How to configure SNMPv3 on Cisco IOS Router

Hello Sims.

We’ll inform Rene about adding some information about SNMPv3 as well. In the meantime, here is some general information:

SNMPv3 hasn’t changed much from v2 as far as the protocol itself is concerned other than the addition of cryptographic security. Security is the main focus of v3 because security has been the biggest weakness of the protocol since its inception.

Additional changes include new textual conventions, concepts and terminology.

As for the actual configuration of the protocol on Cisco devices, one of the major differences is that you no longer create an SNMP community name, but you create a username, password, and apply authentication and encryption algorithms such as SHA and AES.

So where SNMP commands in v2 would look like this:

Router(config)#snmp-server community StringRW rw SNMPRW

the corresponding command for v3 would be:

Router(config)#snmp-server user snmpManager MGMTSTATIONS v3 auth sha SecurePa55 priv aes 128 Secure3ncrypt access SNMPv3

I hope this has been helpful!

Laz

Hi,

Actually I was talking about the view part of snmpv3

snmp-server view writeview internet included

Thanks

Hi Sims,

Once you have access through SNMP, you will have access to the entire Management Information Base (MIB).

With views, it’s possible to limit this to certain (sub)trees.

Cisco has some good examples here:

Like this one:

snmp-server view myview mib-2 included
snmp-server view myview atEntry excluded
snmp-server view myview cisco included

It includes access to the MIB-II and Cisco MIB but denies access to the atEntry MIB.



Hi,

First of all, thank you so much for your clear lessons. I'm heavily depending on them as my study material for my CCNP 300-101.

I would love to see a full tutorial on how to implement Observium with GNS3 routers. I have searched the whole net, but I can't find anything.

Could you please guide us step by step on how to use GNS3 (VMware) with Observium?

Thanks.

Hi Hussam,

Glad to hear you like it.

If you want to play around with Observium, it’s best to use the tutorial that you can find on the Observium website:

http://docs.observium.org/install_debian/

Once you have Observium up and running, the only thing you need to do is to use the cloud icon in GNS3 to connect a physical network card (or a virtual one if you use vmware) to your GNS3 routers:

This is an older video but it’s probably still 99% the same on the latest GNS3 version.

Rene


Thank you Rene, I will try them and I will let you know.

How to check below settings? Is there any way to check this configuration?

R1(config)#snmp-server user MYUSER MYGROUP v3 auth md5 MYPASS123 priv aes 128 MYKEY123

I am not seeing this configuration in "show run" at all, but SNMP always works fine.

Thanks
Manami

Hi Manami,

These SNMPv3 commands are not saved in the running config but in the private config. You can't retrieve the passwords, though the usernames will show up with show snmp user.

Rene

Hi Rene

In your config example, do you not also need to configure the snmp server command?

e.g. snmp-server host 10.0.0.1 version 3 priv MYUSER

Where 10.0.0.1 is the IP of the SNMP server

Hello Chris

The snmp-server host command specifies the recipient of an SNMP notification, either as a trap or as a response to an inform request.

If you don't specify the server (as Rene hasn't in his example), you are only able to connect to the router and send responses to SNMP inform requests. Traps require further configuration on the router because they are initiated by the router itself. Informs are initiated by external SNMP queriers.

I hope this has been helpful!

Laz

I need to confirm what the difference is between auth and priv in SNMPv3.

If I configure the following, what is the difference between them?

snmp-server group SBG v3 auth read ABC
snmp-server group SBG v3 priv read ABC

Regards,
Mohammed Oves

Hi Mohammed,

Auth is authentication and priv is privacy (encryption). For authentication we can use MD5 or SHA, for encryption DES/AES.

Rene

Why do you have to specify the security level on the group when you do it for the user?

Hello Justin

When you specify the security level in the following command

R1(config)#snmp-server group MYGROUP v3 priv

you are specifying that SNMP packets will be authenticated and encrypted.

When issuing the command:

R1(config)#snmp-server user MYUSER MYGROUP v3 auth md5 MYPASS123 priv aes 128 MYKEY123

you are specifying that the user will indeed use the User Based Security Model (USM) for SNMPv3 that has been configured in the previous command. The priv keyword in the second command is not the same as that in the first. In the first, you have the option of specifying auth, noauth or priv while in the second command you either include the priv keyword or you don’t. If you use the priv keyword, you then must specify the encryption method and key sizes.

Take a look at the following two command references from Cisco:

snmp-server group:

snmp-server user:

I hope this has been helpful!

Laz

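Pulling together the view example from the earlier answer and the group/user explanation above into one working SNMPv3 configuration (an added example, not from the original thread or a Cisco document): the view restricts which subtrees the group may read, the group fixes the security level at authPriv, and the user supplies the actual authentication and privacy keys. MGMTVIEW, the SNMP-MGMT ACL, 10.0.0.1 as the management station, and the passwords are placeholders.

```cisco
! View: MIB-II and the Cisco MIBs are readable, the atEntry subtree is not
snmp-server view MGMTVIEW mib-2 included
snmp-server view MGMTVIEW atEntry excluded
snmp-server view MGMTVIEW cisco included
!
! Only the management station may poll this router (hypothetical ACL)
ip access-list standard SNMP-MGMT
 permit 10.0.0.1
!
! Group: v3 with security level priv (authenticated AND encrypted),
! read access limited to the view, source addresses limited by the ACL
snmp-server group MYGROUP v3 priv read MGMTVIEW access SNMP-MGMT
!
! User: SHA for authentication, AES-128 for privacy; the user inherits
! the authPriv requirement from the group it is placed in
snmp-server user MYUSER MYGROUP v3 auth sha MYPASS123 priv aes 128 MYKEY123
!
! Only needed if the router itself should send traps to the NMS;
! the notification is sent as MYUSER with authPriv
snmp-server enable traps snmp linkdown linkup
snmp-server host 10.0.0.1 version 3 priv MYUSER
!
! Verification (the user is kept out of show running-config, but appears here):
! show snmp user
! show snmp group
! show snmp view
```

If the group were created with auth instead of priv, a user configured with a priv key would still be accepted, but an NMS polling with authPriv is only enforced when the group says priv.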

Hello Rene,

In the topic Introduction to SNMP, you have mentioned that
noAuthNoPriv means: noAuthNoPriv = username authentication but no encryption.

But in the topic SNMPv3, you have mentioned that
noAuthNoPriv means: noAuthNoPriv = no authentication and no encryption.

So I am a bit confused. I think that there is no authentication in SNMPv3, but then what do you mean by username authentication in noAuthNoPriv?

Hello Tejpal

Yes, you are correct that the statements are confusing. First of all, let’s look at what the noAuthNoPriv level of security actually does. For SNMP v1 and v2, noAuthNoPriv will indeed result in no username authentication and no encryption. However, only the community string will be used to match for authentication.

For SNMP v3, because it doesn’t use the concept of a community string, the noAuthNoPriv level will result in no encryption but a username will be used for authentication.

Because of these differences, the statements were made in this way. However, I will let Rene know so that he can clarify this a little more.

Thanks for pointing that out!

Laz

Hello team,

I have a doubt regarding SNMP and NetFlow: where should we configure these protocols in a network topology, i.e. on the switch, router, firewall, or servers in the DMZ?

Regards
Varun Uppal

Hello Varun

It all depends on what kinds of things you want to capture. For netflow, you can specify particular ports from which to capture traffic. You can choose these ports based on what information you want to gain. For example, if you want to follow the traffic that is flowing to and from a web server on your network, configure netflow to monitor the particular port on a switch that the server is connected to. If you want to examine backbone traffic, choose the port channel you have configured between your primary switches and your edge router.

For SNMP, the idea is the same. Do you want to examine particular attributes of traffic to and from your DMZ? Choose the appropriate ports.

In general, when choosing switches as the location to monitor, you are monitoring more specific traffic. Traffic that goes over routers and firewalls is usually consolidated traffic of many combined users.

Ultimately, you have to first define what you are looking for in order to proceed to practically decide on what ports to monitor.

I hope this has been helpful!

Laz


Hello,
I had to use Des56 for the encryption type on my physical 2621xm router like this:


But when I tried to retrieve the information like Rene did, using snmpget, I got "missing object name".
So I tried adding the object sysName.0, and then I got "Encryption not enabled".

Is this because des is not the same as Des56? Can you help me get this working? Do I have to get an NMS to be able to get it working, or can I continue to use snmpget? Btw, snmpget worked just fine getting SNMPv2 object info.

Thanks for your help!!! I should have started studying here a long time ago. I would have advanced in my studies much more had I done that.