cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1874
Views
0
Helpful
0
Replies

How to completely restrict SNMPv3 access

andreassb
Level 4
Level 4

When enabling the SNMP proccess on a Cisco router or switch by configuring an SNMP v1/v2c community, it also automatically enables SNMPv3.

The issue is, that no mater how much I restrcit SNMP access with ACLs, the IOS device will always respond to SNMPv3 with manufacture ID and uptime, when not specifying any SNMP username or community.

(Try it out with nmap: nmap -sU -p 161 -A -v 1.2.3.4)

The device always responds with the following OIDs:  enterprise, engineIDFormat, engineIDData, snmpEngineBoots, snmpEngineTime

This concerns me, because I do not want any information to be avalible via SNMP to unauthorized users.

I applied ACLs in the following ways. None of them work.

ip access-list standard V3_DENY

  deny   any

snmp-server group ILMI v1 access V3_DENY

snmp-server group ILMI v2c access V3_DENY

snmp-server group ILMI v3 noauth access V3_DENY

snmp-server group TESTGROUP v3 priv read TESTVIEW access V3_DENY

snmp-server view TESTVIEW system excluded

snmp-server community TEST RO V3_DENY

So the question is: How can I completely restrict SNMPv3 access?

One solution would be to use infrastructure ACLs on layer-3 interface. But this does not scale for devices with many interfaces.

Another solution is to drop the trafic via Control-plane policing. But this feature is not avalible on all devices.

What would you recommend?

0 Replies 0

Review Cisco Networking for a $25 gift card