1. Enable SNMPv3
It is time to retire SNMPv2 in our network environment. Here is a sample configuration for all of our Cisco devices. Some older devices do not support AES; on those, DES is the only choice for privacy.
ip access-list standard snmp-Allow
 permit 192.168.1.0 0.0.0.255
! Read view: everything under iso, minus the SNMP security/config MIBs
! (USM 1.3.6.1.6.3.15, VACM 1.3.6.1.6.3.16, community MIB 1.3.6.1.6.3.18)
! and the IP routing table (1.3.6.1.2.1.4.21) and ARP table (1.3.6.1.2.1.4.22)
snmp-server view ReadAccess iso included
snmp-server view ReadAccess 1.3.6.1.6.3.18 excluded
snmp-server view ReadAccess 1.3.6.1.6.3.16 excluded
snmp-server view ReadAccess 1.3.6.1.6.3.15 excluded
snmp-server view ReadAccess 1.3.6.1.2.1.4.21 excluded
snmp-server view ReadAccess 1.3.6.1.2.1.4.22 excluded
snmp-server view ReadAccess internet included
snmp-server view ReadAccess system included
snmp-server view ReadAccess interfaces included
snmp-server view ReadAccess chassis included
! Write view with the same exclusions
snmp-server view WriteAccess iso included
snmp-server view WriteAccess internet included
snmp-server view WriteAccess system included
snmp-server view WriteAccess interfaces included
snmp-server view WriteAccess chassis included
snmp-server view WriteAccess 1.3.6.1.6.3.18 excluded
snmp-server view WriteAccess 1.3.6.1.6.3.16 excluded
snmp-server view WriteAccess 1.3.6.1.6.3.15 excluded
snmp-server view WriteAccess 1.3.6.1.2.1.4.21 excluded
snmp-server view WriteAccess 1.3.6.1.2.1.4.22 excluded
! Groups: authPriv only, and only from the subnet allowed by snmp-Allow
snmp-server group AccessRW v3 priv read ReadAccess write WriteAccess access snmp-Allow
snmp-server group AccessRO v3 priv read ReadAccess access snmp-Allow
! Users: SHA authentication and AES-128 privacy ("cisco" is a sample secret;
! use "priv des" only on devices without AES support)
snmp-server user NetServices-RW AccessRW v3 auth sha cisco priv aes 128 cisco
snmp-server user NetServices-RO AccessRO v3 auth sha cisco priv aes 128 cisco
! Trap receiver; the user name must match one of the v3 users defined above
snmp-server host 192.168.1.40 traps version 3 priv NetServices-RO
snmp-server enable traps
2. Disable SNMP v1 and SNMP v2c
First list the existing groups. The default ILMI groups carry security model v1 and v2c, so they are the ones to remove:
CiscoTest#show snmp group
groupname: ILMI security model:v1
contextname: <no context specified> storage-type: permanent
readview : *ilmi writeview: *ilmi
notifyview: <no notifyview specified>
row status: active
groupname: ILMI security model:v2c
contextname: <no context specified> storage-type: permanent
readview : *ilmi writeview: *ilmi
notifyview: <no notifyview specified>
row status: active
groupname: SNMPv3-RO security model:v3 priv
contextname: <no context specified> storage-type: nonvolatile
readview : ReadView-All writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active access-list: snmp-Allow
groupname: SNMPv3-RW security model:v3 priv
contextname: <no context specified> storage-type: nonvolatile
readview : ReadView-All writeview: WriteView-All
notifyview: <no notifyview specified>
row status: active access-list: snmp-Allow
groupname: NetService-RO security model:v3 priv
contextname: <no context specified> storage-type: nonvolatile
readview : <no readview specified> writeview: <no writeview specified>
notifyview: *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F
row status: active
CiscoTest(config)#no snmp-server group ILMI v1
CiscoTest(config)#no snmp-server group ILMI v2c
CiscoTest(config)#do sh snmp group
groupname: SNMPv3-RO security model:v3 priv
contextname: <no context specified> storage-type: nonvolatile
readview : ReadView-All writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active access-list: snmp-Allow
groupname: SNMPv3-RW security model:v3 priv
contextname: <no context specified> storage-type: nonvolatile
readview : ReadView-All writeview: WriteView-All
notifyview: <no notifyview specified>
row status: active access-list: snmp-Allow
groupname: NetService-RO security model:v3 priv
contextname: <no context specified> storage-type: nonvolatile
readview : <no readview specified> writeview: <no writeview specified>
notifyview: *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F
row status: active
Unfortunately, those groups come back after the system reboots. The best way is to remove their access from the system views with the following commands:
snmp-server view *ilmi system excluded
snmp-server view *ilmi atmForumUni excluded
snmp-server view v1default iso excluded
R-Test-Lab#show snmp view
*ilmi system - excluded nonvolatile active
*ilmi atmForumUni - excluded nonvolatile active
cac_view pimMIB - included read-only active
cac_view msdpMIB - included read-only active
cac_view interfaces - included read-only active
cac_view ip - included read-only active
cac_view ospf - included read-only active
cac_view bgp - included read-only active
cac_view dot1dBridge - included read-only active
cac_view ifMIB - included read-only active
cac_view nhrpMIB - included read-only active
cac_view ipMRouteStdMIB - included read-only active
cac_view igmpStdMIB - included read-only active
cac_view ipForward - included read-only active
cac_view ipTrafficStats - included read-only active
cac_view ospfTrap - included read-only active
cac_view sysUpTime.0 - included read-only active
cac_view ciscoPingMIB - included read-only active
cac_view ciscoIpSecFlowMonitorMIB - included read-only active
cac_view ciscoIpSecPolMapMIB - included read-only active
cac_view ciscoPimMIB - included read-only active
cac_view ciscoMgmt.187 - included read-only active
cac_view ciscoIfExtensionMIB - included read-only active
cac_view ciscoEigrpMIB - included read-only active
cac_view ciscoCefMIB - included read-only active
cac_view ciscoNhrpExtMIB - included read-only active
cac_view ciscoIpMRouteMIB - included read-only active
cac_view ciscoIPsecMIB - included read-only active
cac_view cospf - included read-only active
cac_view ciscoExperiment.101 - included read-only active
cac_view ciscoIetfIsisMIB - included read-only active
cac_view ciscoIetfBfdMIB - included read-only active
cac_view ifIndex - included read-only active
cac_view ifDescr - included read-only active
cac_view ifType - included read-only active
cac_view ifAdminStatus - included read-only active
cac_view ifOperStatus - included read-only active
cac_view snmpTraps.3 - included read-only active
cac_view snmpTraps.4 - included read-only active
cac_view snmpTrapOID.0 - included read-only active
cac_view internet.6.3.1.1.4.3.0 - included read-only active
cac_view lifEntry.20 - included read-only active
cac_view cciDescriptionEntry.1 - included read-only active
v1default iso - excluded nonvolatile active
v1default internet.6.3.15 - excluded permanent active
v1default internet.6.3.16 - excluded permanent active
v1default internet.6.3.18 - excluded permanent active
v1default ciscoMgmt.394 - excluded permanent active
v1default ciscoMgmt.395 - excluded permanent active
v1default ciscoMgmt.399 - excluded permanent active
v1default ciscoMgmt.400 - excluded permanent active
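To check that a config to be pushed follows both halves of this post (authPriv v3 groups behind an ACL, SHA/AES users, no community strings, and the *ilmi/v1default views emptied), here is an added audit script; it is not part of the original post, the sample config it scans is constructed, and the check names and thresholds are my own choices.

```python
# Constructed sample of SNMP config lines to be pushed to a device (not from the post).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server view *ilmi system excluded
snmp-server view *ilmi atmForumUni excluded
snmp-server group AccessRO v3 priv read ReadAccess access snmp-Allow
snmp-server group Legacy v3 noauth read ReadAccess
snmp-server user NetServices-RO AccessRO v3 auth sha s3cretpw priv aes 128 s3cretpw
snmp-server user OldUser AccessRO v3 auth md5 s3cretpw priv des s3cretpw
"""

# View entries that must be 'excluded' so the default ILMI/v1default groups see nothing.
REQUIRED_EXCLUSIONS = {("*ilmi", "system"), ("*ilmi", "atmForumUni"), ("v1default", "iso")}

def audit_snmp_config(config):
    """Return a list of findings for the snmp-server lines of an IOS-style config text."""
    findings, excluded = [], set()
    for raw in config.splitlines():
        p = raw.split()
        if p[:2] == ["snmp-server", "community"]:       # any community = v1/v2c access
            findings.append(f"community string configured (v1/v2c): {p[2]}")
        elif p[:2] == ["snmp-server", "view"] and len(p) >= 5 and p[4] == "excluded":
            excluded.add((p[2], p[3]))  # snmp-server view <name> <subtree> excluded
        elif p[:2] == ["snmp-server", "group"]:
            name, model = p[2], p[3]    # snmp-server group <name> v1|v2c|v3 [auth|noauth|priv]
            if model != "v3":
                findings.append(f"group {name} uses security model {model}")
            elif len(p) < 5 or p[4] != "priv":
                findings.append(f"v3 group {name} is not priv (authPriv)")
            if "access" not in p:
                findings.append(f"group {name} has no access-list")
        elif p[:2] == ["snmp-server", "user"]:
            name = p[2]
            if "auth" not in p:
                findings.append(f"user {name} has no authentication")
            elif p[p.index("auth") + 1] == "md5":
                findings.append(f"user {name} authenticates with md5")
            if "priv" not in p:
                findings.append(f"user {name} has no privacy (unencrypted)")
            elif p[p.index("priv") + 1] != "aes":
                findings.append(f"user {name} uses {p[p.index('priv') + 1]} privacy, not aes")
    for view, subtree in sorted(REQUIRED_EXCLUSIONS):
        if (view, subtree) not in excluded:
            findings.append(f"view {view} does not exclude {subtree}")
    return findings

if __name__ == "__main__":
    for finding in audit_snmp_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

IOS does not display snmp-server user lines in the running configuration, so on a deployed device feed the script the intended config and verify users separately with show snmp user.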
Good topic, thanks!
But after disabling the v1 and v2c groups, if you reboot your router, these groups will be enabled again...
You are right. Removing those hidden default Cisco groups will not survive a reboot. The best way is to disable them from the system views with the following commands:
snmp-server view *ilmi system excluded
snmp-server view *ilmi atmForumUni excluded
snmp-server view v1default iso excluded