Implementing Security on Cisco Routers, Version 1.0g (UNCLASSIFIED), page 67

- Erase existing community strings, and set a hard-to-guess, read-only community string.
- Apply a simple IP access list to SNMP denying all traffic.
- Disable SNMP system shutdown and trap features.
- Disable SNMP system processing.

The example below shows how to disable SNMP by implementing these recommendations. It starts with listing the current configuration to find the SNMP community strings. The configuration listing is often quite long, but there is no other mechanism in Cisco IOS for viewing the configured SNMP community strings.

    Central# show running-config
    Building configuration...
    .
    .
    snmp-server community public RO
    snmp-server community admin RW
    .
    .
    Central#
    Central# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Central(config)# ! remove old community strings
    Central(config)# no snmp community public RO
    Central(config)# no snmp community admin RW
    Central(config)# ! create a very restrictive access list
    Central(config)# no access-list 70
    Central(config)# access-list 70 deny any
    Central(config)# ! make SNMP read-only and subject to access list
    Central(config)# snmp community aqiytj1726540942 ro 70
    Central(config)# ! disable SNMP trap and system-shutdown features
    Central(config)# no snmp enable traps
    Central(config)# no snmp system-shutdown
    Central(config)# no snmp trap-auth
    Central(config)# ! disable the SNMP service
    Central(config)# no snmp-server
    Central(config)# end

The last command in the example, no snmp-server, shuts down all SNMP processing on the router. While SNMP processing is shut down, SNMP configuration will not appear in any listing of the running configuration, but it can still be there! The safest way to ensure that SNMP is really unavailable to an attacker, and will remain so, is to follow the full course of commands listed above and in the configuration example.
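Because the only way to find configured community strings is to read the running configuration, a small audit script over a saved listing is a practical way to check these recommendations across many routers. The following is an added example (not part of the guide) that scans a constructed sample listing for the weaknesses described above: well-known community names, read-write access, communities with no access list, and access lists that do not deny all traffic; the trap and system-shutdown checks are included as well. The sample configuration and the WELL_KNOWN name list are assumptions for illustration.

```python
"""Audit a saved 'show running-config' listing for the SNMP weaknesses this
page describes. Constructed sample input; not a real router's configuration."""
import re
# Constructed sample: the page's two weak communities plus one hardened line.
SAMPLE_CONFIG = """\
access-list 70 deny any
snmp-server community public RO
snmp-server community admin RW
snmp-server community aqiytj1726540942 ro 70
snmp-server enable traps
"""
WELL_KNOWN = {"public", "private", "admin", "cisco"}  # easily guessed names (assumed list)
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?:\s+(RO|RW))?(?:\s+(\d+))?\s*$", re.I)
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (.+)$", re.I)

def parse_acls(config):
    """Map ACL number -> ordered list of (action, match) entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2).lower(), m.group(3)))
    return acls

def audit_snmp(config):
    """Return (community, finding) pairs; an empty list means nothing was flagged."""
    acls = parse_acls(config)
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if re.match(r"^snmp-server (enable traps|system-shutdown)\b", line, re.I):
            findings.append(("*", f"'{line}' should be disabled"))
            continue
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        # IOS treats a community with no RO/RW keyword as read-only.
        name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        if name.lower() in WELL_KNOWN:
            findings.append((name, "well-known community string"))
        if mode == "RW":
            findings.append((name, "read-write access"))
        if acl is None:
            findings.append((name, "no access list applied"))
        else:
            entries = acls.get(acl, [])  # an undefined (empty) ACL permits everything
            if not entries or any(action == "permit" for action, _ in entries):
                findings.append((name, f"access-list {acl} does not deny all traffic"))
    return findings
```

As the text above warns, an empty result proves little on a router where no snmp-server has hidden the community lines from the listing; the script checks what is visible, not what is truly off.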
For information on setting up and using SNMP securely, see Section 4.5.3.