
SNMP Newbie Security Queries

LondonCisco
Level 1

Hi All

I want to enable the SNMP agent on the Cisco devices in our infrastructure using the following command

snmp-server community string [view view-name] [ro | rw] [ipv6 nacl] [access-list-number | extended-access-list-number | access-list-name]

For security, I know how to do the following:

  • Use access lists to limit the IP addresses that can query the SNMP service
  • Use a complex "community string"

However, I don't know how to do the following and whether it is possible. Could anybody help?!?

Query 1:

When you enable the SNMP agent on a Cisco device, can it be queried on any IP address that the router/switch holds?

For example, if a switch has 7 VLANs with 7 IP addresses, will the SNMP agent respond to SNMP requests directed to all 7 of the IP addresses? If this is the case, can you limit the SNMP agent to respond to SNMP requests to a particular VLAN/IP address?

Query 2:

If somebody were to try a dictionary attack against the SNMP service, what defences can you use?

For example, for logging onto the VTY of a Cisco device, we use:

login block-for 120 attempts 5 within 30

login delay 3

Would this apply to attempts to "log onto" the SNMP service, or is there an equivalent for SNMP?

Thanks to all!

John
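The community command quoted in the question, together with its access list, is the control that decides who may query the agent at all, so it is worth checking it mechanically. The following is an added example (not code from the thread or from Cisco) that audits the SNMP lines of a constructed IOS running-config for the points John raises: well-known community strings, read-write communities, communities with no access list or with an access list that permits any source, and the absence of authentication-failure traps. The two configuration texts are constructed, and the 12-character minimum is an assumed local policy rather than an IOS rule; only the `snmp-server community` syntax quoted above and plain `access-list` entries are relied on.

```python
import re

# Constructed sample configurations (not taken from a real device).
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community Sup3rS3cr3tMonit0r RO 20
snmp-server community g00dStr1ng RW 99
access-list 20 permit any
access-list 99 permit 10.20.30.5
"""

HARDENED_CONFIG = """\
access-list 99 permit 10.20.30.5
access-list 99 permit 10.20.30.6
snmp-server community Sup3rS3cr3tMonit0r RO 99
snmp-server enable traps snmp authentication
"""

# snmp-server community <string> [view <name>] [ro|rw] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<string>\S+)"
    r"(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>ro|rw))?"
    r"(?: (?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<rest>.+)$", re.IGNORECASE
)
AUTH_TRAP_RE = re.compile(r"^snmp-server enable traps snmp\b.*\bauthentication\b", re.IGNORECASE)

WELL_KNOWN = {"public", "private"}
MIN_COMMUNITY_LEN = 12  # assumed local policy threshold, not an IOS rule


def parse_acls(config):
    """Map ACL name/number -> list of (action, remainder) entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m["name"], []).append((m["action"].lower(), m["rest"].strip()))
    return acls


def acl_is_open(entries):
    """True if a permit entry matches every source ('any' or an all-ones wildcard)."""
    for action, rest in entries:
        if action != "permit":
            continue
        tokens = rest.split()
        if tokens[0].lower() == "any":
            return True
        if len(tokens) >= 2 and tokens[1] == "255.255.255.255":
            return True
    return False


def audit_snmp(config):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    acls = parse_acls(config)
    has_auth_trap = False
    for raw in config.splitlines():
        line = raw.strip()
        if AUTH_TRAP_RE.match(line):
            has_auth_trap = True
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        s = m["string"]
        mode = (m["mode"] or "ro").lower()  # IOS defaults to read-only when omitted
        acl = m["acl"]
        if s.lower() in WELL_KNOWN:
            findings.append(f"community '{s}': well-known default string")
        elif len(s) < MIN_COMMUNITY_LEN:
            findings.append(f"community '{s}': shorter than {MIN_COMMUNITY_LEN} characters")
        if mode == "rw":
            findings.append(f"community '{s}': read-write access")
        if acl is None:
            findings.append(f"community '{s}': no access list, any source may query")
        elif acl not in acls:
            findings.append(f"community '{s}': access list {acl} is not defined in this config")
        elif acl_is_open(acls[acl]):
            findings.append(f"community '{s}': access list {acl} permits any source")
    if not has_auth_trap:
        findings.append("'snmp-server enable traps snmp authentication' not configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_snmp(cfg))} finding(s)")
        for f in audit_snmp(cfg):
            print("  -", f)
```

Run it against the output of `show running-config | include snmp-server|access-list` and it reports the same categories; an access list that is referenced but not defined is flagged separately because it should be verified on the device rather than assumed to block anything.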

Accepted Solution

Hi John,

For your Q1: 

R1(config)#snmp-server source-interface

Q2:

R1(config)#snmp-server trap authentication ?

  acl-failure      enable authentication traps for access list failure

  unknown-context  enable authentication traps for unknown context error

  vrf              enable authentication traps for packets on a vrf

HTH,

Smitesh

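The authentication traps in the answer above only become a defence once something consumes them, and the `login block-for` counters John mentions apply to VTY/console logins rather than to SNMP community checks, so the threshold logic has to live off-box. The following is an added example (not code from the thread or from Cisco) that applies a `login block-for`-style rule, N failures from one source within W seconds, to IOS syslog. It assumes the device logs SNMP authentication failures and forwards them to a collector; the log lines are constructed in the shape of the IOS `%SNMP-3-AUTHFAIL` message, and a real device may add sequence numbers, a leading `*` or milliseconds to the timestamp.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog (not captured from a real device).
SAMPLE_LOG = """\
Mar 12 10:15:01: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.9
Mar 12 10:15:03: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.9
Mar 12 10:15:04: %SYS-5-CONFIG_I: Configured from console by vty0 (10.20.30.5)
Mar 12 10:15:05: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.20
Mar 12 10:15:06: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.9
Mar 12 10:15:09: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.9
Mar 12 10:15:12: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.9
Mar 12 10:16:30: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.20
Mar 12 10:18:00: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.20
"""

# Optional leading '*', IOS "Mon DD HH:MM:SS" timestamp, optional milliseconds.
AUTHFAIL_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host (?P<host>\S+)"
)


def parse_authfail(line):
    """Return (timestamp, source host) for an AUTHFAIL line, or None for anything else."""
    m = AUTHFAIL_RE.match(line.strip())
    if not m:
        return None
    # IOS timestamps carry no year; strptime fills in 1900, which is fine for deltas.
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["host"]


def detect_snmp_bruteforce(lines, attempts=5, within=30):
    """Alert when one source accumulates `attempts` failures inside `within` seconds.

    Returns [(host, timestamp_of_alert)]. The per-host window is cleared after an
    alert so a single burst yields a single alert, mirroring the way
    'login block-for ... attempts 5 within 30' counts VTY failures.
    """
    windows = defaultdict(deque)
    alerts = []
    for line in lines:
        parsed = parse_authfail(line)
        if parsed is None:
            continue
        ts, host = parsed
        q = windows[host]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > within:
            q.popleft()
        if len(q) >= attempts:
            alerts.append((host, ts))
            q.clear()
    return alerts


if __name__ == "__main__":
    for host, ts in detect_snmp_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ts:%b %d %H:%M:%S} possible SNMP dictionary attack from {host}")
```

In the sample, 10.0.0.9 fails five times in eleven seconds and is reported once, while 10.0.0.20 fails three times across three minutes and stays below the threshold. The alert is the point at which an operator (or an automation) would add the source to the SNMP access list's deny entries or block it upstream, since the agent itself will keep answering.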

2 Replies

Hi Smitesh

Yes, that did help.

Thanks

John
