Strong SNMPv3 Encryption
Problem
You want to increase the strength of SNMPv3 encryption.
Solution
Starting with IOS Version 12.4(2)T, Cisco introduced support for stronger encryption capabilities. To enable 3DES, use the following command:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#snmp-server user wbrejniak ORAROV3 v3 auth md5 authpass priv 3des privpass
Router1(config)#end
Router1#
To enable AES encryption of SNMPv3 traffic, use the following command:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#snmp-server user wbrejniak ORAROV3 v3 auth md5 authpass priv aes 128 privpass
Router1(config)#end
Router1#
Discussion
Beginning with IOS Version 12.4(2)T, Cisco enhanced the encryption capabilities of SNMPv3 by adding support for 3DES and Advanced Encryption Standard (AES). The addition of AES 128-bit encryption meets the RFC 3826 standard. Cisco has also added support for 168-bit 3DES and for 192-bit and 256-bit AES encryption, which are currently not part of the RFC standard.
Tip
AES and 3DES encryption are only supported in IOS images that support encryption services.
To confirm the configuration, use the show snmp user command, which displays each user's encryption method:
Router1#show snmp user
User name: wbrejniak
Engine ID: 800000090300000E84244E70
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: 3DES
Group-name: ORAROV3
Router1#
Notice ...
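An added example, not from the book: a Python check that parses show snmp user output in the layout shown above and lists every user whose privacy protocol is not 3DES or AES. The sample text is constructed; the users nmsuser and legacy, and the "AES128" and "None" value strings, are assumptions.

```python
import re

# Constructed sample in the layout of the `show snmp user` output above. Only the first
# user is from the recipe; the "AES128" and "None" value strings are assumptions.
SAMPLE = """\
User name: wbrejniak
Engine ID: 800000090300000E84244E70
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: 3DES
Group-name: ORAROV3

User name: nmsuser
Engine ID: 800000090300000E84244E70
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: ORAROV3

User name: legacy
Engine ID: 800000090300000E84244E70
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: None
Group-name: ORAROV3
"""

FIELD = re.compile(r"^(User name|Privacy Protocol|Group-name):[ \t]*(\S+)", re.M)
# Policy for this example: only the 3DES and AES modes from this recipe pass.
STRONG = re.compile(r"^(3DES|AES\d*)$", re.I)

def parse_users(text):
    """Split the output into one dict per user, keyed by field label."""
    users = []
    for label, value in FIELD.findall(text):
        if label == "User name":
            users.append({})      # each "User name" line starts a new record
        if users:                 # ignore fields seen before any user
            users[-1][label] = value
    return users

def weak_privacy_users(text):
    """Return (user, group, privacy) for each user outside the policy."""
    return [(u["User name"], u.get("Group-name", "?"), u.get("Privacy Protocol", "missing"))
            for u in parse_users(text) if not STRONG.match(u.get("Privacy Protocol", ""))]

if __name__ == "__main__":
    print(weak_privacy_users(SAMPLE))
```

A user whose Privacy Protocol line is empty or absent is reported as "missing" rather than skipped.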
Get Cisco IOS Cookbook, 2nd Edition now with the O’Reilly learning platform.