Cisco, Juniper, Networking

Configuring SNMPv3

6 Comments

This page will show, how you would configure SNMPv3 on Cisco and Juniper network device

Cisco IOS

You need to create a group, select the version of SNMP and whether you want to add USM (User Security Model) aka security level. Once the group has been created we will need to create a user, associate the user to the newly created group and set the authentication password and privacy password.

Cisco Security Levels
noAuthNoPrivThere is no authentication password requested and the communications between the agent and the server are not encrypted. The SNMP process just requests authorized username string match.
authNoPrivpassword authentication is requested either by MD5 or SHA hashing, however no encryption is used for communications between the devices.
authPrivauthentication is the same as authNoPriv however communications between the snmp process and the logging server is encrypted.

On Cisco IOS, its quite simple to get it SNMPv3 configured:

Switch(config)#snmp-server group test1 v3 priv
Switch(config)#snmp-server user test1 test1 v3 auth sha test1 priv aes 128 test1

Now that v3 user has been created, we can run and snmpwalk to make sure it working as expected:

[email protected]:~$ snmpwalk -v3 -u test1 -l authPriv -a SHA -A test1234 -x AES -X test1234 172.31.184.140
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(44)SE2, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 01-May-08 15:42 by antonino
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.516
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (582733) 1:37:07.33
SNMPv2-MIB::sysContact.0 = STRING: "Write a comment :D"
SNMPv2-MIB::sysName.0 = STRING: Switch.lab.co
SNMPv2-MIB::sysLocation.0 = STRING: "The Lab in Space"
SNMPv2-MIB::sysServices.0 = INTEGER: 6
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00"

Juniper Junos

With Junos, you will need to create your user, create your security-group, set the security-model, assign a user and once you have the group created and confirmed you will be able to set the privileges for each of the groups by assigned the MIB views

Security Model levelsSecurity LevelMIB Views
AnyAny security model
USMSNMPv3 security model
v1SNMPV1 security model
v2cSNMPv2c security model
NoneProvides no authentication and no encryption.
AuthenticationProvides authentication but no encryption.
PrivacyProvides authentication and encryption.
Notify-viewgroup user is inform of MIB updates
Read-viewthe group user can see the MIB updates
Write-viewthe group user can make changes to the MIB updates.

The configuration looks more complex on Junos than on IOS however it’s quite straightforward:

set snmp name "This a test for snmpwalk example :p"
set snmp location "The Lab in Space"
set snmp contact "Write a comment :D"
set snmp v3 usm local-engine user test1 authentication-sha authentication-password test1234
set snmp v3 usm local-engine user test1 privacy-aes128 privacy-password test1234
set snmp v3 vacm security-to-group security-model usm security-name test1 group view-all
set snmp v3 vacm access group view-all default-context-prefix security-model usm security-level privacy read-view view-all
set snmp v3 vacm access group view-all default-context-prefix security-model usm security-level privacy notify-view view-all
set snmp view view-all oid .1 include

As like before, we can run and snmpwalk to make sure it working as expected:

[email protected]:~$ snmpwalk -v3 -u test1 -l authPriv -a SHA -A test1234 -x AES -X test1234 10.1.0.201
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx220h2 internet router, kernel JUNOS 12.1X44-D45.2 #0: 2015-01-12 14:20:16 UTC     [email protected]:/volume/build/junos/12.1/service/12.1X44-D45.2/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel Build date: 2015-01-12 15:4
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.58
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (458338855) 53 days, 1:09:48.55
SNMPv2-MIB::sysContact.0 = STRING: Write a comment :D
SNMPv2-MIB::sysName.0 = STRING: This a test for snmpwalk example :p
SNMPv2-MIB::sysLocation.0 = STRING: The Lab in Space
SNMPv2-MIB::sysServices.0 = INTEGER: 4

With SNMPv3 available, you should be using v3 for the additional security available. You don’t have the option to configure SNMPv3 without user authentication and/or unencrypted (noAuthNoPriv) but this kinda pointless use SNMPv3 with no authentication or encryption. There could be situations where you will need user authentication but not need encryption (authNoPriv) however in most cases you will use both.

The following two tabs change content below.
My Twitter profileMy LinkedIn profileMy Instagram profile

Keeran Marquis

Network Engineer
Keeran Marquis is a Network Engineer. His main goal is to learn everything within the Networking field, pick up a little bit of scripting, be a poor man sysadmin and share whatever he knows! All Posts are his own views, opinions and experiences, no guarantees they will work for you but point you in the right direction 🙂
Share this:
Share

6 thoughts on “Configuring SNMPv3”

  1. seb

    There is a typo in the “junos” line : set snmp v3 vacm security-to-group security-model usm security-name test group view-all

    It has to be : set snmp v3 vacm security-to-group security-model usm security-name test1 group view-all

    Reply »
  4. Guy Greenshtein

    Why do you use both notify-view and read-view in the Junos configuration?
    What is the difference between them and what does it used for?

    Reply »

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.