How to configure SNMP to use SHA256, SHA384 and SHA512 on a Cisco 2960s

plq1234567
Level 1

Hello,

I'm a software developer with products that query snmp for device information.

One of my customers says they are using SHA256, SHA384 and SHA512. I have enhanced my products to support this but I am not finding an easy way of getting my test switch to support these levels of encryption so I can't test whether it works or not.

After a lot of grief I have got my switch updated to IOS version 15.2 with bin file c2960s-universalk9-tar.152-2a.E1

I was expecting that there would be a sha256 option on the snmp-server command, but it's just the same as before. It does have advanced AES options like AES256, so this worked:

    snmp-server user paul group1 v3 auth sha pwd1 priv aes 256 pwd2

So I was hoping there would be something like

    snmp-server user paul group1 v3 auth sha 256 pwd1 priv aes 256 pwd2

Nope !

Yet when I issue this command it seems to think that higher levels of SHA are supported:

    Cisco2960(config)#crypto ipsec transform-set test ?

      ah-sha256-hmac   AH-HMAC-SHA256 transform
      ah-sha384-hmac   AH-HMAC-SHA384 transform
      ah-sha512-hmac   AH-HMAC-SHA512 transform
      ...
      esp-sha256-hmac  ESP transform using HMAC-SHA256 auth
      esp-sha384-hmac  ESP transform using HMAC-SHA384 auth
      esp-sha512-hmac  ESP transform using HMAC-SHA512 auth

I have very little experience of working with IOS, so I am relying on googling stuff to get along, but have hit a dead stop here with very little documentation or forum posts out there on SHA256 or higher.

4 Replies

johnd2310
Level 8

Hi,

I think for authentication you can only have md5 or sha, as per the configuration guide below:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/network_management/configuration_guide/b_nm_1522e_2960x_cg/b_nm_15ex_2960-x_cg_chapter_0100.html


Thanks

John

**Please rate posts you find helpful**
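The authentication side of what the original post and John's reply are discussing can be exercised without a switch. SNMPv3 USM key handling (password to Ku, localization with the agent's snmpEngineID) and the truncated HMAC carried in msgAuthenticationParameters are fully specified in RFC 3414 for MD5 and SHA-1 and in RFC 7860 for the SHA-2 family; the IOS keyword `auth sha` is the SHA-1 variant (HMAC-SHA-96). The Python below is an added example, not code from this thread or from Cisco: it implements the derivation for all six protocols, checks itself against the RFC 3414 Appendix A test vectors (password `maplesyrup`, engine ID `00..02`), and then derives keys for a constructed engine ID and message that are not taken from any real device.

```python
import hashlib
import hmac

# SNMPv3 USM authentication protocols.
# Value: (hashlib digest name, bytes of the HMAC placed on the wire as
# msgAuthenticationParameters). MD5 and SHA-1 per RFC 3414, SHA-2 per RFC 7860.
AUTH_PROTOCOLS = {
    "md5":    ("md5",    12),   # usmHMACMD5AuthProtocol
    "sha":    ("sha1",   12),   # usmHMACSHAAuthProtocol (IOS "auth sha")
    "sha224": ("sha224", 16),   # usmHMAC128SHA224AuthProtocol
    "sha256": ("sha256", 24),   # usmHMAC192SHA256AuthProtocol
    "sha384": ("sha384", 32),   # usmHMAC256SHA384AuthProtocol
    "sha512": ("sha512", 48),   # usmHMAC384SHA512AuthProtocol
}

PASSWORD_STREAM_LEN = 1_048_576  # RFC 3414 A.2: hash exactly 1 MiB of repeated password


def password_to_key(password: bytes, proto: str) -> bytes:
    """Ku: digest of the password repeated (and cut) to 1,048,576 bytes."""
    digest, _ = AUTH_PROTOCOLS[proto]
    reps = PASSWORD_STREAM_LEN // len(password) + 1
    stream = (password * reps)[:PASSWORD_STREAM_LEN]
    return hashlib.new(digest, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, proto: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one agent."""
    digest, _ = AUTH_PROTOCOLS[proto]
    return hashlib.new(digest, ku + engine_id + ku).digest()


def auth_params(kul: bytes, whole_msg: bytes, proto: str) -> bytes:
    """HMAC over the whole message (with the auth params field zeroed),
    truncated to the protocol's fixed length."""
    digest, trunc = AUTH_PROTOCOLS[proto]
    return hmac.new(kul, whole_msg, digest).digest()[:trunc]


def verify(kul: bytes, whole_msg: bytes, received: bytes, proto: str) -> bool:
    """Receiver-side check: a wrong length means wrong protocol or tampering,
    and the comparison is constant-time."""
    _, trunc = AUTH_PROTOCOLS[proto]
    if len(received) != trunc:
        return False
    return hmac.compare_digest(auth_params(kul, whole_msg, proto), received)


def rfc3414_vectors_ok() -> bool:
    """Self-check against RFC 3414 Appendix A (password 'maplesyrup',
    snmpEngineID 00 00 00 00 00 00 00 00 00 00 00 02)."""
    engine_id = bytes(11) + b"\x02"
    kul_md5 = localize_key(password_to_key(b"maplesyrup", "md5"), engine_id, "md5")
    kul_sha = localize_key(password_to_key(b"maplesyrup", "sha"), engine_id, "sha")
    return (kul_md5.hex() == "526f5eed9fcce26f8964c2930787d82b"
            and kul_sha.hex() == "6695febc9288e36282235fc7151f128497b38f3f")


if __name__ == "__main__":
    print("RFC 3414 vectors:", "ok" if rfc3414_vectors_ok() else "FAIL")
    # Constructed engine ID (Cisco-style 80 00 00 09 03 + MAC) and a constructed
    # message body; neither comes from a real device.
    engine_id = bytes.fromhex("80000009030000112233445566")
    msg = b"\x30\x00constructed SNMPv3 message with zeroed auth params"
    for proto in AUTH_PROTOCOLS:
        kul = localize_key(password_to_key(b"pwd1", proto), engine_id, proto)
        tag = auth_params(kul, msg, proto)
        print(f"{proto:6s} Kul={len(kul):2d} bytes  authParams={tag.hex()}")
```

A client that claims SHA-2 support has to get three things right for each protocol: the digest used for Ku and Kul, the digest used inside the HMAC, and the truncation length; an agent will silently drop a message whose authParams field has the wrong length, which looks like a timeout rather than an authentication error.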

Thanks John,

Do you know if that's the same for SNMP across all switches and other devices?

I was told the customer has 3750s and 3850s, but I can't easily get hold of one of them as they are a lot of money even on eBay :)

If sha-2 is never supported then I don't need to progress this further, but if it is supported on some devices and not the 2960, I'll need to get hold of one somehow to make sure we can support it...

thanks again


Hi,

I have checked on a 3850 switch and I get the same, md5 and sha for authentication. The same for the ASA firewall. There is an enhancement request for the ASA for sha-2: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux48487/?rfs=iqvred

Looks like sha-2 is not yet supported in Cisco switches. You could get your customer to open a TAC case with Cisco to see when support will be added.


Thanks

John

**Please rate posts you find helpful**

Felipe A. Amaya
Level 1

Hello,

This is what has worked for me across Cisco devices.

    conf t
    snmp-server group {GroupName} v3 priv
    snmp-server user {UserName} {GroupName} v3 auth sha {AuthPassphrase} priv aes 256 {PrivPassphrase}
    snmp-server enable traps
    snmp-server host {IPv4/v6 Address} traps version 3 priv {UserName}
    exit
    w