Thursday, August 8, 2013

Understanding and configuring SNMPv3

SNMPv3 was introduced to improve security over the previous version, SNMPv2c, which relied on clear-text community strings to authorize SNMP operations; it does so by introducing a new security model.

The security model consists of two main parameters:


  1. Authentication (Auth): makes sure the proper user is using the service; the authentication is hashed with either MD5 or SHA1.
  2. Privacy (Priv): encrypts the data between the host and the server, using DES, 3DES or AES as the encryption method.


Both Auth and Priv can be combined to form the security model that SNMPv3 uses to operate, which can be one of these three levels:


  1. NoAuthNoPriv: No authentication and no privacy
  2. AuthNoPriv: Authentication and no privacy
  3. AuthPriv: Authentication and privacy
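As an added illustration (example code written for this post, not Cisco's implementation), the following Python shows what "hashed with MD5 or SHA1" means in practice for an Auth/Priv user: the agent never keeps the password itself, but turns it into a key with the RFC 3414 password-to-key algorithm and then localizes that key with the device's SNMP engine ID, so the same password yields a different key on every device. The engine ID and the READUSER passwords are the values used in this post; the function and variable names are the example's own, and the second engine ID is a constructed one used only to show the difference.

```python
import hashlib

# Values taken from this post: the engine ID printed by "show snmp user"
# and the authentication/privacy passwords given to READUSER.
ENGINE_ID_HEX = "800000090300C2000F940000"
AUTH_PASSWORD = "READuserAUTHENTICATIONpassword"
PRIV_PASSWORD = "READuserPRIVACYpassword"

# hashlib names keyed by the SNMPv3 authentication protocol label.
HASHES = {"MD5": "md5", "SHA": "sha1"}


def password_to_key(password: str, proto: str = "SHA") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated and truncated to 1,048,576 bytes)."""
    pw = password.encode()
    stretched = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    return hashlib.new(HASHES[proto], stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, proto: str = "SHA") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), binding the key to one agent."""
    return hashlib.new(HASHES[proto], ku + engine_id + ku).digest()


def auth_key(password: str, engine_id_hex: str, proto: str = "SHA") -> bytes:
    """Localized authentication key: 16 bytes for MD5, 20 bytes for SHA."""
    engine_id = bytes.fromhex(engine_id_hex)
    return localize_key(password_to_key(password, proto), engine_id, proto)


def aes128_priv_key(password: str, engine_id_hex: str, proto: str = "SHA") -> bytes:
    """RFC 3826: the AES-128 privacy key is the first 128 bits of the privacy
    password localized with the user's authentication hash."""
    return auth_key(password, engine_id_hex, proto)[:16]


if __name__ == "__main__":
    print("auth key (SHA)   :", auth_key(AUTH_PASSWORD, ENGINE_ID_HEX).hex())
    print("priv key (AES128):", aes128_priv_key(PRIV_PASSWORD, ENGINE_ID_HEX).hex())
    # A second agent (constructed engine ID) derives a different key from the same password.
    print("same password, other engine ID:",
          auth_key(AUTH_PASSWORD, "800000090300C2000F950000").hex())
```

This is also why SNMPv3 users do not appear in the running configuration and must be reconfigured if the engine ID changes: the device stores the localized keys, not the passwords. The functions are checked against the RFC 3414 appendix A test vector (password "maplesyrup", engine ID 000000000000000000000002).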

The structure of SNMPv3 consists of groups and users attached to those groups:
  • SNMP Groups: they contain the access-control policy for their users; the privileges are mainly the SNMP views those users are allowed to read or read/write.
  • SNMP Users: each user is assigned to a group, along with the security model it will be using (Auth and Priv).
  • SNMP Hosts: SNMP hosts are servers that receive pushed SNMP notifications and traps. Since notifications and traps are pushed to the server, each server can be associated with only one user.
Note: SNMP uses either pull or push communication with the server. Pull is when the server requests to read or write something on the router or switch. Push is when the router or switch sends a trap or notification to the server. The two are independent of each other; you can configure one or both of them.


Now let's start configuring SNMPv3

First you have to define a view, which is the part of the MIB tree you want to use. In our example here we will use two views: the iso subtree for read-only access, which we will call READ, and the system subtree for read/write access, which we will call WRITE.

snmp-server view READ iso included
snmp-server view WRITE system included
Now we need to configure the SNMP group called MANAGMENT, which uses both the READ and WRITE views for its associated users:

snmp-server group MANAGMENT v3 priv read READ write WRITE
Now let's confirm that with show snmp group:


 R1#show snmp group
groupname: ILMI                             security model:v1
readview : *ilmi                            writeview: *ilmi                        
notifyview: <no notifyview specified>    
row status: active
groupname: ILMI                             security model:v2c
readview : *ilmi                            writeview: *ilmi                        
notifyview: <no notifyview specified>    
row status: active
groupname: READGROUP                        security model:v3 priv
readview : READ                             writeview: WRITE                        
notifyview: <no notifyview specified>    
row status: active
Let's associate two users with the MANAGMENT group: READUSER and WRITEUSER.

snmp-server user READUSER MANAGMENT v3 auth sha READuserAUTHENTICATIONpassword priv aes 128 READuserPRIVACYpassword

snmp-server user WRITEUSER MANAGMENT v3 auth sha WRITEuserAUTHENTICATIONpassword priv aes 128 WRITEuserPRIVACYpassword 

One thing you'll notice when you show the running configuration is that the user lines are not displayed; to see which SNMPv3 users are configured you have to use the command show snmp user.


R1#show snmp user 

User name: READUSER
Engine ID: 800000090300C2000F940000
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: MANAGMENT
User name: WRITEUSER
Engine ID: 800000090300C2000F940000
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: MANAGMENT
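As an added check (example code written for this post, not part of the original), here is a small Python script that parses show snmp user output in the format above and flags any user that falls short of AuthPriv with SHA and AES. The sample output is constructed for the example: the first entry mirrors READUSER from this post, while LEGACYUSER and OPENUSER are made-up users with weaker settings, and the label "None" for a missing protocol is an assumption about how IOS prints it.

```python
import re

# Constructed sample in the format of "show snmp user" on IOS. READUSER mirrors this
# post; LEGACYUSER and OPENUSER are made-up users with weaker settings. The "None"
# label for a missing protocol is an assumption about the IOS output format.
SAMPLE_SHOW_SNMP_USER = """\
User name: READUSER
Engine ID: 800000090300C2000F940000
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: MANAGMENT
User name: LEGACYUSER
Engine ID: 800000090300C2000F940000
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: MANAGMENT
User name: OPENUSER
Engine ID: 800000090300C2000F940000
storage-type: nonvolatile        active
Authentication Protocol: None
Privacy Protocol: None
Group-name: MANAGMENT
"""

# Only the fields we care about; "storage-type" lines are skipped.
FIELD = re.compile(
    r"^\s*(User name|Engine ID|Authentication Protocol|Privacy Protocol|Group-name):\s*(\S*)"
)


def parse_snmp_users(text: str) -> list[dict]:
    """Split the output into one dict per user; a "User name:" line starts a new record."""
    users = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "User name":
            users.append({"user": value})
        elif users:
            users[-1][key] = value
    return users


def audit_users(users: list[dict]) -> dict[str, list[str]]:
    """Return, per user, the reasons it does not meet AuthPriv with SHA and AES."""
    findings = {}
    for u in users:
        issues = []
        auth = u.get("Authentication Protocol", "None")
        priv = u.get("Privacy Protocol", "None")
        if auth == "None":
            issues.append("no authentication (NoAuth): requests are not authenticated at all")
        elif auth == "MD5":
            issues.append("MD5 authentication: prefer SHA")
        if priv == "None":
            issues.append("no privacy (NoPriv): SNMP data crosses the network in clear text")
        elif priv in ("DES", "3DES"):
            issues.append(f"{priv} privacy: prefer AES")
        findings[u["user"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_users(parse_snmp_users(SAMPLE_SHOW_SNMP_USER)).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Paste the real output of show snmp user in place of the sample to run the same check against a device; the parser keys on the field labels, so the engine ID and group names do not matter.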


That looks promising: we have now configured SNMPv3, and NMS servers can pull SNMP information from the router or switch. How about configuring the router to push traps in case of a BGP event using SNMPv3? We will use the user READUSER that was configured previously for that task.
snmp-server host 200.0.0.1 version 3 priv READUSER bgp
Let's verify that:
R1#show snmp host
 Notification host: 200.0.0.1    udp-port: 162   type: trap
user: READUSER  security model: v3 priv