Article ID: 324269
Issue/Introduction
This article provides steps, with an example, to configure SNMPv3 on ESXi 6.5.
Resolution
Example:
SNMP Server x.x.x.x
Port: 161
MAC: 00-50-56-89-30-1B (00505689301B)
user: vmawaremon
SHA1: f!zgFB1dw#WXsqRh
AES128: XebZxLOuDdoDjzxs
1. Set the engine ID (the engine ID can also be the MAC ID of the target):
esxcli system snmp set -E=00505689301B
or
esxcli system snmp set --engineid id
2. Run the command with the --authentication option (short form -a) to configure authentication:
esxcli system snmp set -a=SHA1
or
esxcli system snmp set --authentication SHA1
3. Run the command with the --privacy option (short form -x) to configure privacy:
esxcli system snmp set -x=AES128
or
esxcli system snmp set --privacy AES128
4. If you are using authentication or privacy, get the authentication and privacy hash values for the user by running the esxcli system snmp hash command with the --auth-hash and --priv-hash flags:
esxcli system snmp hash --auth-hash /tmp/secret1 --priv-hash /tmp/secret2
Example output:
Authhash: 9f2dcc4761a6c3f26544934a29c60cfd52ef389b
Privhash: a8fc564e9190d84998822404190b534bdc278f4f
secret1 is the path to the file containing the user's authentication password, and secret2 is the path to the file containing the user's privacy password.
5. Configure the SNMP user by running the esxcli system snmp set command with the --users flag:
esxcli system snmp set --users userid/authhash/privhash/security
For example, run the following command to configure vmwaresnmp for access with authentication and privacy:
esxcli system snmp set --users vmwaresnmp/9f2dcc4761a6c3f26544934a29c60cfd52ef389b/a8fc564e9190d84998822404190b534bdc278f4f/priv
6. Test the user configuration by running the following command:
esxcli system snmp test --user vmwaresnmp --auth-hash /tmp/secret1 --priv-hash /tmp/secret2
Comments: Testing SNMPv3 user 'vmwaresnmp', User validated correctly for given engine id and security level: authPriv
If the configuration is correct, this command returns the following message: "User username validated correctly using engine id and security level: protocols". Here, protocols indicates the security protocols configured.
7. If you are configuring informs, configure the remote users by running the esxcli system snmp set command with the --remote-users option:
esxcli system snmp set --remote-users userid/auth-protocol/auth-hash/priv-protocol/priv-hash/engine-id
Example:
esxcli system snmp set --remote-users vmwaresnmp/SHA1/9f2dcc4761a6c3f26544934a29c60cfd52ef389b/AES128/a8fc564e9190d84998822404190b534bdc278f4f/00505689301B
8. Configure the SNMP v3 targets:
esxcli system snmp set --v3targets hostname@port/userid/secLevel/message-type
Example:
esxcli system snmp set --v3targets x.x.x.x@161/vmwaresnmp/priv/trap
9. To check the SNMP configuration, run:
esxcli system snmp get
Authentication: SHA1
Communities:
Enable: true
Engineid: 00505689301B
Hwsrc: indications
Largestorage: true
Loglevel: debug
Notraps:
Port: 161
Privacy: AES128
Remoteusers: vmwaresnmp/SHA1/9f2dcc4761a6c3f26544934a29c60cfd52ef389b/AES128/a8fc564e9190d84998822404190b534bdc278f4f/00505689301B/
Syscontact:
Syslocation:
Targets:
Users: vmwaresnmp/9f2dcc4761a6c3f26544934a29c60cfd52ef389b/a8fc564e9190d84998822404190b534bdc278f4f/priv
V3targets: x.x.x.x@161 vmwaresnmp priv trap
10. If the ESXi SNMP agent is not enabled, run the following command:
esxcli system snmp set --enable true
Restart the snmpd service:
/etc/init.d/snmpd restart
11. Send a test notification to verify that the agent is configured correctly:
esxcli system snmp test
Comments: There is 1 target configured, send warmStart requested, test completed normally.
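Added example, not part of the original article or VMware's tooling: a Python check that reads the text printed by esxcli system snmp get and reports any setting weaker than authentication plus privacy. The sample input is constructed, and the function names and the comma-separated layout for several users or targets are assumptions.

```python
# Added example (not from the KB article): audit the text printed by
# `esxcli system snmp get` for settings weaker than SNMPv3 authPriv.

# Constructed sample in the layout of the `get` output; hashes are placeholders.
SAMPLE = """\
Authentication: SHA1
Communities: public
Enable: true
Engineid: 00505689301B
Port: 161
Privacy: none
Users: vmwaresnmp/AUTHHASH/PRIVHASH/priv, legacy/AUTHHASH/PRIVHASH/auth
V3targets: x.x.x.x@161 vmwaresnmp priv trap
"""

def parse(text):
    """Turn 'Key: value' lines into a dict; an empty value becomes ''."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip().lower()] = value.strip()
    return cfg

def split_list(value):
    """Assumption: several users/targets are comma-separated, as on `set`."""
    return [item.strip() for item in value.split(",") if item.strip()]

def audit(text):
    """Return a list of findings; an empty list means authPriv only."""
    cfg, findings = parse(text), []
    if cfg.get("communities"):
        findings.append("v1/v2c community strings are configured")
    if cfg.get("authentication", "none").lower() == "none":
        findings.append("no default authentication protocol")
    if cfg.get("privacy", "none").lower() == "none":
        findings.append("no default privacy protocol")
    for user in split_list(cfg.get("users", "")):
        fields = user.split("/")  # userid/authhash/privhash/security
        if fields[-1] != "priv":
            findings.append(f"user {fields[0]} is not at security level priv")
    for target in split_list(cfg.get("v3targets", "")):
        parts = target.split()  # host@port userid secLevel message-type
        if len(parts) < 3 or parts[2] != "priv":
            findings.append(f"v3 target {parts[0]} is not at level priv")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Run against the configuration shown in step 9 of this article, the check reports no findings.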
Additional Information
https://kb.vmware.com/s/article/2148987 (SNMP issue)