Setting Up SNMPv3 In Cisco IOS

Posted on in Networking

In the following example, I'm going to set up a Simple Network Management Protocol version 3 (SNMPv3) user on a Cisco router with limited view of the system MIB.

  • Create an SNMP view that limits the user to the system MIB.

    ROUTER(config)# snmp-server view SYSTEM system included
    
  • Create an SNMPv3 group that uses the view defined above.

    ROUTER(config)# snmp-server group SYSTEM_GROUP v3 priv read SYSTEM
    

    We're using the priv keyword to enable encrypted communication between the router and network management host. You'll have to decide if encryption is necessary and what impact it will have on your router's performance.

  • Finally, create the SNMPv3 user that will access the router.

    ROUTER(config)# snmp-server user SYSTEM_USER SYSTEM_GROUP v3 auth md5 slaptiauth priv aes 128 slaptipriv
    

    There are two password like blocks here. The first is auth md5 slaptiauth this sets the user password and how it will be hashed. The next is priv aes 128 slaptipriv which sets the privacy passphrase and encryption options for communication between the router and network management host.

These are the basics of SNMPv3 configuration. Naturally, you'll want to flesh out the rest of your configuration and define a list of network management host IPs that can access SNMP on your router.

To test the configuration use Net-SNMP on your workstation:

$ snmpwalk -v 3 -u SYSTEM_USER -a MD5 -A slaptiauth -x AES -X slaptipriv -l authPriv test-router
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, 7200 Software (C7200-SPSERVICESK9-M), Version 12.4(11)T1, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 25-Jan-07 19:57 by prod_rel_team
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.222
SNMPv2-MIB::sysUpTime.0 = Timeticks: (3413221624) 395 days, 1:10:16.24
SNMPv2-MIB::sysContact.0 = STRING: "Slaptijack" 
SNMPv2-MIB::sysName.0 = STRING: ROUTER.slaptijack.com
SNMPv2-MIB::sysLocation.0 = STRING: USA
SNMPv2-MIB::sysServices.0 = INTEGER: 78
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORLastChange.0 = No more variables left in this MIB View (It is past the end of the MIB tree)

As you can see from the example above, the output dies after the system MIB is traversed.

Simple Network Management Protocol versions 1 and 2c have been the status quo on most networks for a long time. SNMPv1 suffered from a host of performance issues and really should be removed from your network. SNMPv3 has a lot of performance benefits and includes a much stricter security model. If the security model of SNMPv3 is too complicated for your network, SNMPv2c incorporates the performance changes without the security enhancements.

Slaptijack's Koding Kraken