Cisco LAN SNMP v3 setup

Perl Net-SNMP SNMP v3 compatibility Auth & Priv support matrix

Configuration

  • User: xorux
  • Password: xorux4you
  • Security level: AuthPriv
  • Priv protocol: AES128
  • Auth protocol: SHA

    sw0#configure terminal
    
    # create ReadOnly view
    sw0(config)#snmp-server view ReadOnly iso included
    
    # create v3 authPriv group (Monitor) allowed to read ReadOnly view
    sw0(config)#snmp-server group Monitor v3 priv read ReadOnly
    
    # check available authentication algorithms
    sw0(config)#snmp-server user xormon Monitor v3 auth ?
      md5    Use HMAC MD5 algorithm for authentication
      sha    Use HMAC SHA algorithm for authentication
      sha-2  Use HMAC SHA-2 algorithm for authentication
    
    # use SHA and check available privacy algorithms
    sw0(config)#snmp-server user xormon Monitor v3 auth sha xorux4you priv ?
      3des  Use 168 bit 3DES algorithm for encryption
      aes   Use AES algorithm for encryption
      des   Use 56 bit DES algorithm for encryption
    
    # check available AES variants
    sw0(config)#snmp-server user xormon Monitor v3 auth sha xorux4you priv aes ?
      128  Use 128 bit AES algorithm for encryption
      192  Use 192 bit AES algorithm for encryption
      256  Use 256 bit AES algorithm for encryption
    
    # create xormon user with SHA / AES128 authPriv 
    sw0(config)#snmp-server user xormon Monitor v3 auth sha xorux4you priv aes 128 xorux4you
    
    # end cfg with Ctrl+Z
    
    # check xormon user
    sw0#show snmp user xormon
    User name: xormon
    Engine ID: 800000090300AABBCC001000
    storage-type: nonvolatile        active
    Authentication Protocol: SHA
    Privacy Protocol: AES128
    Group-name: Monitor
    
    # test SNMP v3 access with snmpwalk
    snmpwalk -v 3 -l authPriv -u xormon -A xorux4you -X xorux4you -a SHA -x AES 192.168.1.1 sysDescr
      SNMPv2-MIB::sysDescr.0 = STRING: "Cisco IOS Software [IOSXE] ...
    

Notes

  • Auth and Priv passwords must be at least 8 characters long
  • Prefer AES128 if you are not sure that the snmp-perl module on your operating system supports stronger AES variants.
    Note that snmpwalk might work while the snmp-perl module fails, because the module has a different support matrix
  • When using the AES256 privacy protocol, at least SHA256 must be used as the authentication protocol

DES vs AES

    Do not use the old DES protocol, use AES instead.
    Newer Linux distributions do not support DES anyway; you can check whether your operating system supports it.
    If the command below prints anything, DES is supported and you can use it, but try to avoid it.
    openssl ciphers | grep DES
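Added example, not part of the original page or of XorMon: a small Python check that parses `show snmp user` output in the layout shown above and applies this page's rules (AES rather than DES, AES256 only with at least SHA256 authentication). The sample text is constructed; the users `legacy` and `wide` and the spelling of their protocol values are assumptions.

```python
import re

# Constructed sample in the layout of the `show snmp user` output on this page.
# Only the xormon block mirrors it; users "legacy"/"wide" and "DES" are assumed.
SAMPLE = """\
User name: xormon
Engine ID: 800000090300AABBCC001000
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: Monitor

User name: legacy
Authentication Protocol: SHA
Privacy Protocol: DES

User name: wide
Authentication Protocol: SHA
Privacy Protocol: AES256
"""

def parse_users(text):
    """Return one dict per 'User name:' block, keyed by the field labels."""
    users = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "User name":
            users.append({})
        if sep and users:
            users[-1][key.strip()] = value.strip()
    return users

def auth_bits(auth):
    """Digest size of the auth protocol: SHA-2 by its number, SHA 160, MD5 128."""
    m = re.search(r"224|256|384|512", auth)
    return int(m.group()) if m else {"SHA": 160, "MD5": 128}.get(auth.upper(), 0)

def audit(user):
    """Check one user against the Notes and the DES advice on this page."""
    auth = user.get("Authentication Protocol", "None")
    priv = user.get("Privacy Protocol", "None").upper()
    findings = []
    if not priv.startswith("AES"):
        findings.append(f"privacy protocol {priv} is not AES")
    if priv == "AES256" and auth_bits(auth) < 256:
        findings.append("AES256 privacy needs at least SHA256 authentication")
    return findings

if __name__ == "__main__":
    print({u["User name"]: audit(u) or "ok" for u in parse_users(SAMPLE)})
```

Feed it the saved output of `show snmp user` from each switch; an empty list means the user matches the SHA / AES setup described here.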
    

Add SAN switch to XorMon
