMPv3 credential to the Credentials Library, you can...

  • Add it to a list of credentials that WhatsUp Gold should try as part of a Discovery Scan.
  • Associate it directly to WhatsUp Gold managed devices in My Network from Device Properties.
  • Define it with VLAN pattern matching to query details from VLAN tables with no need for specific Context names or additional agents or protocols such as CDP/LLDP.

Getting Started

Before you monitor from WhatsUp Gold using SNMPv3, ensure the target device...

  • Is configured to use SNMPv3 (at the physical device). The device needs an SNMPv3 agent running and a default or custom SNMP engine ID.
  • Has an SNMPv3 user (at the physical device) defined with access to the appropriate SNMPv3 Groups and Views.
  • Has unique per-VLAN Contexts associated with any VLANs defined on the device for devices that support VLAN-specific Contexts. (More on this later in this topic.)
  • Is associated with the appropriate SNMPv3 credential within WhatsUp Gold. The Device Card will show this association when you select a device in My Network.
Tip: For devices that support reading the BRIDGE-MIB for each VLAN with a VLAN-specific Context, properly configuring those devices and WUG can make it less necessary to enable CDP/LLDP for getting enough information to compute device connectivity. For more information, see the VLAN Pattern control and examples included later in this topic.

Differences from SNMPv2

Unlike SNMPv2, SNMPv3 employs a View Based Access Control Model (VACM). This means that the WhatsUp Gold SNMPv3 monitor requires an authorized and privileged user at the managed device. This SNMPv3 user you specify in the SNMPv3 credentials dialog (User Name) represents a user that already has or needs privileges at the device for accessing specific MIB resources as needed for your site requirements.

It is optional but best practice to manage MIB objects using both user authentication (Authentication Protocol) and payload encryption (Encryption Protocol) enabled. This complement of features combines to provide the full capabilities of SNMPv3 by leveraging both the SNMPv3 authorization services and scoped resource access (in some form of a MIB objects view) at the target device.

Note: All access to VLAN-specific information contained within a device's MIB (that is, the BRIDGE-MIB, which contains forwarding information used in computing connectivity) requires SNMPv3 user or group access to a unique Context configured for each VLAN. SNMPv3 Contexts provide access to collections of objects and they are required for polling VLAN information on a target device. (In contrast, SNMPv1/2 used community-name indexing, which is not available with SNMPv3, to access VLAN-specific information.)
Tip: For monitoring only, it is best practice to leverage an SNMPv3 user in the WhatsUp Gold credential that possesses Read and Notify permissions on the target MIB objects. For maintaining VLAN tables, Write permissions will need to be preconfigured for each VLAN-specific Context, and your user will need access to this Context.

SNMPv3 Credential Configuration Dialog

Configure the following fields to create an SNMPv3 credential:

  • Name. Enter a unique name for the credential. This name displays in the Credentials Library.
  • Description. (Optional) Enter additional information about the credential. This information displays next to the credential in the Credentials Library.
  • Username. Enter the username with access privileges known to the SNMP agent running on the target device. This username is included in every SNMP packet in the authentication header. An SNMP device, upon reception of a packet, uses this username to look for configured authentication and encryption parameters and applies them to the received message.
  • Context. (Optional) If you want this feature, and you know an SNMPv3 Context name defined on the target device, enter the appropriate SNMPv3 Context name here. The value you enter here represents the primary Context. Contexts can be defined on devices to restrict access to a collection of MIB objects. A blank value ("") (also referred to as the default context) indicates that any MIB not defined by an explicit (named) Context definition can be accessed.
    Note: If you are using Contexts for accessing VLAN-specific tables (that is, BRIDGE-MIB), specify one or more VLAN Pattern entries.
  • VLAN Pattern. (Used for matching one or more active BRIDGE-MIB Context views.)

    This control enables you to specify Contexts for accessing VLAN-specific tables. When determining what Context to use for a specific VLAN, WhatsUp Gold tries each pattern in order to find the first one that allows access to the VLAN-specific information for the matched VLAN. See VLAN Pattern Matching Syntax and Examples below.

    Important: Either the default Context ("") or the primary context (if specified) must include access to the VLAN table so that WhatsUp Gold can know which VLANs to query when it tries to validate the effectiveness of this credential (such as successfully reading content from the routing tables).
  • Authentication. If required, select the authentication protocol for this SNMP credential.
    • Protocol. Select the algorithm method for authenticating SNMPv3 packets. MD5 creates a 128-bit digital signature, SHA-1 creates a 160-bit digital signature, and SHA-256 creates a 256-bit digital signature.
    • Password. Enter the authentication password.
    • Confirm password. Re-enter the authentication password a second time for confirmation.
  • Encryption. If supported, and an authentication protocol was selected for the SNMPv3 device, select the encryption protocol for the SNMP credential.
    • Protocol. Select the algorithm method for encrypting SNMPv3 packets. DES56 uses a 56-bit encryption scheme, AES-128 uses a 128-bit encryption scheme, AES-192 uses a 192-bit encryption scheme, and AES-256 uses a 256-bit encryption scheme. Triple DES encryption may also be selected.
    • Password. Enter the encryption passphrase used for the key.
    • Confirm password. Re-enter the authentication password a second time for confirmation.
Note: SNMPv3 passwords are limited to 64 characters.

VLAN Pattern Matching Syntax and Examples

You can use one or more of the following methods to match an active VLAN Context:

Pattern prefix and substitution. Useful if you know the Context name (but not the VLAN name/index):

Example 1: MyVLanContext-{index}

—Where {index} is substituted (iteratively) with a VLAN index read from a list of VLANs known by the device.

Example 2: VLANContext-{name}

—Where {name} is substituted (iteratively) with a VLAN name read from a list of VLANs known by the device.

Literal VLAN name/index and Context pair (no substitution). Useful if you have explicit values you want to try for both the context and the VLAN name.

Syntax: <name>:<context>

Example 3: VLAN0065:bridge1

—Where VLAN0065 is a VLAN known to the device and bridge1 is a possible context defined for gating access to VLAN0065 MIB values.

Syntax: <number>:<context>

Example 4: 65:bridge1

—Where 65 is the VLAN number of a VLAN known to the device and bridge1 is a possible context defined for gating access to MIB values specific to that VLAN.

(Contexts are required for reading contents of BRIDGE-MIB objects associated with your device's VLAN tables.)

Tip: Contexts can be associated with MIBs other than VLAN/BRIDGE-MIB objects, but when associated with BRIDGE-MIB they have a one-to-one relationship.

VLAN Pattern Matching Best Practices

When using pattern matching or substitution for VLAN patterns, here are some important things to consider:

  • Use an easy to remember prefix for Context names. For example, vlan-10 (where 10 is the VLAN index).
  • If your VLAN Contexts do not have easy patterns, you can specify a specific (more literal) pattern to get an exact match.
  • You can check your VLAN Context names at the device (for example, #show snmp context on supported Cisco switches).
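
The pattern forms and first-match ordering described in this topic, worked through as an added example (this is not WhatsUp Gold code; the parsing rules are an interpretation of the syntax shown on this page). The function names, the `can_read` probe, and the sample VLANs, contexts and patterns are all assumptions constructed for illustration.

```python
# Added example: expand VLAN Pattern entries into candidate SNMPv3 Context names
# and pick the first readable one per VLAN. Not WhatsUp Gold's implementation.

def candidates(patterns, vlan_index, vlan_name):
    """Return the Context names to try for one VLAN, in pattern order."""
    out = []
    for pat in patterns:
        pat = pat.strip()
        if "{index}" in pat or "{name}" in pat:
            # Substitution form, e.g. MyVLanContext-{index} or VLANContext-{name}
            ctx = pat.replace("{index}", str(vlan_index)).replace("{name}", vlan_name)
        elif ":" in pat:
            # Literal pair: <name>:<context> or <number>:<context>
            key, ctx = (part.strip() for part in pat.split(":", 1))
            if key not in (vlan_name, str(vlan_index)):
                continue  # this pair targets a different VLAN
        else:
            continue  # not one of the documented forms
        if ctx and ctx not in out:
            out.append(ctx)
    return out


def resolve_contexts(patterns, vlans, can_read):
    """Map each VLAN index to the first candidate Context that can_read() accepts.

    vlans: (index, name) pairs as read from the device's VLAN table.
    can_read(context): hypothetical probe standing in for an SNMPv3 read of
    BRIDGE-MIB with that Context; returns True when the read succeeds.
    """
    result = {}
    for index, name in vlans:
        tried = candidates(patterns, index, name)
        result[index] = next((c for c in tried if can_read(c)), None)
    return result


# Constructed sample data: VLANs known to a device and Contexts configured on it.
VLANS = [(1, "default"), (10, "VLAN0010"), (65, "VLAN0065"), (99, "mgmt")]
DEVICE_CONTEXTS = {"vlan-1", "vlan-10", "bridge1"}
PATTERNS = ["65:bridge1", "vlan-{index}", "VLANContext-{name}"]


def demo():
    return resolve_contexts(PATTERNS, VLANS, lambda ctx: ctx in DEVICE_CONTEXTS)


if __name__ == "__main__":
    for vlan, ctx in demo().items():
        print(vlan, ctx or "no readable Context")
```

A VLAN that resolves to no Context (VLAN 99 in the sample data) is one whose BRIDGE-MIB forwarding data cannot be polled with this credential, so it is worth checking the device's Context list against the patterns.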