When you configure the ESXi SNMP agent for SNMPv3, the agent supports sending notifications (traps and informs) and receiving GET, GETBULK, and GETNEXT requests. SNMPv3 also provides stronger security than SNMPv1 or SNMPv2c, including key authentication and encryption.

An inform is a notification that the sender resends up to three times, or until the receiver acknowledges it.

Configure the SNMP Engine ID

Every SNMP v3 agent has an engine ID which serves as a unique identifier for the agent. The engine ID is used with a hashing function to generate keys for authentication and encryption of SNMP v3 messages.

If you do not specify an engine ID, one is generated automatically when you enable the SNMP agent.

If you run ESXCLI commands from a remote system, you must supply connection options that specify the target host and login credentials. If you run ESXCLI commands directly on a host using the ESXi Shell, you can use the commands as given without specifying connection options. For more information on connection options, see ESXCLI Concepts and Examples.

Prerequisites

Configure the ESXi SNMP agent by using the ESXCLI commands. See Getting Started with ESXCLI for more information on how to use ESXCLI.

Procedure

  • Run the esxcli system snmp set command with the --engineid option to configure the SNMP engine ID.
    For example, run the following command:
    esxcli system snmp set --engineid id
    Here, id is the engine ID and it must be a hexadecimal string between 5 and 32 characters long.

Configure SNMP Authentication and Privacy Protocols

SNMPv3 optionally supports authentication and privacy protocols.

Authentication is used to ensure the identity of users. Privacy allows for encryption of SNMP v3 messages to ensure confidentiality of data. These protocols provide a higher level of security than is available in SNMPv1 and SNMPv2c, which use community strings for security.

Both authentication and privacy are optional. However, you must enable authentication to enable privacy.

The SNMPv3 authentication and privacy protocols are licensed vSphere features and might not be available in some vSphere editions.

If you run ESXCLI commands from a remote system, you must supply connection options that specify the target host and login credentials. If you run ESXCLI commands directly on a host using the ESXi Shell, you can use the commands as given without specifying connection options. For more information on connection options, see ESXCLI Concepts and Examples.

Prerequisites

Configure the ESXi SNMP agent by using the ESXCLI commands. See Getting Started with ESXCLI for more information on how to use ESXCLI.

Procedure

  1. (Optional) Run the esxcli system snmp set command with the --authentication option to configure authentication.
    For example, run the following command:
    esxcli system snmp set --authentication protocol
    Here, protocol must be either none (for no authentication) or SHA1.
  2. (Optional) Run the esxcli system snmp set command with the --privacy option to configure privacy.
    For example, run the following command:
    esxcli system snmp set --privacy protocol
    Here, protocol must be either none (for no privacy) or AES128.

Configure SNMP Users

You can configure up to 5 users who can access SNMP v3 information. User names must be no more than 32 characters long.

When you configure a user, you generate authentication and privacy hash values from the user's authentication and privacy passwords and the SNMP agent's engine ID. If you change the engine ID, the authentication protocol, or the privacy protocol after configuring users, those users are no longer valid and must be reconfigured.
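As an added illustration (not VMware's code), here is the standard SNMPv3 key derivation from RFC 3414 that underlies the hashes described here and in the engine ID section: the password is stretched and hashed, then localized with the engine ID, which is why a new engine ID or protocol invalidates every configured user. That esxcli system snmp hash produces exactly these RFC 3414 values is an assumption; the password and engine IDs below are the RFC's own test inputs, not values from any host.

```python
import hashlib

MEBIBYTE = 1048576  # RFC 3414 A.2: the password is streamed out to 1 MiB before hashing

def password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2.2 password-to-key (Ku): hash 1 MiB of the repeated password."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (MEBIBYTE // len(password) + 1))[:MEBIBYTE]
    return hashlib.new(hash_name, stream).digest()

def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 2.6 key localization: Kul = H(Ku || snmpEngineID || Ku).
    The result is bound to one engine, so a new engine ID yields a new key."""
    if not 5 <= len(engine_id) <= 32:  # snmpEngineID length bounds from RFC 3411
        raise ValueError("engine ID must be 5..32 octets")
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def user_hashes(auth_password: str, priv_password: str, engine_id_hex: str) -> tuple:
    """Localized SHA-1 auth and priv keys as 40-hex strings, in the shape of the
    Authhash/Privhash pair the page shows (assumed, not verified against esxcli)."""
    for pw in (auth_password, priv_password):
        if len(pw) < 7:  # the page's minimum password length
            raise ValueError("passwords must be at least 7 characters")
    engine_id = bytes.fromhex(engine_id_hex)
    auth = localize_key(password_to_key(auth_password.encode()), engine_id)
    priv = localize_key(password_to_key(priv_password.encode()), engine_id)
    return auth.hex(), priv.hex()

# Constructed inputs: the RFC 3414 Appendix A.3 test password and engine ID.
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = "000000000000000000000002"

def engine_change_invalidates_user() -> bool:
    """Same passwords, different engine ID: every localized hash changes."""
    before = user_hashes(RFC_PASSWORD, RFC_PASSWORD, RFC_ENGINE_ID)
    after = user_hashes(RFC_PASSWORD, RFC_PASSWORD, "000000000000000000000003")
    return before != after

if __name__ == "__main__":
    print(user_hashes(RFC_PASSWORD, RFC_PASSWORD, RFC_ENGINE_ID))
```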

If you run ESXCLI commands from a remote system, you must supply connection options that specify the target host and login credentials. If you run ESXCLI commands directly on a host using the ESXi Shell, you can use the commands as given without specifying connection options. For more information on connection options, see ESXCLI Concepts and Examples.

Prerequisites

  • Verify that you have configured the authentication and privacy protocols before configuring users.
  • Verify that you know the authentication and privacy passwords for each user you plan to configure. Passwords must be at least 7 characters long. Store these passwords in files on the host system.
  • Configure the ESXi SNMP agent by using the ESXCLI commands. See Getting Started with ESXCLI for more information on how to use ESXCLI.

Procedure

  1. If you are using authentication or privacy, get the authentication and privacy hash values for the user by running the esxcli system snmp hash command with the --auth-hash and --priv-hash flags.
    For example, run the following command:
    esxcli system snmp hash --auth-hash secret1 --priv-hash secret2
    Here, secret1 is the path to the file containing the user's authentication password and secret2 is the path to the file containing the user's privacy password.

    Alternatively, you can pass the --raw-secret flag and specify the passwords directly on the command line.

    For example, you can run the following command:
    esxcli system snmp hash --auth-hash authsecret --priv-hash privsecret --raw-secret
    The command displays the authentication and privacy hash values, for example:
    Authhash: 08248c6eb8b333e75a29ca0af06b224faa7d22d6
    Privhash: 232ba5cbe8c55b8f979455d3c9ca8b48812adb97
  2. Configure the user by running the esxcli system snmp set command with the --user flag.
    For example, you can run the following command:
    esxcli system snmp set --user userid/authhash/privhash/security
    The command accepts the following parameters:
    Parameter   Description
    userid      The user name.
    authhash    The authentication hash value.
    privhash    The privacy hash value.
    security    The level of security enabled for that user: auth (authentication only), priv (authentication and privacy), or none (no authentication or privacy).
    For example, run the following command to configure user1 for access with authentication and privacy:
    esxcli system snmp set --user user1/08248c6eb8b333e75a29ca0af06b224faa7d22d6/232ba5cbe8c55b8f979455d3c9ca8b48812adb97/priv
    Run the following command to configure user2 for access with no authentication or privacy (a hyphen stands in for each unused hash):
    esxcli system snmp set --user user2/-/-/none
  3. (Optional) Test the user configuration by running the following command:
    esxcli system snmp test --user username --auth-hash secret1 --priv-hash secret2
    If the configuration is correct, this command returns the following message: "User username validated correctly using engine id and security level: protocols". Here, protocols indicates the security protocols configured.

Configure SNMP v3 Targets

Configure SNMP v3 targets to allow the ESXi SNMP agent to send SNMP v3 traps and informs.

SNMP v3 allows for sending both traps and informs. An inform is a notification that the sender resends up to three times, waiting 5 seconds between attempts, until the receiver acknowledges it.

You can configure a maximum of three SNMP v3 targets, in addition to a maximum of three SNMP v1/v2c targets.

To configure a target, you must specify a hostname or IP address of the system that receives the traps or informs, a user name, a security level, and whether to send traps or informs. The security level can be either none (for no security), auth (for authentication only), or priv (for authentication and privacy).

If you run ESXCLI commands from a remote system, you must supply connection options that specify the target host and login credentials. If you run ESXCLI commands directly on a host using the ESXi Shell, you can use the commands as given without specifying connection options. For more information on connection options, see ESXCLI Concepts and Examples.

Prerequisites

  • Ensure that the users who access the traps or informs are configured as SNMP users for both the ESXi SNMP agent and the target management system.
  • If you are configuring informs, you need the engine ID for the SNMP agent on the remote system that receives the inform message.
  • Configure the ESXi SNMP agent by using the ESXCLI commands. See Getting Started with ESXCLI for more information on how to use ESXCLI.

Procedure

  1. (Optional) If you are configuring informs, configure the remote users by running the esxcli system snmp set command with the --remote-users option.
    For example, run the following command:
    esxcli system snmp set --remote-users userid/auth-protocol/auth-hash/priv-protocol/priv-hash/engine-id
    The command accepts the following parameters:
    Parameter       Description
    userid          The user name.
    auth-protocol   The authentication protocol: none (for no authentication) or SHA1.
    auth-hash       The authentication hash, or - if the authentication protocol is none.
    priv-protocol   The privacy protocol: AES128 or none.
    priv-hash       The privacy hash, or - if the privacy protocol is none.
    engine-id       The engine ID of the SNMP agent on the remote system that receives the inform message.
  2. Run the esxcli system snmp set command with the --v3targets option.
    For example, run the following command:
    esxcli system snmp set --v3targets hostname@port/userid/secLevel/message-type
    The command accepts the following parameters:
    Parameter      Description
    hostname       The host name or IP address of the management system that receives the traps or informs.
    port           The port on the management system that receives the traps or informs. If you do not specify a port, the default port, 162, is used.
    userid         The user name.
    secLevel       The level of authentication and privacy you have configured: auth if you have configured authentication only, priv if you have configured both authentication and privacy, and none if you have configured neither.
    message-type   The type of message the management system receives: trap or inform.
  3. (Optional) If the ESXi SNMP agent is not enabled, run the following command:
    esxcli system snmp set --enable true
  4. (Optional) Send a test notification to verify that the agent is configured correctly by running the esxcli system snmp test command.
    The agent sends a warmStart notification to the configured target.
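The procedures above (engine ID, protocols, users, targets) carry ordering and limit rules that are easy to violate by hand: users must be created after the engine ID and protocols are fixed, privacy needs authentication, and the agent allows at most 5 SNMPv3 users and 3 SNMPv3 targets. As an added example (not VMware's code), this helper assembles the esxcli lines in the required order and rejects an inconsistent plan before anything is applied; the 40-hex hash format, the hyphen for the priv hash at level auth, and the engine ID value are assumptions or constructed samples.

```python
import re

SECURITY_LEVELS = ("none", "auth", "priv")
HASH40 = re.compile(r"^[0-9a-f]{40}$")  # assumption: esxcli hashes are 40 hex chars

def user_spec(userid, authhash, privhash, security):
    """Build userid/authhash/privhash/security for `esxcli system snmp set --user`."""
    if not 1 <= len(userid) <= 32 or "/" in userid:  # page: names at most 32 chars
        raise ValueError("user name must be 1..32 characters without '/'")
    if security not in SECURITY_LEVELS:
        raise ValueError("security must be none, auth or priv")
    need_auth, need_priv = security != "none", security == "priv"
    if need_auth and not HASH40.match(authhash or ""):
        raise ValueError("auth hash required for security level " + security)
    if need_priv and not HASH40.match(privhash or ""):
        raise ValueError("priv hash required for security level priv")
    # Unused hashes are written as '-' (the page shows user2/-/-/none).
    return "/".join([userid, authhash if need_auth else "-",
                     privhash if need_priv else "-", security])

def v3target_spec(host, userid, sec_level, message_type, port=162):
    """Build hostname@port/userid/secLevel/message-type for `--v3targets`."""
    if sec_level not in SECURITY_LEVELS or message_type not in ("trap", "inform"):
        raise ValueError("bad secLevel or message-type")
    if not 1 <= port <= 65535:
        raise ValueError("bad port")
    return f"{host}@{port}/{userid}/{sec_level}/{message_type}"

def snmpv3_commands(engine_id, auth_proto, priv_proto, users, targets):
    """Emit esxcli lines in the order the page requires: engine ID and protocols
    first (changing them later invalidates every user), then users, then targets.
    users: (userid, authhash, privhash, security) tuples; targets: v3target_spec args."""
    if auth_proto not in ("none", "SHA1") or priv_proto not in ("none", "AES128"):
        raise ValueError("authentication is none/SHA1, privacy is none/AES128")
    if priv_proto != "none" and auth_proto == "none":
        raise ValueError("privacy requires authentication")
    if len(users) > 5 or len(targets) > 3:
        raise ValueError("at most 5 SNMPv3 users and 3 SNMPv3 targets")
    for _, _, _, sec in users:
        if (sec == "priv" and priv_proto == "none") or (sec != "none" and auth_proto == "none"):
            raise ValueError("user security level exceeds the configured protocols")
    cmds = [f"esxcli system snmp set --engineid {engine_id}",
            f"esxcli system snmp set --authentication {auth_proto}",
            f"esxcli system snmp set --privacy {priv_proto}"]
    cmds += [f"esxcli system snmp set --user {user_spec(*u)}" for u in users]
    cmds += [f"esxcli system snmp set --v3targets {v3target_spec(*t)}" for t in targets]
    cmds.append("esxcli system snmp set --enable true")
    return cmds
```

The returned lines are meant to be reviewed, then typed into the ESXi Shell or run with the connection options described above; the helper itself never contacts a host.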