This page will show, how you would configure SNMPv3 on Cisco and Juniper network device
Cisco IOS
You need to create a group, select the version of SNMP and whether you want to add USM (User Security Model) aka security level. Once the group has been created we will need to create a user, associate the user to the newly created group and set the authentication password and privacy password.
authNoPriv – password authentication is requested either by MD5 or SHA hashing, however no encryption is used for communications between the devices.
authPriv – authentication is the same as authNoPriv however communications between the snmp process and the logging server is encrypted.
On Cisco IOS, its quite simple to get it SNMPv3 configured:
Switch(config)#snmp-server group test1 v3 priv Switch(config)#snmp-server user test1 test1 v3 auth sha test1 priv aes 128 test1
Now that v3 user has been created, we can run and snmpwalk to make sure it working as expected:
[email protected]:~$ snmpwalk -v3 -u test1 -l authPriv -a SHA -A test1234 -x AES -X test1234 172.31.184.140 SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(44)SE2, RELEASE SOFTWARE (fc2) Copyright (c) 1986-2008 by Cisco Systems, Inc. Compiled Thu 01-May-08 15:42 by antonino SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.516 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (582733) 1:37:07.33 SNMPv2-MIB::sysContact.0 = STRING: "Write a comment :D" SNMPv2-MIB::sysName.0 = STRING: Switch.lab.co SNMPv2-MIB::sysLocation.0 = STRING: "The Lab in Space" SNMPv2-MIB::sysServices.0 = INTEGER: 6 SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00"
Juniper Junos
With Junos, you will need to create your user, create your security-group, set the security-model, assign a user and once you have the group created and confirmed you will be able to set the privileges for each of the groups by assigned the MIB views
USM — SNMPv3 security model
v1 — SNMPV1 security model
v2c — SNMPv2c security model
Authentication — Provides authentication but no encryption.
Privacy — Provides authentication and encryption.
Read-view – the group user can see the MIB updates
Write-view – the group user can make changes to the MIB updates.
The configuration looks more complex on Junos than on IOS however it’s quite straightforward:
set snmp name "This a test for snmpwalk example :p" set snmp location "The Lab in Space" set snmp contact "Write a comment :D" set snmp v3 usm local-engine user test1 authentication-sha authentication-password test1234 set snmp v3 usm local-engine user test1 privacy-aes128 privacy-password test1234 set snmp v3 vacm security-to-group security-model usm security-name test1 group view-all set snmp v3 vacm access group view-all default-context-prefix security-model usm security-level privacy read-view view-all set snmp v3 vacm access group view-all default-context-prefix security-model usm security-level privacy notify-view view-all set snmp view view-all oid .1 include
As like before, we can run and snmpwalk to make sure it working as expected:
[email protected]:~$ snmpwalk -v3 -u test1 -l authPriv -a SHA -A test1234 -x AES -X test1234 10.1.0.201 SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx220h2 internet router, kernel JUNOS 12.1X44-D45.2 #0: 2015-01-12 14:20:16 UTC [email protected]:/volume/build/junos/12.1/service/12.1X44-D45.2/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel Build date: 2015-01-12 15:4 SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.58 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (458338855) 53 days, 1:09:48.55 SNMPv2-MIB::sysContact.0 = STRING: Write a comment :D SNMPv2-MIB::sysName.0 = STRING: This a test for snmpwalk example :p SNMPv2-MIB::sysLocation.0 = STRING: The Lab in Space SNMPv2-MIB::sysServices.0 = INTEGER: 4
With SNMPv3 available, you should be using v3 for the additional security available. You don’t have the option to configure SNMPv3 without user authentication and/or unencrypted (noAuthNoPriv) but this kinda pointless use SNMPv3 with no authentication or encryption. There could be situations where you will need user authentication but not need encryption (authNoPriv) however in most cases you will use both.
Keeran Marquis
Latest posts by Keeran Marquis (see all)
- Life and Times of an Unemployed Professional Speed Dater #3 - August 5, 2018
- Life and Times of an Unemployed Professional Speed Dater #2 - August 5, 2018
- Life and Times of an Unemployed Professional Speed Dater #1 - August 5, 2018
There is a typo in the “junos” line : set snmp v3 vacm security-to-group security-model usm security-name test group view-all
It has to be : set snmp v3 vacm security-to-group security-model usm security-name test1 group view-all
cheers for that seb 🙂
saved me
Excellent tutorial, man! Thanks a bunch!
Why do you use both notify-view and read-view in the Junos configuration?
What is the difference between them and what does it used for?
Hi Guy
INE have a much better explanation of the differences than i could provide :p
http://blog.ine.com/2008/07/19/snmpv3-tutorial/
Cheers
Keeran