How to configure SNMPv3 on Cisco IOS Router

How do I check the settings below? Is there any way to check this configuration?

R1(config)#snmp-server user MYUSER MYGROUP v3 auth md5 MYPASS123 priv aes 128 MYKEY123

I am not seeing this configuration in “show run” at all, but SNMP always works fine.

Thanks
Manami

Hi Manami,

These SNMPv3 commands are not saved in the running config but in the private config. You can’t retrieve the passwords, the usernames will show up though with show snmp user.

Rene
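Why the device can list the user but never hand back the password, as an added example that is not from the thread or from Cisco: an SNMPv3 agent stores only the key localized to its own snmpEngineID (RFC 3414 A.2, and RFC 3826 for the AES-128 privacy key). The "maplesyrup" values are the published RFC 3414 Appendix A test vector; the two engine IDs and the MYPASS123/MYKEY123 inputs are constructed for illustration.

```python
"""SNMPv3 USM key derivation (RFC 3414 A.2 / RFC 3826) - added example.
Python stand-in for what the agent does with 'auth md5|sha <pass> priv aes 128
<key>': the password is expanded and hashed into Ku, then localized to the
agent's snmpEngineID as Kul. Only Kul needs to live on the device."""
import hashlib

ONE_MEBIBYTE = 1048576  # RFC 3414 A.2.1: hash exactly 1,048,576 octets

def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku = H(password repeated cyclically to 1 MiB); algo is 'md5' or 'sha1'."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEBIBYTE // len(password) + 1))[:ONE_MEBIBYTE]
    return hashlib.new(algo, stream).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku), RFC 3414 A.2.1 step 2."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def auth_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """Localized authentication key for this particular agent."""
    return localize_key(password_to_key(password, algo), engine_id, algo)

def priv_key_aes128(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3826 1.2: AES-128 uses the first 16 octets of the localized key
    derived from the *privacy* password with the *authentication* hash."""
    return auth_key(password, engine_id, algo)[:16]

# RFC 3414 Appendix A.3 test vector (genuine published values).
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC_PASSWORD = b"maplesyrup"

# Constructed engine IDs for two hypothetical routers (enterprise 9, MAC form).
ENGINE_R1 = bytes.fromhex("800000090300aabbccdd01")
ENGINE_R2 = bytes.fromhex("800000090300aabbccdd02")

def same_password_differs_per_engine(password: bytes = b"MYPASS123") -> bool:
    """One password, two engines: the stored keys differ, and neither key
    contains the password (hash output only), so it cannot be read back."""
    k1 = auth_key(password, ENGINE_R1, "md5")
    k2 = auth_key(password, ENGINE_R2, "md5")
    return k1 != k2 and password not in k1 and password not in k2

if __name__ == "__main__":
    print("MD5 Kul :", auth_key(RFC_PASSWORD, RFC_ENGINE_ID, "md5").hex())
    print("SHA1 Kul:", auth_key(RFC_PASSWORD, RFC_ENGINE_ID, "sha1").hex())
    print("AES-128 priv key, R1:", priv_key_aes128(b"MYKEY123", ENGINE_R1, "md5").hex())
```

Because the stored key depends on the engine ID, changing snmp-server engineID on a router invalidates every SNMPv3 user on it, which is the same reason the user lines cannot simply be copied between devices.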

Hi Rene

In your config example, do you not also need to configure the snmp server command?

e.g. snmp-server host 10.0.0.1 version 3 priv MYUSER

Where 10.0.0.1 is the IP of the SNMP server

Hello Chris

The snmp-server host command specifies the recipient of an SNMP notification, either as a trap or as a response to an inform request.

If you don’t specify the server, as Rene has not in his example, you are able to connect to the router and send responses to SNMP inform requests only. Traps require further configuration on the router because they are initiated by the router itself. Informs are initiated by external SNMP queriers.

I hope this has been helpful!

Laz

I need to confirm the difference between auth and priv in SNMPv3.

If I configure the following, what is the difference between them?

snmp-server group SBG v3 auth read ABC
snmp-server group SBG v3 priv read ABC

Regards,
Mohammed Oves

Hi Mohammed,

Auth is authentication and priv is privacy (encryption). For authentication we can use MD5 or SHA, for encryption DES/AES.

Rene

Why do you have to specify the security level on the group when you do it for the user?

Hello Justin

When you specify the security level in the following command

R1(config)#snmp-server group MYGROUP v3 priv

you are specifying that SNMP packets will be authenticated and encrypted.

When issuing the command:

R1(config)#snmp-server user MYUSER MYGROUP v3 auth md5 MYPASS123 priv aes 128 MYKEY123

you are specifying that the user will indeed use the User Based Security Model (USM) for SNMPv3 that has been configured in the previous command. The priv keyword in the second command is not the same as that in the first. In the first, you have the option of specifying auth, noauth or priv while in the second command you either include the priv keyword or you don’t. If you use the priv keyword, you then must specify the encryption method and key sizes.

Take a look at the following two command references from Cisco:

snmp-server group:

snmp-server user:

I hope this has been helpful!

Laz

2 Likes

Hello Rene,

In the topic Introduction to SNMP, you have mentioned that
noAuthNoPriv means: noAuthNoPriv = username authentication but no encryption.

But in the topic SNMPv3, you have mentioned that
noAuthNoPriv means: noAuthNoPriv = no authentication and no encryption.

So I am a bit confused. I think that there is no authentication in SNMPv3, but then what do you mean by username authentication in noAuthNoPriv?

Hello Tejpal

Yes, you are correct that the statements are confusing. First of all, let’s look at what the noAuthNoPriv level of security actually does. For SNMP v1 and v2, noAuthNoPriv will indeed result in no username authentication and no encryption. However, only the community string will be used to match for authentication.

For SNMP v3, because it doesn’t use the concept of a community string, the noAuthNoPriv level will result in no encryption but a username will be used for authentication.

Because of these differences, the statements were made in this way. However, I will let Rene know so that he can clarify this a little more.

Thanks for pointing that out!

Laz

Hello team,

I have a doubt regarding SNMP and NetFlow: where should we configure these protocols in a network topology, i.e. on the switch, router, firewall, or servers in the DMZ?

Regards
Varun Uppal

Hello Varun

It all depends on what kinds of things you want to capture. For netflow, you can specify particular ports from which to capture traffic. You can choose these ports based on what information you want to gain. For example, if you want to follow the traffic that is flowing to and from a web server on your network, configure netflow to monitor the particular port on a switch that the server is connected to. If you want to examine backbone traffic, choose the port channel you have configured between your primary switches and your edge router.

For SNMP, the idea is the same. Do you want to examine particular attributes of traffic to and from your DMZ? Choose the appropriate ports.

In general, when choosing switches as the location to monitor, you are monitoring more specific traffic. Traffic that goes over routers and firewalls is usually consolidated traffic of many combined users.

Ultimately, you have to first define what you are looking for in order to proceed to practically decide on what ports to monitor.

I hope this has been helpful!

Laz

1 Like

Hello,
I had to use Des56 for the encryption type on my physical 2621xm router like this:


But when I tried to retrieve the information like Rene, using snmpget, I got “missing object name”.
So I tried to add the object sysName.0 and then I got “Encryption not enabled”.

Is this because des is not the same as Des56? Can you help me get this working? Do I have to get an NMS to be able to get it working, or can I continue to use snmpget? Btw, snmpget worked just fine getting SNMPv2 object info.

Thanks for your help!!! I should have started studying here a long time ago :frowning_face: I would have advanced in my studies much more had I done that.

Did anyone try this? If so, does this work using a VM with a Debian install? I could not get the Observium community version installed on Ubuntu 18.04. Anyone had any luck implementing this with GNS3? Please share!

Hello Martha

Doing some research, I found that several IOS platforms use the des56 keyword while others simply use des; however, both result in the same 56-bit encryption. It’s strange that you would get this result. I assume the 2621XM router doesn’t support AES?

Doing a bit more research, it seems that the problem may not be with your router configuration, but with your snmpget utility. The snmpget utility detects the use of des, but the specific package you have installed doesn’t support it or it wasn’t enabled. If you use your favorite search engine to find the error message that is displayed, you will find solutions to the problem for your particular installation.

I hope this has been helpful!

Laz

I will try this again sometime.

1 Like

Hi Rene,

The paragraph below is from the lesson:

The notify view is used to send notifications to members of the group. If you don’t specify any then it will be disabled by default.

The example below is from Cisco certification guide.


My question is: no notify view is defined in the snmp-server group command, and if the notify view is not defined, notifications are disabled. So does that mean the configuration is wrong? Could you please clarify?

Best Regards…

Hello Fatih

No, it is not wrong to simply not configure any notify views. Remember that the notify option specifies a notify view. This does not mean that all notifications are disabled and SNMP stops working.

The notify view is something that you can define and configure. By default nothing is defined for the notify view, that is, the null OID until the snmp-server host command is issued. The notify view is usually not configured manually. Rather, it’s added by the snmp-server host command automatically, when a user in a group is bound to a notification target host. SNMP will use the username configured with snmp-server host along with the security model specified to authenticate and possibly encrypt the notifications.

Cisco recommends that you let the software autogenerate the notify view, so unless your configuration requires it, it is better not to configure this at all. You can find more info about this and related commands in the following Cisco documentation.

I hope this has been helpful!

Laz

Rene,

Do I need to use the same group name if I have several devices, or a different group for each device?

Hello Juan

An SNMP group is simply a table that maps SNMP users to SNMP views. These are local to the device. You can use the same or different group names within each device. You can specify up to 10 groups within a single device.

I hope this has been helpful!

Laz