How to enable SNMP v3 manually on ESXi 7.0

Hi, I want to enable SNMP v3 manually on my ESXi 7.0.

In ESXi 5.1 and later releases, the SNMP agent adds support for version 3 of the SNMP protocol, offering increased security and improved functionality, including the ability to send informs.

As an alternative to configuring SNMP manually using esxcli commands, you can use host profiles to configure SNMP for an ESXi host. 

By default, the embedded SNMP agent listens on UDP port 161 for polling requests from management systems. You can use the esxcli system snmp set command with the –port option to configure an alternative port. To avoid conflicting with other services, use a UDP port that is not defined in /etc/services.


1- (Optional) If you want to change the default port, you could use this command:

esxcli system snmp set --port port

2- Every SNMP v3 agent has an engine ID which serves as a unique identifier for the agent. The engine ID is used with a hashing function to generate keys for authentication and encryption of SNMP v3 messages.
If you do not specify an engine ID, when you enable the SNMP agent, an engine ID is automatically generated.

esxcli system snmp set --engineid id

Here, id is the engine ID and it must be a hexadecimal string between 5 and 32 characters long.

esxcli system snmp set --engineid 80001ADC05876457531638093177

3- SNMPv3 optionally supports authentication and privacy protocols.

Authentication is used to ensure the identity of users. Privacy allows for encryption of SNMP v3 messages to ensure confidentiality of data. These protocols provide a higher level of security than is available in SNMPv1 and SNMPv2c, which use community strings for security.

Both authentication and privacy are optional. However, you must enable authentication to enable privacy.

esxcli system snmp set --authentication protocol

Here, protocol must be either none (for no authentication), SHA1, or MD5.

esxcli system snmp set --privacy protocol

Here, protocol must be either none (for no privacy) or AES128.

esxcli system snmp set -a SHA1 -x AES128

4- You can configure up to 5 users who can access SNMP v3 information. User names must be no more than 32 characters long.

While configuring a user, you generate authentication and privacy hash values based on the user’s authentication and privacy passwords and the SNMP agent’s engine ID. If you change the engine ID, the authentication protocol, or the privacy protocol after configuring users, the users are no longer valid and must be reconfigured.

esxcli system snmp hash --auth-hash secret1 --priv-hash secret2

The produced output might be the following:

Authhash: 08248c6eb8b333e75a29ca0af06b224faa7d22d6

Privhash: 232ba5cbe8c55b8f979455d3c9ca8b48812adb97

esxcli system snmp hash -r -A password1 -X password2

Authhash: 08248c6eb8b333e75a29ca0af06b224faa7d22d6
Privhash: 232ba5cbe8c55b8f979455d3c9ca8b48812adb97 

5- Configure the user

esxcli system snmp set --user userid/authhash/privhash/security
esxcli system snmp set --users user1/08248c6eb8b333e75a29ca0af06b224faa7d22d6/232ba5cbe8c55b8f979455d3c9ca8b48812adb97/priv
useridThe user name.
authhashThe authentication hash value.
privhashThe privacy hash value.
securityThe level of security enabled for that user, which can be auth (for authentication only), priv (for authentication and privacy), or none (for no authentication or privacy).

6- (Optional) If the ESXi SNMP agent is not enabled, run the following command:

esxcli system snmp set --enable true

7- (Optional) Send a test notification to verify that the agent is configured correctly.

esxcli system snmp test
Finish :-)