Configuring SNMPv3 can be a daunting task compared to earlier SNMP versions, simply because of the number of authentication and privacy parameters involved. In this short primer I’ll walk you through the steps necessary to set it up with the same functionality as earlier SNMP versions, but with real security (at least compared to SNMPv2c).
First, we’ll need to enable SNMPv3 from the configuration context of the switch:
Switch1# config
Switch1(config)# snmpv3 enable
After this the initialisation process starts. First we need to create a dummy user called “initial” (for reasons unknown to me), so don’t worry about what password you set at this point; we’ll remove this user again at the end.
SNMPv3 Initialization process.
Creating user 'initial'
Authentication Protocol: MD5
Enter authentication password: 12345678
Privacy protocol is DES
Enter privacy password: 12345678
'initial' has been created
After this it’ll ask you to create a second user, but I prefer to do that manually, so we’ll answer no. Then it asks whether you want to restrict earlier SNMP versions to read-only access, which is more or less the whole point of this exercise, so we’ll answer yes.
Would you like to create a user that uses SHA? [y/n] n
User creation is done.
SNMPv3 is now functional.
Would you like to restrict SNMPv1 and SNMPv2c messages to have read only access (you can set this later by the command 'snmp restrict-access'): y
By typing the following command you can confirm that the initial user has been created.
Switch1(config)# show snmpv3 user
Status and Counters - SNMP v3 Global Configuration Information
User Name Auth. Protocol Privacy Protocol
-------------------------------- ---------------- ----------------
initial MD5 CBC DES
Now we can create our ‘real’ user by issuing the following command. I’ve chosen SHA for authentication and AES-128 for privacy (encryption); you can use MD5 and DES respectively if you like, but do keep in mind that these are weaker algorithms.
Switch1(config)# snmpv3 user [username] auth sha [auth password] priv aes [priv password]
By typing the following command we can see that another user has been created, in my demo a user named snmpv3user. Note the stronger protocols.
Switch1(config)# show snmpv3 user
Status and Counters - SNMP v3 Global Configuration Information
User Name Auth. Protocol Privacy Protocol
-------------------------------- ---------------- ----------------
initial MD5 CBC DES
snmpv3user SHA CFB AES-128
This is where most people run into problems. One could reasonably assume that the right user has now been created with the right privileges, but so far we’ve only created two users without even the most basic privilege of logging in. Finish with the following commands to add the SNMPv3 user to a privileged group and remove the now unnecessary ‘initial’ user.
Switch1(config)# snmpv3 group managerpriv user [username] sec-model ver3
Switch1(config)# no snmpv3 user initial
For the final step towards better security, type the following commands to disable SNMPv1/v2c:
Switch1(config)# snmpv3 only
Switch1(config)# snmpv3 restricted-access
After you’re finished, remember to save your configuration once you’ve confirmed it works.
Switch1(config)# write memory
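To check that a switch actually ended up in the state this guide aims for, here is an added Python audit script (not part of the original post) that parses a captured ‘show snmpv3 user’ table and the relevant running-config lines, and flags a leftover ‘initial’ user, MD5 or DES, users that are not in any group, and a missing ‘snmpv3 only’. The sample outputs are constructed from the tables above, and the script assumes the switch stores the guide’s commands in the running config as typed.

```python
import re

# Constructed sample of 'show snmpv3 user' in the format shown in the guide,
# captured before the 'initial' user was removed.
SHOW_SNMPV3_USER = """\
Status and Counters - SNMP v3 Global Configuration Information
  User Name                        Auth. Protocol   Privacy Protocol
  -------------------------------- ---------------- ----------------
  initial                          MD5              CBC DES
  snmpv3user                       SHA              CFB AES-128
"""

# Constructed sample of the relevant running-config lines; this assumes the
# switch stores the guide's commands as typed.
RUNNING_CONFIG = """\
snmpv3 only
snmpv3 group managerpriv user "snmpv3user" sec-model ver3
"""


def parse_users(show_output):
    """Return {user: (auth_protocol, privacy_protocol)} from 'show snmpv3 user'."""
    users, in_table = {}, False
    for line in show_output.splitlines():
        if line.strip().startswith("----"):
            in_table = True            # the dashed rule precedes the user rows
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if in_table and len(parts) == 3:
            users[parts[0]] = (parts[1], parts[2])
    return users


def audit(show_output, running_config):
    """Return findings; an empty list means the setup matches the guide's end state."""
    users = parse_users(show_output)
    grouped = set(re.findall(
        r'^snmpv3 group \S+ user "?([^"\s]+)"? sec-model ver3', running_config, re.M))
    findings = []
    if "initial" in users:
        findings.append("leftover 'initial' user from initialisation still present")
    for name, (auth, priv) in users.items():
        if auth == "MD5":              # the guide calls MD5 and DES inferior
            findings.append(f"user {name}: weak authentication protocol {auth}")
        if priv == "CBC DES":
            findings.append(f"user {name}: weak privacy protocol {priv}")
        if name not in grouped:        # no group means the user cannot log in
            findings.append(f"user {name}: not assigned to any group")
    if not re.search(r"^snmpv3 only\s*$", running_config, re.M):
        findings.append("'snmpv3 only' not set: SNMPv1/v2c still accepted")
    return findings
```

Run it against the output captured before the cleanup step and every finding concerns the ‘initial’ user; after ‘no snmpv3 user initial’ the list is empty.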
Thanks, excellent description of the process.
Thanks!
Hello !
Thank you very much.
My current snmpv3 config for my 4100 switch is:
snmp-server snmpv3-only
snmpv3 user snmpv3user auth md5 auth-pass plaintext snmpv3userpassword priv des priv-pass plaintext privatepassword
snmpv3 context NewContext vrf default
snmpv3 user snmpv3user context NewContext
How can I add the SNMPv3 user to a privileged group like you did?
How can I “translate” the below 2930 switch snmpv3 commands to the equivalent on the 4100i?
snmpv3 group ManagerPriv user “snmpv3user” sec-model ver3
snmpv3 notify MyNotification tagvalue not_tag
snmpv3 targetaddress not_addr params not_params 172.x.x.x filter not-info taglist not_tag
snmpv3 params not_params user snmpv3user sec-model ver3 message-processing ver3 priv
snmpv3 community index 30 name yyy sec-name ManagerPriv
Thank you very much,
Hi! The CX 4100i is an Aruba CX switch so it runs a different OS, and the commands are completely different. I’m working on a guide for this, but do note that it’s very version dependent, so I recommend you update to the latest firmware version before trying anything, as SNMP changes quite a bit in version 11.11 if memory serves.
thanks a lot, very helpful article