New to SNMPv3.
Should every switch have a unique group name, user name and Priv/Auth passwords?
What is the norm when configuring multiple switches for snmp?
Don't over-complicate things. Just going to SNMPv3 puts you ahead of 80% of corporate networks :)
IMHO, "best practice" is to keep all the switches in a given site or security level with the same credentials. A device which is located in a less secure area (physically or logically) should probably not use the SNMP and passwords as the sites inside the perimeter.
Devices at a remote site where you share access with the local admins, get a separate site-level set of credentials so a rogue admin at that site can't compromise devices at HQ.
add another thing that needs to be addressed at place of employment, thanks for some pointers.
This has been my mentality when working with SNMP/SNMPv3.
Turn it on. Don’t let that crappy “[CompanyName]Public” community string hangout there any longer! Anything is better than that. (I only allow AES+SHA if it only supports MDA + DES it goes away)
Each site gets their own password + priv. Rotate them yearly.
Add an ACL to only allow incoming and outgoing SNMP requests from/to your NMS.
Restrict to read only.
If applicable, restrict the SNMP view to only the OIDs you want to read.
We normally keep it the same per system/network. Makes adding it all to solar winds so much easier.
For questions like this the answer is usually whatever your regulations tell you to do. If there are no regulations then write some and begin enforcing them.
Routers, switches and firewalls. Network blogs, news and network management articles. Cisco, Juniper, Brocade and more all welcome.