SNMPv3 Configuration (Opt.)

SNMP (Simple Network Management Protocol) is a common protocol used in monitoring networking equipment. This article walks through configuring SNMP Version 3, the latest and most secure version of SNMP.

Restrict Access

Create an IP access-list of all the services which will be allowed to query the SNMP service.

Switch (config)# ip access-list standard snmp-service
Switch (config-std-nacl)# permit 10.0.0.16  
Switch (config-std-nacl)# permit 10.0.0.17

Configure Views

Create two new views: one that will have read-only privileges (called “SNMP-v3-RO-View”) and another with read-write privileges (called “SNMP-v3-RW-View”). Both views will be able to walk through the ‘ISO’ OIDs (a.k.a. the OIDs containing SNMP information).

For more information on how SNMP works, please see this great article.

Switch (config)# snmp-server view SNMP-v3-RO-View iso included 
Switch (config)# snmp-server view SNMP-v3-RW-View iso included

Configure Groups

Create a group for each view outlining that group’s privilege level (read/write). In this example, the SNMP-v3-RO group, which has been assigned the SNMP-v3-RO-View view, can only read the SNMP information (priv read), never write.

Switch (config)# snmp-server group SNMP-v3-RO v3 priv read SNMP-v3-RO-View access snmp-service
Switch (config)# snmp-server group SNMP-v3-RW v3 priv write SNMP-v3-RW-View access snmp-service

Configure & Assign Users

Create a new user for each group that will allow querying of the SNMP service from external tools. For this example, the user SNMP-v3-RO-User will be created and added to the SNMP-v3-RO group. Being a member of this group in turn grants the account access to the SNMP-v3-RO-View view. Two passwords are required when running this command:

  1. Auth - Password to authenticate the user.
  2. Priv - Secret used to enable encryption of the SNMP messages.

Switch (config)# snmp-server user SNMP-v3-RO-User SNMP-v3-RO v3 auth sha [password] priv aes 128 [password] access snmp-service
Switch (config)# snmp-server user SNMP-v3-RW-User SNMP-v3-RW v3 auth sha [password] priv aes 128 [password] access snmp-service

The account can now be used to monitor your switch via SNMP.
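
The steps above depend on each other (users reference groups, groups reference views, and both reference the access-list), so a candidate command list can be checked for gaps before it is pasted into the switch. The script below is an added example, not part of the original article; it only understands commands written in the form shown on this page, and the LAB-GROUP and LAB-User lines and the mgmt-hosts access-list name are hypothetical entries constructed to trigger findings.

```python
# Constructed candidate config: the article's commands plus two deliberately weak
# lines (LAB-GROUP, LAB-User) that are hypothetical and not from the article.
SAMPLE = """\
ip access-list standard snmp-service
 permit 10.0.0.16
 permit 10.0.0.17
snmp-server view SNMP-v3-RO-View iso included
snmp-server view SNMP-v3-RW-View iso included
snmp-server group SNMP-v3-RO v3 priv read SNMP-v3-RO-View access snmp-service
snmp-server group SNMP-v3-RW v3 priv write SNMP-v3-RW-View access snmp-service
snmp-server group LAB-GROUP v3 auth read SNMP-v3-RO-View
snmp-server user SNMP-v3-RO-User SNMP-v3-RO v3 auth sha [password] priv aes 128 [password] access snmp-service
snmp-server user LAB-User LAB-GROUP v3 auth sha [password] access mgmt-hosts
"""


def audit(config):
    """Return findings for snmp-server group/user lines written as in the article."""
    lines = [ln.split() for ln in config.splitlines() if ln.strip()]
    acls = {t[3] for t in lines if t[:3] == ["ip", "access-list", "standard"]}
    views = {t[2] for t in lines if t[:2] == ["snmp-server", "view"]}
    groups = {t[2] for t in lines if t[:2] == ["snmp-server", "group"]}
    findings = []
    for t in lines:
        if t[:2] == ["snmp-server", "group"]:
            name, opts = t[2], t[5:]
            if t[4] != "priv":  # noauth/auth leave the messages unencrypted
                findings.append(f"group {name}: level '{t[4]}' instead of 'priv'")
            for kw in ("read", "write"):  # each referenced view must exist
                if kw in opts and opts[opts.index(kw) + 1] not in views:
                    findings.append(f"group {name}: {kw} view is not defined")
        elif t[:2] == ["snmp-server", "user"]:
            name, opts = t[2], t[5:]
            if t[3] not in groups:
                findings.append(f"user {name}: group '{t[3]}' is not defined")
            if "auth" not in opts:
                findings.append(f"user {name}: no auth password")
            if "priv" not in opts:
                findings.append(f"user {name}: no priv secret")
        else:
            continue
        # The article puts "access <acl>" last on both group and user lines.
        if t[-2] != "access":
            findings.append(f"{t[1]} {name}: no access-list restriction")
        elif t[-1] not in acls:
            findings.append(f"{t[1]} {name}: access-list '{t[-1]}' is not defined")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```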