SNMP trap community string usage
10-11-2009 03:18 AM
Hi,
This may seem like a silly question, but I really can't get round to understanding why it is so.
When a Cisco box is configured to send traps, a community string is also required.
However, as far as I can understand, the receiving management station does not use the community string.
So what is the point of using a community string when sending a trap?
What is considered best practise for this config? Using a community string that has no real meaning (i.e. not the same for snmpget access)? Or other?
Thanks
Mark

10-11-2009 10:12 AM
This sounds like an issue with your trap manager. Most trap managers I know DO make use of the community string in the trap to decide whether or not to process the trap. Think of an attacker flooding your manager with bogus traps. If there was no filtering on the community string, your console could fill with "noise," and you may miss some real events.
The best practice is to use a hard-to-guess string which is different than your polling community strings.
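The community filtering described in the reply above, sketched as an added example that is not part of the original post and is not any trap manager's actual code: it reads the version and community fields from the header of an SNMPv1/v2c message and accepts the trap only when the community matches the one configured for traps. The function names and the community value `example-trap-community` are assumptions, and the sample datagrams are constructed.

```python
import hmac

def _read_tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def trap_community(datagram):
    """Return (version, community) from an SNMPv1/v2c message header."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02 or len(ver) != 1:
        raise ValueError("bad version field")
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("bad community field")
    return ver[0], community

def accept_trap(datagram, expected_community):
    """True only for v1/v2c messages carrying the expected trap community."""
    try:
        version, community = trap_community(datagram)
    except ValueError:
        return False  # malformed input is dropped, never processed
    if version not in (0, 1):  # 0 = SNMPv1, 1 = SNMPv2c
        return False
    return hmac.compare_digest(community, expected_community)

def make_sample(community):
    """Constructed v2c message with an empty SNMPv2-Trap PDU (tag 0xA7)."""
    def tlv(tag, value):  # short-form lengths only, enough for these samples
        return bytes([tag, len(value)]) + value
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, community) + tlv(0xA7, b""))

if __name__ == "__main__":
    for name in (b"example-trap-community", b"public"):
        print(name, accept_trap(make_sample(name), b"example-trap-community"))
```

In SNMPv1 and v2c the community travels in cleartext, so a check like this filters out noise from senders that do not know the string rather than authenticating the sender.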
10-11-2009 12:24 PM
Thanks - I'll check my trap manager, and sort out my configs as you recommend.
