Cisco doing secure SNMP

Version 3 of the Simple Network Management Protocol (SNMP) is developed with as main purpose securing the insecure SNMP protocol. Since I needed to setup SNMP for a monitoring tool I decided to do it the secure way, which is SNMP v3. This article will describe how to configure SNMPv3 on a Cisco device using Cisco IOS, in my case a broadband router.

The first task is to login at the console as a privileged user and switch to configuration mode.

router#conf t Enter configuration commands, one per line. End with CNTL/Z. router(config)#

The next task is to define a view. To keep it simple, we’ll create a view that allows access to the entire internet subtree:

snmp-server view readview internet included

Next, create a group that uses the just created view. This command creates a group called readonly and v3 means that SNMPv3 should be used. The auth keyword specifies that the entity should authenticate packets without encrypting them. The read readview says that the view named readview should be used whenever members of the readonly group access the router.

snmp-server group readonly v3 auth read readview

The following command creates a user called snmpro, who belongs to the readonly group. auth md5 specifies that the router should use MD5 to authenticate the user (sha is also possible). The next item is the user’s password or passphrase, which is limited to 64 characters. The last item priv des56 specifies the encryption of the SNMP packets.

snmp-server user snmpro readonly v3 auth md5 password priv des56 passphrase

This configuration uses encryption to prevent passwords from being transferred in clear text and also encrypts the SNMP packets themselves, which may contain information that you don’t want available to the public.

End config mode with CNTL/Z or simple type ‘end’. And issue ‘write mem’ to save the current configuration to non-volatile memory to make this change permanent.

router(config)#end router#write mem Building configuration... [OK] router#

To verify if it’s working you can use snmpwalk. In the example below I use a Linux system to execute the snmpwalk command to request the system description (sysDescr.0) from a host called router.

$ snmpwalk -v 3 -u snmpro -l authPriv -a MD5 -A password -x DES -X passphrase \ router sysDescr.0 SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T5, RELEASE SOFTWARE (fc4) Technical Support: Copyright (c) 1986-2008 by Cisco Systems, Inc. Compiled Thu 01-May-08 02:31 by prod_rel_team $

As you can see the system description is returned successfully.