UNCLASSIFIED
Implementing Security on Cisco Routers
Version 1.0g
• Erase existing community strings, and set a hard-to-guess, read-only community string.
• Apply a simple IP access list to SNMP denying all traffic.
• Disable SNMP system shutdown and trap features.
• Disable SNMP system processing.
The example below shows how to disable SNMP by implementing these
recommendations. It starts with listing the current configuration to find the SNMP
community strings. The configuration listing is often quite long, but there is no other
mechanism in Cisco IOS for viewing the configured SNMP community strings.
Central# show running-config
Building configuration...
.
.
snmp-server community public RO
snmp-server community admin RW
.
.
Central#
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# ! remove old community strings
Central(config)# no snmp community public RO
Central(config)# no snmp community admin RW
Central(config)# ! create a very restrictive access list
Central(config)# no access-list 70
Central(config)# access-list 70 deny any
Central(config)# ! make SNMP read-only and subject to access list
Central(config)# snmp community aqiytj1726540942 ro 70
Central(config)# ! disable SNMP trap and system-shutdown features
Central(config)# no snmp enable traps
Central(config)# no snmp system-shutdown
Central(config)# no snmp trap-auth
Central(config)# ! disable the SNMP service
Central(config)# no snmp-server
Central(config)# end
The last command in the example, no snmp-server, shuts down all SNMP
processing on the router. While SNMP processing is shut down, SNMP
configuration will not appear in any listing of the running configuration, but it can
still be there! The safest way to ensure that SNMP is really unavailable to an
attacker, and will remain so, is to follow the full course of commands listed above
and in the configuration example.
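As an added example, not part of the guide, the following Python script audits a saved "show running-config" listing against the recommendations above: well-known or read-write community strings, communities without a deny-all access list, and the trap and system-shutdown features. The two configuration excerpts are constructed from the session shown above.

```python
import re

# Constructed "show running-config" excerpts: the starting state from the
# example above, and the state after the recommended commands are applied.
BEFORE = """\
snmp-server community public RO
snmp-server community admin RW
snmp-server enable traps
snmp-server system-shutdown
"""
AFTER = """\
access-list 70 deny any
snmp-server community aqiytj1726540942 RO 70
"""

# snmp-server community <string> [view <name>] [RO|RW] [<access-list>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(ro|rw))?(?:\s+(\S+))?$", re.I)
WELL_KNOWN = {"public", "private"}

def audit_snmp(config: str) -> list[str]:
    """Return findings against the SNMP recommendations; an empty list means clean."""
    lines = [l.strip() for l in config.splitlines()]
    # standard access lists that deny everything; a community bound to one is unreachable
    deny_all = {m.group(1) for l in lines
                if (m := re.match(r"access-list (\d+) deny (?:ip )?any", l))}
    findings = []
    for line in lines:
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
            if name.lower() in WELL_KNOWN:
                findings.append(f"community '{name}' is a well-known string")
            if mode == "RW":
                findings.append(f"community '{name}' is read-write")
            if acl is None:
                findings.append(f"community '{name}' has no access list")
            elif acl not in deny_all:
                findings.append(f"community '{name}' uses access-list {acl}, which does not deny all traffic")
        elif line.startswith("snmp-server enable traps"):
            findings.append("SNMP traps are enabled")
        elif line == "snmp-server system-shutdown":
            findings.append("SNMP system-shutdown is enabled")
    return findings

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_snmp(cfg) or ["no findings"])
```

An empty result only means nothing objectionable is visible in the listing; as the text above notes, a router with no snmp-server lines showing may still hold SNMP configuration that "no snmp-server" has hidden, so confirm on the device as well.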
For information on setting up and using SNMP securely, see Section 4.5.3.