07-17-2007 05:15 AM
Hi,
I am planning to migrate a customer network from SNMPv1 to SNMPv3 with authentication and encryption (authPriv).
Does anybody have experience with SNMPv3 and encryption concerning resource problems on network components and network management systems?
Best Regards,
Thorsten
07-17-2007 05:23 AM
I use it on our border devices and have had no problems, but we use ISR routers with AIM VPN cards, so I would assume that the AIM card would do the encryption. The encryption for SNMPv3 is only DES which most Cisco routers can easily handle, so I would not be worried too much.
HTH and please rate.
07-17-2007 08:44 AM
SNMPv3 authPriv is still not widely supported by NMS products out-of-the-box, so you will want to check your NMS documentation to make sure it works. Additionally, Cisco devices such as the desktop XL switch line and the 2950 switches do not work well with SNMPv3 when it comes to tracking connected MAC addresses.
SNMPv3 authPriv will also require crypto images on all of your devices. Crypto code requires more memory, so make sure you have all of your devices sufficiently upgraded hardware-wise before making the conversion.
07-17-2007 10:38 PM
Our NMS products offer SNMPv3 authPriv; we tested that already.
Your hint concerning crypto images sounds really interesting. Is there any documentation on CCO where this is mentioned?
I read several Cisco documents about understanding, configuring and implementing SNMPv3, but there was no hint that crypto images are needed for authPriv.
Is there also any restriction concerning CatOS?
Best regards,
Thorsten Steffen
07-17-2007 10:47 PM
The Feature Navigator has the DES and AES SNMP crypto options, but it does not appear to be giving any image results at the moment. I can't find any other general documents that specify this requirement, but here is a matrix from the 3550 documentation that spells it out nicely (http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_12c_ea1/configuration/guide/swsnmp.html#wp1040787). Crypto images are needed across the board to do authPriv on any device. If you have a device without crypto support, you should not see any of the privacy options.
For example, on a 7507 I have running 12.2(12) (JSV image), my SNMPv3 user command ends after I specify an auth password, whereas on a 7206 running 12.4(12) (ADVENTERPRISEK9) I see priv options with supported algorithms of 3des, des, and aes (note: algorithm support will vary depending on device and OS version).
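Added example, not part of the thread and not Cisco code: a pre-migration triage that reads the running image name from `show version` output and flags devices unlikely to offer the priv options described above. It assumes the common IOS naming `platform-featureset-format.version` and that a `k9` feature-set token marks a crypto image; the hostnames and sample output are constructed.

```python
import re

# Constructed "show version" excerpts keyed by hostname (not real device output).
SAMPLE_SHOW_VERSION = {
    "core-7206": 'System image file is "disk2:c7200-adventerprisek9-mz.124-12.bin"',
    "dist-7507": 'System image file is "slot0:rsp-jsv-mz.122-12.bin"',
    "acc-2950": 'System image file is "flash:/c2950-i6q4l2-mz.121-22.EA1.bin"',
    "lab-rtr": "uptime is 3 weeks",  # capture without the image line
}

IMAGE_LINE = re.compile(r'System image file is "([^"]+)"')


def feature_set(show_version):
    """Return the feature-set token of the running image, or None if absent."""
    match = IMAGE_LINE.search(show_version)
    if not match:
        return None
    filename = re.split(r"[:/]", match.group(1))[-1]  # drop device and directory
    parts = filename.lower().split("-")  # platform-featureset-format.version
    return parts[1] if len(parts) >= 3 else None


def triage(inventory):
    """Map hostname -> 'authPriv', 'auth-only' or 'unknown'."""
    result = {}
    for host, text in inventory.items():
        token = feature_set(text)
        if token is None:
            result[host] = "unknown"  # needs a manual check
        elif "k9" in token:  # assumption: k9 marks a crypto image
            result[host] = "authPriv"
        else:
            result[host] = "auth-only"  # expect no priv keyword on the user command
    return result


def upgrade_candidates(inventory):
    """Hosts that need an image (and possibly memory) review before authPriv."""
    return sorted(h for h, s in triage(inventory).items() if s != "authPriv")


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_SHOW_VERSION).items()):
        print(f"{host:10} {status}")
```

The result is a heuristic for planning only; whether the `priv` keyword is actually offered on each device's SNMPv3 user command remains the authoritative check.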
07-19-2007 04:12 AM
Hello Joe,
Meanwhile, I have tried unsuccessfully in several ways to get official information from Cisco concerning the need for crypto images for SNMPv3 encryption.
Do you perhaps have the possibility of getting a statement through internal channels?
Regards,
Thorsten
07-18-2007 02:25 PM
Most NMS now support v3 except it introduces one issue. With more NMS you need to manually add v3 devices since most NMS auto discover doesn't find new v3 devices.
jerry
07-18-2007 08:14 PM
This is not the case with CiscoWorks LMS. The auto-discovery feature works just fine with SNMPv3 provided you have configured correct credentials.
07-18-2007 09:58 AM
If you are using the CiscoWorks suite of products, they only support v3 auth, not priv. If you are using Openview, the SNMP Research "security pack" product is a very capable v3 implementation (extends HPOV to use SNMPv3).