Testing SNMP in Nutanix

I've been spending a lot of time recently working with SNMP on Nutanix and wanted to collect an overview of the pages and how to test your configuration.

Nutanix SNMP Config

First we click on the gear -> SNMP


Here we have 3 tabs - Transport, Users, and Traps.

Transport

This is basically a whitelist.  The ports and protocols that you specify here are the ports that we will listen on.  The default SNMP configuration would be UDP port 161.



Before we can test SNMP we need to specify a user.

Users

Here is where we specify who is allowed to connect to us over SNMP.


Clicking on "new user" you are given a few options:


All three of these fields are completely user defined.  Just make sure to remember what you set the keys to!

AES/SHA is the preferred method as it is more secure.  Prior to 4.1.1 you can also use DES and MD5, but they are not as strong.

Now that we have a user and a transport created we can test the config with snmpwalk.

SNMPWalk

SNMPwalk is a powerful tool which will walk through all the available MIBs on a specified host.  We will be using it to test if SNMP is configured correctly.  You can run this from any CVM:

snmpwalk -v3 -l authpriv -u [username] -a [MD5/SHA] -A [Auth Key] -x [DES/AES] -X [Priv Key] [IP to run it against]

Or to use the information from our above example:

snmpwalk -v3 -l authpriv -u rtpChris -a SHA -A 12341234 -x AES -X 12341234 localhost

If everything is configured correctly you'll start getting a huge stream of output.  If not, it'll fail to connect.  Verify that your password and transport are configured correctly and read the error messages :)

Traps

Finally we have the traps page.  Here we can specify where to send traps.




Here I put my SolarWinds server and chose an engine ID (it must start with 0x and be at least 12 characters long).  To verify that it's working you can trigger a trap by restarting a CVM.  On my machine (10.63.1.30) I started up Wireshark so I could see if the traps were coming in.  I set the capture filter "udp port 162" so that I would only capture the traps:
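To make the snmpwalk check above and the trap capture repeatable (for example from a monitoring job), here is a small script I've added to this post; it is not Nutanix code. It assumes Net-SNMP's snmpwalk and Wireshark's tshark are installed where it runs, and the host, user and keys are placeholders to replace with your own.

```sh
#!/bin/sh
# Added example (not from the Nutanix product): wraps the snmpwalk test so the
# failure modes can be told apart, checks an engine ID against the rule above,
# and captures traps with the same "udp port 162" filter used in Wireshark.

# Classify what snmpwalk printed. Net-SNMP reports these conditions with fixed
# strings, so "wrong key" can be separated from "nothing listening on the transport".
classify_snmpwalk_output() {
  case "$1" in
    *"Unknown user name"*)          echo "no-such-user" ;;   # user not on the Users tab
    *"Authentication failure"*)     echo "bad-auth-key" ;;   # auth protocol/key mismatch
    *"Unsupported security level"*) echo "security-level" ;; # user not set up for authPriv
    *"Timeout: No Response"*)       echo "timeout" ;;        # transport, priv key or firewall
    *" = "*)                        echo "ok" ;;             # "OID = TYPE: value" lines
    *)                              echo "unknown" ;;
  esac
}

# Run the authPriv walk from this post; only the first lines are needed to decide.
# $1 host, $2 user, $3 auth proto (MD5/SHA), $4 auth key, $5 priv proto (DES/AES), $6 priv key
run_snmpv3_check() {
  out=$(snmpwalk -v3 -l authpriv -u "$2" -a "$3" -A "$4" -x "$5" -X "$6" "$1" 2>&1 | head -n 5)
  classify_snmpwalk_output "$out"
}

# Engine ID rule stated above: starts with 0x and is at least 12 characters long.
# The hex-digit check after the 0x prefix is this example's own addition.
valid_engine_id() {
  case "$1" in
    0x*) rest=${1#0x} ;;
    *)   return 1 ;;
  esac
  [ ${#1} -ge 12 ] || return 1
  case "$rest" in
    *[!0-9A-Fa-f]*) return 1 ;;
  esac
  return 0
}

# Capture incoming traps with Wireshark's CLI; stop after $2 packets or $3 seconds
# so the check finishes even if no trap ever arrives (e.g. wrong trap target).
capture_traps() {
  tshark -i "$1" -f "udp port 162" -c "${2:-5}" -a duration:"${3:-120}"
}

if [ "${1:-}" = "--run" ]; then
  # Placeholder values from the post; replace with your own user, keys and CVM address.
  valid_engine_id "0x0102030405" && echo "engine ID format ok"
  echo "snmpwalk result: $(run_snmpv3_check localhost rtpChris SHA 12341234 AES 12341234)"
fi
```

Run it with `--run` on a CVM, or source it and call `capture_traps eth0` on the trap receiver while you restart a CVM.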



Now it would be nice if we could decrypt these packets.  Luckily we can do that with Wireshark!


Simply fill this out with the username/password/key (leaving engine ID blank) and you'll be able to see the decoded info.