Cisco Support Community

New Member

SNMP Settings - Lock down

Hi All

Please, how can I seriously tighten down SNMP access to the switches? IOS and CatOS.

This is to include a password so that only my PC can access them.

I have changed the following:

snmp-server community secret RW 10

snmp-server community aaaaa RO 10

snmp-server community bbbbb RW 10

snmp-server host 2.2.2.2 aaaaa   ! CiscoWorks server

Did an access-list:

access-list 10 permit 1.1.1.1   ! my PC

access-list 10 permit 2.2.2.2   ! CiscoWorks

But someone ran an SNMP analyzer and was still able to gain access to the switch. How? What else do I still need to do to further enhance this?

Thanks

3 REPLIES
Cisco Employee

Re: SNMP Settings - Lock down

Was the person running the SNMP analyzer from IP address 1.1.1.1 or 2.2.2.2? Other than this, the access list should prevent them from polling via RO or RW.

What kind of access did they gain?

You could try SNMPv3, which adds more security than v2c, including encryption.

New Member

Re: SNMP Settings - Lock down

Thanks.

They were actually trying it from a PC that was included in the access list.

Thanks for your help.

Cisco Employee

Re: SNMP Settings - Lock down

What kind of access did they gain? What community string did they end up using? You have done a good job securing SNMP here. My only comment would be why have two RW community strings? They are both granted the same access level to the same hosts.

If someone from a host other than 1.1.1.1 or 2.2.2.2 was able to poll this device using one of those three community strings, then there is a problem. We have seen bugs in the past, but they should all be fixed on newer versions of IOS. What version are you running?

Of course, if they were running the analyzer from either 1.1.1.1 or 2.2.2.2, then obtaining the SNMP community strings is a trivial task. The only step up from what you have now would be to convert to SNMPv3 authNoPriv. SNMPv3 authNoPriv will give you the added security of encrypted passwords while still allowing CiscoWorks to function.

More on securing SNMP, including configuring SNMPv3, can be found at http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094489.shtml .
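The change the last reply points at, written out as an added IOS configuration example. This is not from the thread or from Cisco's tech note; the view, group and user names, the passphrases and the IP addresses are placeholders chosen for illustration. It drops the three v2c communities (whose strings cross the wire in cleartext, which is why a host on the permit list, or anyone who can sniff its traffic, gets them trivially) and replaces them with SNMPv3 users. One caveat on the reply's wording: authNoPriv authenticates each packet with a keyed hash of the user's password but does not encrypt the MIB data; only authPriv encrypts it, so the read-write user below is configured as authPriv while the CiscoWorks poller stays authNoPriv as the reply suggests. The source ACL is kept as a second control.

```cisco
! Remove the v1/v2c communities (two RW strings with the same ACL buy nothing)
no snmp-server community secret RW 10
no snmp-server community aaaaa RO 10
no snmp-server community bbbbb RW 10
!
! Keep the source ACL as defence in depth; log anything else that tries
access-list 10 remark SNMP managers only
access-list 10 permit host 1.1.1.1
access-list 10 permit host 2.2.2.2
access-list 10 deny any log
!
! View: whole tree here; narrow it to what the poller actually needs
snmp-server view NMS-VIEW iso included
!
! Groups: authNoPriv (auth) for the poller, authPriv (priv) for the admin PC
snmp-server group NMS-RO v3 auth read NMS-VIEW access 10
snmp-server group NMS-RW v3 priv read NMS-VIEW write NMS-VIEW access 10
!
! Users: placeholder passphrases, SHA for authentication, AES-128 for privacy
! (older images may only offer des/3des for priv)
snmp-server user ciscoworks NMS-RO v3 auth sha CwAuthPass123 access 10
snmp-server user admin NMS-RW v3 auth sha AdmAuthPass123 priv aes 128 AdmPrivPass123 access 10
!
! Traps to CiscoWorks as the v3 user, authenticated rather than by community
snmp-server host 2.2.2.2 version 3 auth ciscoworks
!
! Verify: no communities left, v3 users and groups present
! show snmp community
! show snmp user
! show snmp group
```

Two things to check after applying it: `snmp-server user` lines are not displayed in the running configuration, so use `show snmp user` rather than `show run` to confirm them, and the users are bound to the local SNMP engine ID, so if the engine ID is changed later they have to be re-created. A v2c poll with any of the old strings, from any source, should then be refused, and the `log` keyword on the ACL will record attempts from hosts outside the permit list.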
