Configuring SNMPv3

SNMPv3 uses SNMP users to restrict SNMP access. When you map an SNMP user to an SNMP group, you can use an SNMP view to restrict which MIBs SNMP requests can access.

To configure SNMPv3, perform the following steps.
  1. In privileged EXEC mode, enter global configuration mode.
    device# configure terminal
  2. Configure the contact information for the SNMP server.
    device(config)# snmp-server contact "Network Management group - Contact # 123-123-1234"
    
    This example changes the default contact information from Field Support to "Network Management group - Contact # 123-123-1234".

    The double quotes allow you to enter a string that contains spaces.

  3. Configure the location information for the SNMP server.
    device(config)# snmp-server location "South Room, Rack-11"
    
    This example changes the default location from End User Premise to "South Room, Rack-11".

    The double quotes allow you to enter a string that contains spaces.

  4. Add an SNMP view to restrict or allow access to the MIB OIDs.
    device(config)# snmp-server view view2 1.3.6.1 included
    This example adds the SNMP view2 view entry with included permission to allow access for the MIB 1.3.6.1 object ID ('internet').
  5. Add an SNMP group.
    device(config)# snmp-server group group1 v3 priv write view2 notify view2
    
    This example adds the group1 group for SNMPv3 and maps the read-write access and notify views to view2.
  6. Add an SNMP user and associate it with a group.
    device(config)# snmp-server user user2 groupname group1 auth md5 auth-password private123 priv DES priv-password public123
    

    This example adds the user2 user and associates it with the group1 group so that it can access MIBs through SNMPv3 requests. For SNMPv3 users, the passwords given with the auth-password and priv-password keywords are encrypted when they are stored in persistent memory or displayed back to the user. You can configure a user with either a plain-text password or an encrypted password. In both cases, the show running-config command displays the passwords as encrypted.

  7. Configure the SNMPv3 trap host associated with an SNMP user.
    device(config)# snmp-server v3host 10.26.3.166 user2 severity-level Info udp-port 4425
    

    This example configures 10.26.3.166 as an SNMPv3 trap recipient host on the target port 4425 and associates the user2 user.

    The global SNMPv3 host can be associated with global SNMPv3 users only. You cannot create an SNMPv3 host in a global configuration by associating it with local SNMPv3 users.

  8. Enable the traps.
    device(config)# snmp-server enable trap
  9. Access privileged EXEC mode.
    device(config)# exit
    
  10. Verify the configuration.
    device# show running-config snmp-server
    snmp-server contact "Network Management group - Contact # 123-123-1234" 
    snmp-server enable trap
    snmp-server location "South Room, Rack-11"
    snmp-server group group1 v3 priv write view2 notify view2
    snmp-server user user2 groupname group1 md5 auth-password private123 priv DES priv-password public123
    snmp-server v3host 10.26.3.166 user2 
     severity-level Info 
     udp-port 4425
    !
    snmp-server view view2 1.3.6.1 included

Example

The following example shows the previous steps to configure SNMPv3.

device# configure terminal
device(config)# snmp-server contact "Network Management group - Contact # 123-123-1234"
device(config)# snmp-server location "South Room, Rack-11"
device(config)# snmp-server view view2 1.3.6.1 included
device(config)# snmp-server group group1 v3 priv write view2 notify view2
device(config)# snmp-server user user2 groupname group1 auth md5 auth-password private123 priv DES priv-password public123
device(config)# snmp-server v3host 10.26.3.166 user2 severity-level Info udp-port 4425
device(config)# snmp-server enable trap
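
The following Python script is an added example, not part of the original procedure or of the device software. It parses the show running-config snmp-server output from step 10 and reports the settings a reviewer would question: MD5 authentication, DES privacy, a v3 group that does not require privacy, and a write view rooted at or above 1.3.6.1. The function names, the finding texts, and the choice of which subtrees count as broad are assumptions of this example.

```python
# Constructed sample: the running-config output from step 10 of this page.
SAMPLE = '''\
snmp-server contact "Network Management group - Contact # 123-123-1234"
snmp-server enable trap
snmp-server location "South Room, Rack-11"
snmp-server group group1 v3 priv write view2 notify view2
snmp-server user user2 groupname group1 md5 auth-password private123 priv DES priv-password public123
snmp-server v3host 10.26.3.166 user2
 severity-level Info
 udp-port 4425
!
snmp-server view view2 1.3.6.1 included
'''

BROAD_ROOTS = {"1", "1.3", "1.3.6", "1.3.6.1"}  # subtrees at or above 'internet'
WEAK = {"md5": "HMAC-MD5 authentication", "des": "DES privacy"}

def _before(tokens, keyword):
    """Return the lower-cased token that precedes keyword, or None."""
    return tokens[tokens.index(keyword) - 1].lower() if keyword in tokens[1:] else None

def audit(config):
    """Return sorted (object, finding) pairs for an snmp-server running-config."""
    views, groups, findings = {}, {}, []
    for tok in (line.split() for line in config.splitlines()):
        if tok[:1] != ["snmp-server"] or len(tok) < 3:
            continue  # skips blank lines, '!' and indented v3host sub-lines
        kind, name, rest = tok[1], tok[2], tok[3:]
        if kind == "view" and len(rest) >= 2 and rest[1] == "included":
            views.setdefault(name, set()).add(rest[0].strip("."))
        elif kind == "group" and rest[:1] == ["v3"] and len(rest) >= 2:
            # rest = [version, level, key, view, key, view, ...]
            groups[name] = (rest[1], dict(zip(rest[2::2], rest[3::2])))
        elif kind == "user":
            for kw in ("auth-password", "priv-password"):
                algo = _before(rest, kw)  # works with or without the 'auth' keyword
                if algo in WEAK:
                    findings.append((name, "weak " + WEAK[algo]))
    for name, (level, mapped) in groups.items():  # views may be listed after groups
        if level != "priv":
            findings.append((name, "group does not require privacy"))
        wide = views.get(mapped.get("write"), set()) & BROAD_ROOTS
        for oid in sorted(wide):
            findings.append((name, "write view %s includes %s" % (mapped["write"], oid)))
    return sorted(findings)

if __name__ == "__main__":
    for obj, finding in audit(SAMPLE):
        print(obj, "-", finding)
```

Run against the configuration built in this procedure, it reports three findings: the write view on group1 and the two algorithms configured for user2.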