
SNMPv3 basic understanding

smith.dean
Level 1

I'm interested in migrating a device fleet from snmpv2c to snmpv3 support but am completely new to the snmpv3 security structure and a bit confused by it. Under the snmpv2c community model, you could define read only or read/write access based on this community string. I'm struggling to understand the direct correlation as to how this is done with snmpv3. The configuration samples all tend to overwhelm with every option available (groups, users, readviews, writeviews etc) rather than just those fundamentally needed. Can anyone offer me a very quick understanding of how I set up a "community" equivalent under snmpv3? Much appreciated.


7 Replies

Joe Clarke
Cisco Employee

SNMPv3 uses a user-based security model. This model requires a username and password for authentication, and an optional additional password to encrypt the payload of the SNMP packet. Even without the encryption, the authentication data is protected using either an MD5 or SHA hash. The packet is additionally protected by an engine time field and a boot count. This helps prevent replay attacks.

Basically, all you need to allow SNMPv3 read on an IOS device is the following:

snmp-server group v3group v3 auth

snmp-server user v3user v3group v3 auth md5 v3pass123

That's it. This configures SNMPv3 authNoPriv using an MD5 hash for the authentication data. The user, v3user, is allowed to poll any object in the v1default (built-in) view. The password chosen must be at least eight characters to be compatible with the USM.

If you want to allow write access as well, just change the group line to:

snmp-server group v3group v3 auth write v1default

This is very basic. I encourage you to read more on SNMP views to help limit access to those OIDs which are required.
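To make the user-based security model described above concrete, here is an added Python example (not code from this thread or from Cisco) that walks through what the IOS `auth md5` / `auth sha` keywords produce on the wire: the password is stretched and hashed into Ku (RFC 3414 Appendix A.2), localized with the device's engine ID so each device ends up with its own key, used as an HMAC-96 key over every message, and the message is accepted only inside the engine boots/engine time window. The engine ID, the password, and the message bytes are constructed sample values, and the timeliness check is a simplified form of the RFC's rules.

```python
import hashlib
import hmac

# Constructed sample inputs, not values from the thread: a real engine ID comes
# from "show snmp engineID" on the IOS device. The password reuses the thread's
# example and meets the eight-character USM minimum.
SAMPLE_ENGINE_ID = bytes.fromhex("800000090300aabbccddeeff")
SAMPLE_PASSWORD = "v3pass123"

HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}  # IOS keywords md5 / sha
TAG_LEN = 12        # HMAC-96: msgAuthenticationParameters is 12 bytes
TIME_WINDOW = 150   # seconds; RFC 3414 section 3.2 timeliness window


def password_to_key(password: str, alg: str = "md5") -> bytes:
    """RFC 3414 A.2: repeat the password to 1 MiB and hash it, giving Ku."""
    if len(password) < 8:
        raise ValueError("USM requires a password of at least eight characters")
    pw = password.encode()
    stretched = (pw * (1048576 // len(pw) + 1))[:1048576]
    return HASHES[alg](stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, alg: str = "md5") -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku), so a key captured from
    one device does not work against another device sharing the password."""
    return HASHES[alg](ku + engine_id + ku).digest()


def derive_auth_key(password: str, engine_id: bytes, alg: str = "md5") -> bytes:
    """Full derivation from the configured password to the per-device auth key."""
    return localize_key(password_to_key(password, alg), engine_id, alg)


def sign_message(kul: bytes, header: bytes, body: bytes, alg: str = "md5") -> bytes:
    """Return header || authParams || body. The HMAC is computed over the whole
    message with authParams zeroed, then truncated to 12 bytes (HMAC-96)."""
    unsigned = header + bytes(TAG_LEN) + body
    tag = hmac.new(kul, unsigned, HASHES[alg]).digest()[:TAG_LEN]
    return header + tag + body


def verify_message(kul: bytes, msg: bytes, tag_offset: int, alg: str = "md5") -> bool:
    """Receiver side: zero the tag field, recompute, compare in constant time."""
    received = msg[tag_offset:tag_offset + TAG_LEN]
    zeroed = msg[:tag_offset] + bytes(TAG_LEN) + msg[tag_offset + TAG_LEN:]
    expected = hmac.new(kul, zeroed, HASHES[alg]).digest()[:TAG_LEN]
    return hmac.compare_digest(received, expected)


def is_timely(local_boots: int, local_time: int, msg_boots: int, msg_time: int) -> bool:
    """Simplified RFC 3414 3.2 step 7: boots must match and the clock must be
    within 150 s, which is what stops a captured message from being replayed later."""
    if local_boots == 2**31 - 1:      # engine boots counter exhausted: reject all
        return False
    return msg_boots == local_boots and abs(local_time - msg_time) <= TIME_WINDOW


if __name__ == "__main__":
    for alg in ("md5", "sha"):
        kul = derive_auth_key(SAMPLE_PASSWORD, SAMPLE_ENGINE_ID, alg)
        print(f"{alg}: localized auth key = {kul.hex()}")
    # RFC 3414 Appendix A.3 lists reference vectors (password "maplesyrup",
    # engine ID 00..02) that derive_auth_key can be checked against.
    kul = derive_auth_key(SAMPLE_PASSWORD, SAMPLE_ENGINE_ID)
    header, body = b"\x30\x2a\x02\x01\x03", b"constructed-get-request"
    msg = sign_message(kul, header, body)
    print("verifies:", verify_message(kul, msg, len(header)))
```

Two points the code makes visible: `body` still appears in cleartext inside the signed message, which is exactly what authNoPriv leaves exposed and why the `priv` keyword exists, and two devices with different engine IDs end up with different localized keys even though the operator typed the same password on both.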

Brilliant. Thanks very much for that. Has cut through the confusion for me! One remaining point I'd appreciate your clarification on though is the "user" definition. Is that effectively the NMS polling station? And how does that relate to the sending of traps from the IOS device to the polling station? Really appreciate your help to date.

Regards

You can think of the user as an SNMP manager, but you don't have to use one username per NMS. Many customers create one SNMP user for their whole network for all their NMSes. They use the user/password as more of a secure community string.

SNMPv3 traps still require a user and a password. Only for traps, you'll need to add a notify view to your SNMPv3 group. For example:

snmp-server group v3group v3 auth notify v1default

snmp-server host version 3 auth v3user

Thank you very much. Answered both my questions with exactly the information I needed! Much appreciated.

Hello, I have another question. I have snmpv3 authNoPriv running ok. Now I want to enable Priv, but it does not function. Do you know if I need additional configuration, or perhaps I need to use the local & remote engineID?

I am attaching the current configuration.

!!

snmp-server group userBROU v3 priv notify v1default

snmp-server trap link switchover

snmp-server trap-source Vlan31

snmp-server source-interface informs Vlan31

snmp-server contact Anacelia

snmp-server enable traps ......

snmp-server enable traps .....

snmp-server host 172.19.31.15 version 3 priv spectuser2

!!!

!

Thanks a lot in advance.

Regards, Anacelia

Please start a new thread for this issue.

I apologize, but yesterday we went to the customer, ran the following command and it worked!

!

!

snmp-server user spectuser2 userBROU v3 auth md5 user4passwd priv des56 user4priv

!

!

and that's all!

Regards, Anacelia
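The group, user and host lines in Joe Clarke's replies and the priv problem at the end of the thread share one failure mode: the three `snmp-server` lines each carry a security level, and traps silently fail when they disagree or when the user the host refers to has not been created with the keys that level needs. The following added Python example (not code from the thread or from Cisco) parses the relevant `snmp-server` lines from a saved IOS config and reports such mismatches. The sample configs are built from the lines posted in the thread, before and after the missing user line was added; the check for a notify view follows the advice given in the thread rather than any IOS default.

```python
# Added example: cross-check security levels in IOS SNMPv3 configuration.
LEVELS = {"noauth": 0, "auth": 1, "priv": 2}

# Constructed from the config posted in the thread: the group and host ask for
# priv, but no "snmp-server user" line defines spectuser2 at all.
CONFIG_BEFORE = """\
!
snmp-server group userBROU v3 priv notify v1default
snmp-server trap-source Vlan31
snmp-server host 172.19.31.15 version 3 priv spectuser2
!
"""
# The line that made it work, as posted later in the thread.
CONFIG_AFTER = CONFIG_BEFORE + (
    "snmp-server user spectuser2 userBROU v3 auth md5 user4passwd priv des56 user4priv\n"
)


def parse_snmp_config(text: str):
    """Collect v3 groups, users and hosts from snmp-server lines; ignore the rest."""
    groups, users, hosts = {}, {}, []
    for line in text.splitlines():
        toks = line.split()
        if toks[:2] == ["snmp-server", "group"] and "v3" in toks:
            # snmp-server group <name> v3 <noauth|auth|priv> [read V] [write V] [notify V]
            views = {toks[i]: toks[i + 1] for i in range(5, len(toks) - 1, 2)
                     if toks[i] in ("read", "write", "notify")}
            groups[toks[2]] = {"level": toks[4], "views": views}
        elif toks[:2] == ["snmp-server", "user"] and "v3" in toks:
            # snmp-server user <name> <group> v3 [auth <md5|sha> PW [priv ... PW]]
            level = "priv" if "priv" in toks else ("auth" if "auth" in toks else "noauth")
            users[toks[2]] = {"group": toks[3], "level": level}
        elif toks[:2] == ["snmp-server", "host"] and "version" in toks:
            # snmp-server host <addr> [traps|informs] version 3 <level> <user>
            i = toks.index("version")
            if toks[i + 1] == "3":
                hosts.append({"addr": toks[2], "level": toks[i + 2], "user": toks[i + 3]})
    return groups, users, hosts


def check_snmp_config(text: str) -> list:
    """Return human-readable findings; an empty list means the lines agree."""
    groups, users, hosts = parse_snmp_config(text)
    findings = []
    for name, u in users.items():
        g = groups.get(u["group"])
        if g is None:
            findings.append(f"user {name}: group {u['group']} is not defined")
        elif LEVELS[u["level"]] < LEVELS[g["level"]]:
            findings.append(f"user {name}: has only {u['level']} keys but group "
                            f"{u['group']} requires {g['level']}")
    for h in hosts:
        u = users.get(h["user"])
        if u is None:
            findings.append(f"host {h['addr']}: user {h['user']} is not defined")
            continue
        if LEVELS[u["level"]] < LEVELS[h["level"]]:
            findings.append(f"host {h['addr']}: level {h['level']} requested but user "
                            f"{h['user']} has only {u['level']} keys")
        g = groups.get(u["group"])
        if g is not None and "notify" not in g["views"]:
            findings.append(f"host {h['addr']}: group {u['group']} has no notify view, "
                            "so traps/informs to it will not be sent")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, check_snmp_config(cfg) or "OK")
```

Run against a config pulled with `show running-config | include snmp-server`, the check reports the exact gap from the thread (the host names a user that does not exist) and, once the user line with `priv des56` is present, reports nothing. It also flags the related mistake of defining the user with `auth` only while the group or the host asks for `priv`.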