Discovering SNMP devices
This topic provides information and instructions for discovering SNMP devices:
Configuring SNMP credentials
The discovery system will attempt SNMP queries if remote login attempts have not been successful. However, discovery will attempt SNMP queries, but will only use it if the SNMP port (UDP 161) is open on the target host.
You generally do not need to set the SNMP parameters unless you use a read community other than Public. Different SNMP parameters can be set for different host systems.
Discovery using SNMP is supported for hosts (see the Discovery Platforms page for a complete list) if only an SNMP credential is available for the host's IP address. However, SNMP only provides basic host information, running processes, network connections and installed packages. It does not support interrogating files, HBAs or running OS commands. If a host is discovered using SNMP, Reasoning always checks to see whether a login credential is available for that host as discovered data is richer when a login is achieved. If a login credential is found and used successfully, the host node created using SNMP discovery is updated. In rare cases, duplicate nodes could be created when the host is subsequently discovered using a login credential (for example, this can happen when the IP configuration changes).
Viewing SNMP credentials
To view SNMP credentials:
- From the secondary navigation bar on the Discovery tab, click Credentials.
- Click Devices.
The SNMP credentials page is displayed and the following information is shown for each credential:
This is the first part of the heading link for the credential and displays the range of IP addresses on which this credential is intended to be used. If you click this heading link, the Edit SNMP Credential page is displayed. For more information about this page, see #Setting up SNMP credentials.
A link is also provided showing the last successful use of the credential. This links to the Discovery Access for that use.
A free text description of the SNMP credential supplied by the user who created the credential.
A summary of the success rate when the credential has been used, information on failures, and links to DiscoveryAccesses, credential lists and other useful diagnostic pages.
Additional options used with this SNMP credential (for example, SNMP version). For more information, see the field name-details table for #Setting up SNMP credentials.
A drop-down menu with the following options:
- Edit — Select this to edit the credential. The Edit SNMP Credential page is displayed. See #Setting up SNMP credentials for information on the fields and settings available from this page.
- Disable — To disable a credential, select Disable. The credential is a marked as disabled in the credential list. When a credential is disabled, this option is replaced with an Enable option. To enable the credential, click Enable.
- Delete — Select this to delete the credential.
- Test — Select this to test the credential. See #Setting up SNMP credentials and #Testing SNMP credentials for more information.
- Move to top — moves the credential to the top of the list.
- Move to bottom — moves the credential to the bottom of the list.
The SNMP credentials are checked in sequence, and the first matching entry is used. After a working SNMP credential is found, further credentials are not checked. To reorder SNMP credentials, drag the credential to the required position in the list.
The SNMP credentials are shown in color-coded boxes. The colors represent the level of login success achieved with that credential:
- Green: 100% success rate.
- Yellow: partial success.
- Blue: the credential has never been used.
- Red: 0% success rate.
Adding or editing SNMP credentials
To add/edit SNMP credentials:
- From the SNMP credentials page, perform one of the following actions:
- To add a new credential, click Add.
- To edit an existing SNMP credential, click Actions => Edit.
Enter the SNMP credential details as follows:
Select "Match All" to match all endpoints. Deselect it to enter values that will be used to determine if this credential is suitable for a particular endpoint. They can be one or more of the following, separated by commas:
• IPv4 address: for example
• IPv4 range: for example
• IPv6 address: for example
• IPv6 network prefix: for example
The following address types cannot be specified
• IPv6 link local addresses (prefix
• IPv6 multicast addresses (prefix
• IPv4 multicast addresses (
As you enter text, the UI divides it into pills, discrete editable units, when you enter a space or a comma. According to the text entered, the pill is formatted to represent one of the previous types or presented as invalid.Click here for more information on using the pill UI.
Invalid pills are labeled with a question mark. You can also paste a list of IP addresses or ranges into this field. If any pills are invalid, a message stating the number of invalid pills is displayed above the range field. Clicking the link applies a filter which shows only invalid pills which you can then edit or delete. The filter can be removed by clicking clear in the Showing n of n label below the Range field. There is no paste option on the context sensitive (right click) menu.
