SNMP Newbee Security Queries

Hi All

I want to enable the snmp agent on the Cisco devices in our infrastructure using the following command

snmp-server community string [view view-name] [ro | rw] [ipv6 nacl] [access-list-number | extended-access-list-number | access-list-name]

For security, I know how to do the following:

  • Use access lists to limit the ip addresses that can query the snmp service
  • Use a complex "community string"

However, I don't know how to do the following and whether it is possible. Could anybody help?!?

Query 1:

When you enable the snmp agent on a Cisco device, can it be queried on any ip address that the router/switch holds?

For example, if a switch has 7 vlans with 7 ip addresses, will the snmp agent respond to snmp requests directed to all 7 of the ip addresses? If this is the case, can you limit the snmp agent to respond to snmp requests to a particular vlan/ip address?

Query 2:

If somebody were to try a dictionary attack against the snmp service, what defences can you use?

For example, for logging onto the vty of a cisco device, we use:

login block-for 120 attempts 5 within 30

login delay 3

Would this apply to attempts to "log onto" the snmp service or is there an equivalent for snmp?

Thanks to all!

John

Accepted Solutions

SNMP Newbee Security Queries

Hi John,

For your Q1: 

R1(config)#snmp-server source-interface

Q2:

R1(config)#snmp-server trap authentication ?

  acl-failure      enable authentication traps for access list failure

  unknown-context  enable authentication traps for unknown context error

  vrf              enable authentication traps for packets on a vrf

HTH,

Smitesh
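The IOS configuration below is an added example, not part of the original thread, that puts John's two queries and the accepted answer's commands into one worked config. It assumes placeholder addresses (192.0.2.x), a management VLAN interface Vlan10, a Loopback0 for trap sourcing, and an image that supports Management Plane Protection (the "control-plane host" section); the ACL, view, group and user names are invented for illustration. Note that "snmp-server source-interface" fixes the source address of outgoing traps/informs; what limits who may query the agent is the ACL bound to the community or SNMPv3 group, plus MPP for limiting the interfaces on which SNMP is accepted at all. Because SNMP is a stateless UDP service, the vty "login block-for" throttle has no SNMP equivalent; the defences are the ACL, SNMPv3 authPriv credentials, and the authentication-failure trap so that guessing attempts are visible to the NMS/SIEM.

```cisco
! Added example (not from the thread). Addresses, interface names and
! the ACL/view/group/user names are placeholders.
!
! Q1: the agent answers on every address the box owns. Limit the
! sources that may query it with an ACL bound to the SNMP group, and
! log anything else that tries.
ip access-list standard SNMP-MGMT
 permit 192.0.2.10
 permit 192.0.2.11
 deny   any log
!
! Prefer SNMPv3 authPriv over a v1/v2c community: a captured packet
! does not yield a reusable plaintext string.
snmp-server view NMS-VIEW iso included
snmp-server group NMS-GROUP v3 priv read NMS-VIEW access SNMP-MGMT
! Passphrases are placeholders; IOS requires at least 8 characters.
snmp-server user nms-poller NMS-GROUP v3 auth sha AUTH-PASSPHRASE-PLACEHOLDER priv aes 128 PRIV-PASSPHRASE-PLACEHOLDER
!
! Source address for outgoing traps (the command from the accepted
! answer). This does not by itself stop queries on other addresses.
snmp-server source-interface traps Loopback0
!
! Management Plane Protection: accept SNMP only on the management VLAN
! interface (assumes an image with MPP support).
control-plane host
 management-interface Vlan10 allow snmp
!
! Q2: no login throttle exists for SNMP; instead emit an
! authenticationFailure trap and a log entry for every bad
! community/credential so a dictionary attempt is seen immediately.
snmp-server enable traps snmp authentication
snmp-server host 192.0.2.10 version 3 priv nms-poller
logging host 192.0.2.20
```

The ACL's "deny any log" line and the authentication trap complement each other: the first records queries from addresses that are not allowed to talk to the agent at all, the second records bad credentials from addresses that are.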

2 REPLIES


SNMP Newbee Security Queries

Hi Smitesh

Yes, that did help.

Thanks

John
