Configuring SNMPv3 on Cisco Catalyst switches is pretty simple and is MUCH preferred over v1 or v2. SNMPv3 has three big benefits:
- authentication — we can be assured that the message originated from a valid source
- integrity — we can be assured that a packet has not been modified in transit
- encryption — no more plain-text SNMP data flying around our network
First off, we need to decide what hosts should be allowed to query our switch using SNMP. In my case, this is a single host with the IP address 192.0.2.13. We’ll create a new access control list (ACL) on the switch to restrict access to SNMP.
```
c3550# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
c3550(config)# ip access-list standard SNMP
c3550(config-std-nacl)# permit host 192.0.2.13
c3550(config-std-nacl)# deny any log
c3550(config-std-nacl)# exit
c3550(config)#
```
Next, we’ll set the system contact and system location for the device. These values are free-form text, so you can enter whatever you want. In production, you’ll likely want to use something meaningful, especially when it comes to the device location.
```
c3550(config)# snmp-server location Bloomington, IN, USA
c3550(config)# snmp-server contact firstname.lastname@example.org
```
Now, we want to create a “view” that restricts what data our SNMP user will be able to access. I’ll create a view named “MIB-2” and allow access to the “mib-2” MIB.
```
c3550(config)# snmp-server view MIB-2 mib-2 included
```
With our view created, we’ll create a group (“READONLY”) and assign it the read view that we just created.
```
c3550(config)# snmp-server group READONLY v3 priv read MIB-2
```
Our last step is to actually create an SNMPv3 user. Here, I’ll create a user named “cacti” with randomly generated authentication and privacy passwords (used for authentication and encryption). We’ll use the HMAC SHA algorithm for authentication and 128-bit AES encryption. In addition, we’ll associate the “SNMP” ACL that we created earlier with this user.
Note #1: The passwords used here were randomly generated using “pwgen 16 2” on FreeBSD.
Note #2: I’ve broken this command up over two lines, but the whole thing should be entered on one line.
```
c3550(config)# snmp-server user cacti READONLY v3 auth sha 5mJwYWFmjcgHVEP8 priv aes 128 16Y8HHbd81nHJgYq access SNMP
```
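What the “auth sha” and “priv aes 128” passphrases in that command actually turn into is worth seeing once. The following is an added example, not part of the original post: the RFC 3414 password-to-key and key-localization algorithm in plain Python (standard library only), with the AES-128 privacy key taken from the localized key per RFC 3826. `RFC3414_TEST_ENGINE_ID` is the RFC’s own test-vector engine ID; the engine ID in the demo at the bottom is a constructed value, and a real switch’s is shown by `show snmp engineID`.

```python
import hashlib

# RFC 3414 A.3 test engine ID; a real switch's value is shown by "show snmp engineID" on IOS.
RFC3414_TEST_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_ku(password: str, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2 password-to-key: hash the passphrase repeated out to 1,048,576 bytes.

    The deliberate 1 MB expansion slows down guessing attacks against a captured
    localized key, which is why a short or guessable passphrase undermines both
    the 'auth' and the 'priv' layer.
    """
    pw = password.encode("utf-8")
    if len(pw) < 8:  # RFC 3414 section 11.2: passphrases must be at least 8 characters
        raise ValueError("SNMPv3 passphrases must be at least 8 characters")
    expanded = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    return hashlib.new(algo, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku), binding the key to one engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Convenience wrapper: passphrase -> Ku -> Kul for the given engine."""
    return localize_key(password_to_ku(password, algo), engine_id, algo)


def aes128_priv_key(priv_password: str, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3826: AES-128 uses the first 128 bits of the localized privacy key
    (SHA-1 yields 20 bytes, so the key is the first 16 of them)."""
    return localized_key(priv_password, engine_id, algo)[:16]


if __name__ == "__main__":
    # The two passphrases from the 'snmp-server user cacti ...' command on this page,
    # localized against a constructed engine ID (not taken from a real switch).
    engine_id = bytes.fromhex("800000090300aabbccddeeff")  # constructed example value
    print("auth key (HMAC-SHA):", localized_key("5mJwYWFmjcgHVEP8", engine_id).hex())
    print("priv key (AES-128): ", aes128_priv_key("16Y8HHbd81nHJgYq", engine_id).hex())
```

Because the localized key depends on the engine ID, the same passphrase gives a different key on every switch; the pre-localization value Ku, however, lets anyone holding it derive the key for any engine, so it is as sensitive as the passphrase itself.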
Exit global configuration mode and save the config.
```
c3550(config)# end
c3550# wr
Building configuration...
[OK]
c3550#
```
We should be all set. To verify, I’ll test with “snmpget” on my FreeBSD box (192.0.2.13), which is permitted by the “SNMP” ACL I created.
```
[jlgaddis@homer ~]$ snmpget -v 3 -u cacti -l authPriv -a sha -A 5mJwYWFmjcgHVEP8 \
    -x aes -X 16Y8HHbd81nHJgYq 198.18.0.2 sysContact.0
SNMPv2-MIB::sysContact.0 = STRING: email@example.com
```
That’s all there is to setting up SNMPv3. Now stop using the insecure v1 and v2 on your production networks!