Warning: You cannot paste a comma-separated list of IP address information into the Range field in Firefox. This can crash the browser. You can use a space separated list without any problems.
• To edit a pill, click the pill body and edit the text.
• To delete a pill, click the X icon to the right of the pill, or click to edit and delete all of the text.
• To view the unformatted source text, click the source toggle switch. The source view is useful for copying to a text editor or spreadsheet. Click the source toggle switch again to see the formatted pill view.
Underneath the entry field is a filter box. Enter text in the filter box to only show matching pills.
Pills are not currently supported in Opera.
A check box to define whether or not the credential is enabled.
The SNMP version to use. From the SNMP version list, select one of the following: 1, 2c, or 3. The default is Version 2c.
If you are setting up credentials for discovering Netware, you must select Version 1 from the SNMP version list.
Community used for SNMP read access to the defined host(s). For SNMP V1 and V2c credentials only.
For SNMP V3 credentials only.
For SNMP V3 credentials only. Shows the security level selected using the authentication and privacy protocols.
- noAuthNoPriv: no authentication and no privacy.
- authNoPriv: authentication, no privacy.
- authPriv: authentication and privacy.
There is no setting for privacy without authentication.
The protocol used to encrypt the authentication with the client. For SNMP V3 credentials only. Select one of the following from the drop down list:
- None: no encryption used. Operates in the same way as v1 and v2.
- MD5: an authentication passphrase is entered and MD5 hashed. The MD5 hashed passphrase is used to access the target system.
- SHA: an authentication passphrase is entered and SHA hashed. The SHA hashed passphrase is used to access the target system.
The key (passphrase) which will be used to encrypt the credentials. For SNMP V3 credentials only, and only if you have chosen an authentication protocol. Must be at least 8 characters.
The protocol used to encrypt data retrieved from the target. Encrypting the data retrieved from a discovery target causes performance degradation over no encryption. This is for SNMP V3 credentials only, and only if you have chosen an authentication protocol. That is, you cannot have privacy without authentication. Select one of the following from the drop down list:
- None: no data encryption is used. Operates in the same way as v1 and v2.
- DES: uses a privacy key to encrypt data using the DES algorithm.
- AES CFB128: uses a privacy key to encrypt data using the AES algorithm.
The key (passphrase) which will be used to encrypt the data. For SNMP V3 credentials only, and only if you have chosen a privacy protocol. Must be at least 8 characters.
A free-text description of this SNMP credential.
The number of attempts made if no response is received. The default is five.
The time (in seconds) in which a response is expected. The default is one second.
Custom SNMP Port
To choose a custom SNMP port, select the check box and choose from the ports in the list. You must already have configured a custom SNMP port in the Discovery Configuration window.
- Click Apply.
The SNMP Credentials page is refreshed to show details of the new credentials.
Granting SNMP v3 permissions
When SNMP v3 is used to discover a device that uses different security contexts for different instances of a MIB (in the same way that community string indexing is used for v1 or v2), the SNMP v3 user might not have access to the different security contexts.
If a device is discovered where access to different contexts is required, but access has not been granted to the user, discovery will gather less information and topology discovery might not be complete. A ScriptFailure node will be associated with the DeviceInfo for the DiscoveryAccess, with a message of the type,
Failed to access vlan-1 (AuthorizationError), where
vlan-1 is the name of the security context that discovery attempted to access.
To ensure discovery has full access, the user should be granted access to all of the contexts on the network device. For example, to grant access to all contexts to the group
privgroup on a Cisco device with a recent version of IOS, you can use this configuration command:
You should consult your device documentation or manufacturer for more details.
Testing SNMP credentials
When you have added the credentials, you should test them to ensure that they work by performing the following actions:
- Click Actions => Test for the SNMP credential.
A dialog box is displayed with the credential values, and a field in which you enter the IP address against which to test the credential.
- Enter the target IP address to test.
- Click Test.
The page is refreshed to show that the test in progress and when complete, the results are shown on the Credential Tests page; this might take a few minutes.
Repeat the preceding steps for all the credentials you want to test.