Network technologies and trends

Jul 15 2008   6:36AM GMT

How to Secure SNMP in Cisco Switches and Routers



Posted by: Yasir Irfan
Tags:
Access List
Cisco
Cisco 2950
Cisco 3560
Cisco 3560-E
Cisco 3745
Cisco 3750-E
Cisco 6500
Cisco Learning
Cisco Tips
Networking
Routers
SNMP
Switches

This article focus on the ways how we can secure SNMP access in Cisco Switches and Routers

Simple Network Management Protocol (SNMP)   uses the default UDP port 161 for general SNMP messages and UDP port 162 for SNMP trap messages.

SNMP is a service used to perform network management functions using a data structure called a Management Information Base (MIB). Unfortunately, SNMP version 1 is widely implemented but not very secure, using only clear-text community strings for access to information on the switch, including its configuration file.

If SNMP is not being used, then executing the following commands will disable the service.
Switch(config)# no snmp-server community
Switch(config)# no snmp-server enable traps
Switch(config)# no snmp-server system-shutdown
Switch(config)# no snmp-server

If SNMP is required for a switch or router configure the switch or router  for SNMP version 3. This version is more secure than SNMP version 1 because version 3 can use cryptographic hashes for authentication to protect the community string. The above commands for disabling SNMP are recommended for use before deploying SNMP version 3 to remove any possible default community strings. The following commands show an example User Security Model for SNMP version 3 for the switch. The model begins with creating a standard access-list (e.g., 12) that allows only those systems that manage the switch. Next, define a group (e.g., admins) with read and write MIB views (e.g., adminview). Then each user (e.g., root) is added to the group with a password (e.g., 5ecret-5TR1N) that can be hashed (e.g., using md5) before being sent across the network. Also, the standard access-list (e.g., 12) is applied to the user. Finally, the MIB view (e.g., adminview) is defined by one or more statements to include or to exclude portions of the MIB. The MIB view in the following example gives access to the Internet branch of the MIB except the branches that display IP addresses and IP routing information.

Switch(config)# no access-list 12
Switch(config)# access-list 12 permit 10.0.0.2
Switch(config)# access-list 12 permit 10.0.0.4
Switch(config)# snmp-server group admins v3 auth read adminview write adminview
Switch(config)# snmp-server user root admins v3 auth md5 5ecret-5TR1N access 12

Switch(config)# snmp-server view adminview internet included
Switch(config)# snmp-server view adminview ipAddrEntry excluded
Switch(config)# snmp-server view adminview ipRouteEntry excluded

If SNMP is required for a switch and only SNMP version 1 is available, then the following commands show an example of how to configure the switch with a community string (e.g., g00d-5tr1n9) that has read-only permissions and a standard access-list (e.g., 12) applied to it.

Switch(config)# no access-list 12
Switch(config)# access-list 12 permit 10.0.0.2
Switch(config)# access-list 12 permit 10.0.0.4
Switch(config)# snmp-server community g00d-5tr1n9 ro 12

In addition to the configuration of the SNMP service, SNMP Trap information can be sent to the systems that manage the switches. The following commands show an example of this configuration.

Switch(config)# snmp-server host 10.0.0.2 traps g00d-5tr1n9-2
Switch(config)# snmp-server host 10.0.0.4 traps g00d-5tr1n9-2
Switch(config)# snmp-server trap-source Loopback0
Switch(config)# snmp-server enable traps

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: