Answers: SNMPv3 2

By certskills September 23, 2016 09:10

This lab asks you to use both authentication and privacy with SNMPv3, so it takes a few longer commands compared to some SNMP configurations. Focus on the basics, because there are many basics with SNMPv3 configuration. Especially for this lab, it is very important to try the lab first, to make your brain think through the options.


Figure 72.16: Topology Used for SNMPv3 Labs


Example 3: Router R1 and R2 – Identical Config



The four configuration commands show the correct syntax that then matches the logic shown in the requirements. Working through the sample answer’s four commands in the same order as listed in Example 3:

Command 1: snmp-server group

The first command creates an SNMP group, a configuration concept that gathers some SNMPv3 parameters for easy reference by the snmp-server user command. It is simply the way Cisco’s team built the SNMPv3 configuration.

The command lists these key parameters:

group Certskills: defines the name of the group with a name that I made up, and that you used based on the requirements for the lab.

v3: keyword that defines the version.

priv: defines that this group performs authentication and privacy.

access ServerOnly: references IPv4 ACL ServerOnly, which will be used to filter incoming SNMP messages. This ACL matches packets whose source address is the SNMP server’s IP address.

Also, this command can be the starting point for some common mistakes. In this case, note the absence of a write viewname set of parameters, which means that this group does not support writing to the MIB (that is, it does not support the Set command). Also, note that the use of the priv keyword on this command means that both auth and priv must be used on any snmp-server user commands that refer to this group.


Command 2: snmp-server user

The second command completes the work to enable support for Get commands. This command defines the user (Youdda per the instructions) and links it to the first command. Specifically:

Certskills: refers to the name listed in the snmp-server group Certskills command.

v3: keyword that defines the version.

auth sha mysecretpassword: defines that the user should use authentication, with SHA as the protocol, with a password of mysecretpassword.

priv aes 128 mysecretpassword: defines that the user should use privacy, with AES using 128-bit keys, with a password of mysecretpassword.


Command 3: snmp-server enable traps

The third command is simple: it enables the router to send Trap (and Inform) messages assuming the rest of the related configuration in command 4 is completed. The fourth command is the one that defines whether Traps or Informs are sent (Informs for this lab).


Command 4: snmp-server host

The last command completes the configuration to enable the sending of Inform messages. Traps (and Informs) require that the router know to what IP address to send the Trap or Inform message, that is, the address of the SNMP manager. This command defines the address, and whether to send Traps or Informs, as follows:

host: identifies the IP address of the SNMP manager.

informs: keyword that tells IOS this command is enabling the sending of Inform messages rather than Trap messages.

version 3: keywords that define the version.

priv: defines that the user should use both authentication and privacy.

Youdda: defines the username (per the snmp-server user command) used for SNMPv3 authentication and privacy.
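
The consistency rules walked through above (priv on the group requiring both auth and priv on the user, the same security level on the snmp-server host line, and snmp-server enable alongside snmp-server host) can be checked mechanically. The following is an added example, not part of the original lab answer: the function name lint_snmpv3, the manager address 192.0.2.10 and the ACL body are assumptions made for illustration.

```python
import re

# Constructed sample configs. 192.0.2.10 is a placeholder manager address
# (documentation range), not the lab's address; the ACL body is an assumption.
GOOD = """\
ip access-list standard ServerOnly
 permit host 192.0.2.10
snmp-server group Certskills v3 priv access ServerOnly
snmp-server user Youdda Certskills v3 auth sha mysecretpassword priv aes 128 mysecretpassword
snmp-server enable traps
snmp-server host 192.0.2.10 informs version 3 priv Youdda
"""
# Same config with three mistakes: user without priv, host line using auth,
# and no "snmp-server enable traps".
BAD = """\
ip access-list standard ServerOnly
 permit host 192.0.2.10
snmp-server group Certskills v3 priv access ServerOnly
snmp-server user Youdda Certskills v3 auth sha mysecretpassword
snmp-server host 192.0.2.10 informs version 3 auth Youdda
"""

def lint_snmpv3(config):
    """Return findings for the SNMPv3 consistency rules described above."""
    lines = [l.strip() for l in config.splitlines()]
    acls = {l.split()[3] for l in lines if re.match(r"ip access-list \S+ \S+", l)}
    groups, users, findings = {}, {}, []
    for l in lines:
        if m := re.match(r"snmp-server group (\S+) v3 (noauth|auth|priv)\b(.*)", l):
            groups[m[1]] = m[2]  # group name -> security level
            acl = re.search(r"\baccess (\S+)", m[3])
            if acl and acl[1] not in acls:
                findings.append(f"group {m[1]}: ACL {acl[1]} is not defined in this config")
        elif m := re.match(r"snmp-server user (\S+) (\S+) v3(.*)", l):
            opts = m[3].split()
            users[m[1]] = (m[2], "auth" in opts, "priv" in opts)
    for name, (grp, has_auth, has_priv) in users.items():
        level = groups.get(grp)
        if (level in ("auth", "priv") and not has_auth) or (level == "priv" and not has_priv):
            findings.append(f"user {name}: group {grp} is {level} but the user lacks auth/priv keys")
    hosts = [m for l in lines if (m := re.match(
        r"snmp-server host (\S+) (?:(?:informs|traps) )?version 3 (noauth|auth|priv) (\S+)", l))]
    for m in hosts:
        level = groups.get(users.get(m[3], (None,))[0])
        if level != m[2]:
            findings.append(f"host {m[1]}: level {m[2]} does not match {m[3]}'s group level {level}")
    if hosts and not any(l.startswith("snmp-server enable ") for l in lines):
        findings.append("snmp-server host configured but no snmp-server enable command")
    return findings
```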



  1. Giuseppe December 6, 06:16

    Good day Wendell, thank you for this SNMPv3 2 valuable lab resource!
    I noticed that there is no explicit access-list configured in the answer, so I wanted to submit my config extract and gather your thoughts about it.

    R2: ip access-list extended ServerOnly
    R2(access-list): permit udp host any eq snmp

    R2: int gig0/1
    R2(int-config): ip access-class ServerOnly in

    As I fear that my ACL would deny all the other ip traffic coming in the referred-to interface, how can we best satisfy the requirement and allow only the mentioned NMS to send SNMP messages to the routers?

    • certskills Author December 6, 12:10

      Thanks for the note – glad you like the labs!

      First, on your suggested ACL: I like the ACL itself. However, you don’t need to enable it on an interface with the “ip access-class” command. Note that the reference to the ACL “ServerOnly” in the snmp-server group command tells IOS to use that ACL to filter incoming SNMP traffic going to the SNMP server/agent in the router.

      Going a bit further, in fact, given that fact, you could just match the host address, without even needing to match SNMP ports, because by definition, it’s filtering only messages the router wants to pass to the SNMP agent.

      Note that I added a sample ACL to the config in response to your comment – thanks for letting me know.

      Finally, the lab post and this answer used some incorrect IP address references – I cleaned them all up. Some had used 172.16, some 172.20. The lab and answer should be consistent now.

      Thanks for the note!
      Wendell Odom

  2. Viktor February 22, 06:32

    Hello, Wendell,
    I suppose ….
    In the Comments 1. In the Command 1 we use “priv”(not “auth”), because if we support both authentication and encryption it would be enough to use “priv”
    2. Command 2 should be snmp-server USER and command 4 – snmp-HOST

    • John Phillips July 24, 08:25

      I confirm with you, the configuration of the snmp-server host statement should use the keyword “priv” not “auth”, otherwise communication fails, and without throwing up any errors!

  3. John Phillips July 24, 08:23

    Hi Wendell,
    To confirm with Viktor, the configuration of the snmp-server host statement should use the keyword “priv” not “auth”, otherwise communication fails, and without throwing up any errors!

    • certskills Author July 25, 10:11

      Hi John,
      Nice catch – I agree! Just changed it. Thanks much.

      • John Phillips July 26, 03:00

        Hi Wendell,
        Sorry to be a stickler, but as Viktor also mentioned, under the commentary, command 1 section the parameters, the keyword should be priv not auth.
        It’s ok, I learn more from finding mistakes than from getting it right first time.

  4. Peter Arsenault February 10, 19:52

    I don’t know why but when I configure the snmp-server group Certskills v3 priv with a read v1default access ServerOnly command. When I use the MIB Browser and click Get snmp variable it says request failed to Get response PDU from error indication in response. There is no such object in this MIB. But when I take out the read v1default from the snmp-server group Certskills v3 priv access ServerOnly command. When I click on Get snmp variable I can get the status of the object Id without read v1default command. I just want to know why is it doing that? I am running on cisco 1841 router with IOS C1841-ADVENTERPRISEK9-M Version 15.1(4)M8.

  5. Jon January 23, 21:49

    I missed this on both SNMP labs. So if I don’t put the SNMP enable traps but I put the snmp-server host (4th) command, what happens? Doesn’t putting the snmp-server host command enable sending the informs?

    I need more explanation please.

    • certskills Author February 28, 15:28

      I haven’t tested that combination, and don’t have a place to do a quick test. That said, my expectation is that neither traps nor informs would be sent to the server. That “informs” keyword on line 5 of the example (4th line of config – the one you noted) means “when sending, use the inform message, not the trap message”. But you need “snmp-server enable” to enable the sending of either traps or informs.

      IOS doc appears to back up the above, quoting:

      The snmp-server host command is used in conjunction with the snmp-server enable command. Use the snmp-server enable command to specify which SNMP notifications are sent globally. For a host to receive most notifications, at least one snmp-server enable command and the snmp-server host command for that host must be enabled.
