How to completely restrict SNMPv3 access

andreassb
Level 4

When enabling the SNMP process on a Cisco router or switch by configuring an SNMP v1/v2c community, it also automatically enables SNMPv3.

The issue is that no matter how much I restrict SNMP access with ACLs, the IOS device will always respond to SNMPv3 with manufacturer ID and uptime, when not specifying any SNMP username or community.

(Try it out with nmap: nmap -sU -p 161 -A -v 1.2.3.4)

The device always responds with the following OIDs: enterprise, engineIDFormat, engineIDData, snmpEngineBoots, snmpEngineTime

This concerns me, because I do not want any information to be available via SNMP to unauthorized users.

I applied ACLs in the following ways. None of them work.

ip access-list standard V3_DENY
 deny any
snmp-server group ILMI v1 access V3_DENY
snmp-server group ILMI v2c access V3_DENY
snmp-server group ILMI v3 noauth access V3_DENY
snmp-server group TESTGROUP v3 priv read TESTVIEW access V3_DENY
snmp-server view TESTVIEW system excluded
snmp-server community TEST RO V3_DENY

So the question is: How can I completely restrict SNMPv3 access?

One solution would be to use infrastructure ACLs on layer-3 interfaces. But this does not scale for devices with many interfaces.

Another solution is to drop the traffic via Control-plane policing. But this feature is not available on all devices.

What would you recommend?
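The two mitigations named in the post, written out as an added example (this is not configuration from the original post or from Cisco documentation). Background for why the SNMP-process ACLs above have no effect: the SNMPv3 engine-ID discovery exchange defined in RFC 3414 (a request with a zero-length user name and empty engine ID) is answered by the SNMP engine with a Report PDU carrying the engine ID, boots and time before any user, group or community lookup takes place, so the only place to stop it is before the packet reaches the SNMP engine. The management-station address 192.0.2.10 and the interface name are assumptions.

```cisco
! Added example, not part of the original post. 192.0.2.10 stands in for the
! management station (NMS); the interface name is assumed.
!
! Option 1: infrastructure ACL applied inbound on each layer-3 interface.
! Only the NMS may send UDP/161 through this interface; non-SNMP traffic is
! unaffected. Has to be applied per interface, which is the scaling problem
! the post describes.
ip access-list extended IACL_SNMP
 permit udp host 192.0.2.10 any eq snmp
 deny   udp any any eq snmp
 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group IACL_SNMP in
!
! Option 2: Control-plane policing. In a CoPP class, ACL "permit" entries
! select the traffic the class acts on and "deny" entries exempt it, so the
! NMS is exempted and every other SNMP packet aimed at the control plane is
! dropped before the SNMP engine sees it. Configured once for the whole box,
! but requires a platform that supports CoPP (not all do, as the post notes).
ip access-list extended COPP_SNMP_UNTRUSTED
 deny   udp host 192.0.2.10 any eq snmp
 permit udp any any eq snmp
!
class-map match-all COPP_SNMP_UNTRUSTED
 match access-group name COPP_SNMP_UNTRUSTED
!
policy-map COPP
 class COPP_SNMP_UNTRUSTED
  drop
!
control-plane
 service-policy input COPP
```

Two caveats. The iACL above uses "any" as the destination, so it also blocks SNMP transiting the device toward hosts behind it; a production iACL would normally list the device's own addresses as the destination instead. On IOS releases that do not accept a bare drop action inside a CoPP class, "police <rate> conform-action drop exceed-action drop" achieves the same result. Either way, rerunning the nmap command from the post from a non-management source is the check: once the discovery Report is filtered before the SNMP engine, the enterprise, engine ID, boots and time values no longer appear, while the NMS at 192.0.2.10 can still complete discovery.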
