Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

SNMPv3 basic understanding

I'm interested in migrating a device fleet from snmpv2c to snmpv3 support but am completely new to the snmpv3 security structure and a bit confused by it. Under the snmpv2c community model, you could define read only or read/write access based on this community string. I'm struggling to understand the direct corelation as to how this is done with snmpv3. The configuration samples all tend to overwhelm with every option available (groups, users, readviews, writeviews etc) rather than just those fundamentally needed. Can anyone offer me a very quick understanding of how I set up a "community" equivelant under snmpv3? Much appreciated.

  • Network Management
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: SNMPv3 basic understanding

You can think of the user as an SNMP manager, but you don't have to use one username per NMS. Many customers create one SNMP user for their whole network for all their NMSes. They use the user/password as more of a secure community string.

SNMPv3 traps still require a user and a password. Only for traps, you'll need to add a notify view to your SNMPv3 group. For example:

snmp-server group v3group v3 auth notify v1default

snmp-server host version 3 auth v3user

7 REPLIES
Cisco Employee

Re: SNMPv3 basic understanding

SNMPv3 uses a user-based security model. This model requires a username and password for authentication, and an optional additional password to encrypt the payload of the SNMP packet. Even without the encryption, the authentication data is protected using either an MD5 or SHA hash. The packet is additionally protected by an engine time field and a boot count. This helps prevent replay attacks.

Basically, all you need to allow SNMPv3 read on an IOS device is the following:

snmp-server group v3group v3 auth

snmp-server user v3user v3group v3 auth md5 v3pass123

That's it. This configures SNMPv3 authNoPriv using an MD5 hash for the authentication data. The user, v3user is allowed to poll any object in the v1default (built-in) view. The password chosen must be at least eight characters to be compatible with the USM.

If you want to allow write access as well, just change the group line to:

snmp-server group v3group v3 auth write v1default

This is very basic. I encourage you to read more on SNMP views to help limit access to those OIDs which are required.

New Member

Re: SNMPv3 basic understanding

Brilliant. Thanks very much for that. Has cut through the confusion for me! One remaining point I'd appreciate your clarification on though is the "user" definition. Is that effectively the NMS polling station? And how does that relate to the sending of traps from the IOS device to the polling station? Really appreciate your help to date.

Regards

Cisco Employee

Re: SNMPv3 basic understanding

You can think of the user as an SNMP manager, but you don't have to use one username per NMS. Many customers create one SNMP user for their whole network for all their NMSes. They use the user/password as more of a secure community string.

SNMPv3 traps still require a user and a password. Only for traps, you'll need to add a notify view to your SNMPv3 group. For example:

snmp-server group v3group v3 auth notify v1default

snmp-server host version 3 auth v3user

New Member

Re: SNMPv3 basic understanding

Thank you very much. Answered both my questions with exactly the information I needed! Much appreciated.

New Member

Re: SNMPv3 basic understanding

Hello, I have another question. I have snmpv3 authnoPriv running ok. Now I want to enable Priv, but does not function. Do you know if I need additional configuration, or perhaps I need to use the local & remote engineID ?.

I'am attaching you the current configuration.

!!

snmp-server group userBROU v3 priv notify v1default

snmp-server trap link switchover

snmp-server trap-source Vlan31

snmp-server source-interface informs Vlan31

snmp-server contact Anacelia

snmp-server enable traps ......

snmp-server enable traps .....

snmp-server host 172.19.31.15 version 3 priv spectuser2

!!!

!

Thanks a lot in advance.

Regards, Anacelia

Cisco Employee

Re: SNMPv3 basic understanding

Please start a new thread for this issue.

New Member

Re: SNMPv3 basic understanding

I'm apologize, but yesterday we went to the customer and run the following command and it run!

!

!

snmp-server user spectuser2 userBROU v3 auth md5 user4passwd priv des56 user4priv

!

!

and that's all!

Regards, Anacelia

2145
Views
9
Helpful
7
Replies
This widget could not be displayed.