Configuring SNMPv3 on Cisco Catalyst switches is pretty simple and is much preferred over v1 or v2. SNMPv3 has three big benefits:
1. Authentication — we can be assured that the message originated from a valid source
2. Integrity — we can be assured that a packet has not been modified in transit
3. Encryption — no more plain-text SNMP data flying around our network
First off, we need to decide what hosts should be allowed to query our switch using SNMP. In my case, this is a single host with the IP address 192.19.20.100. We’ll create a new access control list (ACL) on the switch to restrict access to SNMP.
2960# conf t
Enter configuration commands, one per line. End with CNTL/Z.
2960(config)# ip access-list standard SNMP
2960(config-std-nacl)# permit host 192.19.20.100
2960(config-std-nacl)# deny any log
2960(config-std-nacl)# exit
Next, I create a group named “public”. The group’s security level is the minimum the switch will accept from any user in that group, so I set it to priv (authentication plus encryption) rather than auth, which would still accept authenticated but unencrypted (authNoPriv) requests. Then I’ll create a user named “testtest” in that group with randomly generated authentication and privacy passwords (used for authentication and encryption respectively). We’ll use HMAC-SHA for authentication and 128-bit AES for encryption. In addition, we’ll associate the “SNMP” ACL that we created earlier with this user.
2960(config)# snmp-server group public v3 priv
2960(config)# snmp-server user testtest public v3 auth sha 6546512165132 priv aes 128 8798456146156 access SNMP
Exit global configuration mode and save the config.
2960(config)# exit
2960# copy run start
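The ACL, group and user above are the whole of the SNMPv3 setup, and the weak spots are easy to miss in a long running-config. As an added example (not from the post, and not a Cisco tool), here is a small Python script that audits snmp-server lines as typed at the CLI and flags exactly the settings this configuration is meant to remove: v1/v2c communities, groups whose minimum security level is below priv, users without authentication or encryption, DES/3DES or MD5, and users with no ACL on either the user or its group. The sample configuration is constructed for the example; it borrows the host address, ACL name and user name from the post, and also includes a v2c community, a DES user and an unauthenticated user so that every check fires.

```python
"""Audit Cisco IOS snmp-server lines for weak SNMP settings.

Added example for this post; it is not Cisco's tooling. It reads the
snmp-server commands as typed at the CLI. Note that IOS does not echo
`snmp-server user` lines in `show running-config`, so paste the commands
you entered rather than relying on the saved config for the user checks.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)")
GROUP_RE = re.compile(r"^snmp-server group (\S+) (v1|v2c|v3)(?: (noauth|auth|priv))?(.*)$")
USER_RE = re.compile(
    r"^snmp-server user (\S+) (\S+) (v1|v2c|v3)"
    r"(?: auth (md5|sha) \S+)?"                     # auth algorithm and password
    r"(?: priv (des|3des|aes)(?: (128|192|256))? \S+)?"  # priv algorithm, AES bits, password
    r"(.*)$"                                         # remaining options, e.g. access <acl>
)
ACCESS_RE = re.compile(r"\baccess (\S+)")

WEAK_PRIV = {"des", "3des"}
WEAK_AUTH = {"md5"}

# Constructed sample input (not a real device's config); names reuse the post's values.
SAMPLE_CONFIG = """\
ip access-list standard SNMP
 permit host 192.19.20.100
 deny   any log
snmp-server community public RO
snmp-server group public v3 auth
snmp-server group netmon v3 priv access SNMP
snmp-server user testtest public v3 auth sha 6546512165132 priv des 8798456146156 access SNMP
snmp-server user monitor netmon v3 auth sha secret1 priv aes 128 secret2 access SNMP
snmp-server user legacy netmon v3
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "HIGH" or "MEDIUM"
    line: int      # 1-based line number in the input
    message: str


def audit_snmp_config(config: str) -> list[Finding]:
    """Return findings for communities, groups and users, ordered by line."""
    findings: list[Finding] = []
    group_acl: dict[str, str | None] = {}
    lines = config.splitlines()

    # First pass: communities and groups. Groups are recorded so a user can
    # satisfy the ACL check through its group's `access` clause.
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if m := COMMUNITY_RE.match(line):
            findings.append(Finding("HIGH", no,
                f"SNMPv1/v2c community '{m.group(1)}' configured; v1/v2c is unauthenticated plaintext"))
        elif m := GROUP_RE.match(line):
            name, version, level, rest = m.groups()
            acl = ACCESS_RE.search(rest)
            group_acl[name] = acl.group(1) if acl else None
            if version != "v3":
                findings.append(Finding("HIGH", no, f"group '{name}' is {version}, not v3"))
            elif level == "noauth":
                findings.append(Finding("HIGH", no, f"group '{name}' allows unauthenticated requests"))
            elif level == "auth":
                findings.append(Finding("MEDIUM", no,
                    f"group '{name}' minimum level 'auth' accepts unencrypted (authNoPriv) requests; use 'priv'"))

    # Second pass: users, checked against the groups collected above.
    for no, raw in enumerate(lines, 1):
        m = USER_RE.match(raw.strip())
        if not m:
            continue
        user, group, version, auth, priv, _bits, rest = m.groups()
        if version != "v3":
            findings.append(Finding("HIGH", no, f"user '{user}' is {version}, not v3"))
            continue
        if auth is None:
            findings.append(Finding("HIGH", no, f"user '{user}' has no authentication (noAuthNoPriv)"))
        else:
            if auth in WEAK_AUTH:
                findings.append(Finding("MEDIUM", no, f"user '{user}' uses weak auth algorithm {auth}"))
            if priv is None:
                findings.append(Finding("HIGH", no, f"user '{user}' has no privacy password; its traffic is plaintext"))
            elif priv in WEAK_PRIV:
                findings.append(Finding("MEDIUM", no, f"user '{user}' uses weak privacy algorithm {priv}; use aes 128 or stronger"))
        if ACCESS_RE.search(rest) is None and group_acl.get(group) is None:
            findings.append(Finding("MEDIUM", no, f"user '{user}' has no ACL on the user or on group '{group}'"))

    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f"{f.severity:6} line {f.line}: {f.message}")
```

Run against the sample, the script reports the v2c community, the group left at the auth level, the DES user and the unauthenticated user, and stays silent for the user with SHA, AES-128 and an ACL inherited from its group. Feed it the commands you entered on your own switch to confirm the finished configuration produces no findings.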