1.4.2 If SNMPv2 is in use, set Restrictions on Access - snmp-server

Information

NX-OS allows administrators to restrict SNMPv2 access to known management stations, usually servers with an NMS (Network Management System) installed. It is recommended that only known NMS servers have access to SNMPv2 functions on network infrastructure. While SNMP is not enabled by default on the NX-OS platform, historically the SNMP strings of 'public' (for read-only access) and 'private' (for read-write access) have been used. These well-known values should never be configured.

Rationale:

Since SNMPv2 is a clear-text UDP protocol, restricting access by source address still exposes this traffic to spoofing, eavesdropping and in-flight modification attacks. It also means that the switch can be used as a DDoS amplification host if the NMS server's IP address is known.

For all of these reasons, the best recommendation is in fact to disable SNMPv2 and use SNMPv3. Proceed with this recommendation only if you must use SNMPv2 for some reason.

Impact:

If SNMPv2 is configured, not restricting access to SNMPv2 allows an attacker to launch a dictionary and/or a brute force attack to compromise the SNMPv2 community string. This would then give the attacker the ability to collect key information from the target switch, including its version, interface status and configuration parameters.

Solution

Create the ACL:

switch(config)# ip access-list ACL-IPV4-SNMPv2
switch(config-acl)# permit udp 1.2.3.4/32 1.2.3.6/32 eq 161
switch(config-acl)# deny ip any any log

Then apply the ACL to the configured SNMP Community. The snmp-server community must be configured before applying the ACL.

switch(config)# snmp-server community <somecomplexstring> ro
switch(config)# snmp-server community <somecomplexstring> use-ipv4acl ACL-IPV4-SNMPv2

For IPv6, the parameter 'use-ipv6acl' would be used instead. Note that either an IPv4 OR an IPv6 ACL can be applied to a given SNMP community string, not both.
In releases prior to Cisco NX-OS Release 7.0(3)I4(1), this CLI command includes use-acl rather than use-ipv4acl.

Default Value:

By default SNMP is not configured on NX-OS platforms.

See Also

https://workbench.cisecurity.org/files/3102

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-3, 800-53|SC-7(15), CSCv7|4.6, CSCv7|11.6, CSCv7|11.7

Plugin: Cisco

Control ID: 895fe83e31929c64bfa55188a9c4e6fc0773f13086fee8849cc523af76589b48