Hi everyone and Happy New Year,
I'm just securing SNMP on some C-series switches (and will also do so for 2 x N7s) and was thinking about best practice, so I have 4 questions below. I've disabled the public user and communities and also set v3 to use privacy (auth + privacy). (I haven't added a read-write user yet.) What's best practice though for read-only access?

1. Would you use v1 (unlikely) or v2c or v3 usm?
2. If v3 usm, which security level would you use?
3. Is there any benefit of using v3 usm with noauth over v2c? I suppose there's no reason not to max it up and use v3 usm privacy for all users regardless of whether access is read-only or read-write, but am unsure of any adverse implications of doing so - CPU usage implications or otherwise.
4. Lastly, if we end up not using v1 or v2c for anything (depending on answers above), then I could clear out all the commands in the snmp config relating to v1 or v2c, but since I've already cleared the v1 / v2c community names, access via v1 / v2c isn't possible - so am I correct in saying there's no real need to clear out the rest of the default v1 / v2c commands?

Thanks for any advice - further info below if you want.

Nick.
This is the default config on a C2 (with latest firmware):

#snmp
set snmp access ro security-model v1 exact read All notify All nonvolatile
set snmp access ro security-model v2c exact read All notify All nonvolatile
set snmp access public security-model v1 exact read All write All notify All nonvolatile
set snmp access public security-model v2c exact read All write All notify All nonvolatile
set snmp access public security-model usm exact read All write All notify All nonvolatile
set snmp community :3fb03022e4966512343b511c263dcf1240739359ec6cad7d8c6277007e7e0657521e0641967b150156: (this is the default 'public' community)
set snmp group ro user ro security-model v1
set snmp group public user public security-model v1
set snmp group ro user ro security-model v2c
set snmp group public user public security-model v2c
set snmp group public user public security-model usm
set snmp user public authentication md5 :072833fa6f9ce94cc22e50cccc7837d1: privacy :072833fa6f9ce94cc22e50cccc7837d1:
set snmp view viewname All subtree 1

These are the commands I've added (with an explanation in brackets):

clear snmp community public (gets rid of the default v1 / v2c community 'public' which has full read-write access)
clear snmp user public (gets rid of the default v3 user 'public' which has full read-write access without requiring authentication or privacy)
clear snmp access public security-model usm (removing this since by default it doesn't require privacy)
set snmp access ro security-model usm privacy exact read All notify All nonvolatile (make sure members of the ro group can use v3 usm and require privacy)
set snmp access public security-model usm privacy exact read All write All notify All nonvolatile (make sure members of the public group can use v3 usm and require privacy)
set snmp user MYREADONLYUSER authentication md5 PASSWORD1 privacy PASSWORD2 nonvolatile (create my custom read-only v3 user)
set snmp group ro user MYREADONLYUSER security-model usm (join my v3 user to the read-only group)

And this is the resulting config:

#snmp
clear snmp access public security-model usm
set snmp access ro security-model v1 exact read All notify All nonvolatile
set snmp access ro security-model v2c exact read All notify All nonvolatile
set snmp access ro security-model usm privacy exact read All notify All nonvolatile
set snmp access public security-model v1 exact read All write All notify All nonvolatile
set snmp access public security-model v2c exact read All write All notify All nonvolatile
set snmp access public security-model usm privacy exact read All write All notify All nonvolatile
clear snmp community :3fb03022e4966512343b511c263dcf1240739359ec6cad7d8c6277007e7e0657521e0641967b150156:
set snmp group ro user ro security-model v1
set snmp group public user public security-model v1
set snmp group ro user ro security-model v2c
set snmp group public user public security-model v2c
set snmp group public user public security-model usm
set snmp group ro user MYREADONLYUSER security-model usm
set snmp user MYREADONLYUSER authentication md5 :c75647c7f952ff003ca55b7312aa3dd1: privacy :f39cdd7fd76dfe3ab9063a93e1173cc1:
clear snmp user public
set snmp view viewname All subtree 1
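An added example, not part of the original post and not an Enterasys tool, that bears on question 4: a small Python script that replays an Enterasys-style `set snmp` / `clear snmp` dump in the order it is saved and reports which access paths are still reachable (a defined community, a usm access row that does not require privacy, a usm user that can write) versus rows that are merely dormant (v1/v2c rows with no community left, a usm group row pointing at a cleared user). It assumes only the command grammar as it appears in the dumps above; the two embedded configs are constructed from the posted default and resulting blocks, with the hashed secrets replaced by placeholders, and the 'default level' of a usm access row without an explicit keyword is treated as not-privacy, as the poster describes.

```python
"""
Hypothetical static audit of an Enterasys-style SNMP config dump.
Not an Enterasys tool: it understands only the 'set snmp ...' and
'clear snmp ...' forms that appear in the posted dumps.
"""

LEVELS = ("noauthentication", "authentication", "privacy")

# Constructed sample: the factory-default block as posted, secrets replaced by placeholders.
DEFAULT_CONFIG = """\
set snmp access ro security-model v1 exact read All notify All nonvolatile
set snmp access ro security-model v2c exact read All notify All nonvolatile
set snmp access public security-model v1 exact read All write All notify All nonvolatile
set snmp access public security-model v2c exact read All write All notify All nonvolatile
set snmp access public security-model usm exact read All write All notify All nonvolatile
set snmp community :PLACEHOLDER_COMMUNITY_DIGEST:
set snmp group ro user ro security-model v1
set snmp group public user public security-model v1
set snmp group ro user ro security-model v2c
set snmp group public user public security-model v2c
set snmp group public user public security-model usm
set snmp user public authentication md5 :PLACEHOLDER: privacy :PLACEHOLDER:
set snmp view viewname All subtree 1
"""

# Constructed sample: the resulting block after the poster's changes, same placeholders.
HARDENED_CONFIG = """\
clear snmp access public security-model usm
set snmp access ro security-model v1 exact read All notify All nonvolatile
set snmp access ro security-model v2c exact read All notify All nonvolatile
set snmp access ro security-model usm privacy exact read All notify All nonvolatile
set snmp access public security-model v1 exact read All write All notify All nonvolatile
set snmp access public security-model v2c exact read All write All notify All nonvolatile
set snmp access public security-model usm privacy exact read All write All notify All nonvolatile
clear snmp community :PLACEHOLDER_COMMUNITY_DIGEST:
set snmp group ro user ro security-model v1
set snmp group public user public security-model v1
set snmp group ro user ro security-model v2c
set snmp group public user public security-model v2c
set snmp group public user public security-model usm
set snmp group ro user MYREADONLYUSER security-model usm
set snmp user MYREADONLYUSER authentication md5 :PLACEHOLDER: privacy :PLACEHOLDER:
clear snmp user public
set snmp view viewname All subtree 1
"""


def parse_snmp_config(text):
    """Replay set/clear lines in order and return the effective SNMP state."""
    state = {"communities": set(), "users": set(), "groups": set(), "access": {}}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[1] != "snmp":
            continue
        verb, kind, name = tok[0], tok[2], tok[3]
        add = verb == "set"
        if kind in ("community", "user"):
            bucket = state["communities" if kind == "community" else "users"]
            (bucket.add if add else bucket.discard)(name)
        elif kind == "access":
            model = tok[tok.index("security-model") + 1]
            if not add:  # 'clear snmp access GROUP security-model MODEL'
                state["access"].pop((name, model), None)
                continue
            rest = tok[tok.index("security-model") + 2:]
            level = rest[0] if rest and rest[0] in LEVELS else None  # None: no explicit level
            state["access"][(name, model)] = {"level": level, "write": "write" in rest}
        elif kind == "group":
            entry = (name, tok[tok.index("user") + 1], tok[tok.index("security-model") + 1])
            (state["groups"].add if add else state["groups"].discard)(entry)
    return state


def audit(state):
    """Return (severity, message) findings; 'high' marks a still-reachable weak path."""
    findings = []
    for community in sorted(state["communities"]):
        findings.append(("high", f"v1/v2c community still defined: {community}"))
    for (group, model), row in sorted(state["access"].items()):
        if model == "usm" and row["level"] != "privacy":
            findings.append(("high", f"usm access for group '{group}' does not require privacy "
                                     f"(level: {row['level'] or 'not set'})"))
        if model in ("v1", "v2c") and not state["communities"]:
            findings.append(("info", f"{model} access for group '{group}' is dormant: no community defined"))
    for group, user, model in sorted(state["groups"]):
        if model != "usm":
            continue
        if user not in state["users"]:
            findings.append(("info", f"usm group '{group}' references undefined user '{user}'"))
        elif state["access"].get((group, "usm"), {}).get("write"):
            findings.append(("warn", f"usm user '{user}' has write access via group '{group}'"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for severity, message in audit(parse_snmp_config(cfg)):
            print(f"[{severity}] {message}")
```

Run against the default block it reports the community, the usm access row with no privacy requirement and the writable 'public' v3 user; against the resulting block it reports nothing above 'info', with the leftover v1/v2c rows and the usm group row for the cleared 'public' user listed as dormant rather than reachable. Paste a fresh dump into the script to re-check after future changes, and treat a new 'high' finding as something to look at before the config is saved.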
