SNMPv3 across 54 switches and four firmware generations

Sector: Utility OT · Platform: FortiSwitch + Cisco Catalyst · Timeline: 5 weeks

The situation

54 OT switches still polling on SNMPv2c communities. Mixed estate: FortiSwitch-224E running v6.2 through v7.6, Cisco C9500 / C9300 on IOS-XE 17.6, and a handful of older 3750s on IPBASE images. Compliance needed v3 with auth+priv across the board.

What we discovered

• FortiSwitch v6.2 and IOS-XE 17.6 on Cat9K can do SHA256+AES256 cleanly -- modern crypto, modern credentials.
• FortiOS 6.0.9 (still running on LIBCS 80E firewalls fronting some sites) tops out at SHA1+AES256.
• Older Cisco IPBASE / UNIVERSAL images can do auth only -- no priv -- and there is no path to v3 with privacy on those switches.
• Without an fnsysctl kill -9 snmpd after live FortiOS v3 user changes, the OID table doesn't rebuild and IF-MIB walks silently drop.

The credential policy

Rather than rotate every credential to a lowest-common-denominator, we built a tiered SolarWinds credential map:

• Cred 48 -- SHA256+AES256 for FortiOS 7.x and modern Cisco.
• Cred 49 -- SHA1+AES128 for FortiSwitch v6.2 / older IOS-XE.
• Cred 57 -- SHA1+AES256 for FortiOS 6.0.x.
• Cred 58 -- SHA1+AES128 for net-snmp 5.7 / CentOS 7.

Each node was tagged with the matching credential at provisioning time, with the mapping logic encoded in our config push script so new devices land on the correct credential automatically.

Outcome

All 54 switches converted with no polling gaps measurable in SolarWinds. v2c communities decommissioned. The credential-mapping policy is now part of the client's standard onboarding for any new switch or firewall.

---

← Back to case studies