Secure SNMP configuration in Cisco Switches and Routers

After noticing that an insecure method is proposed in a ManageEngine knowledge base article – Enabling SNMP in Cisco Routers / Switches – I decided to write a guide to securing SNMP on Cisco switches and routers.

1. Telnet to the router/switch

prompt# telnet testrouter

2. Enter enable mode by supplying the enable password:

Router>enable

Password:

Router#

3. Go into configuration mode:

Router# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#

4. Use the command below to add a Read-Only community string:

Router(config)#snmp-server community public RO

where “public” is the Read-only community string.

Never use the default community strings. Always use strong community strings, with lowercase, uppercase and special characters, and keep them long. In addition, restrict which hosts may use the string by binding it to an access-list:

Router(config)#access-list 12 permit 172.20.100.156

Router(config)#snmp-server community Q!@#$tNsecure RO 12

where “Q!@#$tNsecure” is the Read-only community string and 12 is the access-list number.

The commands above secure SNMP by allowing only the legitimate host (172.20.100.156) to query the device with that community string; every other source address is dropped by the implicit deny at the end of the access-list.

5. To add a Read-Write Community string, use the command below:

Router(config)#snmp-server community private RW

where “private” is the Read-write community string.

This is the worst possible configuration, as you provide a common community string with RW privilege. If your goal is purely network monitoring, then you do not need this configuration at all.

6. Exit configuration mode and save the settings:

Router(config)#exit

Router#write memory

Building configuration…

[OK]

Router#
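As an added example (not part of the original article or any vendor tool), a small Python audit that reads a saved running-config and flags the weak SNMP settings discussed in steps 4 and 5: default community strings, RW access, and community strings not bound to an access-list. The sample config, the 12-character minimum length, and the check for undefined access-lists are my assumptions.

```python
import re

# Constructed sample running-config excerpt (not taken from any real device).
# It mixes the insecure defaults the article warns about with the hardened form.
SAMPLE_CONFIG = """\
access-list 12 permit 172.20.100.156
snmp-server community public RO
snmp-server community private RW
snmp-server community Q!@#$tNsecure RO 12
"""

DEFAULT_COMMUNITIES = {"public", "private"}
MIN_LENGTH = 12  # assumed local policy value, not a Cisco default

# Matches the forms used in the article: community [RO|RW] [access-list-number]
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$")
ACL_RE = re.compile(r"^access-list (\S+) ")


def audit_snmp(config: str) -> list[tuple[str, str]]:
    """Return (community, finding) pairs for weak snmp-server community lines."""
    lines = [ln.strip() for ln in config.splitlines()]
    # Collect the access-list numbers/names that are actually defined.
    acls = {m.group(1) for ln in lines if (m := ACL_RE.match(ln))}
    findings = []
    for ln in lines:
        if not ln.startswith("snmp-server community "):
            continue
        m = COMMUNITY_RE.match(ln)
        if not m:
            # Other syntaxes (e.g. with a view) are not parsed here; surface them.
            findings.append((ln, "unrecognised syntax, review manually"))
            continue
        community, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((community, "default community string"))
        if len(community) < MIN_LENGTH:
            findings.append((community, f"shorter than {MIN_LENGTH} characters"))
        if mode == "RW":
            findings.append((community, "read-write access"))
        if acl is None:
            findings.append((community, "no access-list restricting source hosts"))
        elif acl not in acls:
            findings.append((community, f"access-list {acl} is not defined"))
    return findings


if __name__ == "__main__":
    for community, finding in audit_snmp(SAMPLE_CONFIG):
        print(f"{community}: {finding}")
```

On the sample config, the hardened Q!@#$tNsecure line produces no findings while public and private are each flagged more than once.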
