When you configure the ESXi SNMP agent for SNMPv3, the agent supports sending notifications (traps and informs) and receiving GET, GETBULK, and GETNEXT requests. SNMPv3 also provides stronger security than SNMPv1 or SNMPv2c, including key authentication and encryption.
Configure the SNMP Engine ID
Every SNMP v3 agent has an engine ID which serves as a unique identifier for the agent. The engine ID is used with a hashing function to generate keys for authentication and encryption of SNMP v3 messages.
If you do not specify an engine ID, one is generated automatically when you enable the SNMP agent.
If you run ESXCLI commands remotely, you must supply connection options that specify the target host and login credentials. If you run ESXCLI commands directly on a host in the ESXi Shell, you can use the commands as given without specifying connection options. For more information on connection options, see ESXCLI Concepts and Examples.
Prerequisites
Configure the ESXi SNMP agent by using the ESXCLI commands. See Getting Started with ESXCLI for more information on how to use ESXCLI.
Procedure
- Run the esxcli system snmp set command with the --engineid option to configure the SNMP engine ID.
For example, run the following command:
esxcli system snmp set --engineid id
Here, id is the engine ID. It must be a hexadecimal string between 5 and 32 characters long.
Configure SNMP Authentication and Privacy Protocols
SNMPv3 optionally supports authentication and privacy protocols.
Authentication is used to ensure the identity of users. Privacy allows for encryption of SNMP v3 messages to ensure confidentiality of data. These protocols provide a higher level of security than is available in SNMPv1 and SNMPv2c, which use community strings for security.
Both authentication and privacy are optional. However, you must enable authentication to enable privacy.
The SNMPv3 authentication and privacy protocols are licensed vSphere features and might not be available in some vSphere editions.
Prerequisites
Configure the ESXi SNMP agent by using the ESXCLI commands. See Getting Started with ESXCLI for more information on how to use ESXCLI.
Procedure
Configure SNMP Users
You can configure up to 5 users who can access SNMP v3 information. User names must be no more than 32 characters long.
While configuring a user, you generate authentication and privacy hash values based on the user's authentication and privacy passwords and the SNMP agent's engine ID. If you change the engine ID, the authentication protocol, or the privacy protocol after configuring users, the users are no longer valid and must be reconfigured.
Prerequisites
- Verify that you have configured the authentication and privacy protocols before configuring users.
- Verify that you know the authentication and privacy passwords for each user you plan to configure. Passwords must be at least 7 characters long. Store these passwords in files on the host system.
- Configure the ESXi SNMP agent by using the ESXCLI commands. See Getting Started with ESXCLI for more information on how to use ESXCLI.
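The engine ID section above says the engine ID is fed into a hash function to derive the keys, and the user section says the per-user authentication and privacy hash values depend on the password and the engine ID, so changing the engine ID or protocol invalidates every user. The following Python is an added example, not part of the VMware documentation and not the code the ESXi agent or esxcli uses; it implements the standard RFC 3414 password-to-key and key-localization procedure that SNMPv3 user-based security is defined by, so that you can see why those hash values are tied to one engine ID. The function names, the sample password and the engine IDs are constructed for the example; the "maplesyrup" vectors are the test vectors published in RFC 3414 appendix A.3.

```python
import hashlib

# RFC 3414 A.2: the password is repeated until 1,048,576 bytes have been
# fed to the hash. This deliberately slow step is what turns a short
# password into the user's key material (Ku).
PASSWORD_EXPANSION_BYTES = 1_048_576

# RFC 3414 section 5: an SNMP engine ID is between 5 and 32 octets.
ENGINE_ID_MIN_OCTETS, ENGINE_ID_MAX_OCTETS = 5, 32


def parse_engine_id(hex_id: str) -> bytes:
    """Decode the hexadecimal engine ID string into raw octets and bound-check it."""
    engine_id = bytes.fromhex(hex_id)
    if not ENGINE_ID_MIN_OCTETS <= len(engine_id) <= ENGINE_ID_MAX_OCTETS:
        raise ValueError(
            f"engine ID must be {ENGINE_ID_MIN_OCTETS}..{ENGINE_ID_MAX_OCTETS} octets, "
            f"got {len(engine_id)}"
        )
    return engine_id


def password_to_key(password: str, hash_name: str) -> bytes:
    """RFC 3414 A.2.1/A.2.2: derive Ku from a password with MD5 or SHA-1."""
    pw = password.encode()
    if not pw:
        raise ValueError("password must not be empty")
    reps, rem = divmod(PASSWORD_EXPANSION_BYTES, len(pw))
    expanded = pw * reps + pw[:rem]          # exactly 1,048,576 bytes
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || engineID || Ku), binding the key to one engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str, hash_name: str = "sha1") -> str:
    """Full derivation from password and engine ID to the localized key, as hex."""
    engine_id = parse_engine_id(engine_id_hex)
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name).hex()


def keys_differ_across_engines(password: str, engine_a_hex: str, engine_b_hex: str) -> bool:
    """True when the same password yields different localized keys on two engine IDs.

    This is the property behind the documentation's warning: the hash values
    configured for a user are only valid for the engine ID they were computed with.
    """
    return localized_key_hex(password, engine_a_hex) != localized_key_hex(password, engine_b_hex)


if __name__ == "__main__":
    # Constructed sample values; the RFC test engine ID is 12 octets of which
    # the last is 0x02.
    rfc_engine = "000000000000000000000002"
    other_engine = "8000000001020304"            # constructed, 8 octets
    for algo in ("md5", "sha1"):
        print(f"{algo:4} authKey on RFC engine:  ",
              localized_key_hex("maplesyrup", rfc_engine, algo))
        print(f"{algo:4} authKey on other engine:",
              localized_key_hex("maplesyrup", other_engine, algo))
    # The privacy key is derived the same way from the privacy password;
    # AES-128 uses the first 16 bytes of the localized key.
    print("privKey (AES-128) on RFC engine:",
          localized_key_hex("maplesyrup", rfc_engine, "sha1")[:32])
    print("same password, different engine IDs, different keys:",
          keys_differ_across_engines("maplesyrup", rfc_engine, other_engine))
```

Run it and compare the first two lines with RFC 3414 appendix A.3: the MD5 and SHA-1 localized keys for "maplesyrup" on the RFC test engine ID match the published vectors, while the same password on any other engine ID produces unrelated keys. That is exactly why the users you configure on an ESXi host, and the matching users on the management system that receives traps or informs, must be generated against the agent's current engine ID.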
Procedure
Configure SNMP v3 Targets
Configure SNMP v3 targets to allow the ESXi SNMP agent to send SNMP v3 traps and informs.
SNMP v3 allows for sending both traps and informs. An inform is an acknowledged notification: if the receiver does not acknowledge it, the sender resends it up to three times, waiting 5 seconds between attempts.
You can configure a maximum of three SNMP v3 targets, in addition to a maximum of three SNMP v1/v2c targets.
To configure a target, you must specify a hostname or IP address of the system that receives the traps or informs, a user name, a security level, and whether to send traps or informs. The security level can be either none (for no security), auth (for authentication only), or priv (for authentication and privacy).
Prerequisites
- Ensure that the users who access the traps or informs are configured as SNMP users for both the ESXi SNMP agent and the target management system.
- If you are configuring informs, you need the engine ID for the SNMP agent on the remote system that receives the inform message.
- Configure the ESXi SNMP agent by using the ESXCLI commands. See Getting Started with ESXCLI for more information on how to use ESXCLI.