To configure an SNMP v3 server, specify an SNMP group that maps SNMP users to SNMP views. Then, specify the IP address or port number for the remote SNMP agent of the device where the user resides.
A group defines what access rights a set of users have. The access policy is defined by associating a read, write, or notify view with the group.
The group also defines the security model (SNMP version) and the security level (authentication and/or encryption) for its users.
The security models are SNMPv1, SNMPv2, and SNMPv3, while the security levels are noAuthNoPriv, AuthNoPriv, and AuthPriv.
SNMPv3 can implement any of the three above security levels. SNMPv1 and SNMPv2 only support noAuthNoPriv.
In the case that SNMPv3 uses noAuthNoPriv, the username serves as a replacement for the community string.
Configuration:
- Define SNMP group
snmp-server group [group-name {v1 | v2c | v3 [auth | noauth | priv]}] [read read-view] [write write-view] [notify notify-view] [access access-list]
- Define remote IP address (for NMS) - Optional
snmp-server engineID {local engine-id | remote ip-address [udp-port udp-port-number] [vrf vrf-name] engine-id-string}
- Define SNMP user
snmp-server user user-name group-name [remote ip-address [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password]} [access access-list]
Configuration:
- NoAuthNoPriv
snmp-server user TEST_NOAUTH_NOPRIV NoAuthNoPriv v3
snmp-server group NoAuthNoPriv v3 noauth
R1#show snmp user
User name: TEST_NOAUTH_NOPRIV
Engine ID: 800000090300CA002A260000
storage-type: nonvolatile active
Authentication Protocol: None
Privacy Protocol: None
Group-name: NoAuthNoPriv
R1#show snmp group
groupname: NoAuthNoPriv security model:v3 noauth
readview : v1default writeview:
notifyview:
row status: active
- AuthNoPriv
snmp-server group AuthNoPriv v3 auth
snmp-server user TEST_AUTH_NOPRIV AuthNoPriv v3 auth md5 CISCO_SNMP
- verification
R1#show snmp user
User name: TEST_AUTH_NOPRIV
Engine ID: 800000090300CA002A260000
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: None
Group-name: AuthNoPriv
R1#show snmp group
groupname: AuthNoPriv security model:v3 auth
readview : v1default writeview:
notifyview:
row status: active
- AuthPriv
snmp-server group AuthPriv v3 priv
snmp-server user TEST_AUTH_PRIV AuthPriv v3 auth md5 CISCO_SNMP priv des CISCO_SNMPv3
- verification
R1#show snmp user
User name: TEST_AUTH_PRIV
Engine ID: 800000090300CA002A260000
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: AuthPriv
R1#show snmp group
groupname: AuthPriv security model:v3 priv
readview : v1default writeview:
notifyview:
row status: active
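The following Python is an added example, not part of the original post. It parses `show snmp user` output in the format shown above and reports users whose configured protocols fall short of a required security level; the sample text is constructed from the listings above (storage-type lines omitted) and the function names are assumptions made here.

```python
import re  # not required by the parser; kept out of the hot path

# Constructed sample in the `show snmp user` format shown in this post.
SAMPLE = """\
R1#show snmp user
User name: TEST_NOAUTH_NOPRIV
Engine ID: 800000090300CA002A260000
Authentication Protocol: None
Privacy Protocol: None
Group-name: NoAuthNoPriv
User name: TEST_AUTH_NOPRIV
Engine ID: 800000090300CA002A260000
Authentication Protocol: MD5
Privacy Protocol: None
Group-name: AuthNoPriv
User name: TEST_AUTH_PRIV
Engine ID: 800000090300CA002A260000
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: AuthPriv
"""

def parse_users(text):
    """Return one dict per user block; keys are the lower-cased field names."""
    users = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if sep and key == "user name":
            users.append({key: value})      # a new user block starts here
        elif sep and users:
            users[-1][key] = value          # field of the current user
    return users

def security_level(user):
    """Derive the SNMPv3 security level from the configured protocols."""
    auth = user.get("authentication protocol", "None").lower()
    priv = user.get("privacy protocol", "None").lower()
    if auth == "none":
        return "noAuthNoPriv"
    return "authNoPriv" if priv == "none" else "authPriv"

LEVELS = ["noAuthNoPriv", "authNoPriv", "authPriv"]  # weakest to strongest

def below(text, required="authPriv"):
    """List (user, level) pairs weaker than the required level."""
    pairs = [(u["user name"], security_level(u)) for u in parse_users(text)]
    return [p for p in pairs if LEVELS.index(p[1]) < LEVELS.index(required)]
```

Calling `below(output)` on captured device output lists every user that would be accepted without authentication or without encryption.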