SNMPv1 and v2c vs SNMPv3 - snmpv3 enable

Information

SNMP version 2c is enabled by default. This protocol is used to manage switches and routers from a central management server such as AirWave or IMC. SNMPv2c uses community names for read and write access, much like passwords are used for authentication; these community names are sent across the wire as clear text. If a malicious user were to capture these community names, they could potentially issue SNMP set commands to make unauthorized and potentially harmful configuration changes to a network device.

Solution

SNMP version 3 was developed to overcome this weakness by using asymmetric cryptography, similar to that used by SSH, to encrypt SNMP traffic over the wire. To enable SNMPv3, create an SNMPv3 user, and disable SNMPv1 and v2c, follow these steps:

switch(config)# snmpv3 enable
SNMPv3 Initialization process.
Creating user 'initial'
Authentication Protocol: MD5
Enter authentication password: ********
Privacy protocol is DES
Enter privacy password: ********

User 'initial' has been created
Would you like to create a user that uses SHA? [y/n] y
Enter user name: snmpv3user
Authentication Protocol: SHA
Enter authentication password: ********
Privacy protocol is DES
Enter privacy password: ********

User creation is done. SNMPv3 is now functional.
Would you like to restrict SNMPv1 and SNMPv2c messages to have read only access (you can set this later by the command 'snmpv3 restricted-access')? [y/n] y

switch(config)# snmpv3 only

If for any reason SNMPv3 is not an option for your network, you can enable SNMPv2c in restricted mode to allow management devices to retrieve information from, but not change any settings on, the switch:

switch(config)# snmp-server community readonly_community restricted

In any SNMP operating mode, disable the "public" community name by entering the following command:

switch(config)# no snmp-server community public

Some security policies may mandate that SNMP be disabled altogether. Disable all SNMP features by entering the following command:

switch(config)# no snmp-server enable
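As an added example (not part of this check or of the HPE document it cites), the following Python script audits an ArubaOS-Switch running-config excerpt for the settings described above: SNMP disabled entirely, or SNMPv3 enabled with v1/v2c write access closed off and the "public" community removed. The sample configurations are constructed, and the parser assumes the running config echoes the commands in the same syntax as the procedure (quoted community names are also accepted).

```python
import re

# Constructed sample running-config excerpts (not captured from a real device).
# Assumption: the running config echoes the commands in the same syntax as the
# procedure above; quoted community names are accepted as well.
WEAK_CONFIG = """\
hostname "access-sw-01"
snmp-server community "public" unrestricted
snmp-server community "netmgmt" manager unrestricted
"""
HARDENED_CONFIG = """\
hostname "access-sw-01"
snmpv3 enable
snmpv3 only
snmp-server community "readonly_community" restricted
"""
DISABLED_CONFIG = 'hostname "access-sw-01"\nno snmp-server enable\n'

COMMUNITY_RE = re.compile(r'^snmp-server community\s+"?([^"\s]+)"?(.*)$', re.I)


def audit_snmp(config: str) -> list[str]:
    """Return findings against the checks above; an empty list means the
    excerpt has SNMP disabled, or has SNMPv3 enabled with v1/v2c set
    operations blocked and the 'public' community removed."""
    lines = [line.strip() for line in config.splitlines()]
    if "no snmp-server enable" in lines:
        return []  # SNMP disabled altogether: nothing else to check
    communities = {}
    for line in lines:
        m = COMMUNITY_RE.match(line)
        if m:
            tokens = m.group(2).lower().split()
            # A community with no explicit mode keyword is treated as read/write (assumption)
            communities[m.group(1)] = "restricted" if "restricted" in tokens else "unrestricted"
    v3_only = "snmpv3 only" in lines
    # 'snmpv3 only' rejects v1/v2c entirely; 'snmpv3 restricted-access' makes them read-only
    v1v2_readonly = v3_only or "snmpv3 restricted-access" in lines
    findings = []
    if "snmpv3 enable" not in lines:
        findings.append("SNMPv3 is not enabled ('snmpv3 enable' missing)")
    if "public" in communities:
        findings.append("default community 'public' is still configured")
    if not v1v2_readonly:
        for name, mode in communities.items():
            if mode != "restricted":
                findings.append(f"community '{name}' permits SNMPv1/v2c set operations")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("disabled", DISABLED_CONFIG)):
        print(label, audit_snmp(cfg) or "OK")
```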

See Also

https://support.hpe.com/hpesc/public/docDisplay?docId=a00056155en_us

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-6b., 800-53|SI-2c.

Plugin: ArubaOS

Control ID: 4ce3d56cd663179f5ac3f9913cd8539bab838b171c9e402bfcde98fe50046f26