How to configure SNMPv3 on Cisco IOS Router

SNMPv3 is similar to SNMPv1 or SNMPv2 but has a completely different security model. SNMPv1 and SNMPv2 use a community-string that acts as the password, and there is no real authentication or encryption.

SNMPv3 is able to use both authentication and encryption and has a new security model that works with users, groups and 3 different security levels. Users are assigned to a group, and access policies are applied to the group, so you can determine which groups have read or read-write access and which MIBs (Management Information Bases) they are allowed to access.

Security Levels

SNMP offers 3 different security levels:

  • noAuthNoPriv
  • AuthNoPriv
  • AuthPriv

Auth stands for Authentication and Priv for Privacy (encryption).

  • noAuthNoPriv = username authentication and no encryption.
  • AuthNoPriv = MD5 or SHA authentication but no encryption.
  • AuthPriv = MD5 or SHA authentication AND encryption.

SNMPv1 and SNMPv2 only support noAuthNoPriv since they don’t offer any authentication or encryption. SNMPv3 supports any of the three security levels. If you use noAuthNoPriv with SNMPv3, the username replaces the community-string.

The community-string for SNMPv1 and SNMPv2 is sent in clear-text. SNMPv3 is far more secure because it doesn’t send the user passwords in clear-text but uses MD5 or SHA1 hash-based authentication; encryption is done using DES, 3DES or AES.

Let’s take a look at a simple SNMPv3 configuration example on a Cisco IOS router.

Configuration Example

First we’ll create a new group and select a security model:

R1(config)#snmp-server group MYGROUP ?
  v1   group using the v1 security model
  v2c  group using the v2c security model
  v3   group using the User Security Model (SNMPv3)

We’ll call our group “MYGROUP” and of course we will select SNMPv3 as the security model. The next step is to select the security level:

R1(config)#snmp-server group MYGROUP v3 ?
  auth    group using the authNoPriv Security Level
  noauth  group using the noAuthNoPriv Security Level
  priv    group using SNMPv3 authPriv security level

By using the priv parameter we select the AuthPriv security level. After the security level, there are a number of optional parameters:

R1(config)#snmp-server group MYGROUP v3 priv ?
  access   specify an access-list associated with this group
  context  specify a context to associate these views for the group
  match    context name match criteria
  notify   specify a notify view for the group
  read     specify a read view for the group
  write    specify a write view for the group
  <cr>

The first item is the access-list; you can use this to select which IP addresses or subnets are permitted to use this group. Optionally you can select certain views:

  • If you don’t specify a read view then all MIB objects are accessible. Use a read view if you want to limit the number of MIBs that your NMS (Network Management Software) can monitor.
  • Without a write view nothing is writable; you will have read-only access.
  • The notify view is used to send notifications to members of the group. If you don’t specify one, notifications are disabled by default.

To keep this example simple we won’t use any views for now, which means the group will have full read access to all MIBs.
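The rest of the article’s own configuration is not included on this page, so the following is an added example (not the article’s or the forum’s own code) that assembles a complete working configuration from the commands shown on this page, with a noAuthNoPriv group beside the hardened AuthPriv one for contrast. The names WEAKGROUP, WEAKUSER and MYVIEW, access-list 10 and the NMS address 192.0.2.10 are assumptions, and SHA is used where the forum reply uses MD5.

```cisco
! --- Weak: SNMPv3 at noAuthNoPriv. The username replaces the community-string,
! --- but nothing is authenticated or encrypted, so anyone on the path can read
! --- the requests and replies. Shown for contrast only.
snmp-server group WEAKGROUP v3 noauth
snmp-server user WEAKUSER WEAKGROUP v3
!
! --- Hardened: AuthPriv with SHA authentication and AES-128 privacy.
! --- Standard ACL 10 restricts which NMS address may use the group
! --- (192.0.2.10 is an assumed documentation address standing in for the NMS).
access-list 10 permit host 192.0.2.10
!
! Read view: MIB-II with the address translation table (atEntry) excluded,
! following the Cisco example quoted in the forum reply. Without a "read"
! keyword the group sees every MIB object; without "write" it stays read-only.
snmp-server view MYVIEW mib-2 included
snmp-server view MYVIEW atEntry excluded
!
! Group: v3, AuthPriv, read-only through MYVIEW, reachable only from ACL 10.
snmp-server group MYGROUP v3 priv read MYVIEW access 10
!
! User: the auth password and the priv key are separate secrets. The forum
! reply uses "auth md5"; SHA is the stronger choice when the NMS supports it.
! AES requires a crypto (k9) IOS image. Both secrets are turned into keys
! localized with the router's snmpEngineID, so the user must be re-created
! if the engineID is ever changed.
snmp-server user MYUSER MYGROUP v3 auth sha MYPASS123 priv aes 128 MYKEY123
!
! Verification. "snmp-server user" lines are deliberately not shown in
! show running-config; use these commands to confirm the user and group:
! R1#show snmp user
! R1#show snmp group
```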

Forum Replies

  1. Hi Sims,

    Once you have access through SNMP, you will have access to the entire Management Information Base (MIB).

    With views, it’s possible to limit this to certain (sub)trees.

    Cisco has some good examples here:

    https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/20370-snmpsecurity-20370.html

    Like this one:

    snmp-server view myview mib-2 included
    snmp-server view myview atEntry excluded
    snmp-server view myview cisco included
    

    It includes access to the MIB-II and Cisco MIB but denies access to the atEntry MIB.

  2. Hi Hussam,

    Glad to hear you like it.

    If you want to play around with Observium, it’s best to use the tutorial that you can find on the Observium website:

    http://docs.observium.org/install_debian/

    Once you have Observium up and running, the only thing you need to do is to use the cloud icon in GNS3 to connect a physical network card (or a virtual one if you use vmware) to your GNS3 routers:

    This is an older video but it’s probably still 99% the same on the latest GNS3 version.

    Rene

  3. Hello Justin

    When you specify the security level in the following command

    R1(config)#snmp-server group MYGROUP v3 priv

    you are specifying that SNMP packets will be authenticated and encrypted.

    When issuing the command:

    R1(config)#snmp-server user MYUSER MYGROUP v3 auth md5 MYPASS123 priv aes 128 MYKEY123

    you are specifying that the user will indeed use the User Based Security Model (USM) for SNMPv3 that has been configured in the previous command. The priv keyword in the second command is not the same as that in the first. In the first, you have the option of

    ... Continue reading in our forum

  4. Hello Tejpal

    Yes, you are correct that the statements are confusing. First of all, let’s look at what the noAuthNoPriv level of security actually does. For SNMP v1 and v2, noAuthNoPriv will indeed result in no username authentication and no encryption. However, only the community string will be used to match for authentication.

    For SNMP v3, because it doesn’t use the concept of a community string, the noAuthNoPriv level will result in no encryption but a username will be used for authentication.

    Because of these differences, the statements were made in thi

    ... Continue reading in our forum

  5. I will try this again sometime.
