I recently discovered that SNMPv3 stopped working on one of my VSPs. I discovered that it had stopped working when I started using access policies on that device.
After some research, I found out that the default access-policy blocks SNMPv3. This is what the default access-policy looks like:
    VSP#show access-policy
    ************************************************************************************
    Command Execution Time: Thu Oct 15 14:06:16 2020 CEST
    ************************************************************************************
    AccessPolicyEnable: on
    Id: 1
    Name: default
    PolicyEnable: true
    Mode: allow
    Service: ftp|http|tftp|telnet|ssh|snmpv3
    Precedence: 128
    NetAddrType: any
    NetAddr: N/A
    NetMask: N/A
    TrustedHostAddr: N/A
    TrustedHostUserName: none
    AccessLevel: readOnly
    AccessStrict: false
    Usage: 12
In the above output, you can see that SNMPv3 is allowed. However, you have to specify the SNMP group(s) which should be allowed:
    conf t
    access-policy 5
    access-policy 5 name "SNMPv3" network X.X.X.X/X
    access-policy 5 http ssh snmpv3
    access-policy 5 snmp-group <MySNMPGroup> usm
The “snmp-group” property won’t be shown in a “show access-policy”, but it seems to be required for SNMPv3 access to work IF you use access-policies at all.
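Since the group binding is not visible in "show access-policy", one way to catch the gap is to check the configuration text itself. The script below is an added example, not part of the original post or any Extreme tooling: it assumes the access-policy lines appear in a saved configuration in the same form as the commands above, and the sample config, networks and group name are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the command form used in the post; ids, networks
# and the group name "ExampleGroup" are made up for illustration.
SAMPLE_CONFIG = '''\
access-policy 5
access-policy 5 name "SNMPv3" network 192.0.2.0/24
access-policy 5 http ssh snmpv3
access-policy 5 snmp-group ExampleGroup usm
access-policy 6 name "Mgmt" network 198.51.100.0/24
access-policy 6 ssh snmpv3
access-policy 7 name "snmpv3 test" network 203.0.113.0/24
access-policy 7 ssh
'''

LINE = re.compile(r'^\s*access-policy\s+(\d+)\s+(.*)$')
GROUP = re.compile(r'\bsnmp-group\s+(\S+)\s+(\S+)')
QUOTED = re.compile(r'"[^"]*"')


def audit(config_text):
    """Return ids of policies that allow snmpv3 but bind no usm snmp-group."""
    allows_snmpv3 = set()
    usm_groups = defaultdict(set)
    for line in config_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an access-policy line, or the bare "access-policy <id>"
        pid = int(m.group(1))
        # Drop quoted policy names so a name such as "SNMPv3" is not
        # mistaken for the snmpv3 service keyword.
        rest = QUOTED.sub('', m.group(2))
        for group, model in GROUP.findall(rest):
            if model == 'usm':  # usm is the security model the post binds for SNMPv3
                usm_groups[pid].add(group)
        # Remove the snmp-group clause before looking for service keywords.
        if 'snmpv3' in GROUP.sub('', rest).split():
            allows_snmpv3.add(pid)
    return sorted(p for p in allows_snmpv3 if not usm_groups[p])


if __name__ == '__main__':
    for pid in audit(SAMPLE_CONFIG):
        print(f'access-policy {pid}: snmpv3 enabled but no "snmp-group <name> usm" line')
```

On the constructed sample it reports policy 6 only: policy 5 has the group binding, and policy 7 mentions snmpv3 only in its name.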
More info about access-policies and SNMPv3 on VOSS can be found on the Extreme KB.