SNMP Version 3 seems to be something many people have been reluctant to roll out for quite some time now. Not without good reason, as vendor support, poor management tool implementations of v3 and so forth can make it a real headache. One example that comes to mind is NNM 7.53’s implementation, which was truly awful and caused severe headaches, especially after any Cisco device was reloaded.
If you do take the plunge, however, here is an example config for IOS (“read” on IOS is default but it’s included here for clarity):
```
! Create an access-list to tie down access
access-list 99 permit 192.168.0.0 0.0.0.255
!
! Create an SNMP view. Optional but recommended in case of issues in future
! such as high CPU when NMS is grabbing large tables. We can use this to
! cut down the view and exclude the problematic part of the MIB tree.
snmp-server view SNMPVIEW iso included
!
! Create SNMPv3 groups for read and for traps
snmp-server group SNMPv3-RO v3 priv read SNMPVIEW access 99
snmp-server group SNMPv3-TRAP v3 priv notify SNMPVIEW access 99
!
! Create an SNMP User, one per network management system. Select
! your hashing and encryption algorithms here... Some docs suggest
! a separate user for read and traps, but the NMS may expect to use
! the same credentials for polling and receiving traps.
!
! Eg: SHA DES56
snmp-server user NETMAN-RO SNMPv3-RO v3 auth sha myauthpass priv des56 myencryptionpass access 99
snmp-server user NETMAN-TRAP SNMPv3-TRAP v3 auth sha myauthpass priv des56 myencryptionpass access 99
!
! Configure trap receivers for v3 (assuming they support it)
! You may want to use the same user for read/trap if your
! NMS expects it
snmp-server host 192.168.1.100 version 3 priv NETMAN-TRAP
!
! Enable the traps you want
snmp-server enable traps snmp coldstart warmstart linkup linkdown
snmp-server enable traps envmon
snmp-server enable traps hsrp
snmp-server enable traps bgp
! etc
!
! Configure ifindex persist to stop ifIndexes reordering after hardware
! changes or upgrades
snmp-server ifindex persist
```
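The config above uses SHA with DES56; DES is the weakest priv option IOS offers, and AES is preferable where the NMS supports it. As an added example (not from the original post), the following Python audit parses the `snmp-server` lines of a running-config and flags leftover v1/v2c community strings, groups without `priv` or without a defined access-list, users with MD5 or DES, trap receivers that are not version 3 priv, and a missing `ifindex persist`. The sample config is constructed and is not from a real device.

```python
WEAK_AUTH, WEAK_PRIV = {"md5"}, {"des", "des56"}

# Constructed sample (assumption, not a real device): the post's SNMP lines in
# running-config order, plus a leftover v2c community string to be flagged.
SAMPLE_CONFIG = """\
snmp-server group SNMPv3-RO v3 priv read SNMPVIEW access 99
snmp-server group SNMPv3-TRAP v3 priv notify SNMPVIEW access 99
snmp-server user NETMAN-RO SNMPv3-RO v3 auth sha myauthpass priv des56 myencryptionpass access 99
snmp-server host 192.168.1.100 version 3 priv NETMAN-TRAP
snmp-server community public RO
snmp-server ifindex persist
access-list 99 permit 192.168.0.0 0.0.0.255
"""

def _after(words, key):  # token following `key` on the line, or None if absent
    i = words.index(key) if key in words else -1
    return words[i + 1] if 0 <= i < len(words) - 1 else None

def audit_snmp(config):
    """Return findings (strings) for weak or missing SNMP settings in an IOS config."""
    lines = [ln.split() for ln in config.splitlines()]
    acls = {w[1] for w in lines if w[:1] == ["access-list"] and len(w) > 1}
    findings, ifindex_persist = [], False
    for words in lines:
        if len(words) < 3 or words[0] != "snmp-server":
            continue
        kind, name = words[1], words[2]
        if kind == "community":
            findings.append(f"community {name}: SNMPv1/v2c community string present")
        elif kind == "group":
            if words[3:4] != ["v3"]:
                findings.append(f"group {name}: not SNMPv3")
            elif "priv" not in words:
                findings.append(f"group {name}: v3 without priv (no encryption)")
            acl = _after(words, "access")
            if acl is None or acl not in acls:
                findings.append(f"group {name}: access-list {acl} missing or undefined")
        elif kind == "user":
            auth, priv = _after(words, "auth"), _after(words, "priv")
            if auth in WEAK_AUTH:
                findings.append(f"user {name}: auth {auth} is weak")
            if priv is None or priv in WEAK_PRIV:
                findings.append(f"user {name}: priv {priv} is weak or absent")
        elif kind == "host" and (_after(words, "version") != "3" or "priv" not in words):
            findings.append(f"host {name}: trap receiver is not SNMPv3 authPriv")
        elif kind == "ifindex" and name == "persist":
            ifindex_persist = True
    if not ifindex_persist:
        findings.append("global: snmp-server ifindex persist not set")
    return findings
```

Feed it the output of `show running-config | include snmp-server|access-list` and review the returned list; on the sample it reports the DES56 user and the v2c community string.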
A quick test walk against the device, using the NETMAN-RO user:

```
snmpwalk -v3 -u NETMAN-RO -l authpriv -a SHA -A myauthpass -x DES -X myencryptionpass 192.168.56.100 .220.127.116.11.18.104.22.168.0
iso.22.214.171.124.126.96.36.199 = STRING: "R1.lab.local"
```
Test commands for different setups:
```
# MD5 / DES
snmpwalk -v3 -u CRSNMS -l authPriv -a MD5 -A authpasswd -x DES -X privpasswd TEST-RTR1

# SHA / AES
snmpwalk -v3 -u CRSNMS -l authPriv -a SHA -A authpasswd -x AES -X privpasswd TEST-RTR1

# SHA / DES
snmpwalk -v3 -u CRSNMS -l authPriv -a SHA -A authpasswd -x DES -X privpasswd TEST-RTR1
```