Configuring Secure SNMP Community Names

The table Configuring Secure Community Names provides an example of a recommended configuration that prevents unsecured SNMPv1/v2c access to information that could compromise security.

As discussed previously in this document, SNMPv1 and SNMPv2c are inherently insecure device management protocols. The community names that define access levels are sent in clear text in every protocol frame to the managed entity, and may also be visible to read-only SNMP users who query certain SNMP configuration-related objects. You may further expose your network through configuration conventions that reuse community names elsewhere in entity management, such as CLI login passwords and SNMP security names.

Extreme Networks recommends that you “secure” all SNMP community names. You do this by creating a configuration that uses “views” to hide sensitive information from SNMPv1/v2c users, as follows:


Configuring Secure Community Names

Step 1. Create the following SNMP access (view group) configurations:
  • An admin (v3) group with secure read, write, and notify access
  • A read-only group with unsecure (v1 and v2c) access
  • A read-write group with unsecure (v1 and v2c) access

Command(s):
  set snmp access admin-groupname security-model usm privacy exact read secured-viewname write secured-viewname notify secured-viewname
  set snmp access read-only-groupname security-model v1 exact read unsecured-viewname
  set snmp access read-only-groupname security-model v2c exact read unsecured-viewname
  set snmp access read-write-groupname security-model v1 exact read unsecured-viewname write unsecured-viewname
  set snmp access read-write-groupname security-model v2c exact read unsecured-viewname write unsecured-viewname

Step 2. Create the v1/v2c “private” (read-write) and “public” (read-only) community names and map each to a security name. The names private-communityname and public-communityname are placeholders for the community strings you choose; the security names are separate values and are not exposed as community strings.

Command(s):
  set snmp community private-communityname securityname read-write-securityname
  set snmp community public-communityname securityname read-only-securityname

Step 3. Create user groups and bind them to the security names created in Step 2 (and to the v3 admin user name).

Command(s):
  set snmp group admin-groupname user admin-username
  set snmp group read-only-groupname user read-only-securityname security-model v1
  set snmp group read-write-groupname user read-write-securityname security-model v1
  set snmp group read-only-groupname user read-only-securityname security-model v2c
  set snmp group read-write-groupname user read-write-securityname security-model v2c

Step 4. Using the admin-username assigned in Step 3, create the v3 user and define its SHA authentication key and privacy key. (The admin access entry in Step 1 requires the privacy security level, so the privacy key is not optional.)

Command(s):
  set snmp user admin-username authentication sha auth-key privacy priv-key

Step 5. Using the view names assigned in Step 1, create the unrestricted (secured) view for v3 users and the view that will be restricted for v1/v2c users. Both views start with the full tree (subtree 1) plus the 0.0 subtree; Step 6 then removes the sensitive subtrees from the unsecured view.

Command(s):
  set snmp view viewname secured-viewname subtree 1
  set snmp view viewname secured-viewname subtree 0.0
  set snmp view viewname unsecured-viewname subtree 1
  set snmp view viewname unsecured-viewname subtree 0.0

Step 6. Exclude the following from the restricted (unsecured) view:
  • snmpUsmMIB, 1.3.6.1.6.3.15 (contains v3 user names, but no passwords or keys)
  • snmpVacmMIB, 1.3.6.1.6.3.16 (contains the SNMP group, access, and view configuration)
  • snmpCommunityTable, 1.3.6.1.6.3.18.1.1 (contains community names)

Command(s):
  set snmp view viewname unsecured-viewname subtree 1.3.6.1.6.3.15 excluded
  set snmp view viewname unsecured-viewname subtree 1.3.6.1.6.3.16 excluded
  set snmp view viewname unsecured-viewname subtree 1.3.6.1.6.3.18.1.1 excluded
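The following is an added worked example, not Extreme Networks code or output: it parses the set snmp view lines from Steps 5 and 6 and applies the RFC 3415 VACM view lookup (the matching subtree with the most sub-identifiers decides; no match means the object is outside the view) to a handful of standard MIB objects, so you can see before touching a switch why excluding 1.3.6.1.6.3.15 under an included subtree 1 hides v3 user names from the unsecured view while sysDescr stays readable. It assumes the device resolves overlapping subtrees by longest match exactly as RFC 3415 describes and ignores view masks; the probe OIDs are the standard assignments from SNMP-USER-BASED-SM-MIB, SNMP-VIEW-BASED-ACM-MIB and SNMP-COMMUNITY-MIB.

```python
"""Evaluate which OIDs the secured and unsecured SNMP views expose.

Added example for this page; not Extreme Networks code. It models the
RFC 3415 VACM view lookup (longest matching subtree wins, no mask
support) against the 'set snmp view' lines from Steps 5 and 6.
"""
import re
from dataclasses import dataclass

# Assumption: EOS 'set snmp view' lines in the form used on this page,
# with an optional trailing included|excluded keyword. Mask arguments
# are not modelled.
SET_VIEW_RE = re.compile(
    r"^set snmp view viewname (\S+) subtree (\S+)(?: (included|excluded))?$"
)


@dataclass(frozen=True)
class ViewEntry:
    subtree: tuple  # OID sub-identifiers, e.g. (1, 3, 6, 1, 6, 3, 15)
    included: bool


def parse_oid(text: str) -> tuple:
    """'1.3.6.1' -> (1, 3, 6, 1); a leading dot is tolerated."""
    return tuple(int(x) for x in text.strip(".").split("."))


def parse_views(config: str) -> dict:
    """Collect the view tree families per view name from CLI text."""
    views: dict = {}
    for raw in config.splitlines():
        m = SET_VIEW_RE.match(raw.strip())
        if not m:
            continue  # other 'set snmp ...' lines are irrelevant here
        name, subtree, mode = m.groups()
        views.setdefault(name, []).append(
            ViewEntry(parse_oid(subtree), mode != "excluded"))
    return views


def oid_visible(view, oid) -> bool:
    """RFC 3415 section 4.1.3: among entries whose subtree is a prefix of
    the OID, the one with the most sub-identifiers decides; no matching
    entry means the OID is outside the view."""
    if isinstance(oid, str):
        oid = parse_oid(oid)
    best = None
    for entry in view:
        n = len(entry.subtree)
        if oid[:n] == entry.subtree and (best is None or n > len(best.subtree)):
            best = entry
    return best is not None and best.included


# The view lines from Steps 5 and 6 of the page, copied verbatim.
PAGE_VIEW_CONFIG = """
set snmp view viewname secured-viewname subtree 1
set snmp view viewname secured-viewname subtree 0.0
set snmp view viewname unsecured-viewname subtree 1
set snmp view viewname unsecured-viewname subtree 0.0
set snmp view viewname unsecured-viewname subtree 1.3.6.1.6.3.15 excluded
set snmp view viewname unsecured-viewname subtree 1.3.6.1.6.3.16 excluded
set snmp view viewname unsecured-viewname subtree 1.3.6.1.6.3.18.1.1 excluded
"""

# Probe OIDs a practitioner would check after applying the configuration.
# snmpTargetAddrExtTable sits in snmpCommunityMIB but outside the excluded
# snmpCommunityTable, so it stays visible to v1/v2c users.
PROBES = {
    "sysDescr.0": "1.3.6.1.2.1.1.1.0",
    "usmUserSecurityName": "1.3.6.1.6.3.15.1.2.2.1.3",
    "vacmAccessTable": "1.3.6.1.6.3.16.1.4",
    "snmpCommunityName": "1.3.6.1.6.3.18.1.1.1.2",
    "snmpTargetAddrExtTable": "1.3.6.1.6.3.18.1.2",
}


def audit(config: str = PAGE_VIEW_CONFIG, probes: dict = PROBES) -> dict:
    """Return {probe label: {view name: visible}} for every parsed view."""
    views = parse_views(config)
    return {label: {name: oid_visible(entries, oid)
                    for name, entries in views.items()}
            for label, oid in probes.items()}


if __name__ == "__main__":
    for label, result in audit().items():
        cells = "  ".join(f"{name}={'yes' if ok else 'NO'}"
                          for name, ok in result.items())
        print(f"{label:24s}{cells}")
```

On a live switch, the same check is done with a Net-SNMP walk using the read-only community, for example `snmpwalk -v2c -c <public-communityname> <switch> 1.3.6.1.6.3.18.1.1`, which should return no instances under that subtree, while a walk of 1.3.6.1.2.1.1 still returns the system group. Note that the page's Step 6 excludes only snmpCommunityTable, not the whole snmpCommunityMIB, so the sibling tables under 1.3.6.1.6.3.18.1 remain readable by v1/v2c users.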