SNMP v3 encryption

Solved
pdeleuw
Getting noticed


Hi community,

the documentation https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/SNMP_Overview_and_C... says:

"SNMP v1/v2c sends the community string in plain text. If v3 is selected, you will need to configure a username and password. When using v3, Cisco Meraki devices will use SHA1 for authentication and DES for privacy, with the configured password used for both."

Is this true? DES encryption in 2023? The doc is last updated on Jun 28, 2023 ...

 

Regards,

Peter

 

1 Accepted Solution
alemabrahao
Kind of a big deal

Yes, it is. 😉

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

pdeleuw
Getting noticed

Thank you, @alemabrahao. I managed to test it:

 

~$ snmpget -v3 -l authPriv -u snmpuser -a SHA -A snmpuser -x DES -X snmpuser 10.3.0.4 iso.3.6.1.2.1.1.1.0
iso.3.6.1.2.1.1.1.0 = STRING: "Meraki MR33 Cloud Managed AP"
~$ snmpget -v3 -l authPriv -u snmpuser -a SHA -A snmpuser -x AES -X snmpuser 10.3.0.4 iso.3.6.1.2.1.1.1.0
snmpget: Decryption error

 

Additionally, you can poll the dashboard via snmp.meraki.com. You enable and configure it on Organization > Settings. Here you can choose between DES and AES (128).
~$ snmpget -v3 -l authPriv -u xxxxxx -a SHA -A snmpuser1 -x AES -X snmpuser1 snmp.meraki.com:16100 iso.3.6.1.2.1.1.1.0
iso.3.6.1.2.1.1.1.0 = STRING: "Cisco Meraki Cloud Controller"

You can poll:
Device MAC address
Device Serial number
Device Name
Device Status (Online or Offline)
Device Last Contacted - Date and Time
Mesh Status (Gateway or Repeater)
Public IP Address
Product Code (e.g. MR18-HW)
Product Description (e.g. Meraki Cloud-controller 802.11n AP)
Name of the Network that the device resides in (Dashboard Network)
Packets/Bytes In/Out on each physical interface

 

Regards

Peter
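
What "the configured password used for both" in the documentation quoted in the first post means at key level, as an added example that is not part of the original posts and not Meraki code: the RFC 3414 password-to-key derivation with SHA-1, showing that one password yields the same localized secret for authentication and privacy, and how much of it DES (RFC 3414) and AES-128 (RFC 3826) actually use. The function names are illustrative; the password and engine ID are the published RFC 3414 A.3.2 test vector, not values from any Meraki device.

```python
import hashlib

MEGABYTE = 1_048_576  # RFC 3414 A.2: hash exactly 2^20 octets of repeated password


def password_to_key_sha1(password: bytes) -> bytes:
    """RFC 3414 A.2.2 password-to-key (Ku) with SHA-1."""
    if not password:
        raise ValueError("password must not be empty")
    repeated = password * (MEGABYTE // len(password) + 1)
    return hashlib.sha1(repeated[:MEGABYTE]).digest()


def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 2.6: bind Ku to one agent's snmpEngineID (Kul)."""
    return hashlib.sha1(ku + engine_id + ku).digest()


def usm_key_material(auth_pw: bytes, priv_pw: bytes, engine_id: bytes) -> dict:
    """Keys an authPriv user with SHA-1 authentication ends up with on one agent."""
    auth_kul = localize_key(password_to_key_sha1(auth_pw), engine_id)
    # The privacy key is derived with the authentication hash as well,
    # so identical passwords give identical key material.
    priv_kul = localize_key(password_to_key_sha1(priv_pw), engine_id)
    des_key = priv_kul[:8]
    return {
        "auth_key": auth_kul,                 # 20-octet HMAC-SHA-96 key
        "des_key": des_key,                   # first 8 octets of the privacy key
        # DES ignores the low bit of every octet: 56 effective key bits.
        "des_effective_key": bytes(b & 0xFE for b in des_key),
        "des_pre_iv": priv_kul[8:16],         # next 8 octets seed the CBC IV
        "aes128_key": priv_kul[:16],          # RFC 3826: first 128 bits of Kul
        "shared_secret": auth_kul == priv_kul,
    }


if __name__ == "__main__":
    ENGINE_ID = bytes.fromhex("000000000000000000000002")  # RFC test vector
    same = usm_key_material(b"maplesyrup", b"maplesyrup", ENGINE_ID)
    split = usm_key_material(b"maplesyrup", b"constructed-priv-pw", ENGINE_ID)
    for label, keys in (("one password", same), ("two passwords", split)):
        print(label, "-> auth and privacy share key material:", keys["shared_secret"])
        print("  auth key:", keys["auth_key"].hex())
        print("  DES key :", keys["des_key"].hex(), "pre-IV:", keys["des_pre_iv"].hex())
        print("  AES key :", keys["aes128_key"].hex())
```

With a single configured password the DES key is simply the first 8 octets of the authentication key, so the two protections stand or fall together.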

GreenMan
Meraki Employee

Worth remembering that, in a Meraki world, SNMP cannot be used for configuration. I think it's safe to say that, as a cloud-native platform, we think there are probably better ways of securely managing IT systems these days, too.

pdeleuw
Getting noticed

Yes, of course. The RestAPI is your friend. Secure remote administration via HTTPS. Flexible and scriptable. Scalable with action batches.

SNMP (read-only) is reasonable for integration with existing monitoring systems.
