SNMPv3 on Cisco Nexus 9000 with snmpwalk

rumak18
Level 1

Hello,

I've done the following config on my Cisco 92348-GC switch:

nex1-9000(config)# snmp-server protocol enable
nex1-9000(config)# snmp-server location MYLOCAL
nex1-9000(config)# snmp-server engineID local AA:BB:CC:DD:EE:FF
nex1-9000(config)# snmp-server user snmp.user network-operator auth sha-256 $MYPASS priv $PRIVACYPASS engineID AA:BB:CC:DD:EE:FF


Now when I try snmpwalk from a Linux machine, I am only able to connect with "authNoPriv", although, in my opinion, the privacy is configured with the command "priv" for the user.

This CLI command with "authNoPriv" works:

snmpwalk -v3 -a SHA-256 -A $MYPASS -x AES -X $PRIVACYPASS -u snmp.user -l authNoPriv 10.10.1.100

This command with "authPriv" does NOT work, with the error "Unsupported security level":

snmpwalk -v3 -a SHA-256 -A $MYPASS -x AES -X $PRIVACYPASS -u snmp.user -l authPriv 10.10.1.100


So obviously the encryption does not work. 

I've also tried to enforce encryption for the user with the command:

nex1-9000(config)#snmp-server user snmp.user.r enforcePriv
priv protocol not set for the user

But this also does not work on the switch with the error message "priv protocol not set for the user".

So what am I doing wrong here?

3 Replies

antisocial11224
Spotlight

Your setup seems correct at first glance, but there might be a misconfiguration causing the encryption to fail.

When configuring SNMPv3 with authentication and encryption (authPriv), ensure that the encryption algorithm and passphrase are correctly specified. In your case, you're using SHA-256 for authentication and AES for encryption, which is correct.

However, the error "Unsupported security level" suggests that the switch is not recognizing the security level specified in the snmpwalk command. This could indicate a problem with how the user is configured on the switch.

The error message "priv protocol not set for the user" further supports this idea. It seems that the switch is expecting the encryption protocol (priv) to be explicitly set for the SNMPv3 user, but it's not properly configured. Double-check the SNMPv3 user configuration on the switch to ensure that the encryption protocol (priv) is correctly specified for the user. Verify that the SNMPv3 user credentials (authentication passphrase and encryption passphrase) match between the switch configuration and the snmpwalk command. If necessary, recreate the SNMPv3 user with the correct parameters, ensuring that both authentication and encryption are properly configured. Once the SNMPv3 user configuration is corrected, retry the snmpwalk command with authPriv to see if the encryption works as expected.


rumak18
Level 1

Hi,

Thanks for your hints. But I've already recreated the user several times. And in fact I see it like you: something is missing in the user's config. This can also be seen in the "show snmp user" output:

But then again... what to do with the missing encryption protocol...?

nex1-9000# show snmp user
______________________________________________________________
SNMP USERS
______________________________________________________________

User        Auth     Priv(enforce)  Groups            acl_filter
____        ____     _____________  ______            __________

admin       md5      aes-128(no)    network-admin
snmp.user   sha-256  no             network-operator

______________________________________________________________
NOTIFICATION TARGET USERS (configured for sending V3 Inform)
______________________________________________________________

User        Auth     Priv
____        ____     ____
snmp.user   sha-256  aes-128
(EngineID 11:12:22:33:44:55)
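The "show snmp user" listing above is the check antisocial11224 asked for: the Priv column is "no" for snmp.user, so the agent can serve that user only up to authNoPriv, and an authPriv request is answered with a usmStatsUnsupportedSecLevels report, which Net-SNMP prints as "Unsupported security level". The script below is an added example for this thread, not Cisco's or Net-SNMP's code, and it never connects to a switch: it parses a pasted copy of that listing, predicts the agent's verdict for each security level from the RFC 3414 USM rules, and lists users whose management traffic would go unencrypted. The column layout it expects, the treatment of the "(yes|no)" enforce flag, and the assumption that an enforcePriv user rejects anything weaker than authPriv are all taken from this thread's output or are labelled assumptions in the code.

```python
"""Audit SNMPv3 users from a Nexus 'show snmp user' listing and predict which
security levels the agent can serve for each of them.

Constructed example for this thread; not Cisco or Net-SNMP code and it does
not talk to a switch. The listing format is the one quoted in the thread; the
USM verdicts follow RFC 3414 section 3.2 step 5."""
import re

# Constructed input: the 'show snmp user' output quoted in the reply above.
SHOW_SNMP_USER = """\
nex1-9000# show snmp user
______________________________________________________________
SNMP USERS
______________________________________________________________

User        Auth     Priv(enforce)  Groups            acl_filter
____        ____     _____________  ______            __________

admin       md5      aes-128(no)    network-admin
snmp.user   sha-256  no             network-operator

______________________________________________________________
NOTIFICATION TARGET USERS (configured for sending V3 Inform)
______________________________________________________________
"""

# Security levels ordered from weakest to strongest (RFC 3414).
LEVELS = ("noAuthNoPriv", "authNoPriv", "authPriv")


def parse_snmp_users(text):
    """Return {name: {"auth", "priv", "enforce", "groups"}} for the 'SNMP USERS'
    section. A column value of 'no' means no protocol is configured. The
    notification-target section is skipped: those entries are inform targets,
    not users the agent authenticates."""
    users = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "SNMP USERS":
            in_section = True
            continue
        if line.startswith("NOTIFICATION TARGET USERS"):
            break
        if not in_section or not line or line.startswith("_"):
            continue
        parts = line.split()
        if parts[0] == "User" or len(parts) < 3:
            continue  # column header or a line we cannot interpret
        name, auth, priv_field = parts[0], parts[1], parts[2]
        # Priv column is 'aes-128(no)' (protocol plus enforce flag) or just 'no'.
        m = re.fullmatch(r"([^()]+)\((yes|no)\)", priv_field)
        if m:
            priv, enforce = m.group(1), (m.group(2) == "yes")
        else:
            priv, enforce = priv_field, False
        users[name] = {
            "auth": None if auth.lower() == "no" else auth,
            "priv": None if priv.lower() == "no" else priv,
            "enforce": enforce,
            "groups": parts[3:],
        }
    return users


def max_security_level(entry):
    """Highest level the agent can serve for this USM entry."""
    if entry["priv"]:
        return "authPriv"
    if entry["auth"]:
        return "authNoPriv"
    return "noAuthNoPriv"


def check_request(entry, requested):
    """Predict the agent's verdict for a request at the given security level.

    RFC 3414 section 3.2 step 5: a securityLevel the user's protocols cannot
    support is dropped and usmStatsUnsupportedSecLevels is incremented; the
    manager then reports 'Unsupported security level', which is the OP's
    authPriv failure. The enforcePriv rule is an assumption: a user with
    enforce=yes is expected to refuse anything weaker than authPriv."""
    if requested not in LEVELS:
        raise ValueError(f"unknown security level {requested!r}")
    if LEVELS.index(requested) > LEVELS.index(max_security_level(entry)):
        return "usmStatsUnsupportedSecLevels"
    if entry["enforce"] and requested != "authPriv":
        return "rejected: privacy enforced for this user"
    return "ok"


def users_without_privacy(users):
    """Names of users that cannot reach authPriv, i.e. whose SNMP traffic
    would cross the network unencrypted."""
    return sorted(n for n, e in users.items() if max_security_level(e) != "authPriv")


if __name__ == "__main__":
    parsed = parse_snmp_users(SHOW_SNMP_USER)
    for name, entry in parsed.items():
        print(f"{name:12} max level {max_security_level(entry):12} "
              f"authPriv request -> {check_request(entry, 'authPriv')}")
    print("users lacking a priv protocol:", users_without_privacy(parsed))
```

Run against the listing above it reports snmp.user as capped at authNoPriv and flags an authPriv request to that user as usmStatsUnsupportedSecLevels, while admin (aes-128 configured) passes. Pasting the output of "show snmp user" from any Nexus into SHOW_SNMP_USER gives the same audit for that box; a user that should be encrypted but shows up in users_without_privacy is the condition to fix before trusting the walk results.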

rumak18
Level 1

OK, I've resolved this issue. The switch needed a reboot. It obviously did not accept all my commands. After rebooting and configuring it from scratch, it worked.
