SNMPv3 Deployment and Testing

SNMP Version 3 seems to be something many people have been reluctant to roll out for quite some time now. Not without good reason, as vendor support, poor management tool implementations of v3 and so forth can make it a real headache. One example that comes to mind is NNM 7.53’s implementation, which was truly awful and caused severe headaches, especially after any Cisco device was reloaded.

If you do take the plunge, however, here is an example config for IOS (“read” on IOS is default but it’s included here for clarity):

Cisco IOS

! Create an access-list to tie down access
access-list 99 permit 192.168.0.0 0.0.0.255

! Create an SNMP view. Optional but recommended in case of issues in future
! such as high CPU when NMS is grabbing large tables. We can use this to
! cut down the view and exclude the problematic part of the MIB tree.
snmp-server view SNMPVIEW iso included

! Create SNMPv3 groups for read and for traps
snmp-server group SNMPv3-RO v3 priv read SNMPVIEW access 99
snmp-server group SNMPv3-TRAP v3 priv notify SNMPVIEW access 99
 
! Create an SNMP User, one per network management system. Select
! your hashing and encryption algorithms here... Some docs suggest
! a separate user for read and traps, but the NMS may expect to use
! the same credentials for polling and receiving traps.
!
! Eg: SHA DES56
snmp-server user NETMAN-RO SNMPv3-RO v3 auth sha myauthpass priv des56 myencryptionpass access 99
snmp-server user NETMAN-TRAP SNMPv3-TRAP v3 auth sha myauthpass priv des56 myencryptionpass access 99

! Configure trap receivers for v3 (assuming they support it)
! You may want to use the same user for read/trap if your
! NMS expects it
snmp-server host 192.168.1.100 version 3 priv NETMAN-TRAP

! Enable the traps you want
snmp-server enable traps snmp coldstart warmstart linkup linkdown
snmp-server enable traps envmon
snmp-server enable traps hsrp
snmp-server enable traps bgp
!etc

! Configure ifindex persistence to stop ifIndex values reordering after
! hardware changes or upgrades
snmp-server ifindex persist

Test with:

snmpwalk -v3 -u NETMAN-RO -l authpriv -a SHA -A myauthpass -x DES -X myencryptionpass 192.168.56.100 .1.3.6.1.2.1.1.5.0

iso.3.6.1.2.1.1.5.0 = STRING: "R1.lab.local"

Test commands for different setups:

MD5-DES
snmpwalk -v3 -u CRSNMS -l authPriv -a MD5 -A authpasswd -x DES -X privpasswd TEST-RTR1

SHA-AES
snmpwalk -v3 -u CRSNMS -l authPriv -a SHA -A authpasswd -x AES -X privpasswd TEST-RTR1

SHA-DES
snmpwalk -v3 -u CRSNMS -l authPriv -a SHA -A authpasswd -x DES -X privpasswd TEST-RTR1
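The auth and priv passwords given to snmp-server user (and to snmpwalk with -A/-X) never go on the wire: the device hashes them with the chosen auth algorithm (MD5 or SHA) and then localizes the result to its own snmpEngineID, which is why an NMS must discover the engine ID first and why the same password yields a different key on every router. The script below, an added example that is not from the original post, carries out that RFC 3414 derivation with the standard library; the engine ID is the RFC's own test-vector value, not a real device's (read yours with show snmp engineID or by polling 1.3.6.1.6.3.10.2.1.1.0).

```python
"""SNMPv3 USM key derivation (RFC 3414 A.2): password -> Ku -> localized Kul.
Added example, not code from the original post."""
import hashlib

# RFC 3414 A.3 test-vector engine ID (constructed for this example, not a
# real router's). A real IOS box shows its value with 'show snmp engineID'.
TEST_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# net-snmp's -a names map to hashlib names; "SHA" in SNMPv3 means SHA-1.
AUTH_ALGOS = {"MD5": "md5", "SHA": "sha1"}
# Bytes of localized key actually used by the priv protocol:
# DES = 8-byte key + 8-byte pre-IV, AES-128 = 16-byte key.
PRIV_KEY_LEN = {"DES": 16, "AES": 16}


def password_to_key(password: str, auth: str) -> bytes:
    """Ku: hash of the password repeated cyclically to exactly 1,048,576 bytes."""
    pw = password.encode()
    if not pw:
        raise ValueError("SNMPv3 passwords must be at least 8 characters")
    reps, rem = divmod(1048576, len(pw))
    return hashlib.new(AUTH_ALGOS[auth], pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, auth: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku); ties the key to one device."""
    return hashlib.new(AUTH_ALGOS[auth], ku + engine_id + ku).digest()


def usm_keys(auth_pass: str, priv_pass: str, engine_id: bytes,
             auth: str = "SHA", priv: str = "DES") -> dict:
    """Return the localized auth and priv keys an agent stores for a user.
    The priv key is derived with the *auth* hash, then truncated per RFC 3414."""
    auth_key = localize_key(password_to_key(auth_pass, auth), engine_id, auth)
    priv_key = localize_key(password_to_key(priv_pass, auth), engine_id, auth)
    return {"auth_key": auth_key, "priv_key": priv_key[:PRIV_KEY_LEN[priv]]}


if __name__ == "__main__":
    # Same credentials as the IOS config above, localized to the test engine ID.
    keys = usm_keys("myauthpass", "myencryptionpass", TEST_ENGINE_ID, "SHA", "DES")
    for name, k in keys.items():
        print(f"{name}: {k.hex()}")
```

Because the stored keys are localized, the plaintext passwords cannot be recovered from a device backup, but a NETMAN-RO user created with the same password on two routers will hold different keys on each.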