UNCLASSIFIED
Implementing Security on Cisco Routers
Version 1.0g
Table 4-5: SNMPv3 Security

          Security Level   Authentication               Encryption
SNMPv3    noAuthNoPriv     Username sent in the clear   None
          authNoPriv       HMAC-MD5 or HMAC-SHA         None
          authPriv         HMAC-MD5 or HMAC-SHA         DES (56-bit)

The Cisco documentation indicates that IOS 12.0 supports all three security levels.
However, DES 56-bit encryption was not supported in the versions of IOS used for
preparation of this section (12.0(7) and 12.0(5)).
Configuring SNMP - Getting Started
In both IOS versions 11 and 12, there are some basic commands you must run to
enable SNMP. By default, SNMP is not turned on in the router. To enable SNMP, a
default community string must be set. This string is stored on the router in
clear text and is sent across the network in the clear, so anybody who knows
this community string has access to essentially the entire MIB. SNMP logging must
also be enabled (see section 4.5.1). It is a good idea to run the show snmp command
to display the SNMP status and statistics, as shown below.
East# config t
Enter configuration commands, one per line. End with CNTL/Z
East(config)# snmp-server community publicstring
East(config)# snmp-server host 14.2.6.6 traps public
East(config)# exit
East# show snmp
Chassis: east
Contact: John Doe
Location: Headquarters
0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
0 Get-request PDUs
0 Get-next PDUs
0 Set-request PDUs
0 SNMP packets output
0 Too big errors (Maximum packet size 2048)
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
0 Trap PDUs
SNMP logging: enabled
Logging to 14.2.6.6.162, 0/10, 0 sent, 0 dropped.
East#
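
The counters printed by show snmp can be compared between two captures to spot requests that used a wrong community string or that changed MIB values. The following is an added example, not part of the original guide: the function names and the two sample captures are constructed for illustration, and the counter labels are the ones shown in the output above.

```python
import re

# Counters from `show snmp` worth watching, and what an increase means.
WATCHED = {
    "Unknown community name": "request used a community string the router does not know",
    "Illegal operation for community name supplied": "operation not allowed for that community",
    "Number of altered variables": "MIB variables were changed by SNMP set requests",
}

COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")

def parse_show_snmp(text):
    """Return {label: count} for every '<number> <label>' line."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            # Drop parenthetical detail such as '(Maximum packet size 2048)'.
            label = re.sub(r"\s*\(.*\)$", "", m.group(2))
            counters[label] = int(m.group(1))
    return counters

def compare(before, after):
    """Return [(label, delta, meaning)] for watched counters that increased."""
    old, new = parse_show_snmp(before), parse_show_snmp(after)
    findings = []
    for label, meaning in WATCHED.items():
        delta = new.get(label, 0) - old.get(label, 0)
        if delta > 0:
            findings.append((label, delta, meaning))
    return findings

# Constructed sample captures (not taken from a real router).
BASELINE = """0 SNMP packets input
    0 Unknown community name
    0 Illegal operation for community name supplied
    0 Number of altered variables
    0 Too big errors (Maximum packet size 2048)
"""
LATER = """57 SNMP packets input
    41 Unknown community name
    0 Illegal operation for community name supplied
    2 Number of altered variables
    0 Too big errors (Maximum packet size 2048)
"""

if __name__ == "__main__":
    for label, delta, meaning in compare(BASELINE, LATER):
        print(f"+{delta} {label}: {meaning}")
```

A reload resets these counters, so a decrease between captures is ignored rather than reported.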