SNMPv.3 Configuration

Unanswered Question
Aug 12th, 2009

I am doing research on migrating our routers and switches from SNMPv.1/v.2 to SNMPv.3. Really appreciated if somebody can share the experiences, and/or point to right documentations. Thank you.

btw. we are using Orion SolarWinds, and HP OpenView for monitoring.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Joe Clarke Wed, 08/12/2009 - 09:03

The biggest thing to be concerned with is whether or not your devices can do the level of SNMPv3 you require. If you require SNMPv3 authPriv, then you require a crypto image. SNMPv3 authPriv provides you with hashed credentials and an encrypted payload.

If all you require, however, is SNMPv3 authNoPriv (i.e. hashed credentials, but clear text payload), then any 120.(3)T image or higher will do.

Part of deciding on the type of v3, as well as the underlying hash and encryption algorithms, is what do your management applications support. Any NMS claiming SNMPv3 support will at least support SNMPv3 authNoPriv with MD5 hashing. If they do authPriv, then they will support (at the very least) MD5 hashing with DES encryption.

MD5 and DES may not be good enough for you, however. You have other options. For hashing, you can move from the 128-bit MD5 to the 160-bit SHA-1, and from the 56-bit DES to 3DES or AES. In general, you will find AES more commonly supported than 3DES, however.

If I were just getting started with SNMPv3, I'd probably start simple just so you can understand the differences between community-string based SNMP and user-based. I'd do SNMPv3 authNoPriv with MD5 hashing. Here is a basic overview of the configuration tasks:

And another guide on securing SNMP (as well as securing v1/v2c):

One caveat to share is that the password you pick your both hashing and encryption must be at least 8 characters long so that it works with all management systems. A very basic config which just allows SNMP read-only polling is below:

snmp-server group v3group v3 auth

snmp-server user v3user v3group v3 auth md5 v3user123


This Discussion