Strong SNMPv3 Encryption

Strong SNMPv3 Encryption

Problem

You want to increase the strength of SNMPv3 encryption.

Solution

Starting with IOS Version 12.4(2)T, Cisco introduced support for stronger encryption capabilities. To enable 3DES use the following command:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#snmp-server user wbrejniak ORAROV3 v3 auth md5 authpass priv 3des privpass
Router1(config)#end                                                                      
Router1#

To enable AES encryption of SNMPv3 traffic, use the following command:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#snmp-server user wbrejniak ORAROV3 v3 auth md5 authpass priv aes 128 privpass
Router1(config)#end
Router1#

Discussion

Beginning with IOS Version 12.4(2)T, Cisco enhanced the encryption capabilities of SNMPv3 by adding support for 3DES and Advanced Encryption Standard (AES). The addition of AES 128-bit encryption meets the RFC 3826 standard. In addition, Cisco has also added support for 168-bit 3DES, and 192-bit and 256-bit AES encryption, which is currently not part of the RFC standard.

AES and 3DES encryption are only supported in IOS images that support encryption services.


To display the user encryption method to confirm configuration, use the show snmp user command:

Router1#show snmp user wbrejniak

User name: wbrejniak
Engine ID: 800000090300000E84244E70
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: 3DES
Group-name: ORAROV3

Router1#

Notice that user wbrejniak is currently configured to use 3DES encryption, as highlighted in our previous example:

Router1#show snmp user wbrejniak

User name: wbrejniak
Engine ID: 800000090300000E84244E70
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: ORAROV3

Router1#

Now notice that we've changed the configuration of user wbrejniak to support AES 128-bit encryption.

In our next example, we'll use Net-SNMP to extract the hostname using strong encryption. Please note that Net-SNMP currently only supports DES 56-bit and AES 128-bit encryption because they are standards based:

Freebsd% snmpget -v 3 -u wbrejniak -l authPriv -a md5 -A authpass -x aes -X privpass 172.25.1.101 sysName.0
SNMPv2-MIB::sysName.0 = STRING: Router1.oreilly.com
Freebsd%

See Also