Information About SNMP Support over VPNs—Context-Based
Access Control
SNMP Versions and Security
Cisco software supports the following versions of SNMP:
• SNMPv1—Simple Network Management Protocol: a full Internet standard, defined in RFC 1157. (RFC
1157 replaces the earlier versions that were published as RFC 1067 and RFC 1098.) Security is based
on community strings.
• SNMPv2c—The community string-based Administrative Framework for SNMPv2. SNMPv2c (the "c"
is for "community") is an experimental Internet protocol defined in RFC 1901, RFC 1905, and RFC
1906. SNMPv2c is an update of the protocol operations and data types of SNMPv2p (SNMPv2 Classic)
and uses the community-based security model of SNMPv1.
For more information about SNMP Versions, see the “ Configuring SNMP Support ” module in the Cisco
Network Management Configuration Guide.
SNMPv1 or SNMPv2 Security
Cisco IOS software supports the following versions of SNMP:
• SNMPv1—Simple Network Management Protocol: a full Internet standard, defined in RFC 1157. (RFC
1157 replaces the earlier versions that were published as RFC 1067 and RFC 1098.) Security is based
on community strings.
• SNMPv2c—The community string-based Administrative Framework for SNMPv2. SNMPv2c (the "c"
is for "community") is an experimental Internet protocol defined in RFC 1901, RFC 1905, and RFC
1906. SNMPv2c is an update of the protocol operations and data types of SNMPv2p (SNMPv2 Classic)
and uses the community-based security model of SNMPv1.
SNMPv1 and SNMPv2 are not as secure as SNMPv3. SNMP version 1 and 2 use plain text communities and
do not perform the authentication or security checks that SNMP version 3 performs. To configure the SNMP
Support over VPNs—Context-Based Access Control feature when using SNMP version 1 or SNMP version
2, you need to associate a community name with a VPN. This association causes SNMP to process requests
coming in for a particular community string only if it comes in from the configured VRF. If the community
string contained in the incoming packet does not have an associated VRF, it is processed only if it came in
through a non-VRF interface. This process prevents users outside the VPN from snooping a clear text
community string to query the VPN’s data. These methods of source address validation are not as secure as
using SNMPv3.
SNMPv3 Security
If you are using SNMPv3, the security name should always be associated with authentication or privileged
passwords. Source address validation is not performed on SNMPv3 users. To ensure that a VPN’s user has
Cisco cBR Series Converged Broadband Routers Troubleshooting and Network Management Configuration Guide
for Cisco IOS XE Fuji 16.8.x
69
SNMP Support over VPNs—Context-Based Access Control
Information About SNMP Support over VPNs—Context-Based Access Control
To Next Page
Loading...
Need help?
General
