UNCLASSIFIED - Implementing Security on Cisco Routers, Version 1.0g - page 117

Table 4-5: SNMPv3 Security

Security Level   Authentication              Encryption
--------------   -------------------------   ------------
noAuthNoPriv     Username sent in the clear  None
authNoPriv       HMAC-MD5 or HMAC-SHA        None
authPriv         HMAC-MD5 or HMAC-SHA        DES (56-bit)

The Cisco documentation indicates that IOS 12.0 supports all three security levels. However, DES 56-bit encryption was not supported in the versions of IOS used for preparation of this section (12.0(7) and 12.0(5)).

Configuring SNMP - Getting Started

In both IOS versions 11 and 12, there are some basic commands you must run to enable SNMP. By default, SNMP is not turned on in the router. In order to enable SNMP a default community string must be set. This string is stored on the router in clear text and will be sent across the network in the clear. So, anybody who knows this community string has access to essentially the entire MIB. SNMP logging must also be enabled (see section 4.5.1). It is a good idea to run the show snmp command to display the SNMP status and statistics, as shown below.

    East# config t
    Enter configuration commands, one per line.  End with CNTL/Z
    East(config)# snmp-server community publicstring
    East(config)# snmp-server host 14.2.6.6 traps public
    East(config)# exit
    East# show snmp
    Chassis: east
    Contact: John Doe
    Location: Headquarters
    0 SNMP packets input
        0 Bad SNMP version errors
        0 Unknown community name
        0 Illegal operation for community name supplied
        0 Encoding errors
        0 Number of requested variables
        0 Number of altered variables
        0 Get-request PDUs
        0 Get-next PDUs
        0 Set-request PDUs
    0 SNMP packets output
        0 Too big errors (Maximum packet size 2048)
        0 No such name errors
        0 Bad values errors
        0 General errors
        0 Response PDUs
        0 Trap PDUs
    SNMP logging: enabled
        Logging to 14.2.6.6.162, 0/10, 0 sent, 0 dropped.
    East#
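The counters in the show snmp output above are the quickest place to see whether the community string is being guessed or misused. The following is an added example, not part of the original guide: a small Python parser that reads a saved show snmp capture and reports the counters worth attention. The function names, the choice of watched counters and the sample values are assumptions made for illustration.

```python
import re

# Counters in `show snmp` output that merit a look when non-zero.
WATCHED = {
    "Unknown community name": "requests carried a wrong community string",
    "Illegal operation for community name supplied":
        "a community was used for an operation it does not permit",
    "Set-request PDUs": "a manager attempted to write to the MIB",
    "Number of altered variables": "MIB variables were changed via SNMP",
}
COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")

def parse_show_snmp(text):
    """Return (counters, logging_enabled) parsed from `show snmp` output."""
    counters, logging_enabled = {}, False
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            # Drop trailing notes such as "(Maximum packet size 2048)".
            name = re.sub(r"\s*\(.*\)$", "", m.group(2))
            counters[name] = int(m.group(1))
        elif line.strip().lower().startswith("snmp logging:"):
            logging_enabled = line.split(":", 1)[1].strip().lower() == "enabled"
    return counters, logging_enabled

def findings(text):
    """List human-readable findings for one `show snmp` capture."""
    counters, logging_enabled = parse_show_snmp(text)
    out = [f"{name}={counters[name]}: {why}"
           for name, why in WATCHED.items() if counters.get(name, 0) > 0]
    if not logging_enabled:
        out.append("SNMP logging is not enabled")
    return out

# Constructed sample in the layout of the session above; values are invented.
SAMPLE = """\
212 SNMP packets input
    0 Bad SNMP version errors
    37 Unknown community name
    2 Illegal operation for community name supplied
    0 Number of altered variables
    2 Set-request PDUs
175 SNMP packets output
    0 Too big errors (Maximum packet size 2048)
SNMP logging: enabled
    Logging to 14.2.6.6.162, 0/10, 0 sent, 0 dropped.
"""

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

Comparing two captures taken some time apart shows which counters are still climbing, which matters more than the absolute values since the counters accumulate from the last reload.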