05-07-2024 11:26 AM
I have an 8000-series router running IOS XR. I need SNMPv2 to work, but by default that enables SNMPv3. I need to explicitly disable SNMPv3 without disabling SNMPv2.
ACLs don't seem to work on the SNMPv2 configuration line. ACL'ing the physical interface that the packets enter through is a challenge, unless there's a way to distinguish SNMPv2 and v3 in an interface ACL.
Can I disable SNMPv3 without disabling SNMPv2?
(I'm told that it's due to this: https://arxiv.org/abs/2109.15095 which I disagree with being a thing to defend against but I've been overridden.)
weylin
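The question above asks whether an interface ACL can tell SNMPv2c from SNMPv3. It cannot: both share UDP/161, and the version number only exists inside the BER-encoded payload. The following Python parser is an added example, not code from the original thread or from Cisco; it decodes just enough of the SNMP message header to report the version (and, for v3, the msgFlags security level), which is what a capture-based audit or an IDS rule would need to do. The packets it parses are constructed inline with a small BER builder and are not real captures; the community string "public" and the v3 user name "monitor" are placeholder values.

```python
"""Classify SNMP versions from raw UDP/161 payloads (added example, not Cisco code)."""
from collections import Counter


# --- minimal BER helpers (definite short-form lengths only, which SNMP headers use) ---
def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128, "builder supports short-form lengths only"
    return bytes([tag, len(body)]) + body


def _int(v: int) -> bytes:
    return _tlv(0x02, bytes([v]))          # small non-negative INTEGER


def _oct(b: bytes) -> bytes:
    return _tlv(0x04, b)                   # OCTET STRING


def _seq(*parts: bytes) -> bytes:
    return _tlv(0x30, b"".join(parts))     # SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos); handles short and long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give byte count of length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


# --- constructed sample messages (not captured traffic) ---
# GetRequest PDU: request-id=1, error-status=0, error-index=0, empty varbind list
GET_PDU = _tlv(0xA0, _int(1) + _int(0) + _int(0) + _seq())
V1_GET = _seq(_int(0), _oct(b"public"), GET_PDU)   # version 0 = SNMPv1
V2C_GET = _seq(_int(1), _oct(b"public"), GET_PDU)  # version 1 = SNMPv2c


def _v3(flags: int) -> bytes:
    """SNMPv3 message with USM header; flags bit0=auth, bit1=priv, bit2=reportable."""
    global_data = _seq(_int(1), _tlv(0x02, b"\x05\xdc"), _oct(bytes([flags])), _int(3))
    usm = _oct(_seq(_oct(b""), _int(0), _int(0), _oct(b"monitor"), _oct(b""), _oct(b"")))
    if flags & 0x02:
        scoped = _oct(b"\x00" * 16)        # with priv set the ScopedPDU is an opaque OCTET STRING
    else:
        scoped = _seq(_oct(b""), _oct(b""), GET_PDU)
    return _seq(_int(3), global_data, usm, scoped)


V3_NOAUTH = _v3(0x04)      # reportable, noAuthNoPriv
V3_AUTHPRIV = _v3(0x07)    # reportable, authPriv


# --- the actual classifier ---
def parse_snmp_header(payload: bytes) -> dict:
    """Decode the SNMP version and, for v3, the security level from a UDP payload."""
    tag, msg, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("not an SNMP message: version INTEGER missing")
    version = int.from_bytes(ver, "big")
    if version in (0, 1):
        tag, community, _ = _read_tlv(msg, pos)   # community-based header
        return {"version": "v1" if version == 0 else "v2c",
                "community": community.decode(errors="replace"),
                "auth": False, "priv": False}
    if version == 3:
        _, gdata, _ = _read_tlv(msg, pos)          # msgGlobalData SEQUENCE
        _, _, p = _read_tlv(gdata, 0)              # msgID
        _, _, p = _read_tlv(gdata, p)              # msgMaxSize
        _, flags, _ = _read_tlv(gdata, p)          # msgFlags
        return {"version": "v3", "community": None,
                "auth": bool(flags[0] & 0x01), "priv": bool(flags[0] & 0x02)}
    raise ValueError(f"unsupported SNMP version field {version}")


def is_snmp(payload: bytes) -> bool:
    try:
        parse_snmp_header(payload)
        return True
    except (ValueError, IndexError):
        return False


def summarize(payloads) -> dict:
    """Count versions across a batch of UDP/161 payloads, ignoring non-SNMP data."""
    return dict(Counter(parse_snmp_header(p)["version"] for p in payloads if is_snmp(p)))


if __name__ == "__main__":
    for name, pkt in [("v1", V1_GET), ("v2c", V2C_GET), ("v3 noAuth", V3_NOAUTH), ("v3 authPriv", V3_AUTHPRIV)]:
        print(name, parse_snmp_header(pkt))
    print(summarize([V2C_GET, V3_NOAUTH, V3_AUTHPRIV, b"\x00\x01"]))
```

The takeaway for the thread's question: a layer-3/4 ACL never sees the version INTEGER that sits two bytes into the payload, so the only interface-level options are all-or-nothing on UDP/161, which is why the eventual "block all SNMP with a port ACL" outcome is consistent with how the protocol is encoded. Feeding this parser the payloads from a capture of the management interface lets you verify that no v3 traffic is arriving after the change.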
05-07-2024 11:06 PM
Hello,
interesting subject. I guess SNMPv3 was introduced specifically to address security concerns. I read the paper about SNMPv3 fingerprinting, and it looks like your co-workers might have a point. Either way, the first thing I would do is change the default UDP port SNMPv2 and SNMPv3 are using (161/162):
snmp-server port <port-number>
and then block UDP 161 and 162 with an access list. The access list would look something like this:
ipv4 access-list BLOCK-SNMP-UDP
 deny udp any any eq snmp
 deny udp any any eq snmptrap
 permit ip any any
!
control-plane
 management-plane
  inband
   service-policy input BLOCK-SNMP-UDP
!
commit
Other than that, I am not sure if you can explicitly block v3; if you specify 2c when you configure SNMP, you have the option to specify the version:
snmp-server host <hostname-or-ip> <community-string> [version {1 | 2c | 3 [auth | noauth | priv]}] [udp-port <port>] [ipv6]
The command:
no snmp-server group <group-name> v3
might also help.
01-07-2025 06:48 PM
We ended up just implementing a Port ACL to block all SNMP traffic. A bit of a cudgel response, but was deemed operationally more supportable. Ah well, would've loved to try this.
05-07-2024 11:08 PM
You can use the syntax below:
snmp-server user username groupname {v1 | v2c | v3 [auth {md5 | sha} {clear | encrypted} auth-password [priv des56 {clear | encrypted} priv-password]]} [access-list-name]
Even though SNMPv3 and v2 co-exist in the router, it's OK: you can set up SNMPv3 with different users (not shared with anyone) and share only the SNMPv2 information, with an ACL to allow devices to poll.