1. Enable SNMPv3
It is time to retire SNMPv1 and SNMPv2c on our network. Below is a sample configuration for our Cisco IOS devices. It restricts polling to the management subnet with a standard ACL, defines a read view and a write view that exclude the SNMPv3 USM, VACM and community MIBs (1.3.6.1.6.3.15, .16 and .18) as well as the IP routing and ARP tables (1.3.6.1.2.1.4.21 and .22), binds a read-only and a read-write v3 group to those views and the ACL, and creates one priv user per group. Some of our old devices do not support AES; on those DES is the only choice, but DES is a 56-bit cipher, so treat such devices as exceptions to be upgraded rather than as hardened.
ip access-list standard snmp-Allow
 permit 192.168.1.0 0.0.0.255
snmp-server view ReadAccess iso included
snmp-server view ReadAccess 1.3.6.1.6.3.18 excluded
snmp-server view ReadAccess 1.3.6.1.6.3.16 excluded
snmp-server view ReadAccess 1.3.6.1.6.3.15 excluded
snmp-server view ReadAccess 1.3.6.1.2.1.4.21 excluded
snmp-server view ReadAccess 1.3.6.1.2.1.4.22 excluded
snmp-server view ReadAccess internet included
snmp-server view ReadAccess system included
snmp-server view ReadAccess interfaces included
snmp-server view ReadAccess chassis included
snmp-server view WriteAccess iso included
snmp-server view WriteAccess internet included
snmp-server view WriteAccess system included
snmp-server view WriteAccess interfaces included
snmp-server view WriteAccess chassis included
snmp-server view WriteAccess 1.3.6.1.6.3.18 excluded
snmp-server view WriteAccess 1.3.6.1.6.3.16 excluded
snmp-server view WriteAccess 1.3.6.1.6.3.15 excluded
snmp-server view WriteAccess 1.3.6.1.2.1.4.21 excluded
snmp-server view WriteAccess 1.3.6.1.2.1.4.22 excluded
snmp-server group AccessRW v3 priv read ReadAccess write WriteAccess access snmp-Allow
snmp-server group AccessRO v3 priv read ReadAccess access snmp-Allow
snmp-server user NetService-RW AccessRW v3 auth sha <auth-passphrase-rw> priv aes 128 <priv-passphrase-rw>
snmp-server user NetService-RO AccessRO v3 auth sha <auth-passphrase-ro> priv aes 128 <priv-passphrase-ro>
snmp-server host 192.168.1.40 traps version 3 priv NetService-RO
snmp-server enable traps
Replace the placeholders with distinct passphrases of at least 8 characters (IOS rejects shorter ones), and do not reuse the auth passphrase as the priv passphrase. The user named in snmp-server host must match an snmp-server user exactly, otherwise the device has no keys to generate the traps with; IOS also creates a group with that user's name carrying only a notify view, which is the NetService-RO group that appears in the show snmp group output in section 2. Note that IOS deliberately omits snmp-server user lines from show running-config; check them with show snmp user.
2. Disable SNMPv1 and SNMPv2c
First list the configured groups. The two ILMI groups (one v1, one v2c) are created by IOS itself, not by our configuration:
CiscoTest#show snmp group
groupname: ILMI security model:v1
contextname: <no context specified> storage-type: permanent
readview : *ilmi writeview: *ilmi
notifyview: <no notifyview specified>
row status: active
groupname: ILMI security model:v2c
contextname: <no context specified> storage-type: permanent
readview : *ilmi writeview: *ilmi
notifyview: <no notifyview specified>
row status: active
groupname: SNMPv3-RO security model:v3 priv
contextname: <no context specified> storage-type: nonvolatile
readview : ReadView-All writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active access-list: snmp-Allow
groupname: SNMPv3-RW security model:v3 priv
contextname: <no context specified> storage-type: nonvolatile
readview : ReadView-All writeview: WriteView-All
notifyview: <no notifyview specified>
row status: active access-list: snmp-Allow
groupname: NetService-RO security model:v3 priv
contextname: <no context specified> storage-type: nonvolatile
readview : <no readview specified> writeview: <no writeview specified>
notifyview: *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F
row status: active
CiscoTest(config)#no snmp-server group ILMI v1
CiscoTest(config)#no snmp-server group ILMI v2c
CiscoTest(config)#do sh snmp group
groupname: SNMPv3-RO security model:v3 priv
contextname: <no context specified> storage-type: nonvolatile
readview : ReadView-All writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active access-list: snmp-Allow
groupname: SNMPv3-RW security model:v3 priv
contextname: <no context specified> storage-type: nonvolatile
readview : ReadView-All writeview: WriteView-All
notifyview: <no notifyview specified>
row status: active access-list: snmp-Allow
groupname: NetService-RO security model:v3 priv
contextname: <no context specified> storage-type: nonvolatile
readview : <no readview specified> writeview: <no writeview specified>
notifyview: *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F
row status: active
Unfortunately the ILMI groups are recreated when the device reboots, so removing them is not enough. The reliable fix is to empty the default views that the ILMI groups and any remaining v1/v2c community strings rely on (*ilmi and v1default) with the following commands:
snmp-server view *ilmi system excluded
snmp-server view *ilmi atmForumUni excluded
snmp-server view v1default iso excluded
Excluding iso from v1default also disables every snmp-server community string that has no view of its own, which is the intent here; before applying it, confirm with show snmp group that none of your v3 groups lists v1default as its read view. The result on a lab router (R-Test-Lab, whose built-in cac_view entries are listed as well):
R-Test-Lab#show snmp view
*ilmi system - excluded nonvolatile active
*ilmi atmForumUni - excluded nonvolatile active
cac_view pimMIB - included read-only active
cac_view msdpMIB - included read-only active
cac_view interfaces - included read-only active
cac_view ip - included read-only active
cac_view ospf - included read-only active
cac_view bgp - included read-only active
cac_view dot1dBridge - included read-only active
cac_view ifMIB - included read-only active
cac_view nhrpMIB - included read-only active
cac_view ipMRouteStdMIB - included read-only active
cac_view igmpStdMIB - included read-only active
cac_view ipForward - included read-only active
cac_view ipTrafficStats - included read-only active
cac_view ospfTrap - included read-only active
cac_view sysUpTime.0 - included read-only active
cac_view ciscoPingMIB - included read-only active
cac_view ciscoIpSecFlowMonitorMIB - included read-only active
cac_view ciscoIpSecPolMapMIB - included read-only active
cac_view ciscoPimMIB - included read-only active
cac_view ciscoMgmt.187 - included read-only active
cac_view ciscoIfExtensionMIB - included read-only active
cac_view ciscoEigrpMIB - included read-only active
cac_view ciscoCefMIB - included read-only active
cac_view ciscoNhrpExtMIB - included read-only active
cac_view ciscoIpMRouteMIB - included read-only active
cac_view ciscoIPsecMIB - included read-only active
cac_view cospf - included read-only active
cac_view ciscoExperiment.101 - included read-only active
cac_view ciscoIetfIsisMIB - included read-only active
cac_view ciscoIetfBfdMIB - included read-only active
cac_view ifIndex - included read-only active
cac_view ifDescr - included read-only active
cac_view ifType - included read-only active
cac_view ifAdminStatus - included read-only active
cac_view ifOperStatus - included read-only active
cac_view snmpTraps.3 - included read-only active
cac_view snmpTraps.4 - included read-only active
cac_view snmpTrapOID.0 - included read-only active
cac_view internet.6.3.1.1.4.3.0 - included read-only active
cac_view lifEntry.20 - included read-only active
cac_view cciDescriptionEntry.1 - included read-only active
v1default iso - excluded nonvolatile active
v1default internet.6.3.15 - excluded permanent active
v1default internet.6.3.16 - excluded permanent active
v1default internet.6.3.18 - excluded permanent active
v1default ciscoMgmt.394 - excluded permanent active
v1default ciscoMgmt.395 - excluded permanent active
v1default ciscoMgmt.399 - excluded permanent active
v1default ciscoMgmt.400 - excluded permanent active
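The checks from both sections above, turned into a lint you can run over a configuration before pushing it. This is an added example and not part of the original post; the function names (audit_config, legacy_groups), the sample configuration and the show snmp group excerpt are constructed for it, with group and user names mirroring section 1. It flags what this page removes or avoids: remaining snmp-server community strings and v1/v2c groups, v3 groups without priv or without an access-list, users with MD5, DES/3DES or a password shorter than the 8-character minimum IOS enforces, a snmp-server host whose user name matches no snmp-server user, and missing *ilmi/v1default exclusions.

```python
"""Lint Cisco IOS SNMP configuration against the hardening steps on this page.
Added example, not from the original post. Input is the config text you intend
to push; IOS hides 'snmp-server user' lines from the running-config, so on a
live device read those from 'show snmp user'."""
import re

# Constructed sample: the page's v3 setup plus deliberate leftovers (a v2c
# community, a v2c group, a v3 group without priv or ACL, an MD5/DES user with
# a 5-character password, and a trap host whose user name does not match).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server view ReadAccess iso included
snmp-server group AccessRW v3 priv read ReadAccess write WriteAccess access snmp-Allow
snmp-server group AccessRO v3 priv read ReadAccess access snmp-Allow
snmp-server group LegacyRO v2c read ReadAccess
snmp-server group NoAclRO v3 auth read ReadAccess
snmp-server user NetService-RW AccessRW v3 auth sha Auth-Pass-RW-1 priv aes 128 Priv-Pass-RW-1
snmp-server user NetService-RO AccessRO v3 auth sha Auth-Pass-RO-1 priv aes 128 Priv-Pass-RO-1
snmp-server user OldBox-RO AccessRO v3 auth md5 cisco priv des Priv-Pass-Old-1
snmp-server host 192.168.1.40 traps version 3 priv NetServices-RO
snmp-server enable traps
"""
# Constructed 'show snmp group' excerpt in the layout shown on this page.
SAMPLE_SHOW_GROUP = """\
groupname: ILMI                             security model:v1
groupname: ILMI                             security model:v2c
groupname: AccessRO                         security model:v3 priv
"""
MIN_PW = 8  # RFC 3414 minimum, which IOS enforces at configuration time
GROUP_HDR = re.compile(r"groupname:\s*(\S+)\s+security model:\s*(v1|v2c|v3)")


def audit_config(config_text):
    """Return findings for every snmp-server line that contradicts the steps."""
    findings, groups, users, hosts, excluded = [], {}, {}, [], set()
    for raw in config_text.splitlines():
        t = raw.split()
        if len(t) < 3 or t[0] != "snmp-server":
            continue
        kind = t[1]
        if kind == "community":
            findings.append(f"v1/v2c community '{t[2]}' still configured")
        elif kind == "group":
            name, model = t[2], t[3]
            level = t[4] if model == "v3" and len(t) > 4 else None
            rest = t[5:] if model == "v3" else t[4:]
            groups[name] = model
            if model != "v3":
                findings.append(f"group '{name}' uses {model}")
            elif level != "priv":
                findings.append(f"group '{name}' is v3 {level}, not priv")
            if "access" not in rest:  # no ACL: any host that has the keys can poll
                findings.append(f"group '{name}' has no access-list")
        elif kind == "user":
            name, group, model = t[2], t[3], t[4]
            users[name] = group
            if model != "v3":
                findings.append(f"user '{name}' is {model}")
                continue
            if "auth" in t:
                i = t.index("auth")
                if t[i + 1] == "md5":
                    findings.append(f"user '{name}' authenticates with MD5")
                if len(t[i + 2]) < MIN_PW:
                    findings.append(f"user '{name}' auth password shorter than {MIN_PW}")
            else:
                findings.append(f"user '{name}' has no authentication")
            if "priv" in t:
                proto = t[t.index("priv") + 1]
                if proto != "aes":  # des/3des: only where the box cannot do AES
                    findings.append(f"user '{name}' uses {proto} for privacy")
            else:
                findings.append(f"user '{name}' has no privacy (encryption)")
        elif kind == "host":
            addr = t[2]
            opts = [x for x in t[3:] if x not in ("traps", "informs")]
            if opts[:1] != ["version"]:
                findings.append(f"trap host {addr} defaults to SNMPv1")
            elif opts[1] != "3":
                findings.append(f"trap host {addr} uses SNMPv{opts[1]}")
            else:  # version 3 [noauth|auth|priv] <user>
                level, rest = "noauth", opts[2:]
                if rest[0] in ("noauth", "auth", "priv"):
                    level, rest = rest[0], rest[1:]
                if level != "priv":
                    findings.append(f"trap host {addr} is v3 {level}, not priv")
                hosts.append((addr, rest[0]))
        elif kind == "view" and len(t) >= 5 and t[4] == "excluded":
            if t[2] == "*ilmi" or (t[2] == "v1default" and t[3] == "iso"):
                excluded.add(t[2])  # section 2: default views neutralized
    for addr, user in hosts:
        if user not in users:
            findings.append(f"trap host {addr} references undefined v3 user '{user}'")
    for view in ("*ilmi", "v1default"):
        if view not in excluded:
            findings.append(f"default view {view} still open; ILMI groups return after reboot")
    return findings


def legacy_groups(show_snmp_group):
    """(name, model) for every v1/v2c group in 'show snmp group' output."""
    return [(n, m) for n, m in GROUP_HDR.findall(show_snmp_group) if m != "v3"]
```

Run audit_config on the configuration file and legacy_groups on the device's show snmp group output. The second list is informational: on IOS the ILMI pair reappears after a reboot no matter what, which is why the lint insists on the *ilmi and v1default exclusions rather than on the groups being absent.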
Good topic, thanks!

But after disabling v1 and v2c groups, if you reboot your router, these groups will again be enabled...

You are right. Removing those hidden default Cisco groups will not survive a reboot. The best way is to disable them from those system views with the following commands:
snmp-server view *ilmi system excluded
snmp-server view *ilmi atmForumUni excluded
snmp-server view v1default iso excluded