• aes256: Specifies the AES encryption algorithm that uses a 256-bit key. 
• des56: Specifies the DES encryption algorithm that uses a 56-bit key. 
priv-password: Specifies an encryption key. This argument is case sensitive. 
• The plaintext form of the key in non-FIPS mode is a string of 1 to 64 characters. The plaintext 
form of the key in FIPS mode is a string of 15 to 64 characters, which must contain numbers, 
uppercase letters, lowercase letters, and special characters. 
• The encrypted form of the key can be calculated by using the 
snmp-agent calculate-password command. 
acl: Specifies a basic or advanced IPv4 ACL for the user. 
ipv4-acl-number: Specifies a basic or advanced IPv4 ACL by its number. The basic IPv4 ACL 
number is in the range of 2000 to 2999. The advanced IPv4 ACL number is in the range of 3000 to 
3999. 
name ipv4-acl-name: Specifies a basic or advanced IPv4 ACL by its name, a case-insensitive string 
of 1 to 63 characters. 
acl ipv6: Specifies a basic or advanced IPv6 ACL for the user. 
ipv6-acl-number: Specifies a basic or advanced IPv6 ACL by its number. The basic IPv6 ACL 
number is in the range of 2000 to 2999. The advanced IPv6 ACL number is in the range of 3000 to 
3999. 
name ipv6-acl-name: Specifies a basic or advanced IPv6 ACL by its name, a case-insensitive string 
of 1 to 63 characters. 
local: Specifies the local SNMP engine. By default, an SNMPv3 user is associated with the local 
SNMP engine. 
engineid engineid-string: Specifies an SNMP engine ID. The engineid-string argument is a string of 
10 to 64 hexadecimal characters, and the number of characters must be even. All-zero and all-F 
strings are invalid. If you change the local engine ID, the existing SNMPv3 users and keys become 
invalid. To delete an invalid username, specify the engine ID associated with the username in the 
undo snmp-agent usm-user v3 command. 
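The value constraints above (engineid-string, the plaintext priv-password, and ACL numbers) can be checked before a configuration is pushed to a device. The following Python is an added example, not part of the vendor documentation; the function names are hypothetical, and treating "special characters" as ASCII punctuation is an assumption because the page does not define the set.

```python
import re
import string

HEX_RE = re.compile(r"[0-9A-Fa-f]+")
# Assumption: "special characters" means ASCII punctuation; the page does not list the set.
SPECIAL = set(string.punctuation)

def check_engine_id(engine_id):
    """Return the problems found in an engineid-string (empty list = valid)."""
    if not HEX_RE.fullmatch(engine_id):
        return ["not a hexadecimal string"]
    problems = []
    if len(engine_id) % 2:
        problems.append("odd number of characters")
    if not 10 <= len(engine_id) <= 64:
        problems.append("length outside 10 to 64")
    if set(engine_id.upper()) in ({"0"}, {"F"}):
        problems.append("all-zero or all-F string")
    return problems

def check_priv_password(key, fips):
    """Return the problems found in the plaintext form of priv-password."""
    low = 15 if fips else 1
    problems = []
    if not low <= len(key) <= 64:
        problems.append(f"length outside {low} to 64")
    if fips:
        classes = {
            "number": set(string.digits),
            "uppercase letter": set(string.ascii_uppercase),
            "lowercase letter": set(string.ascii_lowercase),
            "special character": SPECIAL,
        }
        problems += [f"missing {name}" for name, chars in classes.items()
                     if not chars & set(key)]
    return problems

def check_acl_number(number):
    """Classify an IPv4 or IPv6 ACL number; None means out of range."""
    if 2000 <= number <= 2999:
        return "basic"
    if 3000 <= number <= 3999:
        return "advanced"
    return None

if __name__ == "__main__":
    # Constructed sample values, not taken from any device.
    print(check_engine_id("FFFFFFFFFFFF"))
    print(check_priv_password("alllowercaseandlong", fips=True))
```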
Usage guidelines 
Only users with the network-admin or level-15 user role can execute this command. Users with other 
user roles cannot execute this command even if these roles are granted access to commands of the 
SNMP feature or this command. 
You can use either of the following modes to control SNMPv3 user access to MIB objects. 
• VACM—Controls user access to MIB objects by assigning the user to an SNMP group. For the 
user to take effect, make sure the group has been created. An SNMP group contains 
one or multiple users and specifies the MIB views and security model for the users. The 
authentication and encryption algorithms for each user are specified when the user is created. 
• RBAC—Controls user access to MIB objects by assigning user roles to the user. A user role 
specifies the MIB objects accessible to the user and the operations that the user can perform on 
the objects. After you create a user in RBAC mode, you can use the snmp-agent usm-user v3 
user-role command to assign more user roles to the user. You can assign a maximum of 64 
user roles to a user.  
RBAC mode controls access on a per MIB object basis, and VACM mode controls access on a MIB 
view basis. As a best practice to enhance MIB security, use RBAC mode. 
You can execute the snmp-agent usm-user v3 command multiple times to create different SNMPv3 
users in VACM mode. If you do not change the username each time, the most recent configuration 
takes effect. 
You can execute the snmp-agent usm-user v3 command in RBAC mode multiple times to assign 
different user roles to an SNMPv3 user. The following restrictions and guidelines apply: