Cisco Support Community

New Member

Any resource issues known when using snmpv3 with encryption?

Hi,

I am planning to migrate a customer network from snmpv1 to snmpv3 with use of authentication and encryption -> authpriv.

Does anybody have experience in using snmpv3 and encryption concerning resource problems on network components and network management systems?

Best Regards,

Thorsten

8 REPLIES

Re: Any resource issues known when using snmpv3 with encryption?

I use it on our border devices and have had no problems, but we use ISR routers with AIM VPN cards, so I would assume that the AIM card would do the encryption. The encryption for SNMPv3 is only DES which most Cisco routers can easily handle, so I would not be worried too much.

HTH and please rate.

Cisco Employee

Re: Any resource issues known when using snmpv3 with encryption?

SNMPv3 authPriv is still not widely supported by NMS products out-of-the-box, so you will want to check your NMS documentation to make sure it works. Additionally, Cisco devices such as the desktop XL switch line and the 2950 switches do not work well with SNMPv3 when it comes to tracking connected MAC addresses.

SNMPv3 authPriv will also require crypto images on all of your devices. Crypto code requires more memory, so make sure you have all of your devices sufficiently upgraded hardware-wise before making the conversion.

New Member

Re: Any resource issues known when using snmpv3 with encryption?

Our NMS products offer SNMPv3 authPriv, we tested that already.

Your hint concerning crypto images sounds really interesting. Is there any documentation in cco where this is mentioned?

I read several Cisco documents about understanding, configuring and implementing SNMPv3, but there was no hint that crypto images are needed for authPriv.

Is there also any restriction concerning CatOS?

Best regards,

Thorsten Steffen

Cisco Employee

Re: Any resource issues known when using snmpv3 with encryption?

The Feature Navigator has the DES and AES SNMP crypto options, but it does not appear to be giving any image results at the moment. I can't find any other general documents that specify this requirement, but here is a matrix from the 3550 documentation that spells it out nicely (http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_12c_ea1/configuration/guide/swsnmp.html#wp1040787). Crypto images are needed across the board to do authPriv on any device. If you have a device without crypto support, you should not see any of the privacy options.

For example, on a 7507 I have running 12.2(12) (JSV image), my SNMPv3 user command ends after I specify an auth password. Whereas on a 7206 running 12.4(12) (ADVENTERPRISEK9) I see priv options with supported algorithms of 3des, des, and aes (note: algorithm support will vary depending on device and OS version).
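
A pre-migration check built on the point above that authPriv needs a crypto image, as an added example that is not part of the original post or any Cisco tool: it splits an inventory into hosts whose image name carries a crypto designator and hosts that would block the authPriv rollout. The k9/k8/k2/56i naming markers, the inventory format, and every hostname and image name below are assumptions or constructed samples; the authoritative test remains whether the device CLI offers the priv options.

```python
# Assumption (not stated in the thread): the feature-set field of a Cisco
# image name carries a crypto designator: "k9" (strong crypto), "k8" (weak,
# DES only) and, on older trains, "k2" (3DES) or "56i" (56-bit DES).
CRYPTO_MARKERS = ("k9", "k8", "k2", "56i")

# Constructed sample inventory: one "hostname image-file" pair per line.
SAMPLE_INVENTORY = """\
# hostname      image (constructed sample values)
core-7206       c7200-adventerprisek9-mz.124-12.bin
dist-7507       rsp-jsv-mz.122-12.bin
access-3550     c3550-i5q3l2-mz.121-12c.EA1.bin
oob-term        unknown
"""

def crypto_marker(image_name):
    """Return the crypto designator in the feature-set field, or None."""
    # Layout assumed: platform-featureset-format.version.bin
    stem = image_name.strip().lower().split(".", 1)[0]
    parts = stem.split("-")
    if len(parts) < 3:
        raise ValueError(f"unrecognised image name: {image_name!r}")
    features = "-".join(parts[1:-1])
    for marker in CRYPTO_MARKERS:
        if marker in features:
            return marker
    return None

def audit(inventory_text):
    """Return (ready, blocked, unparsed) lists for an authPriv migration."""
    ready, blocked, unparsed = [], [], []
    for raw in inventory_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            host, image = fields
            marker = crypto_marker(image)
        except ValueError:                    # wrong field count or bad name
            unparsed.append(line)             # needs a manual look
            continue
        (ready if marker else blocked).append((host, image))
    return ready, blocked, unparsed

if __name__ == "__main__":
    ready, blocked, unparsed = audit(SAMPLE_INVENTORY)
    print("crypto image present :", [h for h, _ in ready])
    print("upgrade before authPriv:", [h for h, _ in blocked])
    print("check manually       :", unparsed)
```

A host in the first list may still offer only DES (a k8-style image), so confirm the available priv algorithms on the device before choosing AES for the NMS credentials.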

New Member

Re: Any resource issues known when using snmpv3 with encryption?

Hello Joe,

Meanwhile, I have tried unsuccessfully in several ways to get official information from Cisco concerning the need for crypto images for SNMPv3 encryption.

Do you perhaps have the possibility to get a statement through internal channels?

Regards,

Thorsten

New Member

Re: Any resource issues known when using snmpv3 with encryption?

Most NMS now support v3 except it introduces one issue. With more NMS you need to manually add v3 devices since most NMS auto discover doesn't find new v3 devices.

jerry

Cisco Employee

Re: Any resource issues known when using snmpv3 with encryption?

This is not the case with CiscoWorks LMS. The auto-discovery feature works just fine with SNMPv3 provided you have configured correct credentials.

New Member

Re: Any resource issues known when using snmpv3 with encryption?

If you are using the CiscoWorks suite of products, they only support v3 auth, not priv. If you are using Openview, the SNMP Research "security pack" product is a very capable v3 implementation (extends HPOV to use SNMPv3).
