Document No. 10-300077, Issue 2 5-3
Configuring SNMP
Authentication and Encryption

Localized Keys

To perform authentication and encryption, the switch and NMS (network
management system) share localized keys. When sending a PDU to the
switch, the NMS generates the localized key and places it in the PDU.
When the switch receives the PDU, it compares the localized key in the
PDU to the localized key stored in the switch memory. If the two
versions match, the PDU is authenticated or decrypted.
To generate a localized key, the switch and NMS use HMAC-MD5 or
HMAC-SHA to:
1. Hash the user password. The hashed user password is called the
non-localized key.
2. Hash a combination of the non-localized key and the engine ID of the
switch. This hashed combination is the localized key.
The NMS stores the non-localized key and generates the localized key only
before sending a PDU to the switch. Each time you create a new SNMP
user, the switch generates and stores the localized key for that user.
If authentication is enabled for a user, he or she must have an authentication
password. If encryption is enabled for a user, he or she must have an
encryption password. For information on setting these passwords, see
“Configuring an SNMPv3 User.”

Engine ID

To perform authentication or encryption, the switch must have an engine
ID. By default, the engine ID is based on the IP address of the ethernet
console port. You can, however, change the engine ID of the switch. For
information on how to change the engine ID of the switch, see “Changing
the Engine ID of the Switch.”
If the switch is using the default engine ID and you change the IP address of
the ethernet console port, the engine ID also changes. All user accounts
become invalid when the engine ID changes, and you must reconfigure them.
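As an added example that is not part of this manual, the two key-derivation steps described under Localized Keys and the engine ID dependency described above, carried out in Python following RFC 3414 Appendix A.2. The digest names, helper names, the RFC 3414 "maplesyrup" test vector and the second (changed) engine ID are my assumptions; note that RFC 3414 derives Ku and Kul with the plain MD5 or SHA-1 digest over the password stretched to 1 MiB, and uses HMAC-MD5-96 or HMAC-SHA-96 with Kul to produce the 12-byte tag that actually travels in the PDU.

```python
import hashlib
import hmac

# RFC 3414 A.2: the password is fed to the digest until 1 MiB has been hashed.
KEY_STRETCH_LEN = 1_048_576


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Step 1: hash the user password into the non-localized key Ku.

    The password is repeated until 1,048,576 bytes have been digested;
    the digest is Ku (16 bytes for MD5, 20 bytes for SHA-1).
    """
    if not password:
        raise ValueError("password must not be empty")
    reps = KEY_STRETCH_LEN // len(password) + 1
    stretched = (password * reps)[:KEY_STRETCH_LEN]
    return hashlib.new(hash_name, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Step 2: hash Ku together with the switch's engine ID.

    Kul = H(Ku || engineID || Ku). Only Kul is stored on the switch, and it
    is valid for exactly one engine ID.
    """
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_params(kul: bytes, whole_msg: bytes, hash_name: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96 tag (msgAuthenticationParameters).

    This 12-byte value is what the NMS places in the PDU; the switch
    recomputes it with its stored Kul and compares.
    """
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]


def keys_after_engine_id_change(password, old_engine_id, new_engine_id, hash_name="md5"):
    """Why an engine ID change invalidates every user account:
    Ku is unchanged, but the Kul stored for the old engine ID no longer matches."""
    ku = password_to_key(password, hash_name)
    return localize_key(ku, old_engine_id, hash_name), localize_key(ku, new_engine_id, hash_name)


if __name__ == "__main__":
    # Test vector from RFC 3414 Appendix A.3.1: password "maplesyrup".
    engine_id = bytes.fromhex("000000000000000000000002")
    ku = password_to_key(b"maplesyrup", "md5")
    kul = localize_key(ku, engine_id, "md5")
    print("Ku :", ku.hex())   # 9faf3283884e92834ebc9847d8edd963
    print("Kul:", kul.hex())  # 526f5eed9fcce26f8964c2930787d82b
    # Constructed case: the console port IP changes, so the default engine ID changes.
    old, new = keys_after_engine_id_change(b"maplesyrup", engine_id, bytes.fromhex("000000000000000000000003"))
    print("Kul differs after engine ID change:", old != new)
```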