Cisco Switch/Router SNMPv3 Configuration

In this blog post, we will explore the configuration of SNMPv3 on Cisco devices and how it can help you secure your SNMP communications.

What's new with SNMPv3?

SNMPv3 replaces the community string of earlier versions with a user-based access model built from three elements: SNMP Views, SNMP Groups, and SNMP Users.

  1. SNMP View - An SNMP View is the set of MIB (Management Information Base) objects that a user or group is allowed to access. It names which parts of the MIB tree are visible, as whole subtrees or as specific objects within them, and each entry can be included or excluded. For example, you can restrict a user (say, the account your monitoring system polls with) to a device's interface statistics and nothing else, and go further by exposing only specific interfaces.
  2. SNMP Groups - SNMP Groups are collections of SNMP users with the same SNMP View and access permissions. By assigning users to groups, you can simplify management and control access to specific portions of the MIB tree.
  3. SNMP Users - SNMP Users are the accounts (typically one per management system that needs access to the device over SNMP) that authenticate to the device. Each user carries its own authentication and privacy passphrases and belongs to one group, which determines its view and the security level it must use.
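To show how a view actually decides what a user can see, here is an added example (written for this post's explanation, not Cisco's code or anything from the original). It models view entries the way RFC 3415's VACM view-tree families do, which is what the IOS snmp-server view command populates: each entry is an OID subtree marked included or excluded, a `*` in an OID position is a single-sub-identifier wildcard, and for any OID the entry with the longest matching subtree decides. The view built here is the interface-stats-only case from the list above, narrowed to one interface (ifIndex 3); the object names are standard SNMPv2-MIB/IF-MIB instances, and the tie-break between equal-length subtrees is an assumption of this example.

```python
"""SNMP view resolution, modelled on RFC 3415 (VACM) view-tree families.

Added example for this post's explanation of views; not Cisco's code.
Assumptions: a '*' in an OID position is a single-sub-identifier wildcard
(as in IOS 'snmp-server view NAME ifEntry.*.3 included'), and ties between
equal-length subtrees are broken by the lexicographically greatest one.
"""
from typing import List, Optional, Tuple

Oid = Tuple[Optional[int], ...]        # None = wildcard position
ViewEntry = Tuple[Oid, bool]           # (subtree, included?)


def parse_oid(text: str) -> Oid:
    """'1.3.6.1.2.1.2.2.1.*.3' -> (1, 3, 6, 1, 2, 1, 2, 2, 1, None, 3)."""
    return tuple(None if p == "*" else int(p) for p in text.strip(".").split("."))


def subtree_matches(subtree: Oid, oid: Oid) -> bool:
    """True if every sub-identifier of subtree matches the OID's prefix."""
    if len(subtree) > len(oid):
        return False
    return all(s is None or s == o for s, o in zip(subtree, oid))


def oid_in_view(view: List[ViewEntry], oid: Oid) -> bool:
    """Visible if the longest matching subtree is 'included'; no match = hidden."""
    best_key, visible = None, False
    for subtree, included in view:
        if not subtree_matches(subtree, oid):
            continue
        # Longest subtree wins; concrete sub-ids rank above wildcards on ties.
        key = (len(subtree), tuple(-1 if s is None else s for s in subtree))
        if best_key is None or key > best_key:
            best_key, visible = key, included
    return visible


def build_view(*specs: str) -> List[ViewEntry]:
    """Build a view from 'OID included|excluded' strings, the arguments the
    IOS 'snmp-server view' command takes."""
    view = []
    for spec in specs:
        oid_text, flag = spec.split()
        view.append((parse_oid(oid_text), flag == "included"))
    return view


# The post's example: interface statistics only, narrowed to ifIndex 3.
IF_STATS_IFINDEX3 = build_view(
    "1.3.6.1.2.1.2 included",          # interfaces group (ifNumber, ifTable)
    "1.3.6.1.2.1.2.2.1 excluded",      # ifEntry: hide every interface row ...
    "1.3.6.1.2.1.2.2.1.*.3 included",  # ... except ifIndex 3, in any column
)

# Constructed sample OIDs (standard SNMPv2-MIB / IF-MIB instances).
SAMPLE_OIDS = {
    "sysDescr.0":   "1.3.6.1.2.1.1.1.0",
    "ifNumber.0":   "1.3.6.1.2.1.2.1.0",
    "ifDescr.3":    "1.3.6.1.2.1.2.2.1.2.3",
    "ifInOctets.3": "1.3.6.1.2.1.2.2.1.10.3",
    "ifInOctets.4": "1.3.6.1.2.1.2.2.1.10.4",
}


def visible_names(view: List[ViewEntry], oids=SAMPLE_OIDS) -> List[str]:
    """Names of the sample objects a user with this view could read."""
    return sorted(n for n, t in oids.items() if oid_in_view(view, parse_oid(t)))


if __name__ == "__main__":
    for name, text in SAMPLE_OIDS.items():
        state = "visible" if oid_in_view(IF_STATS_IFINDEX3, parse_oid(text)) else "hidden"
        print(f"{name:13} {text:26} {state}")
```

Running it shows sysDescr.0 hidden (nothing in the view covers the system group), ifNumber.0 and the ifIndex 3 columns visible, and ifInOctets.4 hidden because the ifEntry exclusion is the longest match for that row. The same logic is what a reviewer applies when checking whether a view really limits a polling account to the objects it needs.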

SNMPv3, compared to SNMPv2c, also introduces several significant security improvements. These improvements include:

  1. Authentication - Each SNMPv3 message carries an HMAC (HMAC-MD5-96 or HMAC-SHA-96; newer IOS and IOS XE releases also offer SHA-2 variants) computed with a key derived from the user's authentication passphrase, so the receiver can confirm that the message came from a known user and was not altered in transit. Engine boot and time counters in the message also limit replay of captured packets. This protects the integrity and origin of messages, not their contents: without privacy, everything polled is still readable on the wire.
  2. Encryption - SNMPv3 provides confidentiality by encrypting the PDU with DES, 3DES or AES (128-bit, with 192/256-bit on platforms that support them) using a key derived from the user's privacy passphrase, so polled data and any SET values cannot be read by someone capturing the traffic. Privacy always requires authentication; there is no privacy-only level. DES is a 56-bit legacy cipher and should be avoided where the device and the manager both support AES.

Overall, SNMPv3 offers significant security enhancements over SNMPv2c, making it a more robust and secure protocol for managing network devices.

The list below describes the three SNMPv3 security levels (on IOS these correspond to the noauth, auth and priv keywords of the snmp-server group command).

  • noAuthNoPriv - Only the username is checked; no integrity protection and no encryption. In practice this is no stronger than an SNMPv2c community string.
  • authNoPriv - HMAC authentication (MD5 or SHA) but no encryption; messages cannot be forged or modified undetected, but their contents are readable on the wire.
  • authPriv - HMAC authentication (MD5 or SHA) plus encryption (DES/3DES/AES). This is the level to deploy, and the combination to aim for is SHA with AES.

How to Configure SNMP Version 3

The configuration is very straightforward if you want the bare minimum: configure a group and a user and off you go.

💡
Please note that a v3 group created without a read view receives the default read view (shown as v1default in the verification output below), which exposes essentially the entire MIB tree. Use the view option of the snmp-server group command to limit what your SNMP manager can read, and do not define a write view unless you actually need SNMP SET access.

For this example, I'm going with authPriv (the priv keyword), which provides the highest level of security. You can be up and running with the two configuration lines shown below. The example keeps des and a short throwaway passphrase for brevity; on a production device use aes 128 (or stronger where supported) and long, distinct passphrases for authentication and privacy, since both keys are derived from them. Also note that IOS does not display the snmp-server user line in the running configuration, because the user's localized keys are stored in NVRAM rather than in the config file; use show snmp user to confirm the user exists. Those keys are tied to the device's SNMP engine ID, so changing the engine ID afterwards invalidates the users you configured.

snmp-server group TEST_GROUP v3 priv
snmp-server user TEST_USER TEST_GROUP v3 auth sha cisco123 priv des cisco123

Next, go to your SNMP manager (the NMS that will poll the device; the switch itself is the agent) and add the device there with the same username, protocols and passphrases. For this example, I'm using LibreNMS.

Verification

You can use the following show commands to confirm the user and group. Check that the authentication and privacy protocols are the ones you configured, that the security model reads v3 priv, and that readview is the view you created rather than v1default, which is the unrestricted default; a writeview of "<no writeview specified>" means the user cannot issue SET requests.

switch-03#show snmp user 

User name: TEST_USER
Engine ID: 800000090300500000090000
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: DES
Group-name: TEST_GROUP
   
switch-03#show snmp group 
groupname: TEST_GROUP                       security model:v3 priv 
contextname: <no context specified>         storage-type: nonvolatile
readview : v1default                        writeview: <no writeview specified>        
notifyview: <no notifyview specified>       
row status: active
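Reading this output by eye is fine for one switch; across a fleet it is worth scripting. The Python below is an added example (not from the original post or from Cisco) that parses show snmp user and show snmp group listings of the shape shown above and flags the settings a reviewer would object to: MD5 authentication, DES or no privacy, a group below v3 priv, a read view left at the unrestricted default v1default, and any write view at all. The sample listings are constructed; the second user and group and the 'None' privacy value are assumptions made for the example.

```python
"""Audit 'show snmp user' / 'show snmp group' output for weak SNMPv3 settings.

Added example for this post's verification step; not from Cisco or the post.
The sample listings are constructed in the shape of the output shown above;
LEGACY_USER, LEGACY_GROUP and the 'None' privacy value are assumptions.
"""
import re
from typing import Dict, List

SHOW_SNMP_USER = """\
User name: TEST_USER
Engine ID: 800000090300500000090000
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: DES
Group-name: TEST_GROUP

User name: LEGACY_USER
Engine ID: 800000090300500000090000
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: None
Group-name: LEGACY_GROUP
"""

SHOW_SNMP_GROUP = """\
groupname: TEST_GROUP                       security model:v3 priv
contextname: <no context specified>         storage-type: nonvolatile
readview : v1default                        writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active

groupname: LEGACY_GROUP                     security model:v3 auth
contextname: <no context specified>         storage-type: nonvolatile
readview : v1default                        writeview: v1default
notifyview: <no notifyview specified>
row status: active
"""


def _field(block: str, label: str) -> str:
    """Value following 'label:'; keeps '<no ... specified>' placeholders and
    two-word security models ('v3 priv') whole."""
    m = re.search(re.escape(label) + r"\s*:\s*(<[^>]*>|v\d\s+\w+|\S+)", block)
    return m.group(1).strip() if m else ""


def parse_blocks(text: str, key_label: str) -> Dict[str, str]:
    """Split blank-line-separated records and key them by key_label's value."""
    records = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        name = _field(block, key_label)
        if name:
            records[name] = block
    return records


def audit(user_output: str, group_output: str) -> List[str]:
    """Return sorted 'subject: issue' findings a reviewer would raise."""
    findings = []
    users = parse_blocks(user_output, "User name")
    groups = parse_blocks(group_output, "groupname")

    for name, block in users.items():
        auth = _field(block, "Authentication Protocol").upper()
        priv = _field(block, "Privacy Protocol").upper()
        group = _field(block, "Group-name")
        if auth == "MD5":
            findings.append(f"user {name}: MD5 authentication, prefer SHA")
        if priv in ("", "NONE"):
            findings.append(f"user {name}: no privacy protocol, polls are readable on the wire")
        elif priv == "DES":
            findings.append(f"user {name}: DES privacy, prefer AES")
        if group not in groups:
            findings.append(f"user {name}: group {group} not present in 'show snmp group'")

    for name, block in groups.items():
        model = _field(block, "security model").lower()
        if model != "v3 priv":
            findings.append(f"group {name}: security model '{model}' is weaker than v3 priv")
        if _field(block, "readview") == "v1default":
            findings.append(f"group {name}: read view is the unrestricted default v1default")
        write = _field(block, "writeview")
        if write and not write.startswith("<no "):
            findings.append(f"group {name}: write view '{write}' grants SNMP SET access")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SHOW_SNMP_USER, SHOW_SNMP_GROUP):
        print(finding)
```

On the sample above it reports seven findings: the TEST_USER/TEST_GROUP pair from this post is flagged only for DES privacy and the default read view, while the constructed legacy pair trips every check. Feed it the output of the two show commands collected from each device (over SSH, or from a config backup) to get the same list fleet-wide.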

Closing Thoughts

In conclusion, SNMPv3 should be used instead of SNMPv2c because it offers authentication, encryption and per-user access control, which are crucial for protecting sensitive information and preventing unauthorized access to network devices. Those benefits only materialize when it is deployed at authPriv with SHA and AES and with views that expose no more than the manager needs; a v3 user at noAuthNoPriv with the default view is little better than a community string.

References

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/xe-3se/3850/snmp-xe-3se-3850-book/nm-snmp-snmpv3.html