Sample SNMPv3 access configuration:
configure snmpv3 add user v3admin authentication md5 v3adminauth privacy des v3adminpriv
configure snmpv3 add group v3group user v3admin sec-model usm
configure snmpv3 add access v3group sec-model usm sec-level priv read-view defaultAdminView write-view defaultAdminView notify-view defaultAdminView
disable snmp access snmp-v1v2c
disable snmpv3 default-user
disable snmpv3 default-group
SNMPv3 configuration explained:
An SNMPv3 configuration consists of a user portion, a group portion, and an access portion.
This is the user portion:
configure snmpv3 add user <user> authentication md5 <authpassword> privacy des <privpassword>
The user portion ties together the username, authentication type (md5 or SHA1), authentication password (<authpassword>), encryption type (des or aes) and the encryption key (<privpassword>). This is all the information required to decrypt and authenticate the SNMP messages.
The group portion:
configure snmpv3 add group <group> user <user> sec-model usm
This portion ties the user to a specific group within the switch to be used with SNMPv3.
The Access portion:
configure snmpv3 add access <group> sec-model usm sec-level priv read-view defaultAdminView write-view defaultAdminView notify-view defaultAdminView
This portion defines the authentication/encryption level of the SNMP communication (auth only, auth/no priv, etc.) and also defines the group's access to MIBs for specific functions.
Any user who has been defined in the group will have access to the MIB views that are configured. By default, the "defaultAdminView" is defined as Subtree 1.0, meaning all MIBs. You can define MIB views to restrict access to specific MIBs or MIB trees, and then configure that MIB view to be used as an allowed "read-view", "write-view", or "notify-view":
- read-view: MIBs that are allowed to be read on the device
- write-view: MIBs that are allowed to be written to the device
- notify-view: MIBs allowed to be used for traps/informs
The last three lines of the sample configuration disable SNMPv1 and v2 access and disable the default SNMPv3 users and groups.
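A check that follows from the configuration explained above, added here as an example and not part of the original article or any vendor tooling: a Python audit of a saved configuration that reports a missing "disable" line, an md5 or des user, an access entry whose sec-level is not priv, and a write-view left at defaultAdminView. It only understands the command syntax shown on this page; the function name and the sample input are constructed for illustration.

```python
import re

# Constructed input: the page's sample with the three "disable" lines left out.
SAMPLE = """\
configure snmpv3 add user v3admin authentication md5 v3adminauth privacy des v3adminpriv
configure snmpv3 add group v3group user v3admin sec-model usm
configure snmpv3 add access v3group sec-model usm sec-level priv read-view defaultAdminView write-view defaultAdminView notify-view defaultAdminView
"""

# The three hardening lines that close the page's sample configuration.
REQUIRED = (
    "disable snmp access snmp-v1v2c",
    "disable snmpv3 default-user",
    "disable snmpv3 default-group",
)


def audit_snmpv3(config_text):
    """Return findings for SNMPv3 lines written in the syntax shown on this page."""
    lines = [" ".join(raw.split()) for raw in config_text.splitlines() if raw.strip()]
    findings = [f"missing: {cmd}" for cmd in REQUIRED if cmd not in lines]
    for line in lines:
        user = re.match(r"configure snmpv3 add user (\S+)(.*)", line)
        access = re.match(r"configure snmpv3 add access (\S+)(.*)", line)
        if user:
            name, rest = user.groups()
            auth = re.search(r" authentication (\S+)", rest)
            priv = re.search(r" priv(?:acy)? (\S+)", rest)
            if not auth:
                findings.append(f"user {name}: no authentication")
            elif auth.group(1).lower() == "md5":
                findings.append(f"user {name}: md5 authentication")
            if not priv:
                findings.append(f"user {name}: no privacy (encryption)")
            elif priv.group(1).lower() == "des":
                findings.append(f"user {name}: des privacy")
        elif access:
            group, rest = access.groups()
            level = re.search(r" sec-level (\S+)", rest)
            if not level or level.group(1) != "priv":
                findings.append(f"group {group}: sec-level is not priv")
            if re.search(r" write-view defaultAdminView\b", rest):
                findings.append(f"group {group}: write-view covers all MIBs")
    return findings


if __name__ == "__main__":
    for finding in audit_snmpv3(SAMPLE):
        print(finding)
```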