
SNMP v3 encryption

p.deleuw
Spotlight

Hi community,

the documentation https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/SNMP_Overview_and_Configuration says:

"SNMP v1/v2c sends the community string in plain text. If v3 is selected, you will need to configure a username and password. When using v3, Cisco Meraki devices will use SHA1 for authentication and DES for privacy, with the configured password used for both."

Is this true? DES encryption in 2023? The doc is last updated on Jun 28, 2023 ...

Regards,

Peter

1 Accepted Solution


aleabrahao
Meraki Community All-Star

Yes, it is. 😉

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.


Thank you, @alessandrodematos. I managed to test it:

~$ snmpget -v3 -l authPriv -u snmpuser -a SHA -A snmpuser -x DES -X snmpuser 10.3.0.4 iso.3.6.1.2.1.1.1.0
iso.3.6.1.2.1.1.1.0 = STRING: "Meraki MR33 Cloud Managed AP"
~$ snmpget -v3 -l authPriv -u snmpuser -a SHA -A snmpuser -x AES -X snmpuser 10.3.0.4 iso.3.6.1.2.1.1.1.0
snmpget: Decryption error

Additionally, you can poll the dashboard via snmp.meraki.com. You enable and configure it on Organization > Settings. Here you can choose between DES and AES (128).
~$ snmpget -v3 -l authPriv -u xxxxxx -a SHA -A snmpuser1 -x AES -X snmpuser1 snmp.meraki.com:16100 iso.3.6.1.2.1.1.1.0
iso.3.6.1.2.1.1.1.0 = STRING: "Cisco Meraki Cloud Controller"

You can poll:
Device MAC address
Device Serial number
Device Name
Device Status (Online or Offline)
Device Last Contacted - Date and Time
Mesh Status (Gateway or Repeater)
Public IP Address
Product Code (e.g. MR18-HW)
Product Description (e.g. Meraki Cloud-controller 802.11n AP)
Name of the Network that the device resides in (Dashboard Network)
Packets/Bytes In/Out on each physical interface

Regards

Peter
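Added example (not part of the thread, and not Meraki's code): how one SNMPv3 password becomes both the SHA-1 authentication key and the DES privacy key under the RFC 3414 User-based Security Model, which is what "the configured password used for both" amounts to. The function names are hypothetical, and the engine ID is the RFC 3414 test value, not a Meraki one.

```python
import hashlib

MEGABYTE = 1048576  # RFC 3414 A.2.2 hashes exactly this many octets

def password_to_key_sha1(password: bytes) -> bytes:
    """Ku: SHA-1 over the password repeated out to 1,048,576 octets."""
    if not password:
        raise ValueError("USM passwords must not be empty")
    reps = MEGABYTE // len(password) + 1
    return hashlib.sha1((password * reps)[:MEGABYTE]).digest()

def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """Kul: bind Ku to one agent's snmpEngineID (RFC 3414 section 2.6)."""
    return hashlib.sha1(ku + engine_id + ku).digest()

def usm_sha_des_keys(auth_pass: bytes, priv_pass: bytes, engine_id: bytes) -> dict:
    """Derive the key material an authPriv SHA/DES session works with."""
    auth_key = localize_key(password_to_key_sha1(auth_pass), engine_id)
    # CBC-DES privacy uses only the first 16 octets of the localized key:
    # octets 0-7 are the DES key, octets 8-15 the pre-IV (RFC 3414 8.1.1.1).
    priv_key = localize_key(password_to_key_sha1(priv_pass), engine_id)[:16]
    des_key = priv_key[:8]
    return {
        "auth_key": auth_key,
        "des_key": des_key,
        "des_pre_iv": priv_key[8:],
        # DES ignores the low bit of every octet, leaving 56 key bits.
        "des_effective_key": bytes(b & 0xFE for b in des_key),
        # True when the privacy secret is just a prefix of the auth key.
        "priv_key_equals_auth_prefix": auth_key[:16] == priv_key,
    }

if __name__ == "__main__":
    # Constructed input: the password from the test above, RFC test engine ID.
    engine_id = bytes(11) + b"\x02"
    keys = usm_sha_des_keys(b"snmpuser", b"snmpuser", engine_id)
    for name, value in keys.items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

With one password for both roles, authentication and privacy keys are not independent secrets, and the privacy layer is bounded by DES's 56-bit key regardless of password length.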

GreenMan
Cisco Employee

Worth remembering that, in a Meraki world, SNMP cannot be used for configuration. I think it's safe to say that, as a cloud-native platform, we think there are probably better ways of securely managing IT systems these days, too.

Yes, of course. The RestAPI is your friend. Secure remote administration via HTTPS. Flexible and scriptable. Scalable with action batches.

SNMP (read-only) is reasonable for integration with existing monitoring systems.

CyberDingo
Level 1

Making a note that Cisco Meraki has since added AES-128 encryption as an option for SNMPv3 and still uses SHA1 for hashing.

whistleblower14
Level 5

I've only switches in my network and I'm trying to integrate them via SNMPv3 in my NMS, which is on the LAN side but in a different VLAN/IP subnet... I'm not able to get the information via SNMP - any ideas?

I would start by making sure your switches have access to your NMS located in a different VLAN/subnet. Can you ping between each other? Once that is the case, you will have to set the configuration of the SNMPv3 on the NMS and the end client side.