cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
671
Views
0
Helpful
2
Replies
LondonCisco
Beginner

SNMP Newbee Security Queries

Hi All

I want to enable the snmp agent on the Cisco devices in our infrastructure using the following command

snmp-server community string [view view-name] [ro | rw] [ipv6 nacl] [access-list-number | extended-access-list-number | access-list-name]

For security, I know how to do the following:

  • Use access lists to limit the ip addresses that can query the snmp service
  • Use a complex "communitystring"

However, I don't know how to do the following and whether it is possible. Could anybody help?!?

Query 1:

When you enable the snmp agent on a Cisco device, can it be queried on any ip address that the router/switch holds?

For example, if a switch has 7 vlans with 7 ip addresses, will the snmp agent respond to snmp requests directed to all 7 of the ip addresses? If this is the case, can you limit the snmp agent to respond to snmp requests to a particular vlan/ip address?

Query 2:

If somebody were to try a dictionary attach againts the snmp service, what defences can you use?

For example, for logging onto the vty of a cisco device, we use:

login block-for 120 attempts 5 within 30

login delay 3

Would this apply to attempts to "log onto" the snmp service or is there an equivalent for snmp?

Thanks to all!

John

1 ACCEPTED SOLUTION

Accepted Solutions
smitesh kharecha
Contributor

Hi John,

For your Q1: 

R1(config)#snmp-server source-interface

Q2:

R1(config)#snmp-server trap authentication ?

  acl-failure      enable authentication traps for access list failure

  unknown-context  enable authentication traps for unknown context error

  vrf              enable authentication traps for packets on a vrf

HTH,

Smitesh

View solution in original post

2 REPLIES 2
smitesh kharecha
Contributor

Hi John,

For your Q1: 

R1(config)#snmp-server source-interface

Q2:

R1(config)#snmp-server trap authentication ?

  acl-failure      enable authentication traps for access list failure

  unknown-context  enable authentication traps for unknown context error

  vrf              enable authentication traps for packets on a vrf

HTH,

Smitesh

View solution in original post

Hi Smitesh

Yes, that did help.

Thanks

John

Content for Community-Ad