Sunday, June 23, 2013

SNMPv3 traps config + cisco

In this blog we will look at security SNMPv3 traps

SNMPv3 allows for us to generate traps and secure these between the agent and manager. To do this we need to take a few steps in  our configurations;

1st we need to enable traps

config t
  snmp-server enable traps


next we need to define  a snmpv3 group and a user. Here we are defining a group name <mygroup> and a user <myuser> and with  <md5> and single <des> for authentication and encryption.

config t
 snmp-server group mygroup v3 auth
 snmpserver user myuser  mygroup v3  priv md5 Ims0s3cur3d  des56 hAckm3123Wed

The next few steps are crucial; we have to have a unique EnginID, but we don't have to configured one. By default, our  snmpEngineID is predefined on every cisco  router/switch device.

This  ID is created by default , & by using the 1st physical interface bia ( burned in address  aka mac-address )

Here's a cisco 2800;

rt1.mdc11#show int gi 0/0 | incl bia
  Hardware is MV96340 Ethernet, address is 0015.fad8.2211 (bia 0015.fad8.2211

and check out our SNMPengine ID

rt1.mdc11#show snmp engineID       
Local SNMP engineID: 8000000903000015FAD2211  <------ here

Remote Engine ID          IP-addr    Port

Notice how our bia is used to compute the engine ID?

It's done by default and you have to do nothing. Arguments have been made for crafting the ID by and for it being unique for each device in your network.  A few valid reasons exist for this purpose;


  • Such as if you   change hardware ( i.e  RMA ) or configurations are move to a new device ( SNMP engine ID will change )

  • Also the  SNMPv3 user  password is hashed off this  ID. So if you change it mid-stream, it would  screw up the SNMPv3 user

Now moving on, you need to craft a remote snmp engine ID for the remote collector;

snmp-server engineID remote 8000000903000000000001

Once again this ID is unique and should be for the SNMPtrap collector.

Now that we have all of the ingredients,  we can complete the config by mapping the SNMPv3 user to our  snmp-server  hosts that's to receive the traps.

Here's the final configuration for our  user to send traps to the host; the user =  "myuser", and we are using  version 3.

snmp-server  host  informs  version  3 priv myuser

So  in this example, the  router/switch would send  snmpv3 traps with authentication only, and with no encryption. The SNMP collector would authenticate the sender traps.

The following dumps shows you some unencrypted traps being sent to a  collector & from the above host;

Here's some other important information that pertains to cisco and SNMPv3 users;

The SNMPv3 user information,  is NOT maintain in the running-config. If you "dir" the nvram filesystem, it would maintain a list of  SNMPv3 user names/password-hashes and along with  any ssh private-pub/keys. If you would run the "show run " command, you will not find any user information for SNMPv3.

NOTE: The file  <private-config> contains the SNMPv3 user  information and it is NOT read/write by anyone.

Also the "show snmp user" command will show you details about any  configured  users, along with your SNMP engine ID.

So SNMPv3 traps are easy to configure , and requires a few more steps. Its simple, and just remember ; " you have the means to use auth or authPriv between the  SNMPagent and collector"

Ken Felix
Freelance Network/Security Engineer

   ^     ^
=( *  * )=
     /    \

1 comment:

  1. SNMP V3’s focus was to enhance this security flaw. SNMP V3 adds authentication and privacy choices to secure its communication between SNMP servers and SNMP agents.

    Silvester Norman

    Change Mac Address