In this tutorial, you will learn how to configure SNMPv3 on a Cisco IOS switch.
SNMPv3 configuration is completely different from SNMPv1 or SNMPv2: it requires creating a group and a user and setting a security level.
It sounds complicated, but it's easy.
SNMPv3 Security Levels
Before walking through the examples you need to understand the three SNMPv3 security levels. SNMP versions 1 and 2 have no equivalent of these security features.
- noAuthNoPriv = Uses a username for identification with no password. Nothing is encrypted. This gives you the same level of security as SNMPv1 and v2 and is not recommended.
- AuthNoPriv = Uses a username and password for authentication. The authentication exchange is protected (the password is never sent in the clear; messages carry a keyed hash), but the data exchanged between the device and the server is not encrypted.
- AuthPriv = Uses a username and password for authentication, plus full end-to-end encryption of the data.
Tip #1: By default, an SNMPv3 group has full read access to all MIBs. You can use the read view option to limit which MIBs your network monitoring tool can read. Unfortunately, Cisco's documentation of this is sparse.
Tip #2: You can also attach an access list to an SNMPv3 group. This lets you lock down which IP addresses can query your device (see example 4).
To keep things simple I’ll be using the default view for all the examples.
If you don’t like video tutorials or want more details, then continue reading the instructions below.
Example 1: SNMPv3 with noAuthNoPriv (No Encryption)
This is the least secure option and is basically the same as SNMPv2.
Step 1: Create a Group
First, create a group and set its security level. In this example, I named my group “group1” and assigned it the noauth (noAuthNoPriv) security level.
Switch(config)#snmp-server group group1 v3 noauth
Step 2: Create a User
Next, create a user and assign it to the group you just created. I created “user1” and assigned it to group1.
Switch(config)#snmp-server user user1 group1 v3
That's it; SNMPv3 is configured. To verify that SNMP is working, see step 3.
Step 3: Verify SNMPv3 is working
You can use an SNMP tester tool to verify SNMP is working. I’m using the Paessler SNMP tool in this example.
For a simple test use these settings:
- The IP address of the computer you are testing from
- The IP address of the device you want to test
- SNMP version set to 3
- The SNMP user you created
- The test set to read the device uptime
After clicking Start you should get the device uptime back if SNMP was configured correctly. This shows that your remote computer is able to read SNMP information from the device.
That is it for example 1. Remember that noAuthNoPriv provides no password authentication and no encryption, so it is not recommended. It is basically the same as using SNMPv2.
Example 2: SNMPv3 with AuthNoPriv (Authentication only)
These steps are similar to example 1, but this level authenticates the user with a password (protected by a hash) without encrypting the data.
Step 1: Create a Group
In this example, I’ll create a group named “group2” and set the security to auth (AuthNoPriv).
Switch(config)#snmp-server group group2 v3 auth
Step 2: Create a User with a Password and Encryption
Here I create “user2”, assign it to group2, and configure the password with SHA authentication. Change mypassword1 to a password of your choice.
Switch(config)#snmp-server user user2 group2 v3 auth sha mypassword1
Step 3: Verify SNMPv3
In the Paessler SNMP tool, you need to select authentication and enter your password.
Example 3: SNMPv3 with AuthPriv (Full end to end Encryption)
This example authenticates the user and encrypts the end-to-end communication. This is the preferred configuration.
Step 1: Create a Group (set security to priv)
Switch(config)#snmp-server group group3 v3 priv
Step 2: Create a User
Here I create user3, assign it to group3, set the authentication password and hash (SHA), then set the password and cipher (AES 256) for encrypting the end-to-end communication.
Switch(config)#snmp-server user user3 group3 v3 auth sha mypassword1 priv aes 256 privpassword1
That is it for example 3. Use the SNMP Tester or verify with your NMS software.
If testing with the SNMP Tester you will need to enter both the authentication password and the encryption password.
Note: The Paessler SNMP Tester does not work with aes 256 encryption. I had to change the encryption to aes 128 for the Paessler to work.
Example 4: SNMPv3 with Access List
You can use an access list to limit which remote systems can query your devices.
First, create an access list.
Below I create a standard named ACL called “NMS_ACL” and permit the IP address of the remote system I want to allow. Every other source is denied by the implicit deny at the end of the ACL.
Switch(config)#ip access-list standard NMS_ACL
Switch(config-std-nacl)#permit 192.168.100.22
When you configure the SNMP group, reference the ACL you just created with the access keyword.
Switch(config)#snmp-server group group4 v3 priv access NMS_ACL
With this configuration, only the IP address 192.168.100.22 can query the device using SNMPv3. A query from any other IP address, such as 192.168.100.23, is denied.
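As an added example (not part of the original tutorial and not a Cisco tool), here is a small Python audit that reads the group and user lines from these examples and flags the mistakes this page warns about: a noauth group, a group without an access list, a user whose keys do not match its group's security level, and legacy MD5/DES. The sample configuration is constructed from the commands above; on a real device `show running-config` hides snmp-server user lines, so you would collect users from `show snmp user` instead.

```python
import re

# Constructed sample built from this tutorial's command lines (not real device
# output): one group/user pair per security level plus the ACL group of example 4.
SAMPLE_CONFIG = """\
snmp-server group group1 v3 noauth
snmp-server user user1 group1 v3
snmp-server group group2 v3 auth
snmp-server user user2 group2 v3 auth sha mypassword1
snmp-server group group3 v3 priv
snmp-server user user3 group3 v3 auth sha mypassword1 priv aes 256 privpassword1
snmp-server group group4 v3 priv access NMS_ACL
"""

GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)(?: access (\S+))?")
USER_RE = re.compile(
    r"^snmp-server user (\S+) (\S+) v3(?: auth (md5|sha) \S+)?(?: priv (des|3des|aes \d+) \S+)?"
)

def audit_snmpv3(config):
    """Return a list of findings (strings) for weak or inconsistent SNMPv3 settings."""
    groups, findings = {}, []
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            name, level, acl = m.groups()
            groups[name] = level
            if level == "noauth":
                findings.append(f"group {name}: noAuthNoPriv offers no password or encryption")
            if acl is None:
                findings.append(f"group {name}: no access list restricts who may query")
    for line in config.splitlines():
        m = USER_RE.match(line)
        if not m:
            continue
        user, group, auth, priv = m.groups()
        level = groups.get(group)
        if level is None:
            findings.append(f"user {user}: group {group} is not defined")
            continue
        # A user can only operate at the level its keys allow; a user without
        # priv keys in a priv group cannot complete a query at all.
        have = "priv" if priv else "auth" if auth else "noauth"
        if (level == "priv" and have != "priv") or (level == "auth" and have == "noauth"):
            findings.append(f"user {user}: group {group} requires {level} but user has only {have}")
        if auth == "md5" or (priv and priv.startswith(("des", "3des"))):
            findings.append(f"user {user}: MD5/DES are legacy; prefer SHA and AES")
    return findings
```

Running `audit_snmpv3(SAMPLE_CONFIG)` flags group1 for noAuthNoPriv and groups 1 to 3 for having no access list; only group4 from example 4 passes cleanly.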
Verify SNMP Configuration
You can verify your SNMP configuration with these commands.
Show SNMP Group Details
To see all group details use this command:
Switch#show snmp group
Show SNMP User Details
To see all user details use this command:
Switch#show snmp user
I just showed you several examples for configuring SNMPv3 on a Cisco switch. If your devices support v3, it is recommended to start moving them over to the more secure SNMPv3. SNMPv1 and v2c are less secure and provide no encryption: the community string travels in clear text, so anyone able to sniff the traffic can capture it.