SNMPv3 Secure Configuration and Testing with Open-Source Tools
A complete guide to configuring SNMPv3 with authentication and encryption — on network devices, Linux servers, and testing with open-source tools like Net-SNMP, Zabbix, and LibreNMS.
Why SNMPv3?
SNMP versions 1 and 2c transmit community strings (passwords) in plain text. Anyone capturing network traffic can read your community string and gain full access to device management data — or worse, modify device configurations.
SNMPv3 adds three critical security features:
| Feature | SNMPv1/v2c | SNMPv3 |
|---------|-----------|--------|
| Authentication | Community string (plain text) | Username + HMAC (SHA/MD5) |
| Encryption | None | AES/DES encryption |
| Access Control | IP-based only | User-based (USM) + VACM |
| Integrity | None | Message integrity verification |
SNMPv3 Security Levels
| Level | Authentication | Encryption | Use Case |
|-------|---------------|------------|----------|
| noAuthNoPriv | No | No | Testing only (not recommended) |
| authNoPriv | Yes (SHA/MD5) | No | Authentication without privacy |
| authPriv | Yes (SHA) | Yes (AES) | Recommended for production |
Always use authPriv in production — it provides both authentication and encryption.
Configuring SNMPv3 on Network Devices
Cisco IOS/IOS-XE
! Create SNMPv3 group with authPriv
snmp-server group MONITORING v3 priv
! Create SNMPv3 user
snmp-server user snmpuser MONITORING v3 auth sha AuthP@ssw0rd! priv aes 128 PrivP@ssw0rd!
! (Optional) Restrict access to read-only (the view named ALL must already be defined with snmp-server view)
snmp-server group MONITORING v3 priv read ALL
! (Optional) Restrict source IP
snmp-server group MONITORING v3 priv access SNMP_ACL
ip access-list standard SNMP_ACL
! NMS server
permit 10.0.10.50
deny any
! Enable SNMP traps
snmp-server enable traps
snmp-server host 10.0.10.50 version 3 priv snmpuser
! Verify
show snmp user
show snmp group
MikroTik RouterOS
# Create SNMPv3 community/user
/snmp set enabled=yes
/snmp community remove [find] # Remove default communities
/snmp set trap-community="" trap-version=3
# Note: MikroTik uses "community" with SNMPv3 parameters
/snmp community add name=snmpuser \
security=private \
authentication-protocol=SHA1 \
authentication-password="AuthP@ssw0rd!" \
encryption-protocol=AES \
encryption-password="PrivP@ssw0rd!" \
read-access=yes \
write-access=no \
addresses=10.0.10.50/32
HP/Aruba ProCurve
snmpv3 enable
snmpv3 user snmpuser auth sha AuthP@ssw0rd! priv aes PrivP@ssw0rd!
snmpv3 group MONITORING user snmpuser sec-model ver3
snmpv3 access MONITORING sec-model ver3 exact-match sec-level authpriv read-view AllView
Configuring SNMPv3 on Linux (Net-SNMP)
Installation
sudo apt install snmpd snmp libsnmp-dev # Debian/Ubuntu
sudo yum install net-snmp net-snmp-utils # CentOS/RHEL
Create SNMPv3 User
# Stop SNMP daemon first
sudo systemctl stop snmpd
# Create user with authentication (SHA) and encryption (AES)
sudo net-snmp-create-v3-user -ro \
-A "AuthP@ssw0rd!" -a SHA \
-X "PrivP@ssw0rd!" -x AES \
snmpuser
# Start SNMP daemon
sudo systemctl start snmpd
Configure snmpd.conf
# /etc/snmp/snmpd.conf
# System information
sysLocation "Server Room, Building A"
sysContact "admin@company.com"
sysName "web-server-01"
# SNMPv3 access (created by net-snmp-create-v3-user)
# rouser snmpuser authpriv
# Restrict to specific OIDs (optional)
# view systemview included .1.3.6.1.2.1.1 # System
# view systemview included .1.3.6.1.2.1.2 # Interfaces
# view systemview included .1.3.6.1.2.1.25 # Host resources
# Listen on UDP port 161 on all interfaces (use udp:<address>:161 to bind to a specific interface)
agentAddress udp:161
# Disable v1/v2c (remove any rocommunity lines)
# rocommunity public ← DELETE THIS
Restart and Verify
sudo systemctl restart snmpd
sudo systemctl enable snmpd
# Test locally
snmpwalk -v3 -u snmpuser -l authPriv \
-a SHA -A "AuthP@ssw0rd!" \
-x AES -X "PrivP@ssw0rd!" \
localhost .1.3.6.1.2.1.1
# Expected output:
# SNMPv2-MIB::sysDescr.0 = STRING: Linux web-server-01 6.1.0 ...
# SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
# SNMPv2-MIB::sysUpTime.0 = Timeticks: (123456) 0:20:34.56
# SNMPv2-MIB::sysContact.0 = STRING: admin@company.com
# SNMPv2-MIB::sysName.0 = STRING: web-server-01
# SNMPv2-MIB::sysLocation.0 = STRING: Server Room, Building A
Testing with Open-Source Tools
Net-SNMP Command-Line Tools
# snmpwalk — Walk the entire MIB tree
snmpwalk -v3 -u snmpuser -l authPriv \
-a SHA -A "AuthP@ssw0rd!" \
-x AES -X "PrivP@ssw0rd!" \
10.0.30.1
# snmpget — Get a specific OID
snmpget -v3 -u snmpuser -l authPriv \
-a SHA -A "AuthP@ssw0rd!" \
-x AES -X "PrivP@ssw0rd!" \
10.0.30.1 sysUpTime.0
# snmptable — Display SNMP table data
snmptable -v3 -u snmpuser -l authPriv \
-a SHA -A "AuthP@ssw0rd!" \
-x AES -X "PrivP@ssw0rd!" \
10.0.30.1 ifTable
# snmpbulkwalk — Faster walk using GETBULK
snmpbulkwalk -v3 -u snmpuser -l authPriv \
-a SHA -A "AuthP@ssw0rd!" \
-x AES -X "PrivP@ssw0rd!" \
-Cr50 10.0.30.1 .1.3.6.1.2.1.2
Verify Encryption with Wireshark
Capture SNMP traffic to verify encryption is working:
1. Start Wireshark capture on the NMS interface
2. Filter: snmp
3. Run an snmpwalk command
SNMPv2c (insecure):
You can see the community string and all OID values in plain text
SNMPv3 authPriv (secure):
You see "msgAuthoritativeEngineID" and "msgPrivacyParameters"
but the actual data (PDU) is encrypted — shows as "encryptedPDU"
Configure in Zabbix
Zabbix → Configuration → Hosts → Create Host
SNMP Interface:
- IP: 10.0.30.1
- Port: 161
- SNMP version: SNMPv3
- Security name: snmpuser
- Security level: authPriv
- Authentication protocol: SHA
- Authentication passphrase: AuthP@ssw0rd!
- Privacy protocol: AES
- Privacy passphrase: PrivP@ssw0rd!
- Context name: (leave empty unless needed)
Then link appropriate SNMP templates.
Configure in LibreNMS
LibreNMS → Devices → Add Device
Hostname: 10.0.30.1
SNMP Version: v3
Auth Level: authPriv
Auth Username: snmpuser
Auth Password: AuthP@ssw0rd!
Auth Algorithm: SHA
Crypto Password: PrivP@ssw0rd!
Crypto Algorithm: AES
Click "Add Device"
Configure in Grafana (via SNMP Exporter)
For Prometheus + Grafana monitoring:
# snmp.yml (SNMP Exporter config)
auths:
  my_v3_auth:
    version: 3
    security_level: authPriv
    username: snmpuser
    auth_protocol: SHA
    # snmp_exporter names the authentication passphrase "password"
    password: "AuthP@ssw0rd!"
    priv_protocol: AES
    # and the privacy passphrase "priv_password"
    priv_password: "PrivP@ssw0rd!"
SNMPv3 Troubleshooting
Common Issues
| Problem | Cause | Fix |
|---------|-------|-----|
| "Timeout" | Firewall blocking UDP 161 | Open port, check ACL |
| "Authentication failure" | Wrong password or algorithm | Verify credentials match exactly |
| "Decryption error" | Wrong priv password or algorithm | Verify AES/DES and passphrase |
| "Unknown user name" | User not configured on device | Create user, restart SNMP daemon |
| "Engine ID mismatch" | User configured for different engine | Recreate user after engine change |
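Why an engine ID change forces the user to be recreated, as an added example that is not part of the original guide: under the USM (RFC 3414) the passphrase is stretched into a key and then localized with the agent's engine ID, so the key stored for the old engine no longer matches. The engine ID values are constructed, and "SHA" is assumed to mean SHA-1.

```python
import hashlib

def password_to_key(passphrase, hash_name="sha1"):
    """RFC 3414 A.2: hash 1,048,576 bytes of the cyclically repeated passphrase (Ku)."""
    pw = passphrase.encode()
    if len(pw) < 8:
        raise ValueError("USM passphrases must be at least 8 characters")
    reps, rem = divmod(1048576, len(pw))
    return hashlib.new(hash_name, pw * reps + pw[:rem]).digest()

def localize_key(ku, engine_id, hash_name="sha1"):
    """Kul = H(Ku || snmpEngineID || Ku): the key an agent stores for the user."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def user_key(passphrase, engine_id_hex, hash_name="sha1"):
    """Localized key (hex) for one passphrase on one engine."""
    ku = password_to_key(passphrase, hash_name)
    return localize_key(ku, bytes.fromhex(engine_id_hex), hash_name).hex()

def survives_engine_change(passphrase, old_engine_hex, new_engine_hex):
    """True only if the key stored for the old engine ID still matches the new one."""
    return user_key(passphrase, old_engine_hex) == user_key(passphrase, new_engine_hex)

# Constructed engine IDs: the same device before and after its engine ID changed
OLD_ENGINE = "80001f8880aabbccdd00000001"
NEW_ENGINE = "80001f8880aabbccdd00000002"

if __name__ == "__main__":
    print("key for old engine:", user_key("AuthP@ssw0rd!", OLD_ENGINE))
    print("key for new engine:", user_key("AuthP@ssw0rd!", NEW_ENGINE))
    print("stored key still valid:",
          survives_engine_change("AuthP@ssw0rd!", OLD_ENGINE, NEW_ENGINE))
```

The same passphrase is correct on both sides, yet authentication fails until the user entry is rebuilt against the new engine ID.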
Debugging
# Verbose output for troubleshooting
snmpwalk -v3 -u snmpuser -l authPriv \
-a SHA -A "AuthP@ssw0rd!" \
-x AES -X "PrivP@ssw0rd!" \
-d 10.0.30.1 sysDescr.0
# Check SNMP daemon logs
sudo journalctl -u snmpd -f
# Test with different security levels
# If authPriv fails, try authNoPriv to isolate the issue
snmpget -v3 -u snmpuser -l authNoPriv \
-a SHA -A "AuthP@ssw0rd!" \
10.0.30.1 sysDescr.0
Migration from SNMPv2c to SNMPv3
Step-by-Step Migration
1. Inventory: List all devices and their SNMP communities
2. Create: Configure SNMPv3 users on all devices
3. Test: Verify SNMPv3 connectivity to each device
4. Update NMS: Change monitoring to use SNMPv3
5. Verify: Confirm all devices are being polled successfully
6. Disable: Remove SNMPv2c community strings from devices
7. Firewall: Ensure UDP 161/162 is only allowed from NMS IPs
8. Document: Record all SNMPv3 credentials securely
Password Management
- Store SNMPv3 credentials in a password manager or vault
- Use unique passwords per device or device group
- Rotate passwords periodically (every 6-12 months)
- Never use the same password for auth and priv
Best Practices
- Always use authPriv — Authentication AND encryption
- Use SHA over MD5 — SHA is more secure (prefer SHA-256 if supported)
- Use AES over DES — AES-128 minimum, AES-256 if supported
- Restrict SNMP access — ACLs to allow only NMS server IPs
- Disable SNMPv1/v2c — Remove all community strings after migration
- Unique credentials — Different users/passwords per device group
- Read-only access — Only enable SNMP write if absolutely necessary
- Monitor SNMP traffic — Alert on SNMP access from unexpected sources
- Firewall rules — Only allow UDP 161 (query) and 162 (traps) from/to NMS
- Regular audits — Verify SNMPv3 configuration and remove stale users
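One way to automate the "Disable SNMPv1/v2c" and "Regular audits" items for Net-SNMP hosts, as an added example that is not part of the original guide: a check of snmpd.conf text for leftover community directives, users that are not forced to authPriv, write access, and MD5/DES users. The sample configuration and its user names are constructed.

```python
# Directives that grant SNMPv1/v2c community access in snmpd.conf
COMMUNITY = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6",
             "com2sec", "com2sec6"}
ENCRYPTED = {"priv", "authpriv"}  # minimum levels that enforce privacy

def audit_snmpd_conf(text):
    """Return (line_no, finding) pairs for anything weaker than read-only authPriv."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or commented-out line
            continue
        directive, *args = line.split()
        directive = directive.lower()
        if directive in COMMUNITY:
            findings.append((no, f"{directive}: v1/v2c community access enabled"))
        elif directive in ("rouser", "rwuser"):
            if args[:1] == ["-s"]:              # skip optional "-s SECMODEL"
                args = args[2:]
            if not args:
                continue
            # snmpd.conf(5): with no level given, the minimum level is "auth"
            level = args[1].lower() if len(args) > 1 else "auth"
            if level not in ENCRYPTED:
                findings.append((no, f"{directive} {args[0]}: level '{level}' "
                                     "does not enforce encryption"))
            if directive == "rwuser":
                findings.append((no, f"rwuser {args[0]}: write access granted"))
        elif directive == "createuser":
            weak = sorted({a.upper() for a in args} & {"MD5", "DES"})
            if weak:
                findings.append((no, f"createUser: weak algorithm {'/'.join(weak)}"))
    return findings

# Constructed sample configuration (not from a real host)
SAMPLE = """\
sysName web-server-01
# rocommunity public
rocommunity public 10.0.10.0/24
rouser snmpuser
rouser nmsuser authpriv
rwuser netadmin priv
createUser legacy MD5 "OldAuthPass1" DES "OldPrivPass1"
"""

if __name__ == "__main__":
    for no, finding in audit_snmpd_conf(SAMPLE):
        print(f"line {no}: {finding}")
```

A `rouser` line without an explicit `priv` or `authpriv` level still answers authNoPriv requests, which is why the check flags it even though the user has a privacy passphrase.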
Conclusion
SNMPv3 is the secure way to monitor network devices. The migration from SNMPv2c requires effort — configuring users on every device and updating your NMS — but the security benefits are essential. With authentication and encryption, your monitoring traffic is protected from eavesdropping and tampering. Use the open-source tools covered here (Net-SNMP, Zabbix, LibreNMS) to build a secure, comprehensive monitoring infrastructure.