Cisco NX-OS SNMP v3 configuration

After you’ve built a new storage environment you will probably want to monitor it and/or integrate the equipment into existing monitoring tools. SNMP is one of the protocols to use for this, but for some reason I always forget how to do a Cisco NX-OS SNMP v3 configuration. There’s a big difference in security between SNMP v2c and v3, and they’re configured quite differently: SNMPv2c uses community strings, whereas SNMPv3 builds on the user accounts in the switch. This post will show you how to configure SNMP v3 in the DCNM SAN GUI and on the Cisco MDS NX-OS CLI.

SNMPv2c vs SNMPv3

The biggest difference between SNMPv2c and SNMPv3 is in the protocol security. SNMPv1 and SNMPv2c simply use a community string (effectively a password) that is sent in clear text between the manager and the device you want to poll. Of course this is inherently insecure: sniff a couple of SNMPv2c packets from a link (e.g. an open wireless access point), inspect them and you’ll have the SNMP community string. Assuming there’s not a unique SNMP community string on each device, you can now scan for more devices and start polling them yourself. Or maybe even alter some configurations, if the string you catch is a read-write community string…

SNMPv3 doesn’t fundamentally change the protocol but does add security. It adds authentication (MD5 or SHA) and privacy (DES or 128-bit AES) protocols. There are three modes you can run SNMPv3 in:

  • NoAuthNoPriv – no authentication, no privacy: if you know the username, you’re in.
  • AuthNoPriv – authentication is required but no encryption is enforced: besides the username you’ll only need the password.
  • AuthPriv – both authentication and privacy protocols are active: you need a username and password, and the traffic between the device and the requester is encrypted.

It should be obvious that AuthPriv is the most secure of the three: NoAuthNoPriv basically doesn’t add any security over SNMPv2c.

Cisco NX-OS SNMP v3 configuration

So how do you configure SNMPv3 access on your SAN switches? Open the DCNM-SAN GUI (I’m using 6.3(1) in these screenshots, so screens may vary depending on the version you use) and log in to your fabric. In the physical attributes screen (bottom left in the GUI), browse to Switches > Security > Users and Roles.

Move over to the top-right pane and select the Users tab. It might be grayed out; in that case, select the Roles tab first and the Users tab will unlock. A little GUI bug…

In the Users tab, click the Add button (the white spreadsheet icon with a blue arrow pointing to it). This opens the Create Users dialog.

Cisco NX-OS SNMPv3 Create User

All the switches will be pre-selected; enter a username and password. I only want to allow read-only access, hence I select the network-operator role. Choose a digest and encryption protocol (in this case MD5 and 128-bit AES) and click Create. That’s it: SNMPv3 access is configured.

You might get a “Privacy unsupported for this user” error: both of my fabrics, six switches each, gave me this error on one switch only. In this case you will have to resort to the command line interface to configure the users. Enter configuration mode and use the following commands:

username <username> password <password> role network-operator
snmp-server user <username> network-operator auth md5 <password> priv aes-128 <password>

That’s it! Don’t forget to save the configuration changes and use an SNMP testing tool to check the functionality. I can recommend Paessler SNMP Tester; it has an intuitive interface with lots of options to test a wide range of SNMP functionality.
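Once the users exist, the part worth checking is which of the three modes each one actually ended up in. The following script is an added example, not code from the original post or from Cisco: it parses `snmp-server user` lines the way they appear in `show running-config snmp` (and the two CLI commands above), classifies every SNMPv3 user as NoAuthNoPriv, AuthNoPriv or AuthPriv, and flags the weaker protocol choices plus any leftover SNMPv2c community strings. The sample configuration, the function names and the assumption that a `priv <key>` without `aes-128` denotes DES are all constructed for this example.

```python
"""Audit the security level of SNMPv3 users in an NX-OS configuration.

Added example for the post above; not the post's or Cisco's own code.
Assumption: in `show running-config snmp`, `priv aes-128 <key>` denotes
AES-128 privacy while a bare `priv <key>` denotes DES.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `show running-config snmp` output; keys are placeholders.
SAMPLE_CONFIG = """\
snmp-server user admin network-admin auth md5 0x11aa priv 0x22bb localizedkey
snmp-server user monitor network-operator auth sha 0x33cc priv aes-128 0x44dd localizedkey
snmp-server user legacy network-operator auth md5 0x55ee localizedkey
snmp-server user guest network-operator
snmp-server community public group network-operator
"""

# name, optional role, optional auth section, optional priv section, optional localizedkey
USER_RE = re.compile(
    r"^snmp-server user (?P<name>\S+)"
    r"(?:\s+(?P<role>(?!auth\b)\S+))?"
    r"(?:\s+auth\s+(?P<auth>md5|sha)\s+\S+)?"
    r"(?P<privsec>\s+priv(?:\s+(?P<privproto>aes-128))?\s+\S+)?"
    r"(?:\s+localizedkey)?\s*$"
)


@dataclass
class SnmpUser:
    name: str
    role: Optional[str]
    auth: Optional[str]  # "md5", "sha" or None
    priv: Optional[str]  # "des", "aes-128" or None

    @property
    def level(self) -> str:
        """The SNMPv3 mode this user runs in, as listed in the post."""
        if self.auth is None:
            return "noAuthNoPriv"
        return "authPriv" if self.priv else "authNoPriv"


def parse_snmp_users(config: str) -> List[SnmpUser]:
    """Extract SNMPv3 users from running-config text; unknown lines are skipped."""
    users = []
    for line in config.splitlines():
        m = USER_RE.match(line.strip())
        if not m:
            continue
        priv = None
        if m.group("privsec") is not None:
            priv = m.group("privproto") or "des"  # assumption: no aes-128 keyword == DES
        users.append(SnmpUser(m.group("name"), m.group("role"), m.group("auth"), priv))
    return users


def audit_user(user: SnmpUser) -> List[str]:
    """Findings for one user; an empty list means SHA + AES-128 in AuthPriv."""
    findings = []
    if user.level == "noAuthNoPriv":
        findings.append("noAuthNoPriv: the username alone grants access, no better than v2c")
    elif user.level == "authNoPriv":
        findings.append("authNoPriv: requests are authenticated but polled data travels in clear")
    if user.auth == "md5":
        findings.append("auth md5: prefer sha")
    if user.priv == "des":
        findings.append("priv des: prefer aes-128")
    return findings


def audit_config(config: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map each user (and each v2c community) to its mode and findings."""
    report = {}
    for u in parse_snmp_users(config):
        report[u.name] = (u.level, audit_user(u))
    for line in config.splitlines():
        if line.startswith("snmp-server community "):
            report[f"community:{line.split()[2]}"] = (
                "v2c", ["community string sent in clear text; remove once v3 polling works"])
    return report


def snmpv3_user_commands(username: str, password: str, role: str = "network-operator",
                         auth: str = "sha", priv: str = "aes-128") -> List[str]:
    """The two CLI lines from the post, defaulting to SHA and AES-128 (hypothetical helper)."""
    return [
        f"username {username} password {password} role {role}",
        f"snmp-server user {username} {role} auth {auth} {password} priv {priv} {password}",
    ]


if __name__ == "__main__":
    for name, (level, findings) in audit_config(SAMPLE_CONFIG).items():
        print(f"{name:18} {level:13} {'; '.join(findings) or 'ok'}")
```

Feed it the output of `show running-config snmp` and the user you just created should come back as authPriv; anything listed as noAuthNoPriv or authNoPriv, or any remaining community line, is what to clean up before the switch is exposed to the monitoring network.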