Scribd
Upload
13 views

How To Configure SNMPv3 On Cisco IOS Router

Uploaded by

kaung khant zaw
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
13 views

How To Configure SNMPv3 On Cisco IOS Router

Uploaded by

kaung khant zaw
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 8

How to configure SNMPv3 on Cisco IOS Router

SNMPv3 is similar to SNMPv1 or SNMPv2 but has a completely different security model.
SNMPv1 and SNMPv2 use a community-string that is used as the password and there’s no
authentication or encryption.

SNMPv3 is able to use both authentication and encryption and has a new security model that
works with users, groups and 3 different security levels. Users will be applied to a group and
access policies will be applied to a group so that you can determine what groups have read or
read-write access and which MIBs (Management Information Bases) they should be able to
access.

Security Levels
SNMP offers 3 different security levels:

 noAuthNoPriv
 AuthNoPriv
 AuthPriv

Auth stands for Authentication and Priv for Privacy (encryption).

 noAuthNoPriv = username authentication and no encryption.


 AuthNoPriv = MD5 or SHA authentication but no encryption.
 AuthPriv = MD5 or SHA authentication AND encryption.

SNMPv1 and SNMPv2 only support noAuthNoPriv since they don’t offer any authentication or
encryption. SNMPv3 supports any of the three security levels. When you decide to use
noAuthNoPriv for SNMPv3 then the username will replace the community-string.

The community-string for SNMPv1 and SNMPv2 is send in clear-text. SNMPv3 is far more secure
because it doesn’t send the user passwords in clear-text but uses MD5 or SHA1 hash-based
authentication, encryption is done using DES, 3DES or AES.

Let’s take a look at a simple SNMPv3 configuration example on a Cisco IOS router.

Configuration Example
First we’ll create a new group and select a security model:
By using the priv parameter we will select the AuthPriv security level. There are a number of options for
security levels:

The first item is the access-list, you can use this to select what IP addresses or subnets should
be permitted for users. Optionally you can select certain views:

 If you don’t specify a read view then all MIB objects are accessible. Use this if you want
to limit the number of MIBs that your NMS (Network Management Software) can
monitor.
 Without a write view then nothing is writable, you will have read-only access.
 The notify view is used to send notifications to members of the group. If you don’t
specify any then it will be disabled by default.

To keep this example simple we won’t use any views for now, this means that we’ll have full
read access to all MIBs:
We’ll create a new user called “MYUSER” and assign it to the “MYGROUP” group. We use
SNMPv3 as the security model and use MD5 for authentication. This user will use “MYPASS123”
as the password. Encryption is done using AES 128-bit and the encryption key is “MYKEY123”.

This router is now SNMPv3 enabled and we can monitor it using SNMPv3 from a NMS. Let’s try
if we can get access…

Verification
User accounts are not stored in the configuration, take a look below:

Here you can see the username, security options and to which group the user belongs. We can also
check the group configuration:
Above you can see that we have our group called “MYGROUP” and that we use the default read view. If
you are a Linux user you can use the excellent snmpwalk command-line utility that tests if your router
can be accessed using SNMP. It works for SNMPv1, v2 and v3:
As you can see snmpwalk is able to extract information from my router. We’ll add the router to a NMS
now. I’m using Observium which is an excellent free and open source NMS. If your environment has a lot
of Cisco or Linux devices then I can highly recommend to give it a try:
We’ll have to specify our security level, username, password, authentication algorithm,
encryption key and protocol. Once the router has been added Observium will be able to extract
information from it using SNMP:
Above you can see that Observium is now monitoring our router using SNMPv3. This should
give you an idea of how SNMPv3 works and how to configure it on your Cisco devices.

You might also like