Disable SNMPv3 on IOS XR

I have an 8000-series router running IOS XR. I need SNMPv2 to work, but by default that enables SNMPv3. I need to explicitly disable SNMPv3 without disabling SNMPv2.

ACLs don't seem to work on the SNMPv2 configuration line.  ACL'ing the physical interface that the packets enter through is a challenge, unless there's a way to distinguish SNMPv2 and v3 in an interface ACL.

Can I disable SNMPv3 without disabling SNMPv2?

(I'm told that it's due to this: https://arxiv.org/abs/2109.15095 which I disagree with being a thing to defend against, but I've been overridden.)

weylin

2 Replies

Hello,

interesting subject. I guess SNMPv3 was introduced specifically to address security concerns. I read the paper about SNMPv3 fingerprinting, and it looks like your co-workers might have a point. Either way, the first thing I would do is change the default UDP port SNMPv2 and SNMPv3 are using (161/162):

snmp-server port <port-number>

and then block UDP 161 and 162 with an access list. The access list would look something like this (IOS XR uses the ipv4 keyword rather than ip in ACL entries, and a plain interface ACL is applied with ipv4 access-group ... ingress; the interface name is a placeholder):

ipv4 access-list BLOCK-SNMP-UDP
 10 deny udp any any eq snmp
 20 deny udp any any eq snmptrap
 30 permit ipv4 any any
!
interface <ingress-interface>
 ipv4 access-group BLOCK-SNMP-UDP ingress
!
commit

Other than that, I am not sure if you can explicitly block v3; if you specify 2c when you configure SNMP, you have the option to specify the version:

snmp-server host <hostname-or-ip> <community-string> [version {1 | 2c | 3 [auth | noauth | priv]}] [udp-port <port>] [ipv6]

The command:

no snmp-server group <group-name> v3

might also help.

balaji.bandi
Hall of Fame

You can use the syntax below:

snmp-server user username groupname {v1 | v2c | v3 [auth {md5 | sha} {clear | encrypted} auth-password [priv des56 {clear | encrypted} priv-password]]} [access-list-name]

Even though SNMPv3 and v2 coexist in the router, it's OK: you can set up separate SNMPv3 users (not shared with anyone) and share only the SNMPv2 information, with an ACL that allows the polling devices.

BB

***** Rate All Helpful Responses *****
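Both replies come down to the same checks a defender would want to run against the running configuration: are any SNMPv3 groups or users still defined, does every SNMPv2c community carry an access list, and does the ingress ACL actually deny UDP 161 and 162? The script below is an added example, not part of this thread or of any Cisco tool. It parses a constructed IOS XR configuration fragment with regular expressions (the community name, group name, user name, ACL names and interface are all made up for the example) and reports those three findings.

```python
import re

# Constructed IOS XR running-config fragment used as example input.
# Every name and address here is made up; it is not from a real device.
SAMPLE_CONFIG = """\
snmp-server community MONITOR-RO RO SNMP-POLLERS
snmp-server community LEGACY RO
snmp-server group NETADMIN v3 priv
snmp-server user opsuser NETADMIN v3
snmp-server host 192.0.2.10 traps version 2c MONITOR-RO
ipv4 access-list SNMP-POLLERS
 10 permit ipv4 host 192.0.2.10 any
 20 deny ipv4 any any
!
ipv4 access-list BLOCK-SNMP-UDP
 10 deny udp any any eq snmp
 20 deny udp any any eq snmptrap
 30 permit ipv4 any any
!
interface GigabitEthernet0/0/0/0
 ipv4 access-group BLOCK-SNMP-UDP ingress
!
"""

# snmp-server community <name> [view <v>] {RO|RW} [SDROwner|SystemOwner] [acl]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)? (?:RO|RW)"
    r"(?: (?:SDROwner|SystemOwner))?(?: (\S+))?\s*$", re.M)
V3_GROUP_RE = re.compile(r"^snmp-server group (\S+) v3\b", re.M)
V3_USER_RE = re.compile(r"^snmp-server user (\S+) \S+ v3\b", re.M)


def parse_acls(config):
    """Return {acl_name: [entry, ...]} for every 'ipv4 access-list' block."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^ipv4 access-list (\S+)\s*$", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current is not None and line.startswith(" "):
            acls[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return acls


def parse_ingress_acls(config):
    """Return {interface: acl_name} for every 'ipv4 access-group ... ingress'."""
    result, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^ +ipv4 access-group (\S+) ingress\b", line)
        if m and current:
            result[current] = m.group(1)
        elif not line.startswith(" "):
            current = None
    return result


def denies_default_snmp_ports(entries):
    """True only if the ACL denies both UDP 161 (snmp) and UDP 162 (snmptrap)."""
    joined = "\n".join(entries)
    agent = re.search(r"^\d*\s*deny udp any any eq (?:snmp|161)$", joined, re.M)
    trap = re.search(r"^\d*\s*deny udp any any eq (?:snmptrap|162)$", joined, re.M)
    return bool(agent and trap)


def audit_snmp(config):
    """Summarise the SNMP exposure of one IOS XR configuration text."""
    acls = parse_acls(config)
    ingress = parse_ingress_acls(config)
    return {
        "v3_groups": V3_GROUP_RE.findall(config),
        "v3_users": V3_USER_RE.findall(config),
        # Communities with no trailing access-list name accept any source.
        "communities_without_acl": [
            name for name, acl in COMMUNITY_RE.findall(config) if not acl],
        # Interfaces whose ingress ACL drops the default SNMP ports.
        "default_ports_blocked_on": sorted(
            intf for intf, acl in ingress.items()
            if acl in acls and denies_default_snmp_ports(acls[acl])),
    }


if __name__ == "__main__":
    for key, value in audit_snmp(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against a saved `show running-config` instead of the constructed sample to get the same report for a real box. The regexes cover only the command forms quoted in this thread; a community configured with a view or owner keyword in an order the patterns do not expect will simply be missed, so treat an empty finding as "nothing matched", not as proof of absence.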
