Cisco IOS SNMP v3 setup

Please note that this guide no longer applies to FreeNAC 3. In FreeNAC 3 the switches are programmed through PHP's SNMP functions instead of the Linux net-snmp command-line utilities. This guide applies to earlier versions of FreeNAC used together with SuSE Linux.

SNMP v3 setup

(contribution from 'immi')
To use authentication and encryption with SNMP, and also to restrict by access-list who can access my device.
For SNMP write I enabled only a limited part of the SNMP tree (.1.3.6.1.2); read is open.

1. Cisco switch part, in config mode:

snmp-server group secure v3 priv
! the second "snmp-server group" line replaces the first one; only the line
! with the views and the access-list survives in the running config (see below)
snmp-server group secure v3 priv read secure-ro write secure-wr access 1
snmp-server view secure-ro internet included
snmp-server view secure-wr mgmt included
snmp-server user snmpusr secure v3 auth md5 cisco123 priv des56 cisco123

access-list 1 permit host x.x.x.x
access-list 1 deny any log

# then you can check:
# (the "snmp-server user" line is never shown in the running config, IOS keeps
#  SNMPv3 users out of "show run"; use "show snmp user" below instead)
VMPSclient#sho run | incl snmp
snmp-server group secure v3 priv read secure-ro write secure-wr access 1
snmp-server view secure-ro internet included
snmp-server view secure-wr mgmt included
snmp-server location /CZ/PRG/ROOM249
snmp-server contact CallMe ext.: xxxx
VMPSclient#

VMPSclient#sho snmp group
groupname: secure security model:v3 priv
readview : secure-ro writeview: secure-wr
notifyview: <no notifyview specified>
row status: active access-list: 1

VMPSclient#sho snmp user
User name: snmpusr
Engine ID: 8000000903000014A86637C0
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: secure

# two examples to check that it is working:
snmpwalk -v 3 -u snmpusr -l authPriv -a MD5 -A cisco123 -x DES -X cisco123 172.16.1.1 system
snmpwalk -v 3 -u snmpusr -l authPriv -a MD5 -A cisco123 -x DES -X cisco123 172.16.1.1 sysUpTime

2. Then set the default SNMP values on the FreeNAC server; they live in /usr/share/snmp/snmp.conf, which net-snmp reads as a site-wide default (the per-user ~/.snmp/snmp.conf of the account FreeNAC runs as works too). Note that this stores both passphrases in clear text, so make sure the file is not readable by other local users:
vmpssrv:~ # cat /usr/share/snmp/snmp.conf
(comment lines removed)
defversion 3
defsecurityname snmpusr
defsecuritylevel authPriv
defauthtype MD5
defauthpassphrase cisco123
defprivtype DES
defprivpassphrase cisco123

To test (version, user, security level and passphrases now come from snmp.conf): snmpwalk 172.16.1.1 system

3. Modify /opt/nac/etc/config.inc
(just the part for the port reset)
## restart_port
# $snmpwalk="/usr/bin/snmpwalk -v 1 -c public"; # SNMP Read community
# $snmpset ="/usr/bin/snmpset -v 1 -c private"; # SNMP Write community
# no version or community on the command line any more: the v3 defaults
# from /usr/share/snmp/snmp.conf apply
$snmpset ="/usr/bin/snmpset";  # SNMP Write community
$snmpwalk="/usr/bin/snmpwalk"; # SNMP Read community
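The three steps above are only as good as what the switch actually ended up with and what the server ends up sending, so here is an added example (editor's code, not part of the FreeNAC project) that cross-checks both sides offline. It turns the snmp.conf defaults from step 2 into the equivalent command-line flags, so you can confirm that the defaults-only `snmpwalk 172.16.1.1 system` test is the same request as the explicit `-v 3 -u ... -l authPriv ...` test from step 1, and it audits saved `show snmp group` / `show snmp user` output for groups that are not `v3 priv`, groups with no access-list, and users still on MD5/DES. The sample show output embedded below is constructed from the output in this guide plus one hypothetical `public` v1 community group to show a failing case; the SHA/AES recommendation in the findings is the editor's, not something the guide states.

```python
#!/usr/bin/env python3
"""Added example: cross-check the SNMPv3 setup from the guide (not FreeNAC code)."""
import re

# net-snmp snmp.conf directive -> equivalent snmpcmd(1) flag, in the order the guide uses
CONF_TO_FLAG = {
    "defversion": "-v",
    "defsecurityname": "-u",
    "defsecuritylevel": "-l",
    "defauthtype": "-a",
    "defauthpassphrase": "-A",
    "defprivtype": "-x",
    "defprivpassphrase": "-X",
}

# constructed sample: the snmp.conf from step 2 of the guide
SNMP_CONF = """\
defversion 3
defsecurityname snmpusr
defsecuritylevel authPriv
defauthtype MD5
defauthpassphrase cisco123
defprivtype DES
defprivpassphrase cisco123
"""

# constructed sample: the guide's "show snmp group" plus a hypothetical v1 community group
SHOW_SNMP_GROUP = """\
groupname: secure security model:v3 priv
readview : secure-ro writeview: secure-wr
notifyview: <no notifyview specified>
row status: active access-list: 1

groupname: public security model:v1
readview : v1default writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active access-list: <no access-list specified>
"""

# constructed sample: the guide's "show snmp user"
SHOW_SNMP_USER = """\
User name: snmpusr
Engine ID: 8000000903000014A86637C0
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: secure
"""

WEAK_AUTH = {"MD5", "None"}   # editor's policy: prefer SHA
WEAK_PRIV = {"DES", "None"}   # editor's policy: prefer AES


def parse_snmp_conf(text):
    """Return {directive: value} for the non-comment 'directive value' lines of an snmp.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf


def snmp_conf_to_args(conf):
    """Command-line flags equivalent to the snmp.conf defaults (what the defaults-only test sends)."""
    args = []
    for directive, flag in CONF_TO_FLAG.items():
        if directive in conf:
            args += [flag, conf[directive]]
    return args


def parse_show_snmp_group(text):
    """One dict per group block; '<no ... specified>' fields become None."""
    groups = []
    for block in re.split(r"\n\s*\n", text.strip()):
        name = re.search(r"groupname:\s*(\S+)", block)
        model = re.search(r"security model:\s*(v1|v2c|v3(?: \w+)?)", block)
        acl = re.search(r"access-list:\s*(<[^>]*>|\S+)", block)
        if name and model:
            groups.append({
                "name": name.group(1),
                "model": model.group(1),
                "acl": None if acl is None or acl.group(1).startswith("<") else acl.group(1),
            })
    return groups


def parse_show_snmp_user(text):
    """One dict per user block of 'show snmp user' output."""
    users = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^([A-Za-z -]+):\s*(.+)$", block, re.M))
        if "User name" in fields:
            users.append({
                "name": fields["User name"].strip(),
                "auth": fields.get("Authentication Protocol", "None").strip(),
                "priv": fields.get("Privacy Protocol", "None").strip(),
                "group": fields.get("Group-name", "").strip(),
            })
    return users


def audit_show_snmp(group_text, user_text):
    """Findings (strings) for anything weaker than an ACL-restricted v3 priv group with strong protocols."""
    findings = []
    groups = {g["name"]: g for g in parse_show_snmp_group(group_text)}
    for g in groups.values():
        if g["model"] != "v3 priv":
            findings.append(f"group {g['name']}: security model '{g['model']}' is not v3 priv (no encryption)")
        if g["acl"] is None:
            findings.append(f"group {g['name']}: no access-list, any source address may query")
    for u in parse_show_snmp_user(user_text):
        if u["group"] not in groups:
            findings.append(f"user {u['name']}: group '{u['group']}' is not defined")
        if u["auth"] in WEAK_AUTH:
            findings.append(f"user {u['name']}: auth protocol {u['auth']} is weak, prefer SHA")
        if u["priv"] in WEAK_PRIV:
            findings.append(f"user {u['name']}: priv protocol {u['priv']} is weak, prefer AES")
    return findings


if __name__ == "__main__":
    print("snmpwalk", *snmp_conf_to_args(parse_snmp_conf(SNMP_CONF)), "172.16.1.1", "system")
    for finding in audit_show_snmp(SHOW_SNMP_GROUP, SHOW_SNMP_USER):
        print("FINDING:", finding)
```

Run it against your own captured `show snmp group` and `show snmp user` output by replacing the two sample strings; with the sample data it reports the `public` v1 group (unencrypted and unrestricted) and the MD5/DES user, and nothing for the `secure` group, which is the state this guide is aiming for.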