SNMPv3 (Simple Network Management Protocol v3)

Simple Network Management Protocol (SNMP) is defined by the Internet Engineering Task Force (IETF) as an Internet standard protocol that network devices use to communicate with each other and exchange data. SNMP collects and organizes information about the devices it manages on the network. The latest version is SNMP version 3 (SNMPv3). It addresses the weaknesses of the earlier SNMP versions, notably their security problems, by adding cryptographic security features. Its developers also changed the protocol's appearance considerably by introducing new conventions, concepts, and terminology.


SNMPv3 Features

The SNMPv3 architecture introduces the User-based Security Model (USM) for message security. With USM, the messages exchanged between the SNMP manager and the SNMP agent have data integrity checking and data origin authentication. The View-Based Access Control Model (VACM) covers message processing models and access control.

SNMPv3 supports the SNMP Engine ID, an identifier that uniquely identifies each SNMP entity. Conflicts can occur if two SNMP entities have duplicate EngineIDs. The EngineID is used when generating the key for authenticated messages.

Many SNMP products remain fundamentally the same under SNMPv3 but are enhanced by the following new features:

Security

  • Authentication
  • Privacy

Administration

  • Authorization and access control
  • Logical contexts
  • Naming of entities, identities, and information
  • People and policies
  • Usernames and key management
  • Notification destinations and proxy relationships
  • Remote configuration via SNMP operations


SNMPv3 Elements

SNMPv3 introduces three new elements: SNMP View, SNMP User, and SNMP Group. These elements work hand in hand to provide a higher level of security by authenticating and encrypting every interaction with the network device.

SNMP View – defines what can be seen on a Cisco device, that is, which MIB objects are exposed. This SNMPv3 element ensures that unauthorized users on the network cannot see sensitive information, such as passwords.

SNMP User – in SNMPv3, an SNMP User is associated with an SNMP Group, which restricts the user's access and views. When the User is associated with the Group, the username, password, and the level of authentication and encryption are defined.

SNMP Group – an SNMP View is associated with an SNMP Group, which defines the type of access to that view, such as read-only or read/write. The SNMP Group also specifies the security method to be used during interaction with the device.

SNMPv3 security comes primarily in two forms: authentication and encryption.

  • Authentication – is used to ensure that traps are read only by the intended recipient. As messages are created, they are given a special key based on the entity's EngineID. The key is shared with the intended recipient and used when receiving the message.
  • Encryption – privacy encrypts the payload of the SNMP message so that unauthorized users cannot read it. Any intercepted traps are filled with garbled characters and are unreadable. Privacy is especially useful where SNMP messages must be routed over the Internet.

There are three security levels in an SNMP Group. These are the following:

  1. noAuthNoPriv – Communication without authentication and privacy.
  2. authNoPriv – Communication with authentication and without privacy. The protocols used for Authentication are MD5 and SHA (Secure Hash Algorithm).
  3. authPriv – Communication with authentication and privacy. The protocols used for Authentication are MD5 and SHA, and for Privacy, DES (Data Encryption Standard) and AES (Advanced Encryption Standard) protocols can be used. For Privacy Support, you have to install some third-party privacy packages.
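The key handling described above (keys based on the EngineID, MD5 and SHA as authentication protocols), worked through as an added Python example that is not code from the original page or from Cisco: RFC 3414's password-to-key derivation followed by localization with the snmpEngineID. The "maplesyrup" password and the 12-byte EngineID ending in 02 are the RFC's own test vector; the two router EngineIDs are constructed sample values.

```python
import hashlib

# RFC 3414 A.2: the password is repeated until 1 MiB (1048576 bytes) has been
# hashed. The expansion deliberately makes brute-forcing a captured key costly.
EXPANSION_BYTES = 1048576

# Authentication protocols named on the page: MD5 (16-byte key) and SHA, which
# in USM means SHA-1 (20-byte key).
AUTH_HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}


def password_to_key(password: str, auth_protocol: str) -> bytes:
    """Derive the user's non-localized key Ku from a password (RFC 3414 A.2)."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    h = AUTH_HASHES[auth_protocol]()
    reps, rem = divmod(EXPANSION_BYTES, len(pw))
    h.update(pw * reps + pw[:rem])  # exactly 1 MiB of the repeated password
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, auth_protocol: str) -> bytes:
    """Bind Ku to one SNMP engine: Kul = H(Ku || snmpEngineID || Ku)."""
    return AUTH_HASHES[auth_protocol](ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, auth_protocol: str = "sha") -> bytes:
    """Password -> Ku -> Kul for the given engine, as both manager and agent compute it."""
    return localize_key(password_to_key(password, auth_protocol), engine_id, auth_protocol)


if __name__ == "__main__":
    # EngineID from the RFC 3414 A.3 test vector plus two constructed EngineIDs.
    rfc_engine = bytes.fromhex("000000000000000000000002")
    router_a = bytes.fromhex("80000009010a000001")  # constructed sample value
    router_b = bytes.fromhex("80000009010a000002")  # constructed sample value
    for proto in ("md5", "sha"):
        print(proto, "Ku :", password_to_key("maplesyrup", proto).hex())
        print(proto, "Kul:", localized_key("maplesyrup", rfc_engine, proto).hex())
    # Same password, different EngineIDs -> different localized keys: a key
    # recovered from one device does not authenticate to another. Two devices
    # that accidentally share an EngineID would also share the key.
    print("router_a Kul:", localized_key("maplesyrup", router_a).hex())
    print("router_b Kul:", localized_key("maplesyrup", router_b).hex())
```

Kul, not the password, is what the agent stores and uses for the message HMAC; because it changes with the EngineID, the same password yields a different key on every device with a distinct EngineID.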


SNMPv3 Configuration

Below is the command to configure an SNMP view in global configuration mode.

R1(config)# snmp-server view <view name> <mib/oid> included


Here are some of the MIB objects that can be used in SNMP View:

  • ifIndex
  • iso
  • ifEntry
  • system
  • cisco


Now that we have configured the view, let us configure the SNMP Group and grant it access to that view.

R1(config)# snmp-server group <Group name> v3 priv read <View name>


Finally, the last step is to configure the SNMP User.

R1(config)# snmp-server user <Username> <Group name> v3 auth {md5 | sha} <Authentication Password> priv {3des | aes {128 | 192 | 256} | des} <Encryption Password>
