SNMPv3 basic understanding

Answered Question
Jun 10th, 2008

I'm interested in migrating a device fleet from snmpv2c to snmpv3 support but am completely new to the snmpv3 security structure and a bit confused by it. Under the snmpv2c community model, you could define read only or read/write access based on this community string. I'm struggling to understand the direct corelation as to how this is done with snmpv3. The configuration samples all tend to overwhelm with every option available (groups, users, readviews, writeviews etc) rather than just those fundamentally needed. Can anyone offer me a very quick understanding of how I set up a "community" equivelant under snmpv3? Much appreciated.

Joe Clarke Tue, 06/10/2008 - 16:38
User Badges: Cisco Employee, Hall of Fame, Founding Member

SNMPv3 uses a user-based security model. This model requires a username and password for authentication, and an optional additional password to encrypt the payload of the SNMP packet. Even without the encryption, the authentication data is protected using either an MD5 or SHA hash. The packet is additionally protected by an engine time field and a boot count. This helps prevent replay attacks.


Basically, all you need to allow SNMPv3 read on an IOS device is the following:


snmp-server group v3group v3 auth
snmp-server user v3user v3group v3 auth md5 v3pass123


That's it. This configures SNMPv3 authNoPriv using an MD5 hash for the authentication data. The user v3user is allowed to poll any object in the v1default (built-in) view. The password chosen must be at least eight characters to be compatible with the USM.


If you want to allow write access as well, just change the group line to:


snmp-server group v3group v3 auth write v1default


This is very basic. I encourage you to read more on SNMP views to help limit access to those OIDs which are required.

smith.dean Tue, 06/10/2008 - 17:00

Brilliant. Thanks very much for that. Has cut through the confusion for me! One remaining point I'd appreciate your clarification on though is the "user" definition. Is that effectively the NMS polling station? And how does that relate to the sending of traps from the IOS device to the polling station? Really appreciate your help to date.


Regards

Correct Answer
Joe Clarke Tue, 06/10/2008 - 18:38
User Badges: Cisco Employee, Hall of Fame, Founding Member

You can think of the user as an SNMP manager, but you don't have to use one username per NMS. Many customers create one SNMP user for their whole network for all their NMSes. They use the user/password as more of a secure community string.


SNMPv3 traps still require a user and a password. Only for traps, you'll need to add a notify view to your SNMPv3 group. For example:


snmp-server group v3group v3 auth notify v1default
snmp-server host version 3 auth v3user

smith.dean Tue, 06/10/2008 - 18:47

Thank you very much. Answered both my questions with exactly the information I needed! Much appreciated.

asarlo Thu, 11/27/2008 - 08:32

Hello, I have another question. I have SNMPv3 authNoPriv running OK. Now I want to enable priv, but it does not function. Do you know if I need additional configuration, or perhaps I need to use the local & remote engineID?

I am attaching the current configuration.


!!
snmp-server group userBROU v3 priv notify v1default
snmp-server trap link switchover
snmp-server trap-source Vlan31
snmp-server source-interface informs Vlan31
snmp-server contact Anacelia
snmp-server enable traps ......
snmp-server enable traps .....
snmp-server host 172.19.31.15 version 3 priv spectuser2
!!!
!

Thanks a lot in advance.

Regards, Anacelia

Joe Clarke Thu, 11/27/2008 - 09:19
User Badges: Cisco Employee, Hall of Fame, Founding Member

Please start a new thread for this issue.

asarlo Fri, 11/28/2008 - 05:06

I apologize, but yesterday we went to the customer and ran the following command and it ran!

!
!
snmp-server user spectuser2 userBROU v3 auth md5 user4passwd priv des56 user4priv
!
!

and that's all!

Regards, Anacelia

