1.4.5 Configure SNMP Source Interface for Traps - snmp-server host

Information

The administrator can configure the interface, and therefore the source IP address, from which SNMP notifications (traps and informs) are sent.

Rationale:

By using a source interface, the administrator can ensure that the source IP address of SNMP traps does not change as the network topology changes, for instance when a link fails or is reconfigured and a different IP address is now topologically 'closer' to the SNMP trap server. Trap receivers and any firewalls in the path typically identify a device by its source IP address, so a shifting source can cause notifications to be dropped or attributed to the wrong device. There are a few typical candidates for an SNMP source IP address:

A loopback address, as loopbacks are always up and the traffic can be routed over any transit interface.

The mgmt 0 address, as that provides an out-of-band path to the SNMP server. SNMP traffic then does not compete with production traffic for bandwidth and cannot be 'starved' by it. If the entire path is out-of-band, this also provides excellent protection from eavesdropping by malicious actors that may be on the 'production data side' of the switch; note that this benefit only holds if the management network is genuinely isolated end to end.

A combination of the two (less common), for instance a loopback address in the management VRF.

Solution

switch(config)# snmp-server host 1.2.3.4 source-interface mgmt 0

or

switch(config)# snmp-server host 1.2.3.4 source-interface loopback 0

Alternatively, set the source interface globally for all SNMP trap or inform destinations:

switch(config)# snmp-server source-interface traps loopback 0
switch(config)# snmp-server source-interface informs loopback 0

or

switch(config)# snmp-server source-interface traps mgmt 0
switch(config)# snmp-server source-interface informs mgmt 0

Default Value:

Not configured. By default, SNMP traffic is sourced from the IP address of the Layer 3 interface that the routing table selects as the egress towards the configured SNMP server, so the source address changes whenever the route to that server changes.
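The following Python script is an added example, not part of the CIS benchmark text or of the audit plugin, that checks a `show running-config snmp` excerpt against this recommendation. It parses the per-host `snmp-server host ... source-interface` lines and the global `snmp-server source-interface traps|informs` lines, and reports for every notification host which interface its traps or informs will be sourced from, or None if the default (routing-table egress) still applies. Both configuration samples are constructed; the rule that a per-host source-interface takes precedence over the global one is an assumption of this example, not something the benchmark states.

```python
import re
from typing import Dict, List, Optional

# Constructed "show running-config snmp" excerpt from a switch that has NOT
# applied the recommendation: two notification hosts, no source interface
# anywhere. Sample data, not taken from a real device.
NONCOMPLIANT_CONFIG = """\
snmp-server host 1.2.3.4 traps version 2c public
snmp-server host 10.0.0.50 informs version 3 priv netops
snmp-server enable traps link
"""

# Constructed excerpt after applying the recommendation: 1.2.3.4 is pinned to
# mgmt 0 on its own host line, and the global trap/inform source is loopback 0,
# which covers 10.0.0.50.
COMPLIANT_CONFIG = """\
snmp-server host 1.2.3.4 traps version 2c public
snmp-server host 1.2.3.4 source-interface mgmt 0
snmp-server host 10.0.0.50 informs version 3 priv netops
snmp-server source-interface traps loopback 0
snmp-server source-interface informs loopback 0
"""

# Interface names appear as "mgmt 0" on the benchmark page and as "mgmt0" in
# some running-config output; accept both and normalise by dropping the space.
_IFACE = r"(\S+?) ?(\d+(?:/\d+)*)"
HOST_RE = re.compile(r"^snmp-server host (\S+) (traps|informs)\b")
HOST_SRC_RE = re.compile(r"^snmp-server host (\S+) source-interface " + _IFACE + r"$")
GLOBAL_SRC_RE = re.compile(r"^snmp-server source-interface (traps|informs) " + _IFACE + r"$")


def _norm(name: str, num: str) -> str:
    """'mgmt', '0' -> 'mgmt0'; 'Loopback', '0' -> 'loopback0'."""
    return f"{name.lower()}{num}"


def effective_sources(config: str) -> Dict[str, Optional[str]]:
    """Map each notification host to the interface its traps/informs are
    sourced from, or None when the default egress-interface behaviour applies."""
    hosts: Dict[str, str] = {}       # host -> "traps" | "informs"
    per_host: Dict[str, str] = {}    # host -> normalised interface
    global_src: Dict[str, str] = {}  # "traps"/"informs" -> normalised interface
    for raw in config.splitlines():
        line = raw.strip()
        if m := HOST_SRC_RE.match(line):
            per_host[m.group(1)] = _norm(m.group(2), m.group(3))
        elif m := GLOBAL_SRC_RE.match(line):
            global_src[m.group(1)] = _norm(m.group(2), m.group(3))
        elif m := HOST_RE.match(line):
            hosts[m.group(1)] = m.group(2)
    result: Dict[str, Optional[str]] = {}
    for host, kind in hosts.items():
        # Assumption of this example: a per-host source-interface overrides the
        # global traps/informs source-interface for that host.
        result[host] = per_host.get(host) or global_src.get(kind)
    return result


def is_compliant(config: str) -> bool:
    """True only when at least one host is configured and every host has an
    explicit source interface (per-host or global)."""
    sources = effective_sources(config)
    return bool(sources) and all(src is not None for src in sources.values())


def findings(config: str) -> List[str]:
    """Human-readable one-line finding per notification host."""
    return [
        f"{host}: sourced from {src}" if src else f"{host}: default egress interface (FAIL)"
        for host, src in effective_sources(config).items()
    ]


if __name__ == "__main__":
    for label, cfg in (("before", NONCOMPLIANT_CONFIG), ("after", COMPLIANT_CONFIG)):
        print(label, "PASS" if is_compliant(cfg) else "FAIL")
        for line in findings(cfg):
            print("  " + line)
```

Feed the script the output of `show running-config snmp` collected from each switch; a host that reports the default egress interface is one whose trap source will move with the routing table and should get either a per-host or a global source-interface line.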

See Also

https://workbench.cisecurity.org/files/3102

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.1

Plugin: Cisco

Control ID: a0e18db7b3c538a2e8a7604a0b0440cfed777c3b49be542f1667de5e67cefa2d