
Configuring SNMPv3 on Catalyst switches

by Jeremy L. Gaddis on March 3, 2010 · 5 comments

in Networking

Configuring SNMPv3 on Cisco Catalyst switches is pretty simple and is much preferred over v1 or v2c, which carry the community string (the only "credential") in clear text. SNMPv3 has three big benefits:

  • authentication — we can be assured that the message originated from a valid source
  • integrity — we can be assured that a packet has not been modified in transit
  • encryption — no more plain-text SNMP data flying around our network

First off, we need to decide what hosts should be allowed to query our switch using SNMP. In my case, this is a single host with the IP address 192.0.2.13. We’ll create a new access control list (ACL) on the switch to restrict access to SNMP.

c3550# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
c3550(config)# ip access-list standard SNMP
c3550(config-std-nacl)# permit host 192.0.2.13
c3550(config-std-nacl)# deny any log
c3550(config-std-nacl)# exit
c3550(config)#

Next, we'll set the system contact and system location for the device. These values are just free text, so you can enter whatever you want. In production you'll likely want to use something meaningful, especially for the device location.

c3550(config)# snmp-server location Bloomington, IN, USA
c3550(config)# snmp-server contact jeremy@evilrouters.net

Now we want to create a "view" that restricts what data our SNMP user will be able to access. I'll create a view named "MIB-2" that includes only the "mib-2" subtree (1.3.6.1.2.1); anything outside it, such as the Cisco enterprise MIBs, stays invisible to this user.

c3550(config)# snmp-server view MIB-2 mib-2 included

With our view created, we'll create a group ("READONLY") that requires authentication and encryption (v3 priv) and assign it the read view we just created. No write view is given, so members of this group can only read.

c3550(config)# snmp-server group READONLY v3 priv read MIB-2

Our last step is to actually create an SNMPv3 user. Here I'll create a user named "cacti" with randomly generated authentication and privacy passphrases (the first is used for authentication, the second for encryption). We'll use HMAC-SHA for authentication and 128-bit AES for encryption. In addition, we'll associate the "SNMP" ACL we created earlier with this user, so even a correct passphrase is useless from any host other than 192.0.2.13.

Note #1: The passphrases used here were randomly generated using "pwgen 16 2" on FreeBSD.

Note #2: I’ve broken this command up over two lines, but the whole thing should be entered on one line.

c3550(config)# snmp-server user cacti READONLY v3 auth sha 5mJwYWFmjcgHVEP8
     priv aes 128 16Y8HHbd81nHJgYq access SNMP

Exit global configuration mode and save the config. Note that the SNMPv3 user (and its passphrases) is not shown in the running configuration; use "show snmp user" to confirm it exists. Because the keys derived from the passphrases are bound to the switch's SNMP engine ID, changing the engine ID later ("snmp-server engineID local") means the user must be recreated.

c3550(config)# end
c3550# wr
Building configuration...
[OK]
c3550#
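To make the "bound to the engine ID" point concrete, here is what the switch actually does with the two passphrases from the snmp-server user command. This is an added example written for this post, not Cisco's code: it implements the RFC 3414 password-to-key and key-localization steps (plus HMAC-SHA-96 tagging and the RFC 3826 AES-128 key truncation) using only the Python standard library. The RFC 3414 "maplesyrup" test vector is real; the 12-byte engine ID used with the post's own passphrases is a constructed assumption (a real one is shown by "show snmp engineID").

```python
"""SNMPv3 USM key handling, per RFC 3414 (auth) and RFC 3826 (AES).

Added example, not code from the original post or from Cisco: it shows
what the switch does with the two passphrases supplied to
"snmp-server user cacti ... auth sha ... priv aes 128". Neither
passphrase is stored or ever sent on the wire; each is hashed into a
key and then bound ("localized") to the agent's snmpEngineID.
"""
import hashlib
import hmac

ONE_MIB = 1024 * 1024      # RFC 3414 A.2: hash exactly 1 MiB of repeated password
HMAC96_LEN = 12            # HMAC-SHA-96 keeps the first 12 bytes of the MAC
AES128_KEY_LEN = 16        # RFC 3826 3.1.2.1: first 128 bits of the localized key


def password_to_key(password: bytes, algorithm: str = "sha1") -> bytes:
    """Ku: hash of the password repeated out to exactly 1 MiB (RFC 3414 A.2.2)."""
    if not password:
        raise ValueError("empty passphrase")
    reps, rem = divmod(ONE_MIB, len(password))
    return hashlib.new(algorithm, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the only form of the key the agent keeps."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def usm_keys(auth_pass: bytes, priv_pass: bytes, engine_id: bytes) -> dict:
    """Derive the localized auth key and the AES-128 privacy key for one agent."""
    auth_kul = localize_key(password_to_key(auth_pass), engine_id)
    priv_kul = localize_key(password_to_key(priv_pass), engine_id)
    return {"auth": auth_kul, "priv": priv_kul[:AES128_KEY_LEN]}


def auth_tag(auth_kul: bytes, whole_msg: bytes) -> bytes:
    """msgAuthenticationParameters for HMAC-SHA-96 (RFC 3414 6.3.1)."""
    return hmac.new(auth_kul, whole_msg, "sha1").digest()[:HMAC96_LEN]


def tag_is_valid(auth_kul: bytes, whole_msg: bytes, tag: bytes) -> bool:
    """Receiver-side check; constant-time compare so timing leaks nothing."""
    return hmac.compare_digest(auth_tag(auth_kul, whole_msg), tag)


# RFC 3414 A.3.2 test vector: password "maplesyrup", engineID 00..00 02.
RFC3414_ENGINE_ID = bytes(11) + b"\x02"
RFC3414_PASSWORD = b"maplesyrup"

# Constructed sample: the post's passphrases localized to an engine ID of my own
# choosing (an assumption; a real Cisco engine ID comes from "show snmp engineID").
SAMPLE_ENGINE_ID = bytes.fromhex("800000090300aabbccddeeff")

if __name__ == "__main__":
    ku = password_to_key(RFC3414_PASSWORD)
    print("Ku  =", ku.hex())
    print("Kul =", localize_key(ku, RFC3414_ENGINE_ID).hex())
    keys = usm_keys(b"5mJwYWFmjcgHVEP8", b"16Y8HHbd81nHJgYq", SAMPLE_ENGINE_ID)
    print("cacti auth Kul =", keys["auth"].hex())
    print("cacti AES key  =", keys["priv"].hex())
    # Same passphrases on a different switch give different localized keys, so a
    # key lifted from one agent is useless against another, and a changed engine
    # ID on the same switch orphans the user until it is recreated.
    other = usm_keys(b"5mJwYWFmjcgHVEP8", b"16Y8HHbd81nHJgYq", bytes(11) + b"\x03")
    print("same passphrases elsewhere give different keys:", other["auth"] != keys["auth"])
```

The 1 MiB stretching step is why a Catalyst pauses for a moment when you enter the snmp-server user command, and why an attacker who captures traffic still has to brute-force the passphrase rather than read it. Localization is also why the passphrase must be typed into each switch (or each engine ID) separately.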

We should be all set. To verify, I'll test with "snmpget" from my FreeBSD box (192.0.2.13), which is permitted by the "SNMP" ACL I created, against the switch's management address (198.18.0.2).

[jlgaddis@homer ~]$ snmpget -v 3 -u cacti -l authPriv -a sha -A 5mJwYWFmjcgHVEP8 \
    -x aes -X 16Y8HHbd81nHJgYq 198.18.0.2 sysContact.0
SNMPv2-MIB::sysContact.0 = STRING: jeremy@evilrouters.net
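One caveat on that command: passing -A and -X on the command line leaves both passphrases in the shell history and visible to every local user via ps. net-snmp will read them from ~/.snmp/snmp.conf instead (see snmp.conf(5)). The fragment below is an added example, not part of the original post; it assumes the same user and passphrases shown above.

```conf
# ~/.snmp/snmp.conf  --  keep this file mode 0600, it holds the passphrases
defVersion 3
defSecurityName cacti
defSecurityLevel authPriv
defAuthType SHA
defAuthPassphrase 5mJwYWFmjcgHVEP8
defPrivType AES
defPrivPassphrase 16Y8HHbd81nHJgYq
```

With that in place the same check is just "snmpget 198.18.0.2 sysContact.0". While you are at it, try the same query from a host not in the ACL and with a wrong passphrase; both should fail, and the ACL's "log" keyword will record the denied attempt on the switch. A request for an object outside mib-2 (a Cisco enterprise OID, for instance) should come back without the object, confirming the view is doing its job.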

That's all there is to setting up SNMPv3. Now stop using the insecure v1 and v2c on your production networks!
