For SNMPv1 and SNMPv2, the SNMP agent validates each request from an SNMP manager before responding to it, by verifying that the manager belongs to a valid SNMP community. An SNMP community is a logical relationship between an SNMP agent and one or more SNMP managers (the manager software implements the protocols used to exchange data with SNMP agents). You define communities locally at the agent level.
The agent establishes one community for each combination of authentication and access control characteristics that you choose. You assign each community a unique name (community string), and all members of a community have the same access privileges, either read-only or read-write:
Read-only: members can view configuration and performance information.
Read-write: members can view configuration and performance information, and change the configuration.
By defining a community, an agent limits access to its MIB to a selected set of management stations. By using more than one community, the agent can provide different levels of MIB access to different management stations.
SNMP community strings are used when a user logs on to the device over SNMP, for example, using SNMP-based management software. You set the SNMP community strings using the CLI. If you have read/write/all access authority, you can modify the SNMP community strings for access to the device through Enterprise Device Manager (EDM).
You are provided with community strings for SNMPv1 and SNMPv2. If you want to use SNMPv3 only, you must disable SNMPv1 and SNMPv2 access by deleting the default community string entries, and then create the SNMPv3 user and group.
Note
If you enable enhanced secure mode, the switch does not support the default SNMPv1 and default SNMPv2 community strings, and default SNMPv3 user name. The individual in the administrator access level role can configure a non-default value for the community strings, and the switch can continue to support SNMPv1 and SNMPv2. The individual in the administrator access level role can also configure a non-default value for the SNMPv3 user name and the switch can continue to support SNMPv3.
If you disable enhanced secure mode, the SNMPv1 and SNMPv2 support for community strings remains the same, and the default SNMPv3 user name remains the same. Enhanced secure mode is disabled by default.
For more information on enhanced secure mode, see Enhanced secure mode authentication access levels.
The following table lists the default community strings for SNMPv1 and SNMPv2.

| VRF | Default community string | Access |
|---|---|---|
| GlobalRouter VRF | public | Read access |
| GlobalRouter VRF | private | Write access |
| ManagementRouter VRF | public:512 | Read access |
| ManagementRouter VRF | private:512 | Write access |
Community strings are encrypted using the AES encryption algorithm. Community strings do not appear on the device and are not stored in the configuration file.
Caution
Security risk
For security reasons, as a best practice, set the community strings to values other than the factory defaults.
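The community model described at the top of this page (agent checks every request against its community table; each community is scoped to a VRF and grants read-only or read-write access) and the factory-default table above, as an added illustration in Python. This is not the switch's own code: the `Agent` class, its `authorize` method and the sample community entries are assumptions; only the VRF names, default strings and access levels come from the table.

```python
"""Model of SNMPv1/v2c community-based access control (added example)."""
from dataclasses import dataclass

# Factory defaults documented in the table above: (VRF, string) -> access.
FACTORY_DEFAULTS = {
    ("GlobalRouter", "public"): "ro",
    ("GlobalRouter", "private"): "rw",
    ("ManagementRouter", "public:512"): "ro",
    ("ManagementRouter", "private:512"): "rw",
}


@dataclass(frozen=True)
class Community:
    vrf: str      # VRF the community is defined in
    name: str     # the community string itself
    access: str   # "ro" (read-only) or "rw" (read-write)


class Agent:
    """Minimal agent: a community table keyed by (VRF, string), checked per request."""

    def __init__(self, communities):
        self._table = {(c.vrf, c.name): c.access for c in communities}

    def authorize(self, vrf, community, operation):
        """True if a manager presenting `community` on `vrf` may perform
        `operation` ("get" or "set"); an unknown community is simply rejected."""
        access = self._table.get((vrf, community))
        if access is None:
            return False
        if operation == "set":
            return access == "rw"
        return operation == "get"

    def default_strings_in_use(self):
        """Entries still using a factory default (the caution above)."""
        return sorted(f"{vrf}/{name}" for (vrf, name) in self._table
                      if (vrf, name) in FACTORY_DEFAULTS)


def demo():
    # Constructed sample configuration: two defaults left in place, one custom.
    agent = Agent([Community("GlobalRouter", "public", "ro"),
                   Community("GlobalRouter", "private", "rw"),
                   Community("ManagementRouter", "mgmt-ro-7x", "ro")])
    return agent.authorize("GlobalRouter", "public", "set"), agent.default_strings_in_use()


if __name__ == "__main__":
    print(demo())
```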
The switch handles community string encryption in the following manner:
When the device starts up, community strings are restored from the hidden file.
When the SNMP community strings are modified, the modifications are updated to the hidden file.
Stale snmp-server community entries for different VRFs can appear after a reboot with no VRFs configured. On a node with any valid config file saved with more than the default vrf0, snmp_community entries for that VRF are created and maintained in a separate text file, snmp_comm.txt, on every boot. The node reads this file and updates the SNMP communities available on the node. As a result, after a boot with a config that has no VRFs, you may still see snmp_community entries for VRFs other than the GlobalRouter vrf0.
If you enable hsecure, the system disables SNMPv1, SNMPv2 and SNMPv3. If you want to use SNMP, you must use the command no boot config flag block-snmp to re-enable SNMP.