SNMPv3 is more straightforward than you think on PTP 650/700

SNMP is the starting point for many network management applications. The earlier standards SNMPv1 and SNMPv2c are notoriously insecure. If you care about network security (and don't we all?) and you need SNMP, you really should be using SNMPv3.

SNMPv3 sometimes appears to be complex and difficult to configure. That's partly because it is very flexible in the way that users and views can be manipulated. PTP 650/700 provide two different approaches. You can take advantage of the in-built flexibility of SNMPv3 by configuring the management agent on PTP 650/700 via the SNMPv3 MIB. This is fine for expert users, but undoubtedly less friendly than our second option. The second (and easier) option is to configure SNMPv3 on PTP 650/700 through the web-based interface. Web-based configuration of SNMPv3 is straightforward, but ultimately less flexible than the MIB-based approach. However, the web-based configuration is flexible enough for most applications.

In the rest of this message, we look at how to configure SNMPv3 using the simpler web-based method. It's probably simpler than you think!

Find the SNMP Wizard on the Management | SNMP web page. In Step 1, select SNMP State = Enabled, SNMP Version = SNMPv3, and SNMP Security Mode = Web-based.

SNMP Configuration.png

In Step 3, set the policy for the System Admin and Read Only roles. The Authentication protocol can be MD5 or SHA-1. SHA-1 is the more secure of the two, so use it if your management system supports it. The Privacy protocol can be DES or AES. The unit we used in the example here does not have the optional AES license, so the Privacy protocol is fixed at DES.

Here we are operating the Read Only user without privacy, just to demonstrate the options. In practice, it's difficult to see why you would not use Auth and Priv for both roles.

SNMP Policy.png

Next, you need to set up one or more accounts:

Here we've created one account in each of the roles. The Authentication and Privacy passphrases can be the same, but probably shouldn't be.

Continue to the end of the Wizard and, if necessary, reboot. SNMPv3 is now available to your management system.

You need to configure the management system to match the configuration on the ODU. Here is the options screen in the iReasoning MIB browser. Other MIB browsers are available.

iReasoning Options.png

Here's a Wireshark screen shot showing an SNMP Get sent to the PTP 650 unit. The contents of the GET message are encrypted.

And here's the response from the PTP 650. The Get Response is also encrypted.

Just for completeness, here's the Get Response for Transmit Frequency kHz, with authentication, but without privacy:

If you're using SNMP, consider switching to SNMPv3. Configuration on the ODU is really simple, as long as the web-based approach has enough flexibility for your application.

If security is REALLY important, purchase the optional AES upgrade and configure SNMPv3 to use AES instead of DES.

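Why the Authentication and Privacy passphrases in the account step are better kept different, shown as an added example that is not part of the original post or of Cambium's software: in SNMPv3's User-based Security Model (RFC 3414) both keys are derived from the passphrase with the authentication hash and the agent's engine ID, so identical passphrases yield identical key material. The engine ID and passphrases in the demo are constructed sample values, and the 8-character minimum is this example's own check.

```python
import hashlib

MEGABYTE = 1048576  # RFC 3414 A.2 hashes exactly this many bytes of passphrase


def localized_key(passphrase: str, engine_id: bytes, auth_hash: str) -> bytes:
    """RFC 3414 password-to-key, then localization to one SNMP engine.

    auth_hash is "md5" or "sha1", the two Authentication protocols named above.
    """
    pw = passphrase.encode("utf-8")
    if len(pw) < 8:
        # Assumption of this example: refuse short passphrases, as most USM tools do.
        raise ValueError("passphrase shorter than 8 characters")
    # Step 1: digest of the passphrase repeated end to end until 1 MiB is consumed.
    reps, rem = divmod(MEGABYTE, len(pw))
    ku = hashlib.new(auth_hash, pw * reps + pw[:rem]).digest()
    # Step 2: bind the key to this agent so it is useless against another engine.
    return hashlib.new(auth_hash, ku + engine_id + ku).digest()


def usm_keys(auth_pass: str, priv_pass: str, engine_id: bytes, auth_hash: str):
    """Return (auth_key, des_key, des_pre_iv) for one account.

    The privacy key is localized with the *authentication* hash; DES takes the
    first 8 bytes as its key and the next 8 as the pre-IV (RFC 3414).
    """
    auth_key = localized_key(auth_pass, engine_id, auth_hash)
    priv_key = localized_key(priv_pass, engine_id, auth_hash)
    return auth_key, priv_key[:8], priv_key[8:16]


if __name__ == "__main__":
    engine = bytes.fromhex("8000000001020304")  # constructed engine ID
    samples = [
        ("same passphrase", "Sample-Pass-01", "Sample-Pass-01"),
        ("different passphrases", "Sample-Auth-01", "Sample-Priv-02"),
    ]
    for label, auth_pass, priv_pass in samples:
        auth_key, des_key, _ = usm_keys(auth_pass, priv_pass, engine, "sha1")
        # True means anyone who learns the auth key also holds the DES key.
        print(label, "-> DES key equals start of auth key:", auth_key[:8] == des_key)
```

With a shared passphrase, recovering either key exposes both the integrity and the confidentiality of that account's traffic; separate passphrases keep the two independent.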