
Any resource issues known when using snmpv3 with encryption?

Hi,

I am planning to migrate a customer network from snmpv1 to snmpv3 with use of authentication and encryption -> authpriv.

Does anybody have experience in using snmpv3 and encryption concerning resource problems on network components and network management systems?

Best Regards,

Thorsten

8 Replies

Collin Clark
VIP Alumni

I use it on our border devices and have had no problems, but we use ISR routers with AIM VPN cards, so I would assume that the AIM card would do the encryption. The encryption for SNMPv3 is only DES which most Cisco routers can easily handle, so I would not be worried too much.

HTH and please rate.

Joe Clarke
Cisco Employee

SNMPv3 authPriv is still not widely supported by NMS products out-of-the-box, so you will want to check your NMS documentation to make sure it works. Additionally, Cisco devices such as the desktop XL switch line and the 2950 switches do not work well with SNMPv3 when it comes to tracking connected MAC addresses.

SNMPv3 authPriv will also require crypto images on all of your devices. Crypto code requires more memory, so make sure you have all of your devices sufficiently upgraded hardware-wise before making the conversion.

Our NMS products offer SNMPv3 authPriv, we tested that already.

Your hint concerning crypto images sounds really interesting. Is there any documentation in CCO where this is mentioned?

I read several Cisco documents about understanding, configuring and implementing SNMPv3, but there was no hint that crypto images are needed for authPriv.

Is there also any restriction concerning CatOS?

Best regards,

Thorsten Steffen

The Feature Navigator has the DES and AES SNMP crypto options, but it does not appear to be giving any image results at the moment. I can't find any other general documents that specify this requirement, but here is a matrix from the 3550 documentation that spells it out nicely (http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_12c_ea1/configuration/guide/swsnmp.html#wp1040787). Crypto images are needed across the board to do authPriv on any device. If you have a device without crypto support, you should not see any of the privacy options.

For example, on a 7507 I have running 12.2(12) (JSV image), my SNMPv3 user command ends after I specify an auth password. Whereas on a 7206 running 12.4(12) (ADVENTERPRISEK9) I see priv options with supported algorithms of 3des, des, and aes (note: algorithm support will vary depending on device and OS version).

Hello Joe,

Meanwhile, I have tried unsuccessfully in several ways to get official information from Cisco concerning the need for crypto images for SNMPv3 encryption.

Do you perhaps have the possibility of getting a statement through internal channels?

Regards,

Thorsten

Most NMS now support v3, except it introduces one issue. With more NMS you need to manually add v3 devices, since most NMS auto-discovery doesn't find new v3 devices.

jerry

This is not the case with CiscoWorks LMS. The auto-discovery feature works just fine with SNMPv3 provided you have configured correct credentials.

bsomogyi
Level 1

If you are using the CiscoWorks suite of products, they only support v3 auth, not priv. If you are using Openview, the SNMP Research "security pack" product is a very capable v3 implementation (extends HPOV to use SNMPv3).
