SNMPv1 and v2c vs SNMPv3
SNMP version 2c is enabled by default. This protocol is used to manage switches and routers from a central management server such as AirWave or IMC. SNMPv2c uses community names for read and write access, much like passwords are used for authentication; these community names are sent across the wire in clear text. If a malicious user were to capture these community names, they could issue SNMP set commands to make unauthorized and potentially harmful configuration changes to a network device.
SNMP version 3 was developed to overcome this weakness by using asymmetric cryptography, similar to that used by SSH, to encrypt SNMP traffic over the wire. To enable SNMPv3, create an SNMPv3 user, and disable SNMPv1 and v2c, follow these steps:
switch(config)# snmpv3 enable
SNMPv3 Initialization process.
Creating user 'initial'
Authentication Protocol: MD5
Enter authentication password: ********
Privacy protocol is DES
Enter privacy password: ********
User 'initial' has been created
Would you like to create a user that uses SHA? [y/n] y
Enter user name: snmpv3user
Authentication Protocol: SHA
Enter authentication password: ********
Privacy protocol is DES
Enter privacy password: ********
User creation is done.
SNMPv3 is now functional.
Would you like to restrict SNMPv1 and SNMPv2c messages to have read only access
(you can set this later by the command 'snmpv3 restricted-access')? [y/n] y
switch(config)# snmpv3 only
If for any reason SNMPv3 is not an option for your network, you can enable SNMPv2c in restricted mode to allow management devices to retrieve information from, but not change any settings on, the switch:
switch(config)# snmp-server community readonly_community restricted
In any SNMP operating mode, disable the "public" community name by entering the following command:
switch(config)# no snmp-server community public
Some security policies may mandate that SNMP be disabled altogether. Disable all SNMP features by entering the following command:
switch(config)# no snmp-server enable
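The following Python script is an added example and is not part of this guide or of ArubaOS-Switch itself. It audits a saved running-config excerpt against the settings recommended above: SNMPv3 enabled and enforced (snmpv3 only, or at least snmpv3 restricted-access), the default "public" community removed, and any remaining SNMPv2c community set to restricted. The config text is constructed for illustration; the script assumes community lines follow the command syntax shown in this section, with the community name optionally quoted and an optional operator/manager keyword as they appear in a running-config display. The names COMMUNITY_RE, audit_snmp_config and is_hardened are the example's own.

```python
"""Audit an ArubaOS-Switch running-config excerpt for SNMP hardening gaps.

Added example, not code from the hardening guide. It is line-based and only
understands the command forms shown in the guide:
  snmpv3 enable / snmpv3 only / snmpv3 restricted-access
  snmp-server community <name> [operator|manager] [restricted|unrestricted]
  no snmp-server enable
"""
import re

# Assumption: running-config shows the community name optionally quoted and an
# optional MIB-view keyword before the access mode, e.g.
#   snmp-server community "public" unrestricted
#   snmp-server community "netmon" operator restricted
COMMUNITY_RE = re.compile(
    r'^snmp-server community\s+"?([^"\s]+)"?'
    r'(?:\s+(operator|manager))?'
    r'(?:\s+(restricted|unrestricted))?\s*$',
    re.IGNORECASE,
)

# Constructed sample configs (not captured from a real device).
WEAK_CONFIG = """
hostname "edge-switch-01"
snmp-server community "public" unrestricted
snmp-server community "netmon" operator
"""

HARDENED_CONFIG = """
hostname "edge-switch-01"
snmpv3 enable
snmpv3 only
snmp-server community "readonly_community" operator restricted
"""


def audit_snmp_config(config_text):
    """Return a list of (severity, finding) tuples; an empty list means no gaps."""
    lines = [line.strip() for line in config_text.splitlines() if line.strip()]

    # SNMP switched off entirely: nothing else to check.
    if "no snmp-server enable" in lines:
        return [("info", "SNMP is disabled entirely; no further SNMP checks apply")]

    findings = []
    v3_enabled = "snmpv3 enable" in lines
    v3_only = "snmpv3 only" in lines
    v3_restricted = "snmpv3 restricted-access" in lines

    if not v3_enabled:
        findings.append(("high",
                         "SNMPv3 is not enabled; community names travel in clear text "
                         "(fix: snmpv3 enable)"))
    elif not (v3_only or v3_restricted):
        findings.append(("medium",
                         "SNMPv3 is enabled but SNMPv1/v2c still accept set requests "
                         "(fix: snmpv3 only, or at least snmpv3 restricted-access)"))

    for line in lines:
        match = COMMUNITY_RE.match(line)
        if not match:
            continue
        name, _view, mode = match.groups()
        mode = mode.lower() if mode else None
        if name.lower() == "public":
            findings.append(("high",
                             "default 'public' community is configured "
                             "(fix: no snmp-server community public)"))
        elif mode == "unrestricted":
            findings.append(("high",
                             f"community '{name}' allows SNMP set/write "
                             f"(fix: snmp-server community {name} restricted)"))
        elif mode is None:
            findings.append(("medium",
                             f"community '{name}' has no explicit access mode; "
                             "set it to restricted"))
    return findings


def is_hardened(config_text):
    """True when the excerpt contains no high-severity SNMP finding."""
    return not any(sev == "high" for sev, _ in audit_snmp_config(config_text))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}] hardened={is_hardened(cfg)}")
        for severity, text in audit_snmp_config(cfg):
            print(f"  {severity:6} {text}")
```

Feed it the output of `show running-config` saved to a file; a switch whose config still has the default "public" community or a community without restricted reports a high finding and is_hardened returns False.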
For further details, refer to:
“Using SNMP To View and Configure Switch Authentication Features” in the chapter titled “RADIUS Authentication, Authorization, and Accounting” in the ArubaOS-Switch Access Security Guide.
“CLI: Viewing and Configuring SNMP Community Names” and “Using SNMP Tools To Manage the Switch” in the chapter titled “Configuring for Network Management Applications” in the ArubaOS-Switch Management and Configuration Guide.