SNMPv1 and v2c vs SNMPv3 - snmp-server community

Information

SNMP is disabled by default in ArubaOS-CX. This protocol is used to monitor switches and routers from a central management server such as AirWave or IMC. The commonly used SNMP versions 1 and 2c authenticate requests with community names, which act much like shared passwords for read and write access. These community names are sent across the wire in cleartext, so anyone who can sniff the management path or read a packet capture learns them. A malicious user who captures a community name can then pull configuration parameters and monitoring data from the switch.

SNMP version 3 was developed to overcome this weakness. Its User-based Security Model gives each user an authentication key (HMAC-MD5 or HMAC-SHA) that proves message origin and integrity, and an optional privacy key (DES or AES) that encrypts the PDU. Both are symmetric keys that the switch and the management station derive from the user's passphrases and the switch's SNMP engine ID (RFC 3414), so the passphrases themselves never cross the wire. Unlike SSH, SNMPv3 does not use asymmetric cryptography; the protection rests on a shared secret, so the auth-pass and priv-pass values need the same care as any other credential.
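The following Python is an added illustration, not part of this audit item or of the vendor's software: it reproduces the RFC 3414 key derivation that an SNMPv3 agent and manager each perform from the user's passphrase (the auth-pass / priv-pass values above) and the agent's engine ID, and checks it against the RFC's own "maplesyrup" test vector. The function names are the editor's; the 12-byte engine ID and the sample message are constructed inputs. It shows why the scheme is symmetric: both sides compute the same localized key and use it for HMAC and for the cipher key.

```python
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576  # RFC 3414 A.2 stretches the passphrase to exactly this many bytes


def stretch_password(password: bytes, algo: str = "sha1") -> bytes:
    """Ku = H(passphrase repeated cyclically to 1,048,576 bytes). RFC 3414 A.2.1 / A.2.2."""
    if not password:
        raise ValueError("empty passphrase")
    repeated = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algo, repeated).digest()


def localize_key(password: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the per-agent key held by both agent and manager.

    Because the engine ID is mixed in, the same passphrase yields a different key on
    every switch, so one compromised switch does not expose the key used on the others.
    """
    ku = stretch_password(password, algo)
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_tag(localized_key: bytes, whole_msg: bytes, algo: str = "sha1") -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96 (RFC 3414 6.3.1 / 7.3.1): HMAC over the message, truncated to 96 bits."""
    return hmac.new(localized_key, whole_msg, algo).digest()[:12]


def priv_cipher_key(localized_key: bytes, cipher: str) -> bytes:
    """Bytes of the localized privacy key actually used as the cipher key:
    DES takes the first 8 (RFC 3414 8.1.1.1), AES-128 the first 16 (RFC 3826 1.3)."""
    if cipher == "des":
        return localized_key[:8]
    if cipher == "aes":
        return localized_key[:16]
    raise ValueError(f"unsupported privacy cipher: {cipher}")


if __name__ == "__main__":
    # RFC 3414 appendix A.3 test vector: passphrase "maplesyrup", engine ID 00..02.
    engine = bytes.fromhex("000000000000000000000002")
    key = localize_key(b"maplesyrup", engine, "sha1")
    print("localized SHA-1 key:", key.hex())
    # Constructed stand-in for a serialized SNMPv3 message (not a real BER encoding).
    sample_msg = b"\x30\x00" + b"constructed-snmpv3-message"
    print("HMAC-SHA-96 tag   :", auth_tag(key, sample_msg).hex())
```

The engine ID is learned in the clear during SNMPv3 discovery; that is by design, since without the passphrase it is useless. What must stay secret is the passphrase (or the localized key), which is why the auth-pass and priv-pass in the switch configuration, and their copies on the management server, are the credentials to protect.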

Solution

Follow these steps to create an SNMPv3 user with both authentication and privacy (authPriv), and assign SNMP functionality to the mgmt VRF instance:

switch(config)# snmpv3 user myUser auth sha auth-pass plaintext myAuthPswrd priv des priv-pass plaintext myPrivPswrd
switch(config)# snmp-server vrf mgmt

Use priv aes rather than priv des wherever the management station supports it; DES is a 56-bit cipher and should be treated as a compatibility fallback only. A user defined without the priv keywords authenticates but sends data unencrypted (authNoPriv), and one defined without auth offers no more protection than a community name, so neither satisfies the intent of this item.

In addition to enabling SNMPv3, the default SNMPv1/v2c community name public should be replaced with a nonstandard community name:

switch(config)# snmp-server community ReadOnlyCommunity

Use this community name instead only where SNMPv3 cannot be used because of functional limitations in the environment (for example, a management station that does not support v3) but SNMP is still required for device monitoring; treat it as a credential and keep it to read-only access.
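To check a running configuration for the conditions this item describes, here is an added Python example that is not part of this audit item or of any vendor tooling. It runs the checks over two constructed running-config excerpts (not captured from a real switch); the audit_snmp function, its finding messages and the sample texts are the editor's own. The parsing assumes the AOS-CX command forms shown in the Solution above.

```python
import re

# Constructed sample AOS-CX running-config excerpts (not captured from a real switch).
WEAK_CONFIG = """\
hostname access-sw1
snmp-server community public
snmp-server vrf default
"""

HARDENED_CONFIG = """\
hostname access-sw1
snmpv3 user myUser auth sha auth-pass plaintext myAuthPswrd priv aes priv-pass plaintext myPrivPswrd
snmp-server community ReadOnlyCommunity
snmp-server vrf mgmt
"""

# Community names that ship as defaults on many devices and are the first ones an attacker tries.
DEFAULT_COMMUNITIES = {"public", "private"}


def _value_after(tokens, keyword):
    """Return the token following `keyword` (e.g. 'sha' after 'auth'), or None if absent."""
    if keyword in tokens:
        i = tokens.index(keyword)
        return tokens[i + 1] if i + 1 < len(tokens) else None
    return None


def audit_snmp(config: str) -> list:
    """Return a list of findings for the SNMP lines of an AOS-CX config; empty means compliant."""
    findings = []
    communities = re.findall(r"^\s*snmp-server community (\S+)", config, re.M)
    v3_users = re.findall(r"^\s*snmpv3 user (\S+)(.*)$", config, re.M)
    vrfs = re.findall(r"^\s*snmp-server vrf (\S+)", config, re.M)

    # SNMP is disabled by default on AOS-CX: with no SNMP lines there is nothing to report.
    if not (communities or v3_users or vrfs):
        return findings

    for name in communities:
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default SNMPv1/v2c community '{name}' is configured")

    if not v3_users:
        findings.append("no SNMPv3 user configured; monitoring relies on cleartext community names")

    for name, rest in v3_users:
        tokens = rest.split()
        auth_alg = _value_after(tokens, "auth")
        priv_alg = _value_after(tokens, "priv")
        if auth_alg is None:
            findings.append(f"SNMPv3 user '{name}' has no authentication (noAuthNoPriv)")
        elif auth_alg == "md5":
            findings.append(f"SNMPv3 user '{name}' uses MD5 authentication; prefer SHA")
        if priv_alg is None:
            findings.append(f"SNMPv3 user '{name}' has no privacy key (authNoPriv); traffic is not encrypted")
        elif priv_alg == "des":
            findings.append(f"SNMPv3 user '{name}' uses DES privacy; prefer AES")

    if vrfs and "mgmt" not in vrfs:
        findings.append(f"SNMP enabled on VRF(s) {', '.join(vrfs)} but not bound to mgmt")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_snmp(cfg)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for line in result:
            print("  -", line)
```

The check deliberately does not flag a non-default community that coexists with an SNMPv3 user, since this item allows one for stations that cannot speak v3; if your environment has no such station, add a finding for any community at all so v1/v2c is switched off entirely.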

See Also

https://support.hpe.com/hpesc/public/docDisplay?docId=a00053695en_us

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5e.

Plugin: ArubaOS

Control ID: 671093f5bc7c3b7a8db37d78aea22bf4b35b4d326de68b0299e3383f8b4e1ee4