In the following example, I'm going to set up a Simple Network Management Protocol version 3 (SNMPv3) user on a Cisco router with a limited view of the system MIB (Management Information Base).
Create an SNMP view that limits the user to the system MIB.
ROUTER(config)# snmp-server view SYSTEM system included
Create an SNMPv3 group that uses the view defined above.
ROUTER(config)# snmp-server group SYSTEM_GROUP v3 priv read SYSTEM
We're using the priv keyword to enable encrypted communication between the router and the network management host. You'll have to decide if encryption is necessary and what impact it will have on your router's performance.
Finally, create the SNMPv3 user that will access the router.
ROUTER(config)# snmp-server user SYSTEM_USER SYSTEM_GROUP v3 auth md5 slaptiauth priv aes 128 slaptipriv
There are two password-like blocks here. The first, auth md5 slaptiauth, sets the user's authentication passphrase and the hash algorithm used with it. The second, priv aes 128 slaptipriv, sets the privacy passphrase and the encryption options for communication between the router and the network management host.
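Neither passphrase is stored or sent as typed: RFC 3414 turns each one into a key and then localizes that key with the router's snmpEngineID, so the same passphrase yields a different key on every agent. The following Python is an added example, not code from the original post, implementing that password-to-key algorithm. The "maplesyrup" vector is the published one from RFC 3414 Appendix A.3.1; the Cisco-style engine ID used with the post's passphrases is a constructed sample value.

```python
"""RFC 3414 password-to-key derivation for SNMPv3 USM (added example, not the post's code)."""
import hashlib

ONE_MEBIBYTE = 1024 * 1024
MIN_PASSPHRASE_LEN = 8  # RFC 3414 section 11.2: passphrases must be at least 8 octets


def password_to_ku(passphrase: bytes, hash_name: str = "md5") -> bytes:
    """Step 1 (RFC 3414 A.2): hash exactly 1 MiB of the passphrase repeated end to end.

    The result, Ku, depends only on the passphrase and is the same for every agent.
    """
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        raise ValueError("SNMPv3 passphrases must be at least 8 octets long")
    reps, rem = divmod(ONE_MEBIBYTE, len(passphrase))
    digest = hashlib.new(hash_name)
    digest.update(passphrase * reps + passphrase[:rem])
    return digest.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Step 2: bind Ku to one agent, Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(auth_pass: bytes, priv_pass: bytes, engine_id: bytes,
             hash_name: str = "md5", priv_key_len: int = 16) -> tuple:
    """Derive (authKey, privKey) as an agent/manager pair does for one engine ID.

    Both passphrases go through the same algorithm using the *auth* hash; AES-128
    (RFC 3826) takes the first 16 octets of the localized privacy key.
    """
    auth_key = localize_key(password_to_ku(auth_pass, hash_name), engine_id, hash_name)
    priv_key = localize_key(password_to_ku(priv_pass, hash_name), engine_id, hash_name)
    return auth_key, priv_key[:priv_key_len]


if __name__ == "__main__":
    # Published test vector from RFC 3414 Appendix A.3.1.
    rfc_engine = bytes.fromhex("000000000000000000000002")
    print("Ku :", password_to_ku(b"maplesyrup").hex())  # 9faf3283884e92834ebc9847d8edd963
    print("Kul:", localize_key(password_to_ku(b"maplesyrup"), rfc_engine).hex())  # 526f5eed9fcce26f8964c2930787d82b

    # The post's passphrases against a constructed (not real) Cisco-style engine ID:
    # 0x80 | enterprise 9, format 3 (MAC address), followed by six sample octets.
    sample_engine = bytes.fromhex("80000009030000000c0a0b0c")
    auth_key, priv_key = usm_keys(b"slaptiauth", b"slaptipriv", sample_engine)
    print("authKey:", auth_key.hex())
    print("privKey:", priv_key.hex())
```

Two practical consequences follow from the algorithm: a passphrase shorter than eight characters is rejected by the standard (and by IOS), and because the localization step mixes in the engine ID, a management station must learn each router's snmpEngineID (Net-SNMP does this with a discovery exchange) before it can compute the keys it needs.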
These are the basics of SNMPv3 configuration. Naturally, you'll want to flesh out the rest of your configuration and define a list of network management host IPs that can access SNMP on your router.
To test the configuration, use Net-SNMP on your workstation:
$ snmpwalk -v 3 -u SYSTEM_USER -a MD5 -A slaptiauth -x AES -X slaptipriv -l authPriv test-router
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, 7200 Software (C7200-SPSERVICESK9-M), Version 12.4(11)T1, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 25-Jan-07 19:57 by prod_rel_team
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.222
SNMPv2-MIB::sysUpTime.0 = Timeticks: (3413221624) 395 days, 1:10:16.24
SNMPv2-MIB::sysContact.0 = STRING: "Slaptijack"
SNMPv2-MIB::sysName.0 = STRING: ROUTER.slaptijack.com
SNMPv2-MIB::sysLocation.0 = STRING: USA
SNMPv2-MIB::sysServices.0 = INTEGER: 78
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORLastChange.0 = No more variables left in this MIB View (It is past the end of the MIB tree)
As you can see from the example above, the walk stops as soon as the system MIB has been traversed: the view hides everything else from this user.
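Eyeballing the walk once is fine, but a view that is later edited (or a second view attached to the group) can silently widen what the user sees. The following Python audit turns the check into something repeatable: it parses numeric snmpwalk output (snmpwalk -On ... .1, captured to a string or file beforehand) and reports any OID outside the .1.3.6.1.2.1.1 subtree that the SYSTEM view is meant to expose. This is an added example, not part of the original post, and both walks it parses are constructed samples, one clean and one with deliberately leaked objects.

```python
"""Audit an SNMPv3 view by checking every walked OID against the allowed subtree.

Added example, not the post's code.  Input is numeric Net-SNMP output (snmpwalk -On).
"""
import re
from typing import List, Tuple

# The 'system' group (SNMPv2-MIB::system) that 'snmp-server view SYSTEM system included' exposes.
SYSTEM_SUBTREE = "1.3.6.1.2.1.1"

# Net-SNMP prints 'OID = TYPE: value'; the last line of a restricted walk repeats
# the final OID followed by this marker instead of a value.
END_OF_VIEW = "No more variables left in this MIB View"
LINE_RE = re.compile(r"^\.?(?P<oid>\d+(?:\.\d+)+) = (?P<rest>.*)$")


def parse_walk(output: str) -> List[Tuple[str, str]]:
    """Return (oid, 'TYPE: value') pairs; continuation lines of multi-line strings
    (for example a Cisco sysDescr) do not match and are skipped on purpose."""
    rows = []
    for line in output.splitlines():
        match = LINE_RE.match(line.strip())
        if not match or match.group("rest").startswith(END_OF_VIEW):
            continue
        rows.append((match.group("oid"), match.group("rest")))
    return rows


def in_subtree(oid: str, subtree: str) -> bool:
    """Arc-aware prefix test: 1.3.6.1.2.1.11 is NOT under 1.3.6.1.2.1.1, even though
    a plain string prefix check would say it is."""
    return oid == subtree or oid.startswith(subtree + ".")


def audit_view(output: str, allowed: str = SYSTEM_SUBTREE) -> List[str]:
    """OIDs returned by the walk that lie outside the allowed subtree (empty = view holds)."""
    return [oid for oid, _ in parse_walk(output) if not in_subtree(oid, allowed)]


# Constructed sample: what a correctly restricted walk of '.1' looks like with -On.
CLEAN_WALK = """\
.1.3.6.1.2.1.1.1.0 = STRING: Cisco IOS Software (constructed sample)
Technical Support: http://www.cisco.com/techsupport
.1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.9.1.222
.1.3.6.1.2.1.1.3.0 = Timeticks: (3413221624) 395 days, 1:10:16.24
.1.3.6.1.2.1.1.4.0 = STRING: "Slaptijack"
.1.3.6.1.2.1.1.5.0 = STRING: ROUTER.slaptijack.com
.1.3.6.1.2.1.1.6.0 = STRING: USA
.1.3.6.1.2.1.1.7.0 = INTEGER: 78
.1.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
.1.3.6.1.2.1.1.8.0 = No more variables left in this MIB View (It is past the end of the MIB tree)
"""

# Constructed sample: the same walk after the view was widened by mistake.  ifNumber
# (interfaces group) and snmpInPkts (snmp group) now come back; the latter also
# exercises the 1.3.6.1.2.1.11-vs-1.3.6.1.2.1.1 prefix pitfall.
LEAKY_WALK = CLEAN_WALK.replace(
    ".1.3.6.1.2.1.1.8.0 = No more variables left in this MIB View (It is past the end of the MIB tree)\n",
    ".1.3.6.1.2.1.2.1.0 = INTEGER: 4\n"
    ".1.3.6.1.2.1.11.1.0 = Counter32: 120345\n",
)


if __name__ == "__main__":
    for name, walk in (("clean", CLEAN_WALK), ("leaky", LEAKY_WALK)):
        leaked = audit_view(walk)
        status = "OK" if not leaked else "LEAK: " + ", ".join(leaked)
        print(f"{name}: {len(parse_walk(walk))} objects, {status}")
```

Run the audit from the same management host that holds the SNMPv3 credentials, and keep the allowed subtree in the script in step with the view definition on the router; if a walk ever reports a leak, the view or the group-to-view binding has changed and deserves a look before anything else.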
Simple Network Management Protocol versions 1 and 2c have been the status quo on most networks for a long time. SNMPv1 suffered from a host of performance issues and really should be removed from your network. SNMPv3 has a lot of performance benefits and includes a much stricter security model. If the security model of SNMPv3 is too complicated for your network, SNMPv2c incorporates the performance changes without the security enhancements.