SNMPv3 uses a user-based security model. It provides secure access to devices by authenticating and encrypting the packets exchanged over the network. The security features provided in SNMPv3 are message integrity, authentication and encryption. The following parameters are to be configured for SNMPv3.
1. Name: Credential name
2. Description: A brief description about the credential.
3. User Name: The user (principal) on behalf of whom the message is being exchanged.
4. Context Name (SNMP Context): An SNMP context is a collection of management information accessible by an SNMP entity. An item of management information may exist in more than one context, and an SNMP entity potentially has access to many contexts. In other words, if management information has been defined under a certain context by an SNMPv3 entity, any management application can access that information by supplying that context name. The context name is an octet string that identifies a context containing at least one item of management information.
5. Authentication: Select one of the authentication protocols, MD5 or SHA, and enter the password. MD5 and SHA are the hash functions used to derive the authentication and privacy keys from these passwords in SNMPv3 applications.
6. Encryption: Select one of the encryption protocols, DES or AES-128, and enter the password.
Note: Encryption can be configured only after Authentication has been configured.
7. SNMP Port: SNMP port number.
8. SNMP Timeout: SNMP timeout in seconds.
9. SNMP Retries: Number of SNMP retries.
Note: Make sure that the context name given in NetFlow Analyzer is mapped properly to the agent credential.
How to check whether the snmpEngineBoots and snmpEngineTime values specified in the device are in sync with those in the SNMP agent?
You can use Wireshark to check whether the snmpEngineBoots and snmpEngineTime parameters specified in the device and in the SNMP agent are in sync with one another.
Download Wireshark, capture the SNMP traffic and look at the SNMP response. If the SNMP response message is a Report PDU with OID 1.3.6.1.6.3.15.1.1.2 (usmStatsNotInTimeWindows), the boot time and boot count are not synchronized.
Prerequisites for an SNMPv3 credential
- Make sure the SNMPv3 authentication details received from your vendor have been implemented properly in the device
- Make sure the context name given in NetFlow Analyzer is mapped properly to the credential
- The EngineID should be unique for every SNMPv3 device in an environment
- NetFlow Analyzer does not support the AES-192 and AES-256 encryption protocols
- Ports: The default port used for SNMPv3 is 161. Make sure that this port is not blocked by your firewall
- Make sure the engine boot time and engine boot count are updated properly in the SNMP agent
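As an added example (not part of this help page or of NetFlow Analyzer), the following Python shows the two mechanisms behind the settings above: the RFC 3414 password-to-key derivation that turns the MD5/SHA password into a key localized to one device's EngineID (which is why EngineIDs must be unique), and the 150-second time-window check that makes an agent answer with a usmStatsNotInTimeWindows report when snmpEngineBoots/snmpEngineTime are out of sync. The password and engine ID are the RFC 3414 Appendix A.3 test vectors; the function names are my own.

```python
import hashlib

# RFC 3414 Appendix A.2 password-to-key, followed by key localization.
# "sha" in the credential form means SHA-1 in the SNMPv3 USM.
def password_to_key(password: str, engine_id: bytes, algo: str = "md5") -> bytes:
    data = password.encode()
    if not data:
        raise ValueError("password must not be empty")
    # Step 1: hash the password repeated to exactly 1,048,576 octets -> Ku.
    total = 1_048_576
    stream = (data * (total // len(data) + 1))[:total]
    ku = hashlib.new(algo, stream).digest()
    # Step 2: localize Ku to the authoritative engine: Kul = H(Ku || engineID || Ku).
    # A different EngineID yields a different key, so two devices sharing an
    # EngineID would also share localized keys.
    return hashlib.new(algo, ku + engine_id + ku).digest()

TIME_WINDOW_SECONDS = 150  # RFC 3414 section 2.2.3

def in_time_window(engine_boots: int, engine_time: int,
                   msg_boots: int, msg_time: int) -> bool:
    """Time-window check an authoritative engine applies to an incoming
    authenticated message (RFC 3414 section 3.2, step 7). The message is
    accepted only if the sender's msgAuthoritativeEngineBoots equals the local
    snmpEngineBoots and msgAuthoritativeEngineTime is within +/-150 s of the
    local snmpEngineTime; otherwise the agent sends a Report carrying
    usmStatsNotInTimeWindows, which is what the Wireshark check above looks for."""
    if engine_boots == 2147483647:
        return False  # boot counter exhausted: the engine rejects everything
    if msg_boots != engine_boots:
        return False
    return abs(msg_time - engine_time) <= TIME_WINDOW_SECONDS

if __name__ == "__main__":
    # Constructed from the RFC 3414 Appendix A.3 vectors (password "maplesyrup").
    eid = bytes.fromhex("000000000000000000000002")
    print("MD5  Kul:", password_to_key("maplesyrup", eid, "md5").hex())
    print("SHA1 Kul:", password_to_key("maplesyrup", eid, "sha1").hex())
    print("in window:", in_time_window(3, 1000, 3, 1100))   # True
    print("stale boots:", in_time_window(3, 1000, 2, 1000)) # False -> report
```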