HowTo: Configure SNMPv3

In this post I will describe how to configure SNMPv3 on Comware based and ProVision based switches. SNMP is used by management systems to monitor and configure network devices. As the information sent and received by SNMP-speaking devices can be sensitive, and a writable SNMP access lets the manager reconfigure the device, you should protect that communication. SNMPv1 and SNMPv2c only use a community string that travels in clear text, which gives neither real authentication nor encryption. SNMPv3 adds per-user authentication and encryption and lets you create users and groups with granular access to specific MIB views, therefore I would always recommend using SNMPv3 in production environments.

Configure SNMPv3 on Comware Based Devices

To configure SNMPv3 on a Comware based device, you have to enable SNMPv3 and disable all the other versions:

[RTG-Core]snmp-agent sys-info version v3
[RTG-Core]undo snmp-agent sys-info version v1 v2c
[RTG-Core]dis snmp-agent sys-info version
 SNMP version running in the system:
 SNMPv3

[RTG-Core]

The next step is to create a group. A group is bound to views, which define the MIB subtrees (by OID) its members may read, write or receive notifications for. I will use the default view, but you can also define your own group with your own views. To create a custom view, use this command:

[RTG-Core]snmp-agent mib-view included TestView iso

This view includes the subtree below the OID named “iso”. Note that “iso” (OID 1) is the root of the whole MIB tree, so this particular view still exposes everything; to restrict a group, include a narrower subtree (for example a single MIB module) or add “excluded” entries for the branches you want to hide.

To create the group use this command:

[RTG-Core]snmp-agent group v3 snmpv3 privacy read-view ViewDefault write-view ViewDefault notify-view ViewDefault

This creates the group “snmpv3”, which uses the “ViewDefault” view as “read-view”, “write-view” and “notify-view” and therefore allows access to all MIBs and OIDs. The “privacy” keyword sets the minimum security level the group requires to authentication plus encryption (authPriv). Without it the group defaults to noAuthNoPriv, and the agent then also answers unauthenticated, unencrypted requests for the users of this group even though they have keys configured, so always set it.

The next step is to create the SNMPv3 user:

[RTG-Core]snmp-agent usm-user v3 imc snmpv3 authentication-mode sha imcimc privacy-mode aes128 imcimc

This creates the SNMPv3 user “imc” in the group “snmpv3”, using SHA for authentication with the password “imcimc” and AES-128 encryption with the privacy key “imcimc”. Both are lab values only: RFC 3414 expects passphrases of at least 8 characters (net-snmp refuses shorter ones), so use two different, long passphrases in production.

For Comware 7 you need to use this command; when passwords are given, Comware 7 requires the “cipher” or “simple” keyword in front of “authentication-mode”, and “simple” means the passwords are entered in plain text:

[RTG-Core]snmp-agent usm-user v3 imc snmpv3 simple authentication-mode sha imcimc privacy-mode aes128 imcimc
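What the switch does with those passwords is worth seeing once, because it explains why a manager has to discover the engine ID first and why a password can be short on the switch but still be refused by the management tool. The following script is an added example, not code from the post: it implements the RFC 3414 USM key derivation (password to key, then localization with the snmpEngineID) and the AES-128 key selection from RFC 3826, using the test vectors published in RFC 3414 appendix A.3. The engine IDs in it are the RFC's test value and a made-up one.

```python
"""RFC 3414 USM key derivation (added example, not code from the post).

`authentication-mode sha <password>` does not make the agent store the password:
it derives Ku = H(password repeated to 1 MiB) and localizes it to its own
snmpEngineID, Kul = H(Ku || engineID || Ku). The manager repeats the same
computation after discovering the engine ID, so the password never crosses the
wire and the same password yields a different key on every device.
"""
import hashlib

PASSPHRASE_BYTES = 1_048_576   # RFC 3414 A.2: exactly 2^20 bytes are hashed
MIN_PASSPHRASE_LEN = 8         # RFC 3414 section 11.2; net-snmp refuses shorter ones


def passphrase_ok(password: str) -> bool:
    """Minimum-length check that managers such as net-snmp enforce."""
    return len(password) >= MIN_PASSPHRASE_LEN


def password_to_key(password: str, hash_name: str = "sha1") -> bytes:
    """Ku: hash of the password repeated and truncated to 1,048,576 bytes (RFC 3414 A.2.1/A.2.2)."""
    if not passphrase_ok(password):
        raise ValueError("USM passphrase must be at least %d characters" % MIN_PASSPHRASE_LEN)
    pw = password.encode("utf-8")
    reps, rem = divmod(PASSPHRASE_BYTES, len(pw))
    h = hashlib.new(hash_name)
    h.update(pw * reps + pw[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku) (RFC 3414 section 2.6): the key bound to one agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(password: str, engine_id: bytes, hash_name: str = "sha1") -> dict:
    """Authentication key and AES-128 privacy key as agent and manager both derive them."""
    ku = password_to_key(password, hash_name)
    kul = localize_key(ku, engine_id, hash_name)
    return {
        "ku": ku,
        "kul": kul,
        # RFC 3826 section 3.1.2.1: AES-128 uses the first 128 bits of the localized key.
        "aes128_key": kul[:16],
    }


if __name__ == "__main__":
    # Engine ID from the RFC 3414 A.3 test vectors. A real switch reports its own
    # snmpEngineID (Comware: display snmp-agent local-engineid).
    rfc_engine_id = bytes.fromhex("000000000000000000000002")
    for alg in ("md5", "sha1"):
        keys = usm_keys("maplesyrup", rfc_engine_id, alg)
        print(alg, "Ku =", keys["ku"].hex(), "Kul =", keys["kul"].hex())
    # Same password, different (made-up) engine ID: a different localized key.
    other = usm_keys("maplesyrup", bytes.fromhex("8000000903001122334455"), "sha1")
    print("other device Kul =", other["kul"].hex())
    print("'imcimc' meets the RFC minimum length?", passphrase_ok("imcimc"))
```

Two practical consequences follow from this: an SNMPv3 user cannot be copied from one device to another by exporting its keys, because the localized key differs per engine ID, and a manager that is given the post's 6-character “imcimc” will, if it follows the RFC minimum like net-snmp does, refuse to derive a key at all.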

The SNMPv3 configuration is done. You should now set some system information so that the device can be identified correctly in your network management system:

[RTG-Core]snmp-agent sys-info contact Florian Baaske
[RTG-Core]snmp-agent sys-info location LAB_RTG

You should now be able to monitor and configure the device using SNMPv3.

Configure SNMPv3 on ProVision Based Switches

To configure SNMPv3 on ProVision based switches you follow more or less the same procedure. First enable SNMPv3 on the switch:

ClientAccess(config)# snmpv3 enable
SNMPv3 Initialization process.
Creating user 'initial'
Authentication Protocol: MD5
Enter authentication password: **********
Privacy protocol is DES
Enter privacy password: **********

User 'initial' has been created
Would you like to create a user that uses SHA? [y/n] n

User creation is done. SNMPv3 is now functional.
Would you like to restrict SNMPv1 and SNMPv2c messages to have read only
access (you can set this later by the command 'snmpv3 restricted-access')? [y/n] n
ClientAccess(config)# snmpv3 only

Enabling SNMPv3 starts a wizard that creates a default user called “initial”. That user uses MD5 and DES, so do not keep it longer than needed; it is deleted at the end of this section. The command “snmpv3 only” restricts the switch to SNMPv3, all SNMPv1 and SNMPv2c requests are rejected. If you answered “n” to the restricted-access question as in the transcript above, this command is what actually shuts the older versions out.

You now need to configure the SNMPv3 users:

ClientAccess(config)# snmpv3 user imc auth sha imcimc priv aes imcimc

This creates the user “imc” with SHA authentication and AES encryption. If you choose “aes” for encryption it is always AES-128; the switch offers no other AES key length.

The next step is to assign the user to a predefined group. The groups are:

  • managerpriv – v3 with full access, authentication and encryption (privacy)
  • managerauth – v3 with full access and authentication, but no encryption
  • operatorauth – v3 with operator access and authentication, but no encryption
  • operatornoauth – v3 with operator access, no authentication and no encryption

I only listed the groups for SNMPv3. There are also groups for SNMPv1 and SNMPv2c. If you would like to use those, have a look at the Management and Configuration Guide of the corresponding ProVision based switch, where you will also find the difference between full (manager) access and operator access. For a management system that needs write access pick “managerpriv”; of the four groups above it is the only one that enforces both authentication and encryption.

To actually assign a user to a group use this command:

ClientAccess(config)# snmpv3 group managerpriv user imc sec-model ver3

This assigns the user “imc” to the group “managerpriv”. You can now delete the initially created SNMPv3 user:

ClientAccess(config)# no snmpv3 user initial

You can now test the access with your network management system.
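Before handing the device to the management system it pays to check the result of both procedures (the Comware steps above and the ProVision steps in this section) against the saved configuration rather than trusting memory. The script below is an added example, not the post's own code: it audits a configuration excerpt written in the command syntax used in this post (Comware “snmp-agent …” lines, ProVision “snmpv3 …” lines) for the weak states the steps remove. The excerpts in it are constructed for the demo and stand in for “display current-configuration” / “show running-config” output; the passwords are placeholders.

```python
"""Audit of the SNMP hardening steps in this post (added example, not the
post's own code). Reports: v1/v2c still enabled or a community string left
behind, a v3 group without a security level, MD5/DES users, an unencrypted
user, the ProVision wizard user 'initial', and a missing 'snmpv3 only'.
"""
import re

# (platform, pattern, message): a rule fires when its pattern matches one line.
# Only the command forms shown in this post are covered.
LINE_RULES = [
    ("comware", re.compile(r"^snmp-agent sys-info version\b(?=.*\b(?:all|v1|v2c)\b)"),
     "SNMPv1/v2c still enabled; only 'snmp-agent sys-info version v3' should remain"),
    ("comware", re.compile(r"^snmp-agent community\b"),
     "community string configured: v1/v2c access with a clear-text secret"),
    ("comware", re.compile(r"^snmp-agent group v3 \S+(?!.*\b(?:authentication|privacy)\b)"),
     "v3 group without 'authentication'/'privacy': noAuthNoPriv requests are accepted"),
    ("comware", re.compile(r"^snmp-agent usm-user v3\b.*\bauthentication-mode md5\b"),
     "usm-user authenticates with MD5; use sha"),
    ("comware", re.compile(r"^snmp-agent usm-user v3\b.*\bprivacy-mode (?:des56|3des)\b"),
     "usm-user encrypts with DES/3DES; use aes128"),
    ("comware", re.compile(r"^snmp-agent usm-user v3\b(?!.*\bprivacy-mode\b)"),
     "usm-user without privacy-mode: authenticated but unencrypted"),
    ("provision", re.compile(r"^snmp-server community\b"),
     "community string configured: v1/v2c access with a clear-text secret"),
    ("provision", re.compile(r"^snmpv3 user initial\b"),
     "wizard user 'initial' (MD5/DES) still present; run 'no snmpv3 user initial'"),
    ("provision", re.compile(r"^snmpv3 user \S+ auth md5\b"),
     "snmpv3 user authenticates with MD5; use sha"),
    ("provision", re.compile(r"^snmpv3 user \S+ auth \S+ \S+ priv des\b"),
     "snmpv3 user encrypts with DES; use aes"),
    ("provision", re.compile(r"^snmpv3 group \S*noauth\b"),
     "user assigned to a noauth group: requests need no authentication"),
]


def audit(config_text: str, platform: str) -> list:
    """Return (line number, line, message) for every weak state found.
    Line number 0 marks a whole-configuration finding."""
    lines = [raw.strip() for raw in config_text.splitlines()]
    findings = [
        (number, line, message)
        for number, line in enumerate(lines, start=1)
        for plat, pattern, message in LINE_RULES
        if plat == platform and pattern.search(line)
    ]
    if platform == "provision" and "snmpv3 only" not in lines:
        findings.append((0, "", "'snmpv3 only' missing: SNMPv1/v2c requests are still accepted"))
    return findings


# Constructed excerpts: "before" is a weak starting state, "after" mirrors the
# configuration built in this post. <authpass>/<privpass> are placeholders.
COMWARE_BEFORE = """\
snmp-agent
snmp-agent community read public
snmp-agent sys-info version all
snmp-agent group v3 snmpv3 read-view ViewDefault write-view ViewDefault notify-view ViewDefault
snmp-agent usm-user v3 imc snmpv3 authentication-mode md5 <authpass> privacy-mode des56 <privpass>
"""
COMWARE_AFTER = """\
snmp-agent
snmp-agent sys-info version v3
snmp-agent group v3 snmpv3 privacy read-view ViewDefault write-view ViewDefault notify-view ViewDefault
snmp-agent usm-user v3 imc snmpv3 simple authentication-mode sha <authpass> privacy-mode aes128 <privpass>
snmp-agent sys-info contact Florian Baaske
snmp-agent sys-info location LAB_RTG
"""
PROVISION_BEFORE = """\
snmp-server community "public" unrestricted
snmpv3 enable
snmpv3 user initial auth md5 <authpass> priv des <privpass>
snmpv3 user imc auth sha <authpass> priv aes <privpass>
snmpv3 group operatornoauth user imc sec-model ver3
"""
PROVISION_AFTER = """\
snmpv3 enable
snmpv3 only
snmpv3 user imc auth sha <authpass> priv aes <privpass>
snmpv3 group managerpriv user imc sec-model ver3
"""

if __name__ == "__main__":
    for name, text, platform in [("Comware before", COMWARE_BEFORE, "comware"),
                                 ("Comware after", COMWARE_AFTER, "comware"),
                                 ("ProVision before", PROVISION_BEFORE, "provision"),
                                 ("ProVision after", PROVISION_AFTER, "provision")]:
        findings = audit(text, platform)
        print("%s: %d finding(s)" % (name, len(findings)))
        for number, line, message in findings:
            print("  line %d: %s  <- %s" % (number, message, line))
```

The “after” excerpts produce no findings, the “before” ones list every step of this post that is still missing. The rules are deliberately narrow and only know the command forms used here; extend LINE_RULES if your switches carry other SNMP options, such as additional views or trap targets.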

If you have any questions or would like to give feedback to this post, please use the comment function below.
