CCNA 200-301, Chapter 169 of 260, Objective 4.5

Lab: Configure SNMPv3

SNMPv3 is the only secure version of SNMP, providing authentication and encryption for network management traffic. For the CCNA 200-301 exam (objective 4.5), you must know how to configure SNMPv3 on Cisco IOS devices to enable secure monitoring. In real networks, SNMPv3 is essential for compliance and preventing unauthorized access to device configurations and performance data.

25 min read
Intermediate
Updated May 31, 2026

Secure Mailroom for Network Management

Imagine a large corporate mailroom that handles sensitive documents between departments. In the early days (SNMPv1/v2c), anyone could walk in, read any document, and even request changes: there was no lock on the door, and the mailroom trusted anyone who knew the department names (community strings). That is like a shared password posted on the wall where anyone walking past can read it (the community string travels in clear text on the wire). SNMPv3 installs a secure mailroom with three protections. First, a badge reader at the entrance (authentication) verifies you are who you claim to be using a PIN that only you and the mailroom know (the authentication key). Second, once inside, every document is placed in a sealed, opaque envelope (encryption, using the privacy key) so only the intended recipient can read it. Third, each envelope carries a tamper-evident seal (integrity, provided by the same HMAC that proves authentication), so a document altered in transit is rejected rather than acted on. Each engineer has a unique badge and PIN, and the mailroom manager (the SNMP engine) keeps a list of authorized users and what each may read or change (the group and its views). Without the right PIN, the door stays locked; an intercepted envelope cannot be opened without the decryption key. This is how SNMPv3 works: it defines users with authentication and privacy (encryption) credentials, and every SNMP packet sent at the authPriv level is cryptographically protected. The community string is replaced by a username and keys, so an attacker who does not hold those keys cannot spoof management requests or read sensitive data such as interface statistics or routing tables.

How It Actually Works

What is SNMPv3 and Why Does It Exist?

Simple Network Management Protocol (SNMP) is used to monitor and manage network devices. SNMPv1 and SNMPv2c use community strings (plaintext passwords) for authentication, which are sent in clear text and easily intercepted. SNMPv3 addresses these security flaws by adding three security features: authentication (verifying the source), privacy (encryption of payload), and integrity (ensuring data is not modified in transit). The CCNA 200-301 exam tests your ability to configure SNMPv3 on Cisco IOS devices, including creating users, setting security levels, and verifying the configuration.

SNMPv3 Security Models and Levels

SNMPv3 on Cisco devices uses one security model, the User-based Security Model (USM), and within it three security levels: noAuthNoPriv, authNoPriv, and authPriv. The security level determines what protections are applied:

noAuthNoPriv: No authentication and no encryption. This is essentially equivalent to SNMPv2c in terms of security. The packet is sent in clear text, and the community string is replaced by a username (but still sent in the clear).

authNoPriv: Authentication is performed using HMAC-MD5 or HMAC-SHA, but the payload is not encrypted. The packet is authenticated but the data is still visible.

authPriv: Authentication and encryption are both applied. The payload is encrypted using CBC-DES or CFB128-AES-128. This is the most secure level.

The exam expects you to know these three levels and when to use each. For production, authPriv is recommended.

SNMPv3 Configuration Steps on Cisco IOS

Configuring SNMPv3 involves: restricting access with an ACL, defining a MIB view, creating an SNMP group (which sets the security model and level, the views, and the ACL), creating an SNMP user (which carries the authentication and privacy passwords), and pointing notifications at the NMS. There is no separate "enable" step: the first snmp-server command you enter starts the agent. Here is a typical configuration sequence:

! Step 1: Restrict which hosts may talk SNMP to the router (the ACL is applied to the group below)
Router(config)# access-list 10 permit 192.168.1.100
Router(config)# access-list 10 deny any log

! Step 2: Define the MIB view the group may read (whole iso subtree here; narrow it in production)
Router(config)# snmp-server view ADMIN-VIEW iso included

! Step 3: Create a v3 group that requires authentication and encryption (priv) and honours ACL 10
!         No write view is given, so the group is read-only
Router(config)# snmp-server group ADMIN v3 priv read ADMIN-VIEW access 10

! Step 4: Create the user; IOS localizes these passwords with its engine ID and stores only the derived keys
Router(config)# snmp-server user SNMP_USER ADMIN v3 auth sha myAuthKey priv aes 128 myPrivKey

! Step 5: Generate notifications and send them to the NMS as SNMP_USER at level priv
!         (traps|informs comes before version; priv implies auth, so "auth priv" is not valid syntax)
Router(config)# snmp-server enable traps
Router(config)# snmp-server host 192.168.1.100 traps version 3 priv SNMP_USER

In this example:

The ACL is entered first and referenced by the group, so only the NMS at 192.168.1.100 is answered; packets from any other source are dropped silently.

The view ADMIN-VIEW includes the whole iso tree; the group ADMIN is created with v3 priv (authentication and encryption required) and, because no write view is given, is read-only.

The user SNMP_USER belongs to group ADMIN and uses SHA for authentication and AES 128 for encryption.

myAuthKey and myPrivKey are passwords, not the keys themselves: IOS hashes each password and localizes the result with its own engine ID (RFC 3414), stores only the derived keys, and uses them for the HMAC and the cipher. The same passwords entered on another device yield different keys.

The snmp-server host line sends notifications to the NMS as SNMP_USER with authentication and encryption; the single keyword priv already implies auth.

Step-by-Step Packet Flow

When an NMS sends an SNMPv3 Get-Request to the router at the authPriv level:

1. The NMS already knows the router's engine ID (learned in an initial discovery exchange, which is why the first contact with a new device is an unauthenticated probe). It builds an SNMPv3 message with a header carrying the message flags (auth and priv bits), the security parameters (authoritative engine ID, engine boots and time, the username, and placeholder authentication and privacy parameter fields), and the scoped PDU containing the request.

2. The NMS first encrypts the scoped PDU with the privacy key (AES-CFB128 or DES-CBC) and writes the salt/IV into the privacy parameters. It then computes the HMAC (SHA or MD5, truncated to 96 bits) with the authentication key over the whole message, including the already encrypted payload, and writes it into the authentication parameters. Encryption happens before the MAC, so a receiver can reject a forged or altered message without decrypting anything.

3. The router receives the packet and reads the username from the security parameters. It looks the user up in its local database (created by snmp-server user) and retrieves the keys it localized from that user's passwords and its own engine ID.

4. The router recomputes the HMAC and compares it with the received value, and checks the engine boots and time against its own to reject replayed messages. If either check fails the packet is discarded, the corresponding usmStats counter is incremented, and an authentication failure trap may be generated if enabled.

5. Only after authentication succeeds does the router decrypt the scoped PDU with the privacy key.

6. The router applies the group's ACL and view to the request, processes it (for example, reads the requested OID), and constructs a response.

7. The response is encrypted and then authenticated in the same order, with the same user's keys, before being sent back.
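As an added example (not code from the original page, from Cisco, or from any NMS vendor), the following pure-Python model implements the USM key handling that the packet flow above describes, following RFC 3414: the password given to `snmp-server user ... auth sha <password>` is expanded and hashed, then localized with the agent's engine ID; the 12-byte msgAuthenticationParameters field is an HMAC over the whole message computed after the payload is encrypted; and a replaced device with a new engine ID derives a different key from the same password, so the manager's existing key stops verifying. The RFC 3414 Appendix A test vector (password maplesyrup, engine ID 00..00 02) is used so the derivation can be checked against the standard. The message header and the "encrypted" payload bytes are constructed placeholders rather than real BER encoding, no actual encryption is performed, and the replacement engine ID is hypothetical.

```python
"""RFC 3414 USM key localization and message authentication, modelled in Python.

Added example, not from the original page or from Cisco. The header/payload
bytes are constructed placeholders, not real SNMP encoding.
"""
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576   # RFC 3414 A.2: the password is repeated to 1 MB before hashing
AUTH_PARAM_LEN = 12        # HMAC-MD5-96 / HMAC-SHA-96 keep only the first 96 bits

# Test vector from RFC 3414 Appendix A.3: password "maplesyrup", engine ID 00..00 02
RFC_ENGINE_ID = bytes(11) + b"\x02"
RFC_PASSWORD = b"maplesyrup"


def password_to_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """Derive the localized key Kul from a password (RFC 3414 A.2.1 / A.2.2).

    Ku  = H(password repeated to 1 MB)   -- makes offline guessing costly
    Kul = H(Ku || engineID || Ku)        -- ties the key to one agent
    """
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    expanded = password * reps + password[:rem]
    ku = hashlib.new(algo, expanded).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_params(auth_key: bytes, whole_msg: bytes, offset: int, algo: str) -> bytes:
    """msgAuthenticationParameters (RFC 3414 6.3.1 for MD5, 7.3.1 for SHA).

    The MAC covers the entire serialized message, including the scoped PDU
    (already encrypted at authPriv), with the 12-byte field that will carry
    the MAC set to zeros. `offset` is that field's position in the message.
    """
    zeroed = (whole_msg[:offset] + bytes(AUTH_PARAM_LEN)
              + whole_msg[offset + AUTH_PARAM_LEN:])
    return hmac.new(auth_key, zeroed, algo).digest()[:AUTH_PARAM_LEN]


def build_message(auth_key: bytes, header: bytes, encrypted_payload: bytes, algo: str):
    """Sender side: header || zeros || payload, then fill in the MAC.

    The payload passed in is treated as already encrypted (step 2 above).
    Returns the protected message and the MAC field offset.
    """
    offset = len(header)
    msg = header + bytes(AUTH_PARAM_LEN) + encrypted_payload
    mac = auth_params(auth_key, msg, offset, algo)
    return msg[:offset] + mac + msg[offset + AUTH_PARAM_LEN:], offset


def verify_message(auth_key: bytes, msg: bytes, offset: int, algo: str) -> bool:
    """Receiver side (step 4 above): recompute the MAC, compare in constant time."""
    received = msg[offset:offset + AUTH_PARAM_LEN]
    return hmac.compare_digest(received, auth_params(auth_key, msg, offset, algo))


def engine_replacement_demo() -> dict:
    """Show why a new engine ID invalidates keys derived from an unchanged password."""
    old_engine = bytes.fromhex("80000009030000E0F7B2A301")   # engine ID shown on this page
    new_engine = bytes.fromhex("80000009030000E0F7B2A3FF")   # hypothetical replacement unit
    password = b"myAuthKey"                                  # password from the page's config

    manager_key = password_to_key(password, old_engine, "sha1")
    # Constructed placeholder bytes standing in for the BER header and the
    # encrypted scoped PDU of a GetRequest; not real SNMP encoding.
    header = b"\x30\x3a\x02\x01\x03" + b"SNMP_USER"
    payload = b"<encrypted scopedPDU bytes>"
    msg, off = build_message(manager_key, header, payload, "sha1")

    agent_old_key = password_to_key(password, old_engine, "sha1")
    agent_new_key = password_to_key(password, new_engine, "sha1")
    tampered = msg[:-1] + bytes([msg[-1] ^ 0x01])           # flip one bit of the payload

    return {
        "old_engine_accepts": verify_message(agent_old_key, msg, off, "sha1"),
        "new_engine_accepts": verify_message(agent_new_key, msg, off, "sha1"),
        "tampered_accepted": verify_message(agent_old_key, tampered, off, "sha1"),
    }


if __name__ == "__main__":
    print("SHA localized key:", password_to_key(RFC_PASSWORD, RFC_ENGINE_ID, "sha1").hex())
    print("MD5 localized key:", password_to_key(RFC_PASSWORD, RFC_ENGINE_ID, "md5").hex())
    print(engine_replacement_demo())
```

Running it prints the localized keys for the RFC 3414 test vector, which match the values in the RFC's Appendix A.3, and a result showing that the original engine accepts the message while the replacement engine and a tampered copy both reject it. Two points worth noting: the 1 MB expansion is the only thing slowing an offline guess against a captured HMAC, so short passwords such as the 8-character minimum are still weak; and because the MAC is checked before any decryption, an agent can drop forged traffic cheaply, which is the order IOS follows and the reason the page's step 4 precedes step 5.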

Verification Commands

Use the following show commands to verify SNMPv3 configuration:

Router# show snmp user
User name: SNMP_USER
Engine ID: 80000009030000E0F7B2A301
storage-type: nonvolatile   active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: ADMIN
Router# show snmp group
groupname: ADMIN                             security model: v3 priv
contextname: <nil>                           storage-type: nonvolatile
readview: ADMIN-VIEW                         writeview: <no writeview specified>
notifyview: <no notifyview specified>        
row status: active                           access-list: 10
Router# show snmp engineID
Local SNMP engineID: 80000009030000E0F7B2A301
Remote SNMP engineID: (none)

Interaction with SNMP Traps and Informs

SNMPv3 can also be used for traps and informs. When configuring a notification destination, you specify the user the router sends as and the security level applied to those notifications. For example:

Router(config)# snmp-server host 192.168.1.100 traps version 3 priv SNMP_USER

Note the IOS syntax: `traps` (or `informs`) precedes `version 3`, and the security level is a single keyword, `noauth`, `auth`, or `priv`; `priv` already implies authentication, so writing `auth priv` together is not accepted. With `priv`, every trap sent to the NMS is authenticated and encrypted. For traps the router is the authoritative SNMP engine, so the NMS must have the same user (same passwords and protocols) configured and learns the router's engine ID from the message itself in order to localize its keys and decrypt the trap.

Defaults and Timers

SNMPv3 is not enabled by default; the agent starts with the first snmp-server command, and v3 views, groups, and users must be configured explicitly.

The local engine ID is generated automatically (Cisco's enterprise number 9 followed by a MAC or IP address, as in 80000009030000E0F7B2A301) unless you set one manually with snmp-server engineID local.

Authentication and privacy keys are derived from the passwords and localized with the engine ID (RFC 3414); the plaintext passwords are not stored on the device.

Encryption algorithms: DES (56-bit), 3DES, and AES 128/192/256, depending on the IOS release and feature set. There is no default privacy protocol; you select one after the priv keyword. For CCNA, know AES 128 as the common option.

The snmp-server user command names the group the user belongs to; create the group first.

The snmp-server group command takes optional read, write, and notify views. If read is omitted IOS uses its default read view; if write is omitted the group has no write access, which is normally what you want for a monitoring user.

Traps and Informs

Traps are unacknowledged notifications from the agent to the manager.

Informs are acknowledged notifications: the manager must confirm receipt, and the agent retransmits until it does or gives up.

SNMPv3 supports both, but the keys are localized differently. For traps the router is the authoritative engine, so its own engine ID is used. For informs the receiving NMS is the authoritative engine: the router must know the NMS engine ID (configured with snmp-server engineID remote), and the sending user must be created with the remote keyword against that engine so that its keys are localized with the NMS's ID rather than the router's.

Router(config)# snmp-server host 192.168.1.100 informs version 3 priv SNMP_USER

Common Pitfalls

Forgetting to configure an ACL to restrict SNMP access is a common security oversight.

Mismatched authentication or privacy protocols between the agent and NMS will cause failures.

The group must exist before creating a user; otherwise the user command will fail.

The password (key) must be at least 8 characters long; otherwise, IOS will reject it.

Summary

SNMPv3 provides secure network management by adding authentication, encryption, and integrity. On the CCNA exam, you must be able to configure users and groups, understand the three security levels, and verify the configuration with show commands. Remember that SNMPv3 is a significant improvement over v2c, and Cisco expects you to know how to deploy it in a secure enterprise environment.

Walk-Through

1. Enable SNMP and configure ACL

Start in global configuration mode. Create an access list that permits only your NMS server, for example `access-list 10 permit 192.168.1.100`; the implicit deny drops everything else. Without an ACL, any host that can reach the router can send SNMP requests and keep guessing credentials. For SNMPv3 there is no community string to attach the ACL to; it is applied with the `access` keyword on `snmp-server group` (or on `snmp-server user`). There is no separate "enable" command: the first `snmp-server` command you enter starts the agent, and `snmp-server enable traps` only selects which notifications it generates.

2. Create SNMP group with security level

Use `snmp-server group GROUPNAME v3 priv read VIEWNAME access ACL_NUMBER`. The group fixes the security model (v3) and the minimum security level (`noauth`, `auth`, or `priv`). For CCNA, focus on `auth` and `priv`. The `read` view names the MIB subtree the group may read. There is no built-in view called INTERNET; define one first with `snmp-server view INTERNET internet included` (`internet` is the 1.3.6.1 subtree that holds most of what an NMS polls), or omit `read` and IOS falls back to its default read view. Because no `write` view is given, the group is read-only. Example: `snmp-server group ADMIN v3 priv read INTERNET access 10`. This group requires authentication and encryption and only answers the NMS permitted by ACL 10.

3. Create SNMP user with credentials

Create a user tied to the group: `snmp-server user USERNAME GROUPNAME v3 auth sha AUTHPASSWORD priv aes 128 PRIVPASSWORD`. The authentication hash is `md5` or `sha`; use `sha`. The privacy cipher is `des`, `3des`, or `aes 128` (192 and 256 on platforms that support them); use AES. Each password must be at least 8 characters, and the two should differ. Example: `snmp-server user NMS-USER ADMIN v3 auth sha Cisco123 priv aes 128 Cisco456` (lab values only; use long random passphrases in production). The NMS uses this user to authenticate and encrypt its requests. The router does not keep the plaintext passwords: it localizes each one with its own engine ID and stores only the derived keys, which is why changing the engine ID later requires re-creating the user.

4. Configure SNMP trap destination

Configure a notification host with the same user and the security level you want applied to notifications: `snmp-server host 192.168.1.100 traps version 3 priv NMS-USER`. Mind the IOS syntax: `traps` or `informs` comes before `version`, and the level is a single keyword (`noauth`, `auth`, or `priv`); `priv` implies authentication, so `auth priv` is rejected. With `priv` the traps are authenticated and encrypted, and the NMS needs the same user credentials to validate and decrypt them. Informs additionally require the router to know the NMS engine ID (see Traps and Informs above).

5. Verify SNMPv3 configuration

`show snmp user` lists each user with its engine ID, authentication and privacy protocols, and group; `show snmp group` shows each group's security model and level and its views; `show snmp engineID` shows the local engine ID and any remote engine IDs. Confirm that the user shows SHA and AES128 and the expected group. `show running-config | include snmp` shows the view, group, and host lines but not the `snmp-server user` lines: IOS keeps users and their derived keys out of the text configuration, so `show snmp user` is the authoritative check.

6. Test SNMPv3 from NMS

From the NMS (for example a Linux host with net-snmp), run `snmpget -v3 -l authPriv -u NMS-USER -a SHA -A Cisco123 -x AES -X Cisco456 192.168.1.1 1.3.6.1.2.1.1.1.0`; if everything matches it returns the system description. Passphrases given on the command line land in shell history and are visible to other local users in the process list, so outside a lab put them in the net-snmp `snmp.conf` (defSecurityName, defAuthPassphrase, defPrivPassphrase) with restrictive file permissions. A plain timeout usually means reachability or the ACL, since the router silently drops packets from hosts it does not permit; an explicit authentication or decryption error points at mismatched passwords, protocols, or security level.

What This Looks Like on the Job

In enterprise networks, SNMPv3 is used to secure management traffic, especially when devices are managed over untrusted networks (e.g., WAN links or cloud-managed branches). For example, a large bank with hundreds of routers and switches uses SNMPv3 to collect interface utilization and CPU stats. The NMS (like SolarWinds or PRTG) is configured with an SNMPv3 user for each device. The network team often provisions one standard username with the same passwords on every device for simplicity; key localization means each device still stores a different derived key, but a disclosed password works against all of them, so stronger deployments use per-device or per-site passwords held in a secrets manager. ACLs restrict SNMP access to the NMS IPs. Together, encryption stops an on-path attacker from reading polled data and learning the topology, and the ACL stops unauthorized hosts from querying at all.

Another scenario: A service provider uses SNMPv3 to monitor customer edge routers. Each customer has a unique SNMPv3 user with its own authentication and privacy keys. The provider configures the NMS to poll each router using the appropriate credentials. This ensures that one customer cannot query another customer's device. If a misconfiguration occurs (e.g., wrong privacy protocol), the NMS will fail to poll, and the monitoring system alerts the NOC.

Performance considerations: SNMPv3 with authPriv adds CPU overhead due to encryption and HMAC computation. For devices with limited CPU (e.g., older routers), using authNoPriv may be a compromise. However, modern devices handle it easily. Polling intervals should be set appropriately (e.g., every 5 minutes) to avoid overwhelming the device. Traps should be rate-limited to prevent storms.

Misconfigurations: A common mistake is forgetting the ACL, leaving SNMP reachable from anywhere. Another is using the same password for authentication and privacy, so that one recovered key compromises both. Also, the keys stored on the agent are localized with its engine ID: if the engine ID changes (device replacement, or snmp-server engineID local set by hand), the existing users become invalid and must be re-created, and for informs the router's configured copy of the NMS engine ID must match the NMS's real one.

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam objective 4.5 covers 'Configure and verify SNMP (v2c, v3)'. For SNMPv3, expect questions on:

The three security levels: noAuthNoPriv, authNoPriv, authPriv. Know which provides authentication only vs. encryption.

The difference between SNMPv2c (community string) and SNMPv3 (username + keys).

Configuration commands: snmp-server group, snmp-server user, and snmp-server host with v3 parameters.

Verification commands: show snmp user, show snmp group.

Common wrong answers:

1. Choosing SNMPv2c over v3 because it is simpler: if a question asks for a secure solution, v3 is correct.

2. Confusing authentication and privacy: 'auth' does not mean encryption. auth = HMAC (proof of source and integrity), priv = encryption (confidentiality).

3. Using the wrong syntax for `snmp-server host`: the version and a single security level keyword are required, for example `snmp-server host 1.1.1.1 version 3 priv username`. Writing `auth priv` together, or omitting the level, is a common error.

4. Forgetting that the group must exist before creating the user: the `snmp-server user` command names the group the user belongs to, and a user whose group is missing has no access rights.

Specific values to remember:

Authentication protocol: there is no default. When you write `auth` in `snmp-server user` you must follow it with `md5` or `sha`, and omitting `auth` entirely creates a noAuthNoPriv user. Choose SHA; the exam may show either.

Privacy protocols: DES (56-bit), 3DES, and AES (128, 192, or 256-bit). AES is the secure choice.

The password minimum length is 8 characters.

Decision strategy: If a question asks for a secure SNMP configuration, always choose SNMPv3 with authPriv. If the question asks for a quick setup for lab testing, SNMPv2c may be acceptable but v3 is still better. For scenario-based questions, look for keywords like 'secure', 'encrypt', 'authenticate' – these point to v3.

Key Takeaways

SNMPv3 provides three security levels: noAuthNoPriv, authNoPriv, and authPriv.

Configuration requires creating a group with `snmp-server group` before creating a user with `snmp-server user`.

The `snmp-server host` command for notifications must include `version 3` and a single security level keyword, e.g., `traps version 3 priv USERNAME`; `priv` implies authentication.

Authentication algorithms: MD5 or SHA; privacy algorithms: DES or AES (AES 128 is common).

Use `show snmp user` and `show snmp group` to verify SNMPv3 configuration.

ACLs should be applied to restrict SNMP access to authorized NMS hosts only.

SNMPv3 keys are derived from passwords and the engine ID; changing the engine ID invalidates existing keys.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

SNMPv2c

Uses community strings (plaintext passwords) for authentication.

No encryption; data sent in clear text.

No integrity checking (no HMAC).

Easier to configure but insecure.

Still widely used in lab environments.

SNMPv3

Uses usernames and authentication keys (HMAC).

Supports encryption (DES, AES) for privacy.

Provides integrity checking via HMAC.

More complex configuration but secure.

Required for production networks with security requirements.

Watch Out for These

Mistake

SNMPv3 is just SNMPv2c with a password.

Correct

SNMPv3 uses a username and separate authentication and privacy keys, not a shared community string. It also supports encryption (privacy) and integrity checking.

Candidates often think the community string is replaced by a simple password, but the mechanism is fundamentally different.

Mistake

authNoPriv encrypts the SNMP payload.

Correct

authNoPriv provides authentication only (HMAC), not encryption. Only authPriv provides encryption.

The word 'auth' is often misinterpreted as including encryption, but privacy is a separate feature.

Mistake

The `snmp-server user` command can be used without a group.

Correct

The user must be associated with an existing group. The group defines the security model and access rights.

Candidates may omit the group creation step, leading to configuration failure.

Mistake

SNMPv3 traps are sent in clear text by default.

Correct

Traps can be configured with the same security level as polling, so they can be authenticated and encrypted if desired.

Some think traps are always unencrypted, but the `snmp-server host` command allows specifying the security level.


Frequently Asked Questions

How do I configure SNMPv3 on a Cisco router?

First, create an access list that permits your NMS. Then create an SNMP group with `snmp-server group GROUPNAME v3 priv read VIEWNAME access ACL`. Then create a user with `snmp-server user USERNAME GROUPNAME v3 auth sha AUTHPASSWORD priv aes 128 PRIVPASSWORD`. Finally, configure the notification destination with `snmp-server host NMS_IP traps version 3 priv USERNAME`. Verify with `show snmp user` and `show snmp group`.

What is the difference between SNMPv2c and SNMPv3?

SNMPv2c uses community strings (plaintext passwords) and has no security features. SNMPv3 uses usernames with authentication (HMAC) and optional encryption (privacy). SNMPv3 also provides integrity checking. For the CCNA exam, know that v3 is the secure version and v2c is legacy.

What are the three SNMPv3 security levels?

The three levels are: noAuthNoPriv (no authentication, no encryption), authNoPriv (authentication only, no encryption), and authPriv (authentication and encryption). authPriv is the most secure and is recommended for production.

Can I use SNMPv3 with existing SNMPv2c management software?

No, SNMPv3 uses a different message format and security model. The management software must support SNMPv3. Most modern NMS platforms (e.g., SolarWinds, PRTG) support SNMPv3. You would need to configure the NMS with the same username and credentials.

Why is my SNMPv3 configuration not working?

Common issues: an ACL that does not permit the NMS, mismatched authentication or privacy passwords or protocols, an incorrect security level or keyword order in the `snmp-server host` command, a group that did not exist when the user was created, or a changed engine ID (device replaced, or set manually) that invalidated the stored keys. Verify with `show snmp user` and `show snmp group`. For informs, also check that the router holds the correct remote engine ID for the NMS (`show snmp engineID`).

What is the default authentication protocol for SNMPv3 on Cisco IOS?

There is no default. In the `snmp-server user` command the `auth` keyword must be followed by `md5` or `sha`; if you leave out `auth` altogether the user is created at noAuthNoPriv, not with MD5. SHA is the recommended choice.

How do I remove an SNMPv3 user?

Use the `no snmp-server user USERNAME GROUPNAME v3` command. For example: `no snmp-server user monitor READONLY v3`. This removes the user. You may also need to remove the group with `no snmp-server group GROUPNAME v3` if no other users exist.
