After noticing that an insecure method is proposed in a ManageEngine knowledge base article,
Enabling SNMP in Cisco Routers / Switches, I decided to write a guide to securing SNMP on Cisco switches and routers.
1. Telnet to the router/switch
prompt# telnet testrouter
2. Go to the enable mode by specifying the password:
3. Go into configuration mode:
Router# configure terminal
Enter configuration commands, one per line. End
4. Use the command below to add a Read-Only community string:
Router(config)#snmp-server community public RO
where “public” is the Read-only community string.
Never use a default community string. Always use strong community strings: long, with lowercase, uppercase and special characters.
Router(config)#access-list 12 permit 172.20.100.156
Router(config)#snmp-server community Q!@#$tNsecure RO 12
where “Q!@#$tNsecure” is the Read-only community string.
The above commands secure SNMP by allowing only the legitimate host (172.20.100.156), permitted by access list 12, to query your SNMP-enabled device.
5. To add a Read-Write Community string, use the command below:
Router(config)#snmp-server community private RW
where “private” is the Read-write community string.
This is the worst possible configuration, as it gives a common community string RW privilege. If your goal is purely network monitoring, you do not need this configuration at all.
6. Exit the configuration mode and save the settings:
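As an added example (not from the original article or from ManageEngine), the Python script below audits community lines like those in steps 4 and 5 for the weaknesses described above: default strings, weak strings, a missing or undefined access list, and RW access. The 12-character minimum, the name audit_snmp and the last sample line are assumptions made for illustration.

```python
import re

DEFAULT_COMMUNITIES = {"public", "private"}  # the defaults named on this page
MIN_LENGTH = 12  # assumed threshold; the page only says "long"
# snmp-server community <string> [view <name>] [RO|RW] [<acl>], optional prompt prefix
COMMUNITY_RE = re.compile(
    r"^(?:\S+#\s*)?snmp-server\s+community\s+(?P<community>\S+)"
    r"(?:\s+view\s+\S+)?(?:\s+(?P<mode>RO|RW))?(?:\s+(?P<acl>\S+))?\s*$",
    re.IGNORECASE)
# Numbered ACL definitions such as "access-list 12 permit 172.20.100.156"
ACL_RE = re.compile(r"^(?:\S+#\s*)?access-list\s+(?P<acl>\S+)\s+(?:permit|deny)\b", re.IGNORECASE)


def audit_snmp(config_text):
    """Return one dict per community line with the weaknesses found in it."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    defined_acls = {m.group("acl") for m in map(ACL_RE.match, lines) if m}
    report = []
    for m in filter(None, map(COMMUNITY_RE.match, lines)):
        community, acl = m.group("community"), m.group("acl")
        mode = (m.group("mode") or "RO").upper()  # IOS defaults to read-only
        findings = []
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append("default community string")
        elif len(community) < MIN_LENGTH or not all(
                re.search(p, community) for p in ("[a-z]", "[A-Z]", "[^A-Za-z0-9]")):
            findings.append("weak community string")
        if acl is None:
            findings.append("no access-list limits the querying hosts")
        elif acl not in defined_acls:
            findings.append("access-list %s is not defined in this config" % acl)
        if mode == "RW":
            findings.append("read-write community")
        report.append({"community": community, "mode": mode, "acl": acl, "findings": findings})
    return report


# Constructed sample: the commands shown on this page plus one dangling ACL reference
SAMPLE = """\
Router(config)#snmp-server community public RO
Router(config)#access-list 12 permit 172.20.100.156
Router(config)#snmp-server community Q!@#$tNsecure RO 12
Router(config)#snmp-server community private RW
snmp-server community Xy7&kLm#pQ2!w RO 40
"""

if __name__ == "__main__":
    for entry in audit_snmp(SAMPLE):
        print(entry["community"], entry["mode"], entry["acl"], entry["findings"] or "ok")
```

Only the ACL-restricted line from step 4 comes back with no findings; the same function can be run over the saved output of a device's running configuration.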