SNMP Settings - Lock down

londint
Level 1

Hi All

Pls how can I seriously tighten down SNMP access to the switches? IOS and CatOS.

This is to include password so that only my PC can access them.

I have changed the following:

snmp-server community secret RW 10
snmp-server community aaaaa RO 10
snmp-server community bbbbb RW 10
snmp-server host 2.2.2.2 aaaaa   (CiscoWorks server)

Did an access-list:

access-list 10 permit 1.1.1.1   (my PC)
access-list 10 permit 2.2.2.2   (CiscoWorks)

But someone ran an SNMP analyzer and was still able to gain access to the switch. How? What else do I still need to do to further enhance this?

Thanks

3 Replies

David Stanford
Cisco Employee

Was the person running the snmp analyzer from IP address 1.1.1.1 or 2.2.2.2? Other than this the access-list should prevent them from polling via RO or RW.

What kind of access did they gain?

You could try snmp v3 which adds more security than v2c including encryption.

Thanks.

They were actually trying it from a PC that was included in the access list.

Thanks for your help.

Joe Clarke
Cisco Employee

What kind of access did they gain? What community string did they end up using? You have done a good job securing SNMP here. My only comment would be why have two RW community strings? They are both granted the same access level to the same hosts.

If someone from a host other than 1.1.1.1 or 2.2.2.2 was able to poll this device using one of those three community strings, then there is a problem. We have seen bugs in the past, but they should all be fixed on newer versions of IOS. What version are you running?

Of course, if they were running the analyzer from either 1.1.1.1 or 2.2.2.2, then obtaining the SNMP community strings is a trivial task. The only step up from what you have now would be to convert to SNMPv3 authNoPriv. SNMPv3 authNoPriv will give you the added security of encrypted passwords while still allowing CiscoWorks to function.

More on securing SNMP, including configuring SNMPv3, can be found at http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094489.shtml.
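The point in the replies above is that the access-list is doing its job: a request from 1.1.1.1 or 2.2.2.2 is allowed by design, and with v1/v2c the community string travels in cleartext in every packet, so anyone who can see or reuse it from an allowed host has the same access. SNMPv3 with authentication replaces the shared string with a per-user key: each request carries an HMAC (MD5 or SHA) over the message plus an engine-time window, so the credential is never sent on the wire and a captured packet cannot be replayed later. authNoPriv authenticates but still sends the OID values in the clear; authPriv additionally encrypts the payload (DES/AES) on IOS images that include crypto support. The following IOS configuration is an added example illustrating the layered lock-down discussed in this thread; it is not from the original post or from Cisco's document. The view, group and user names (MGMT, NMS-RO, NMS-RW, cwuser, admin) and the passphrase placeholders are assumptions, and the IP addresses are the ones the original poster used.

```cisco
! Added example: SNMPv3 lock-down on IOS, not the original poster's config.
! 1. Per-host source restriction (same ACL the poster used, with an explicit
!    logging deny so rejected polls show up in the log).
access-list 10 permit host 1.1.1.1
access-list 10 permit host 2.2.2.2
access-list 10 deny   any log
!
! 2. Restrict what the NMS may see. 'iso included' exposes the whole tree;
!    narrow it (e.g. to system, interfaces) once you know what CiscoWorks needs.
snmp-server view MGMT iso included
!
! 3. v3 groups: 'auth' = authNoPriv minimum. The ACL is attached to the group
!    as well, so a valid user from a non-listed host is still refused.
snmp-server group NMS-RO v3 auth read MGMT access 10
snmp-server group NMS-RW v3 auth read MGMT write MGMT access 10
!
! 4. Users. Passphrases are placeholders; IOS requires at least 8 characters.
!    The RW user is given privacy (AES) where the image supports it; drop the
!    'priv ...' clause on a non-crypto image to stay at authNoPriv.
snmp-server user cwuser NMS-RO v3 auth sha <AUTH-PASSPHRASE-RO>
snmp-server user admin  NMS-RW v3 auth sha <AUTH-PASSPHRASE-RW> priv aes 128 <PRIV-PASSPHRASE-RW>
!
! 5. Send traps to CiscoWorks as an authenticated v3 user instead of a community.
snmp-server host 2.2.2.2 version 3 auth cwuser
!
! 6. Remove the v1/v2c community strings once CiscoWorks polls over v3;
!    leaving even one RO community in place keeps the cleartext path open.
no snmp-server community secret
no snmp-server community aaaaa
no snmp-server community bbbbb
```

Verify with `show snmp group` (the ACL and views attached to each group) and `show snmp user` (auth/priv protocols; the keys themselves are never displayed). Two caveats worth knowing before rollout: SNMPv3 user keys are derived from the local engine ID, so if you later set `snmp-server engineID local`, the users must be recreated; and CiscoWorks must be told the v3 user credentials for each device, or it will fall back to failing v2c polls. On CatOS the equivalent per-host restriction is the IP permit list (`set ip permit enable snmp` followed by `set ip permit 1.1.1.1 snmp` per management host) rather than a numbered access-list.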
