Saturday 4 May 2013

SNMPv3

SNMPv3 extends the previous versions of SNMP by introducing a new security model that replaces the old community-based authentication system. SNMPv3 also provides communication privacy by means of encryption. The new concepts in SNMPv3 are the user, the group, and the security level.


To configure an SNMPv3 server, first define an SNMP group that maps SNMP users to SNMP views. Then, if the user resides on a remote device, specify the IP address (and optionally the UDP port) of that remote SNMP agent.


A group defines what access rights a set of users have. The access policy is defined by associating a read, write, or notify view with the group.

The group also defines the security model (SNMP version) and the security level (authentication and/or encryption) for its users.

The security models are SNMPv1, SNMPv2c and SNMPv3, while the security levels are noAuthNoPriv, AuthNoPriv and AuthPriv.

SNMPv3 can implement any of the three above security levels. SNMPv1 and SNMPv2 only support noAuthNoPriv.

In the case that SNMPv3 uses noAuthNoPriv, the username serves as a replacement for the community string.

Configuration syntax:

  • Define the SNMP group

snmp-server group [group-name {v1 | v2c | v3 [auth | noauth | priv]}] [read read-view] [write write-view] [notify notify-view] [access access-list]

  • Define the remote engine ID, i.e. the IP address of the NMS (optional, only needed for remote users)

snmp-server engineID {local engine-id | remote ip-address [udp-port udp-port-number] [vrf vrf-name] engine-id-string}

  • Define the SNMP user (the priv keyword, as used in the AuthPriv example below, selects the encryption protocol)

snmp-server user user-name group-name [remote ip-address [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password] [priv des priv-password]} [access access-list]

Configuration examples:

  • NoAuthNoPriv

snmp-server user TEST_NOAUTH_NOPRIV NoAuthNoPriv v3
snmp-server group NoAuthNoPriv v3 noauth

    • verification

R1#show snmp user
User name: TEST_NOAUTH_NOPRIV
Engine ID: 800000090300CA002A260000
storage-type: nonvolatile active
Authentication Protocol: None
Privacy Protocol: None
Group-name: NoAuthNoPriv

R1#show snmp group
groupname: NoAuthNoPriv                     security model:v3 noauth
readview : v1default                        writeview:      
notifyview:      
row status: active
  • AuthNoPriv

snmp-server group AuthNoPriv v3 auth
snmp-server user TEST_AUTH_NOPRIV AuthNoPriv v3 auth md5 CISCO_SNMP

    • verification

R1#show snmp user
User name: TEST_AUTH_NOPRIV
Engine ID: 800000090300CA002A260000
storage-type: nonvolatile  active
Authentication Protocol: MD5
Privacy Protocol: None
Group-name: AuthNoPriv

R1#show snmp group
groupname: AuthNoPriv                       security model:v3 auth
readview : v1default                        writeview:      
notifyview:      
row status: active
  • AuthPriv

snmp-server group AuthPriv v3 priv
snmp-server user TEST_AUTH_PRIV AuthPriv v3 auth md5 CISCO_SNMP priv des CISCO_SNMPv3

    • verification

R1#show snmp user
User name: TEST_AUTH_PRIV
Engine ID: 800000090300CA002A260000
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: AuthPriv

R1#show snmp group
groupname: AuthPriv                         security model:v3 priv
readview : v1default                        writeview:      
notifyview:      
row status: active
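The three verification outputs above make it easy to check, in bulk, which security level each configured user actually ends up with. The following is an added example, not part of the original post: a small Python audit that parses `show snmp user` output (sample blocks constructed from the ones shown here), derives the security level from the Authentication Protocol and Privacy Protocol fields, and reports every user that is below AuthPriv or still uses MD5/DES (both superseded by SHA-2 and AES in later RFCs).

```python
# Constructed sample: the 'show snmp user' blocks from this post, as pasted output.
SHOW_SNMP_USER = """\
User name: TEST_NOAUTH_NOPRIV
Authentication Protocol: None
Privacy Protocol: None

User name: TEST_AUTH_NOPRIV
Authentication Protocol: MD5
Privacy Protocol: None

User name: TEST_AUTH_PRIV
Authentication Protocol: MD5
Privacy Protocol: DES
"""
LEGACY = {"MD5", "DES"}  # superseded by HMAC-SHA-2 (RFC 7860) and AES (RFC 3826)
BELOW_AUTHPRIV = {
    "noAuthNoPriv": "username is the only credential and every PDU is cleartext",
    "authNoPriv": "PDUs are authenticated but polled data is unencrypted",
}

def parse_snmp_users(text):
    """One dict per 'User name:' block, keyed by the lowercased field name."""
    users = []
    for line in text.splitlines():
        field, sep, value = line.strip().partition(":")
        if not sep:
            continue  # blank lines and prompt echoes carry no field
        field, value = field.strip().lower(), value.strip()
        if field == "user name":
            users.append({})
        if users:
            users[-1][field] = value
    return users

def security_level(user):
    """Derive the SNMPv3 security level from the two protocol fields."""
    auth = user.get("authentication protocol", "None") != "None"
    priv = user.get("privacy protocol", "None") != "None"
    return "authPriv" if auth and priv else "authNoPriv" if auth else "noAuthNoPriv"

def audit(text):
    """Return (user, finding) pairs for users below authPriv or on legacy algorithms."""
    findings = []
    for u in parse_snmp_users(text):
        name, level = u["user name"], security_level(u)
        if level in BELOW_AUTHPRIV:
            findings.append((name, f"{level}: {BELOW_AUTHPRIV[level]}"))
        for proto in (u.get("authentication protocol"), u.get("privacy protocol")):
            if proto in LEGACY:
                findings.append((name, f"legacy algorithm {proto}"))
    return findings
```

Running `audit(SHOW_SNMP_USER)` on the sample flags all three users: the first for running without authentication, the second for lacking encryption, and the third only for its MD5/DES choice.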