When enabling the SNMP process on a Cisco router or switch by configuring an SNMP v1/v2c community, it also automatically enables SNMPv3.
The issue is that no matter how much I restrict SNMP access with ACLs, the IOS device will always respond to SNMPv3 with manufacturer ID and uptime, when not specifying any SNMP username or community.
(Try it out with nmap: nmap -sU -p 161 -A -v 1.2.3.4)
The device always responds with the following OIDs: enterprise, engineIDFormat, engineIDData, snmpEngineBoots, snmpEngineTime
This concerns me, because I do not want any information to be available via SNMP to unauthorized users.
I applied ACLs in the following ways. None of them work.
ip access-list standard V3_DENY
deny any
snmp-server group ILMI v1 access V3_DENY
snmp-server group ILMI v2c access V3_DENY
snmp-server group ILMI v3 noauth access V3_DENY
snmp-server group TESTGROUP v3 priv read TESTVIEW access V3_DENY
snmp-server view TESTVIEW system excluded
snmp-server community TEST RO V3_DENY
So the question is: How can I completely restrict SNMPv3 access?
One solution would be to use infrastructure ACLs on layer-3 interfaces. But this does not scale for devices with many interfaces.
Another solution is to drop the traffic via Control-plane policing. But this feature is not available on all devices.
What would you recommend?
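The disclosure the post describes is the USM engine discovery step from RFC 3414: an SNMPv3 request with an empty engine ID and empty user name makes the authoritative engine answer with a Report-PDU carrying its engine ID, boots and time, and the engine ID itself encodes the vendor (enterprise number), format and data that nmap prints. The script below is an added example, not part of the original post or of any Cisco tooling: it hand-encodes that discovery probe, decodes the reply, and lets you check whether a device still answers after you apply an ACL or CoPP change. Everything in it is assumed (the BER helpers, the function names, and the constructed SAMPLE_REPORT used for offline testing); only `probe()` touches the network.

```python
"""Check whether a device answers an unauthenticated SNMPv3 engine discovery
and, if it does, show what it discloses (engine ID, enterprise, boots, time).

Added example, not from the original post.  It hand-encodes the RFC 3412/3414
discovery message so no third-party SNMP library is needed.  SAMPLE_REPORT at
the bottom is constructed locally for offline testing."""
import os
import socket

# ---- minimal BER helpers (assumed, written for this example) --------------

def ber_len(n: int) -> bytes:
    """Encode a BER length (short form up to 127, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag: int, payload: bytes) -> bytes:
    """Wrap payload in a tag/length/value triple."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(n: int) -> bytes:
    """Two's-complement INTEGER; only non-negative values are needed here."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)
    return ber(0x02, body)

def ber_read(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def ber_seq_items(payload: bytes):
    """Split the contents of a SEQUENCE into its child (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(payload):
        tag, val, pos = ber_read(payload, pos)
        items.append((tag, val))
    return items

# ---- the discovery exchange -------------------------------------------------

def build_discovery(msg_id: int, request_id: int) -> bytes:
    """SNMPv3 GetRequest with empty engine ID and user name: the USM discovery
    probe of RFC 3414 section 4.  msgFlags 0x04 = reportable, no auth/priv."""
    global_data = ber(0x30, ber_int(msg_id) + ber_int(65507)
                      + ber(0x04, b"\x04") + ber_int(3))
    usm = ber(0x30, ber(0x04, b"") + ber_int(0) + ber_int(0)
              + ber(0x04, b"") + ber(0x04, b"") + ber(0x04, b""))
    pdu = ber(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + ber(0x30, b""))
    scoped = ber(0x30, ber(0x04, b"") + ber(0x04, b"") + pdu)
    return ber(0x30, ber_int(3) + global_data + ber(0x04, usm) + scoped)

def decode_engine_id(eid: bytes) -> dict:
    """Split an SnmpEngineID (RFC 3411) into the fields nmap prints."""
    if not eid:
        return {}
    enterprise = int.from_bytes(eid[:4], "big") & 0x7FFFFFFF
    if eid[0] & 0x80:   # RFC 3411 layout: 4-byte enterprise, 1-byte format, data
        return {"enterprise": enterprise, "format": eid[4], "data": eid[5:].hex()}
    return {"enterprise": enterprise, "format": None, "data": eid[4:].hex()}

def parse_report(msg: bytes):
    """Return the USM fields a Report-PDU reply discloses, or None if the
    message is not an SNMPv3 Report (e.g. the device did not answer)."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        return None
    version, _global_data, sec_params, scoped = ber_seq_items(body)[:4]
    if int.from_bytes(version[1], "big") != 3:
        return None
    if ber_seq_items(scoped[1])[2][0] != 0xA8:      # 0xA8 = Report-PDU
        return None
    usm = ber_seq_items(ber_read(sec_params[1])[1])  # OCTET STRING holds a SEQUENCE
    engine_id = usm[0][1]
    info = {"engine_id": engine_id.hex(),
            "boots": int.from_bytes(usm[1][1], "big"),
            "time": int.from_bytes(usm[2][1], "big")}
    info.update(decode_engine_id(engine_id))
    return info

def probe(host: str, port: int = 161, timeout: float = 2.0):
    """Send one discovery probe to your own device; None means it stayed silent,
    which is the result the hardening in the post is trying to achieve."""
    msg_id = int.from_bytes(os.urandom(3), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_discovery(msg_id, msg_id), (host, port))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_report(data)

def build_report(engine_id: bytes, boots: int, engine_time: int, msg_id: int = 1) -> bytes:
    """Build the Report-PDU an authoritative engine returns to discovery.
    Only used here to construct an offline sample of what a device discloses."""
    global_data = ber(0x30, ber_int(msg_id) + ber_int(65507) + ber(0x04, b"\x00") + ber_int(3))
    usm = ber(0x30, ber(0x04, engine_id) + ber_int(boots) + ber_int(engine_time)
              + ber(0x04, b"") + ber(0x04, b"") + ber(0x04, b""))
    # varbind usmStatsUnknownEngineIDs.0 (1.3.6.1.6.3.15.1.1.4.0) = Counter32 1
    oid = ber(0x06, bytes([0x2B, 6, 1, 6, 3, 15, 1, 1, 4, 0]))
    varbind = ber(0x30, oid + ber(0x41, b"\x01"))
    pdu = ber(0xA8, ber_int(msg_id) + ber_int(0) + ber_int(0) + ber(0x30, varbind))
    scoped = ber(0x30, ber(0x04, engine_id) + ber(0x04, b"") + pdu)
    return ber(0x30, ber_int(3) + global_data + ber(0x04, usm) + scoped)

# Constructed sample (not captured from a real device): a Cisco-style engine ID,
# enterprise 9, format 3 (MAC address), data 00:11:22:33:44:55.
SAMPLE_REPORT = build_report(bytes.fromhex("8000000903001122334455"), boots=7, engine_time=86400)

if __name__ == "__main__":
    print("offline sample:", parse_report(SAMPLE_REPORT))
    # print("device:", probe("192.0.2.1"))   # point at a device you administer
```

Run it against the offline sample first, then against your own device before and after a change; a `None` from `probe()` means the engine discovery no longer gets a reply, which is the only state in which the fields listed in the post stop leaking.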