SNMPv3 standards require a unique engineID for each SNMP entity (or engine). The SNMP engine/application must have its own unique engineID whether it is a manager or an agent. RFC 3414 and RFC 3418 are the official SNMPv3 standards. See the IETF website (http://www.ietf.org/rfc.html) for more information.
SNMPv3 support includes the following:
- 64-Bit Counters
DX NetOps Spectrum models and concurrently manages devices that support SNMPv1, SNMPv2c, and SNMPv3.
Support for Diffie-Hellman (DH) Profile on SNMP v3
10.4.1 supports the creation of DH profiles on SNMPv3. This ability provides a more robust security mechanism during communication. For more information about how to create a DH profile, see the SNMP v3 Profiles Dialog page.
10.3.1 introduces support for a Secure Domain option in the SNMPv3 profile creation dialog. This feature ensures privacy and security by restricting the v3 profile to the particular SDC specified in the Secure Domain option, which prevents users from viewing device profiles that belong to other users. Users have to specify the IP address and configure the secure domain for their devices. For more information about the enhanced support for SNMPv3 profiles, refer to the SNMP v3 Profiles Dialog page.
Secure Domain option in the SNMP v3 profile creation
Starting from 10.3, DX NetOps Spectrum allows '/' and ':' in the SNMPv3 user name, authentication password, and privacy password.
SNMPv3 provides the following levels of security: non-authenticated, authenticated, and authenticated with privacy. Authentication in SNMPv3 uses an algorithm to determine if a message is from a valid source.
DX NetOps Spectrum supports the SNMPv3 standard for the authentication of messages. You specify an authentication password for a device model when you create it.
When an SNMP packet is converted to SNMPv3, security parameters are added to the SNMPv3 packet that is sent to the device. The SNMPv3 agent on the device checks the authenticity of the message to verify that the packet came from an authorized source.
SNMPv3 data sent from the device to DX NetOps Spectrum also uses similar security parameters. DX NetOps Spectrum receives the packet and verifies its authenticity.
DX NetOps Spectrum supports the following algorithms for authentication:
- MD5 (Message Digest Algorithm): Produces a 128-bit (16 bytes) message digest. This algorithm is the default. You can model a device configured to use MD5, using ‘Authentication with no Privacy’ or ‘Authentication with Privacy.’
- SHA (Secure Hash Algorithm): Produces a 160-bit (20 bytes) message digest.
- SHA256: Produces a 256-bit (32 bytes) message digest.
- SHA512: Produces a 512-bit (64 bytes) message digest.
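The authentication password described above is never used directly: RFC 3414 hashes it into a key and then localizes that key with the agent's engineID, which is why a unique engineID per engine matters. The following is an added example (not DX NetOps Spectrum code) that implements that derivation with Python's standard library for the four algorithms listed; the HMAC truncation lengths for SHA256 and SHA512 follow RFC 7860 and are an assumption about which SHA-2 variants are meant.

```python
"""Added example (not DX NetOps Spectrum code): SNMPv3 USM key localization.

Shows how an authentication password becomes a per-engine key (RFC 3414 A.2),
why each engineID must be unique, and the truncated HMAC sizes for the four
authentication algorithms listed above (SHA-2 sizes assumed from RFC 7860).
"""
import hashlib
import hmac

# Auth protocol -> (hashlib name, truncated MAC length in bytes).
AUTH_PROTOCOLS = {
    "MD5": ("md5", 12),        # HMAC-MD5-96, RFC 3414
    "SHA": ("sha1", 12),       # HMAC-SHA-96, RFC 3414
    "SHA256": ("sha256", 24),  # usmHMAC192SHA256AuthProtocol, RFC 7860
    "SHA512": ("sha512", 48),  # usmHMAC384SHA512AuthProtocol, RFC 7860
}

def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: hash of the password repeated to fill 1,048,576 bytes (RFC 3414 A.2)."""
    expanded = (password * (1_048_576 // len(password) + 1))[:1_048_576]
    return hashlib.new(hash_name, expanded).digest()

def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one SNMP engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def auth_key(password: str, engine_id: bytes, protocol: str) -> bytes:
    """Localized authentication key for a user password and a target engine."""
    hash_name, _ = AUTH_PROTOCOLS[protocol]
    ku = password_to_key(password.encode(), hash_name)
    return localize_key(ku, engine_id, hash_name)

def auth_tag(kul: bytes, whole_msg: bytes, protocol: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message (auth field
    zeroed by the caller), truncated to the protocol's length."""
    hash_name, mac_len = AUTH_PROTOCOLS[protocol]
    return hmac.new(kul, whole_msg, hash_name).digest()[:mac_len]

def verify_tag(kul: bytes, whole_msg: bytes, tag: bytes, protocol: str) -> bool:
    """Receiver-side check; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(auth_tag(kul, whole_msg, protocol), tag)

if __name__ == "__main__":
    engine_a = bytes(11) + b"\x02"  # RFC 3414 A.3 test-vector engineID
    engine_b = bytes(11) + b"\x03"  # constructed: a second, distinct engine
    for proto in AUTH_PROTOCOLS:
        ka, kb = (auth_key("maplesyrup", e, proto) for e in (engine_a, engine_b))
        print(f"{proto:6} Kul={ka.hex()}  distinct per engine: {ka != kb}")
```

Running the block with the RFC 3414 A.3 vector (password "maplesyrup") reproduces the published MD5 and SHA localized keys, and shows that the same password gives an unrelated key on a second engineID.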
Enable SNMPv3 Privacy
Privacy in SNMPv3 uses an encryption algorithm to encode the contents of an SNMPv3 packet so that it cannot be viewed by unauthorized entities when routed over the network.
DX NetOps Spectrum supports the SNMPv3 standard for the encryption of messages. You specify a privacy password for a device model when you create it.
If configured properly, DX NetOps Spectrum uses the password to encrypt the SNMPv3 message before it goes out onto the network. The destination device decrypts the data when it receives it. The return data sent from the device to DX NetOps Spectrum is also encrypted.
DX NetOps Spectrum supports the following encryption algorithms for privacy:
- DES: Data Encryption Standard (DES) is a 64-bit standard that encrypts and decrypts data.
- 3DES: Triple DES applies the 64-bit DES cipher three times to encrypt and decrypt data.
- AES: Advanced Encryption Standard (AES) is a 128-bit standard cryptographic algorithm that encrypts and decrypts data.
- AES256: Advanced Encryption Standard (AES 256) is a 256-bit standard cryptographic algorithm that encrypts and decrypts data.
Follow these steps:
- In the Topology tab of the Contents panel, click Creates a new model by IP. The Create Model by IP Address dialog opens.
- Complete the fields as appropriate.
  - Network Address: Specifies the IPv4 or IPv6 address for the device you want to model.
  - DCM Timeout (ms): Specifies the timeout between retry attempts (in milliseconds). Default: 3000 milliseconds (3 seconds).
  - DCM Retry Count: Type the number of times that the DCM should attempt to send a request to a device that is not responding.
  - Agent Port: Specifies the SNMP agent port. Default: 161.
- Select the SNMP v3 option in the SNMP Communications Options section. The SNMP Community String field becomes disabled.
- Click Profiles to create a new SNMPv3 security profile. The Edit SNMP v3 Profiles dialog opens.
The Edit SNMP v3 Profiles dialog is also accessible by clicking Profiles in the Configuration tab in the Discovery Console. For more information, refer to Edit SNMPv3 Profiles dialog.
The SNMPv3 standard provides support for 64-bit counters. DX NetOps Spectrum can access 64-bit counter MIB variables for all SNMPv3 devices that comply with this standard.
SNMPv3 Support Issues
The following are some issues related to SNMPv3 support.
- get-bulk Command: DX NetOps Spectrum support of SNMPv3 does not include the get-bulk command.
- View Access Control Model (VACM): DX NetOps Spectrum supports the VACM features of SNMPv3; however, VACM is not recommended. DX NetOps Spectrum has features that allow for secure access to devices. If you give DX NetOps Spectrum full view access to all device MIBs, you receive effective monitoring and management performance.
- Performance and Capacity: High processing resources are required for DX NetOps Spectrum to effectively manage SNMPv3 devices. More overhead is consumed using the Authentication and Privacy features because of the time it takes to decrypt and authenticate each message. This affects the number of device models that a SpectroSERVER can manage.
- SNMPv3 Security User Names on SpectroSERVER: You cannot use the same user name more than once across the three levels of SNMPv3 (non-authenticated, authenticated, and authenticated with privacy). For example, if you are using the user name “user1” for SNMPv3 level 1 non-authenticated, you cannot use that same user name for SNMPv3 level 2 authenticated or for SNMPv3 level 3 authenticated with privacy.