Configuring SNMPv3 in a MetroCluster configuration

The authentication and privacy protocols on the switches and on the ONTAP system must be the same.

ONTAP currently supports AES-128 and AES-256 encryption.

  1. Create an SNMP user for each switch from the controller prompt: security login create

    Controller_A_1::> security login create -user-or-group-name monitoringv3ro -application snmp -authentication-method usm -role none -remote-switch-ipaddress 10.10.10.10
  2. Respond to the following prompts as required at your site:

    Enter the authoritative entity's EngineID [remote EngineID]:

    Which authentication protocol do you want to choose (none, md5, sha, sha2-256) [none]: sha

    Enter the authentication protocol password (minimum 8 characters long):

    Enter the authentication protocol password again:

    Which privacy protocol do you want to choose (none, des, aes128) [none]: aes128

    Enter privacy protocol password (minimum 8 characters long):

    Enter privacy protocol password again:

    Note
    The same username can be added to different switches with different IP addresses.
  3. Create an SNMP user for the rest of the switches.

    The following example shows how to create a username for a switch with the IP address 10.10.10.10.
    Controller_A_1::> security login create -user-or-group-name  -application snmp -authentication-method usm -role none -remote-switch-ipaddress 10.10.10.10
  4. Check that there is one login entry for each switch: security login show

    Controller_A_1::> security login show -user-or-group-name snmpv3user -fields remote-switch-ipaddress

    vserver user-or-group-name application authentication-method remote-switch-ipaddress
    ------------ ------------------ ----------- --------------------- -----------------------
    node_A_1 SVM 1 snmpv3user snmp usm 10.10.10.10
    node_A_1 SVM 2 snmpv3user snmp usm 10.10.10.11
    node_A_1 SVM 3 snmpv3user snmp usm 10.10.10.12
    node_A_1 SVM 4 snmpv3user snmp usm 10.10.10.13
    4 entries were displayed.
  5. Configure SNMPv3 on the switches from the switch prompt: snmpconfig --set snmpv3

    Switch-A1:admin> snmpconfig --set snmpv3
    SNMP Informs Enabled (true, t, false, f): [false] true
    SNMPv3 user configuration(snmp user not configured in FOS user database will have physical AD and admin role as the default):
    User (rw): [snmpadmin1]
    Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3]
    Priv Protocol [DES(1)/noPriv(2)/AES128(3)/AES256(4)]): (2..2) [2]
    Engine ID: [00:00:00:00:00:00:00:00:00]
    User (ro): [snmpuser2] snmpv3user
    Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [2]
    Priv Protocol [DES(1)/noPriv(2)/AES128(3)/AES256(4)]): (2..2) [3]


    The example shows how to configure a read-only user. You can adjust the RW users if needed. You should also set passwords on unused accounts to secure them and use the best encryption available in your ONTAP release.
  6. Configure encryption and passwords on the remaining switch users as required on your site.