Strong SNMPv3 Encryption

Problem

You want to increase the strength of SNMPv3 encryption.

Solution

Starting with IOS Version 12.4(2)T, Cisco introduced support for stronger SNMPv3 privacy (encryption) algorithms. To enable 3DES for a user, use the following commands:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#snmp-server user wbrejniak ORAROV3 v3 auth md5 authpass priv 3des privpass
Router1(config)#end
Router1#

To enable AES encryption of SNMPv3 traffic for the same user, use the following commands:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#snmp-server user wbrejniak ORAROV3 v3 auth md5 authpass priv aes 128 privpass
Router1(config)#end
Router1#


Discussion

Beginning with IOS Version 12.4(2)T, Cisco enhanced the privacy capabilities of SNMPv3 by adding support for 3DES and the Advanced Encryption Standard (AES). The 128-bit AES option is the one defined by RFC 3826 for the User-based Security Model. Cisco has also added 168-bit 3DES and 192-bit and 256-bit AES, which at the time of writing are not part of any RFC standard and so may not be supported by other vendors' SNMP managers. Note that both examples in the Solution use MD5 for authentication; IOS also accepts auth sha, which should be preferred where the management station supports it, and RFC 3414 requires both the authentication and privacy passphrases to be at least eight characters long.

AES and 3DES encryption are available only in IOS images that include the cryptographic feature set (the k9 images).

Because IOS stores SNMPv3 users with localized keys rather than in the running configuration, snmp-server user lines do not appear in show running-config output. To confirm which authentication and privacy protocols a user is configured with, use the show snmp user command:

Router1#show snmp user wbrejniak
User name: wbrejniak
Engine ID: 800000090300000E84244E70
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: 3DES
Group-name: ORAROV3
Router1#

Notice that user wbrejniak is currently configured to use 3DES encryption, matching the first example in the Solution. After reconfiguring the user with priv aes 128, the same command shows:

Router1#show snmp user wbrejniak
User name: wbrejniak
Engine ID: 800000090300000E84244E70
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: ORAROV3
Router1#

The Privacy Protocol field now reads AES128, confirming that user wbrejniak has been changed to AES 128-bit encryption.
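Running show snmp user without a username lists every SNMPv3 user on the router, which makes it easy to audit a device for users still on 56-bit DES, users with no privacy at all, or users authenticating with MD5. The following script is an added example, not part of the original recipe: it parses show snmp user output of the format shown above (a constructed sample with three users is embedded so it runs offline) and reports each user's protocols with a verdict on the privacy setting. The function names and the sample data are assumptions made for this example.

```sh
#!/bin/sh
# Audit SNMPv3 users from IOS "show snmp user" output.
# Added example; the sample below is constructed, not captured from a real device.

SAMPLE_SHOW_SNMP_USER='User name: wbrejniak
Engine ID: 800000090300000E84244E70
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: ORAROV3

User name: legacy
Engine ID: 800000090300000E84244E70
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: ORAROV3

User name: noprivuser
Engine ID: 800000090300000E84244E70
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: None
Group-name: ORAROV3
'

# audit_snmp_users: read "show snmp user" output on stdin and print one line
# per user: <user> <auth-protocol> <priv-protocol> <verdict>.
# The verdict is OK only when the privacy protocol is AES128/192/256 or 3DES;
# DES, None, or anything unrecognised is reported as WEAK.
audit_snmp_users() {
    awk '
        /^User name:/               { user = $3 }
        /^Authentication Protocol:/ { auth = $3 }
        /^Privacy Protocol:/        { priv = $3 }
        /^Group-name:/ {
            # Group-name is the last field of each user record, so emit here.
            verdict = "WEAK"
            if (priv ~ /^(AES(128|192|256)|3DES)$/) verdict = "OK"
            print user, auth, priv, verdict
            user = auth = priv = ""
        }
    '
}

# weak_snmp_users: names of users whose privacy protocol is not AES or 3DES.
weak_snmp_users() {
    audit_snmp_users | awk '$4 == "WEAK" { print $1 }'
}

# md5_auth_users: names of users still authenticating with MD5 rather than SHA.
md5_auth_users() {
    audit_snmp_users | awk '$2 == "MD5" { print $1 }'
}

# Usage (example): printf '%s' "$SAMPLE_SHOW_SNMP_USER" | audit_snmp_users
# On a live device, feed the script the output of "show snmp user" instead.
```

The same approach works for a fleet: collect show snmp user from each router over SSH and pipe each capture through weak_snmp_users to produce a list of users that still need to be moved to priv aes 128.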

In our next example, we'll use Net-SNMP to read the router's hostname over an encrypted SNMPv3 session. Note that, at the time of writing, Net-SNMP supports only the standards-based privacy protocols, 56-bit DES and 128-bit AES, so the user must be configured with priv aes 128 (as above) rather than 3des or a larger AES key for this query to succeed:

Freebsd% snmpget -v 3 -u wbrejniak -l authPriv -a md5 -A authpass -x aes -X privpass 172.25.1.101 sysName.0
SNMPv2-MIB::sysName.0 = STRING: Router1.oreilly.com
Freebsd%


See Also

Recipe 17.22
