SNMP has been around for many years and, even though the acronym stands for Simple Network Management Protocol, it is quite complex and takes significant time to understand exactly how to get the best from it. It is well worth investing the time, though, as it is a very powerful way to monitor your network, and once you master its configuration you'll be setting up custom items for all sorts of reasons. The widely used SNMPv2 is implemented with only basic passwords, or 'communities'. I've jokingly heard it referred to as 'Security Not My Problem'. Not a major issue on secure networks, but obviously less than ideal if you are running SNMP over insecure networks: not only is the community string sent in plain text, but so is all of the data returned! This is where SNMPv3 comes into play. This version provides both authentication and privacy.
The three steps to implement are:
- Create SNMPv3 group
- Create SNMPv3 user
- Validate authPriv
snmp-server group testGroup v3 priv
snmp-server user testUser testGroup v3 auth sha test1234 priv aes 128 test1234 access 1
The first command creates testGroup with the SNMPv3 authPriv security level (priv). The second command creates the user testUser, makes this user a member of the previously created testGroup, and configures SHA-based authentication with AES-128 as the privacy protocol. Note that test1234 is used here for both the authentication and privacy passphrases; they can be different. I've also included the optional access list (access 1, standard ACL 1) on the command so that only a specific IP or range can use this user. You may use a named access list instead of a standard one.
The following is the snmpwalk command needed to verify the implementation when using SNMPv3. My advice is to always test your authentication with snmpwalk before moving on to other platforms to implement monitoring.
snmpwalk -v3 -u testUser -A test1234 -l authPriv -a SHA -x AES -X test1234 10.254.254.253 .126.96.36.199.188.8.131.52.6.5.0
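Behind the scenes, the passphrases given to `snmp-server user` (and to `snmpwalk -A`/`-X`) are not used directly: the USM turns each one into a key with the RFC 3414 password expansion and then localizes it to the agent's snmpEngineID, so the same passphrase yields a different key on every device. The following is an added example, not code from the original post, that performs that derivation for SHA (as in `auth sha ... priv aes 128`); the engine ID is a constructed sample value.

```python
import hashlib

ONE_MIB = 1_048_576  # RFC 3414 A.2 expands the password to exactly this many bytes


def password_to_key(password: str, hash_name: str = "sha1") -> bytes:
    """Ku: hash of the passphrase repeated out to 1 MiB (RFC 3414 A.2)."""
    if len(password) < 8:
        # net-snmp and most agents reject shorter passphrases
        raise ValueError("SNMPv3 passphrases must be at least 8 characters")
    data = password.encode()
    expanded = (data * (ONE_MIB // len(data) + 1))[:ONE_MIB]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Kul: bind Ku to one agent's snmpEngineID (RFC 3414 section 2.6)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(auth_pass: str, priv_pass: str, engine_id: bytes,
             hash_name: str = "sha1") -> tuple[bytes, bytes]:
    """Return (authentication key, AES-128 privacy key) for one agent."""
    auth_key = localize_key(password_to_key(auth_pass, hash_name), engine_id, hash_name)
    priv_key = localize_key(password_to_key(priv_pass, hash_name), engine_id, hash_name)
    # AES-128 (RFC 3826) takes the first 128 bits of the localized privacy key
    return auth_key, priv_key[:16]


if __name__ == "__main__":
    # Constructed sample engine ID; a real agent reports its own (e.g. "show snmp engineID").
    engine_id = bytes.fromhex("80000009030000112233445566")
    auth_key, priv_key = usm_keys("test1234", "test1234", engine_id)
    print("auth key:", auth_key.hex())
    print("priv key:", priv_key.hex())
    # With identical passphrases the privacy key is just a prefix of the auth key,
    # which is why using two different passphrases is the safer choice.
    print("priv key is prefix of auth key:", auth_key.startswith(priv_key))
```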
The following is a decent post detailing the other user security models. Not entirely sure why anyone would implement anything other than authPriv, though, if you are using version 3.