Problem
You want to increase the strength of SNMPv3 encryption.
Solution
Starting with IOS Version 12.4(2)T, Cisco introduced support for stronger encryption capabilities. To enable 3DES, use the following command:
    Router1#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router1(config)#snmp-server user wbrejniak ORAROV3 v3 auth md5 authpass priv 3des privpass
    Router1(config)#end
    Router1#
To enable AES encryption of SNMPv3 traffic, use the following command:
    Router1#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router1(config)#snmp-server user wbrejniak ORAROV3 v3 auth md5 authpass priv aes 128 privpass
    Router1(config)#end
    Router1#
Discussion
Beginning with IOS Version 12.4(2)T, Cisco enhanced the encryption capabilities of SNMPv3 by adding support for 3DES and the Advanced Encryption Standard (AES). The addition of AES 128-bit encryption meets the RFC 3826 standard. In addition, Cisco has also added support for 168-bit 3DES and for 192-bit and 256-bit AES encryption, which are currently not part of the RFC standard.
To display the user encryption method to confirm configuration, use the show snmp user command:
    Router1#show snmp user wbrejniak
    User name: wbrejniak
    Engine ID: 800000090300000E84244E70
    storage-type: nonvolatile        active
    Authentication Protocol: MD5
    Privacy Protocol: 3DES
    Group-name: ORAROV3
    Router1#
Notice that user wbrejniak is currently configured to use 3DES encryption, as highlighted in the Privacy Protocol line. After reconfiguring the user with AES, the same command shows the new privacy protocol:
    Router1#show snmp user wbrejniak
    User name: wbrejniak
    Engine ID: 800000090300000E84244E70
    storage-type: nonvolatile        active
    Authentication Protocol: MD5
    Privacy Protocol: AES128
    Group-name: ORAROV3
    Router1#
Now notice that we've changed the configuration of user wbrejniak to support AES 128-bit encryption.
In our next example, we'll use Net-SNMP to extract the hostname using strong encryption. Please note that Net-SNMP currently only supports DES 56-bit and AES 128-bit encryption because they are standards based:
    Freebsd% snmpget -v 3 -u wbrejniak -l authPriv -a md5 -A authpass -x aes -X privpass 172.25.1.101 sysName.0
    SNMPv2-MIB::sysName.0 = STRING: Router1.oreilly.com
    Freebsd%
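Checking one user by eye is fine, but on a router with many SNMPv3 users it is easy to leave a legacy account on DES or with no privacy at all. The following script, an added example that is not part of this recipe, parses the `show snmp user` output format shown above and reports users whose privacy protocol is missing, is DES, or is one of the Cisco-only ciphers (3DES, AES192, AES256) that a standards-based manager such as Net-SNMP cannot use. The sample output embedded in the script is constructed to match the format above; the extra user names and the classification of ciphers into strong, weak and non-standard are the script's own assumptions, based on the discussion in this recipe.

```python
import re
from dataclasses import dataclass

# Constructed sample output modelled on the "show snmp user" format above.
# User names other than wbrejniak are illustrative; the Engine ID is the one shown in the recipe.
SAMPLE_SHOW_SNMP_USER = """\
User name: wbrejniak
Engine ID: 800000090300000E84244E70
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: ORAROV3

User name: legacyuser
Engine ID: 800000090300000E84244E70
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: ORAROV3

User name: ciscoonly
Engine ID: 800000090300000E84244E70
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: 3DES
Group-name: ORAROV3

User name: noprivuser
Engine ID: 800000090300000E84244E70
storage-type: nonvolatile        active
Authentication Protocol: None
Privacy Protocol: None
Group-name: ORAROV3
"""

# Classification assumed from the recipe: AES128 is the RFC 3826 cipher; 3DES and
# AES192/AES256 are Cisco extensions; DES is the original 56-bit SNMPv3 cipher.
STANDARD_PRIV = {"AES128"}
NONSTANDARD_PRIV = {"3DES", "AES192", "AES256"}
WEAK_PRIV = {"DES"}


@dataclass
class SnmpUser:
    name: str
    auth: str
    priv: str
    group: str


def _to_user(fields):
    return SnmpUser(
        name=fields.get("user name", ""),
        auth=fields.get("authentication protocol", "None"),
        priv=fields.get("privacy protocol", "None"),
        group=fields.get("group-name", ""),
    )


def parse_show_snmp_user(text):
    """Parse 'show snmp user' output into SnmpUser records.

    Every 'User name:' line starts a new record; the remaining 'Key: value'
    lines of that record are collected until the next user begins.
    """
    users = []
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip().lower()
        value = re.sub(r"\s+", " ", value.strip())
        if key == "user name":
            if fields:
                users.append(_to_user(fields))
            fields = {"user name": value}
        elif fields is not None:
            fields[key] = value
    if fields:
        users.append(_to_user(fields))
    return users


def audit_users(users):
    """Return {username: finding} for users whose privacy setting needs attention."""
    findings = {}
    for u in users:
        priv = u.priv.upper()
        if priv in ("", "NONE"):
            findings[u.name] = "no privacy protocol: SNMP payload travels in the clear"
        elif priv in WEAK_PRIV:
            findings[u.name] = "DES privacy (56-bit): reconfigure with 'priv aes 128'"
        elif priv in NONSTANDARD_PRIV:
            findings[u.name] = f"{u.priv} is a Cisco extension, not RFC 3826; confirm your manager supports it"
        elif priv not in STANDARD_PRIV:
            findings[u.name] = f"unrecognised privacy protocol {u.priv!r}"
    return findings


if __name__ == "__main__":
    for name, finding in audit_users(parse_show_snmp_user(SAMPLE_SHOW_SNMP_USER)).items():
        print(f"{name}: {finding}")
```

In practice you would feed the script the captured output of `show snmp user` (without a user name argument, so that every user is listed) instead of the constructed sample; users with no finding are the ones already on AES128 with authPriv, which is the only combination both the router and Net-SNMP in this recipe agree on.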
See Also
Recipe 17.22