Enabling SNMP v3 - Part 1: Cisco IOS Devices - Disable SNMP v1 and SNMP v2c
1. Enable SNMPv3
It is time to retire SNMPv2 in our network environment. Here is a sample configuration for all of our Cisco devices. Some older devices do not support AES; on those, DES is the only choice.
! Managers allowed to query the agent; referenced by the groups below
ip access-list standard snmp-Allow
permit 192.168.1.0 0.0.0.255
snmp-server view ReadAccess iso included
snmp-server view ReadAccess 1.3.6.1.6.3.18 excluded
snmp-server view ReadAccess 1.3.6.1.6.3.16 excluded
snmp-server view ReadAccess 1.3.6.1.6.3.15 excluded
snmp-server view ReadAccess 1.3.6.1.2.1.4.21 excluded
snmp-server view ReadAccess 1.3.6.1.2.1.4.22 excluded
snmp-server view ReadAccess internet included
snmp-server view ReadAccess system included
snmp-server view ReadAccess interfaces included
snmp-server view ReadAccess chassis included
snmp-server view WriteAccess iso included
snmp-server view WriteAccess internet included
snmp-server view WriteAccess system included
snmp-server view WriteAccess interfaces included
snmp-server view WriteAccess chassis included
snmp-server view WriteAccess 1.3.6.1.6.3.18 excluded
snmp-server view WriteAccess 1.3.6.1.6.3.16 excluded
snmp-server view WriteAccess 1.3.6.1.6.3.15 excluded
snmp-server view WriteAccess 1.3.6.1.2.1.4.21 excluded
snmp-server view WriteAccess 1.3.6.1.2.1.4.22 excluded
snmp-server group AccessRW v3 priv read ReadAccess write WriteAccess access snmp-Allow
snmp-server group AccessRO v3 priv read ReadAccess access snmp-Allow
! "cisco" is a placeholder; use distinct, strong auth and priv passphrases
snmp-server user NetServices-RW AccessRW v3 auth sha cisco priv aes 128 cisco
snmp-server user NetServices-RO AccessRO v3 auth sha cisco priv aes 128 cisco
! the trap user must be one of the v3 users defined above
snmp-server host 192.168.1.40 trap version 3 priv NetServices-RO
snmp-server enable traps
2. Disable SNMP v1 and SNMP v2c
CiscoTest#show snmp group
groupname: ILMI                            security model:v1
contextname: <no context specified>        storage-type: permanent
readview : *ilmi                           writeview: *ilmi
notifyview: <no notifyview specified>
row status: active
groupname: ILMI                            security model:v2c
contextname: <no context specified>        storage-type: permanent
readview : *ilmi                           writeview: *ilmi
notifyview: <no notifyview specified>
row status: active
groupname: SNMPv3-RO                       security model:v3 priv
contextname: <no context specified>        storage-type: nonvolatile
readview : ReadView-All                    writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active    access-list: snmp-Allow
groupname: SNMPv3-RW                       security model:v3 priv
contextname: <no context specified>        storage-type: nonvolatile
readview : ReadView-All                    writeview: WriteView-All
notifyview: <no notifyview specified>
row status: active    access-list: snmp-Allow
groupname: NetService-RO                   security model:v3 priv
contextname: <no context specified>        storage-type: nonvolatile
readview : <no readview specified>         writeview: <no writeview specified>
notifyview: *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F
row status: active
CiscoTest(config)#no snmp-server group ILMI v1
CiscoTest(config)#no snmp-server group ILMI v2c
CiscoTest(config)#do sh snmp group
groupname: SNMPv3-RO                       security model:v3 priv
contextname: <no context specified>        storage-type: nonvolatile
readview : ReadView-All                    writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active    access-list: snmp-Allow
groupname: SNMPv3-RW                       security model:v3 priv
contextname: <no context specified>        storage-type: nonvolatile
readview : ReadView-All                    writeview: WriteView-All
notifyview: <no notifyview specified>
row status: active    access-list: snmp-Allow
groupname: NetService-RO                   security model:v3 priv
contextname: <no context specified>        storage-type: nonvolatile
readview : <no readview specified>         writeview: <no writeview specified>
notifyview: *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F
row status: active
Unfortunately, those default v1/v2c groups come back after the system reboots, because they are built from the hidden *ilmi and v1default views. The reliable way to neutralize them is to exclude everything from those system views with the following commands, which do survive a reboot:
snmp-server view *ilmi system excluded
snmp-server view *ilmi atmForumUni excluded
snmp-server view v1default iso excluded
R-Test-Lab#show snmp view
*ilmi system - excluded nonvolatile active
*ilmi atmForumUni - excluded nonvolatile active
cac_view pimMIB - included read-only active
cac_view msdpMIB - included read-only active
cac_view interfaces - included read-only active
cac_view ip - included read-only active
cac_view ospf - included read-only active
cac_view bgp - included read-only active
cac_view dot1dBridge - included read-only active
cac_view ifMIB - included read-only active
cac_view nhrpMIB - included read-only active
cac_view ipMRouteStdMIB - included read-only active
cac_view igmpStdMIB - included read-only active
cac_view ipForward - included read-only active
cac_view ipTrafficStats - included read-only active
cac_view ospfTrap - included read-only active
cac_view sysUpTime.0 - included read-only active
cac_view ciscoPingMIB - included read-only active
cac_view ciscoIpSecFlowMonitorMIB - included read-only active
cac_view ciscoIpSecPolMapMIB - included read-only active
cac_view ciscoPimMIB - included read-only active
cac_view ciscoMgmt.187 - included read-only active
cac_view ciscoIfExtensionMIB - included read-only active
cac_view ciscoEigrpMIB - included read-only active
cac_view ciscoCefMIB - included read-only active
cac_view ciscoNhrpExtMIB - included read-only active
cac_view ciscoIpMRouteMIB - included read-only active
cac_view ciscoIPsecMIB - included read-only active
cac_view cospf - included read-only active
cac_view ciscoExperiment.101 - included read-only active
cac_view ciscoIetfIsisMIB - included read-only active
cac_view ciscoIetfBfdMIB - included read-only active
cac_view ifIndex - included read-only active
cac_view ifDescr - included read-only active
cac_view ifType - included read-only active
cac_view ifAdminStatus - included read-only active
cac_view ifOperStatus - included read-only active
cac_view snmpTraps.3 - included read-only active
cac_view snmpTraps.4 - included read-only active
cac_view snmpTrapOID.0 - included read-only active
cac_view internet.6.3.1.1.4.3.0 - included read-only active
cac_view lifEntry.20 - included read-only active
cac_view cciDescriptionEntry.1 - included read-only active
v1default iso - excluded nonvolatile active
v1default internet.6.3.15 - excluded permanent active
v1default internet.6.3.16 - excluded permanent active
v1default internet.6.3.18 - excluded permanent active
v1default ciscoMgmt.394 - excluded permanent active
v1default ciscoMgmt.395 - excluded permanent active
v1default ciscoMgmt.399 - excluded permanent active
v1default ciscoMgmt.400 - excluded permanent active
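As an added example (not part of the original post), here is a small Python audit that parses the "show snmp group" and "show snmp view" output shown above and reports what is left to clean up: v1/v2c groups, v3 groups without priv or without an access-list, and legacy views (*ilmi, v1default) that still include a subtree and would therefore grant access again after a reboot. The sample output is constructed to match the page's layout, with the contextname/notifyview lines trimmed.

```python
import re

# Constructed samples laid out like the IOS "show snmp group" and "show snmp view"
# output on this page; contextname/notifyview lines are omitted (the parser ignores them).
SHOW_SNMP_GROUP = """\
groupname: ILMI                        security model:v1
readview : *ilmi               writeview: *ilmi
row status: active
groupname: SNMPv3-RO                   security model:v3 priv
readview : ReadView-All           writeview: <no writeview specified>
row status: active    access-list: snmp-Allow
groupname: SNMPv3-RW                   security model:v3 auth
readview : ReadView-All           writeview: WriteView-All
row status: active
"""
SHOW_SNMP_VIEW = """\
*ilmi system - excluded nonvolatile active
*ilmi atmForumUni - excluded nonvolatile active
v1default iso - included permanent active
"""

def field(block, pattern):
    """First capture group of pattern within one group block, or None if absent."""
    m = re.search(pattern, block, re.M)
    return m.group(1).strip() if m else None

def parse_groups(text):
    """One dict per group; a block starts at every line beginning with 'groupname:'."""
    blocks = [b for b in re.split(r"(?m)^(?=groupname:)", text) if b.strip()]
    return [{"name": field(b, r"^groupname:\s*(\S+)"),
             "model": field(b, r"security model:\s*(.+?)\s*$"),
             "acl": field(b, r"access-list:\s*(\S+)")} for b in blocks]

def audit_groups(text):
    """(group, problem) pairs for groups a v3-only policy should not keep as-is."""
    findings = []
    for g in parse_groups(text):
        if g["model"] in ("v1", "v2c"):
            findings.append((g["name"], f"remove: no snmp-server group {g['name']} {g['model']}"))
        else:
            if not g["model"].endswith("priv"):
                findings.append((g["name"], "v3 without priv: traffic is not encrypted"))
            if g["acl"] is None:
                findings.append((g["name"], "no access-list restricting manager addresses"))
    return findings

def open_legacy_views(text):
    """Legacy views that still include a subtree, so the default groups keep working."""
    hits = re.findall(r"(?m)^(\*ilmi|v1default)\s+\S+\s+-\s+included", text)
    return sorted(set(hits))
```

Feed it the real output of both show commands from each device; an empty result from both functions means the v1/v2c path is closed and will stay closed after a reload.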
Good topic, thanks!
But after disabling v1 and v2c groups, if you reboot your router, these groups will again be enabled...
You are right. Removing those hidden default Cisco groups will not survive a reboot. The best way is to disable them from the system views with the following commands:
snmp-server view *ilmi system excluded
snmp-server view *ilmi atmForumUni excluded
snmp-server view v1default iso excluded
okkkkk
Cisco