Friday, April 30, 2010

Enabling SNMP Community Strings on a Cisco Router (and Other IOS Devices)

Abstract: We're enabling SNMP community strings (SNMP's concept of a password) on a Cisco router named 'C2600' running Cisco's IOS (Internetwork Operating System). The router has never previously been configured for SNMP.



WARNING: SNMP in IOS versions 11.x-12.0 had a security vulnerability. More here.


Notes: IOS is also used in other Cisco managed network equipment, so the generic term 'device' is used from here on to refer to the router.
Full IOS commands are used but many can be shortened: 'configure terminal' to 'conf term'; 'show' to 'sh'. Pressing *Tab* autocompletes a command if the letter combination is unique. Entering 're' *Tab* will fail because it could stand for 'reload', 'rename', 'restart', or 'resume'. Entering 'ren' *Tab* will complete to 'rename'. If you forget a command, entering '?' *Enter* will display most of the commands.



C2600> enable

Enable mode is used to view a device's settings.



C2600# show running-config

If SNMP is mentioned, it was previously configured.


C2600# configure terminal

Configure allows you to change the device's settings.



C2600(config)# snmp-server community 'public-string' RO

'RO' stands for 'Read-Only', meaning that someone who knows the device's public string can view the device's SNMP settings, a relatively harmless ability.



C2600(config)# snmp-server community 'private-string' RW

'RW' stands for 'Read-Write', meaning that someone who knows the private string can change the device's settings. Someone with this knowledge can ruin your plans for the day, especially if the device is thousands of miles away. For instance, here are instructions for "How To Copy Configurations To and From Cisco Devices Using SNMP".



Replace 'public-string' and 'private-string' with appropriate substitutions. The common default strings are 'public' & 'private'. These strings are not recommended for securing the device.



C2600(config)# exit

Exits configure mode back to enable mode.



C2600# show running-config

A few lines about SNMP should appear.



C2600# write memory

This writes the new settings to memory. If you skip this step, you'll need to start over.



To check that configuration was successful:

C2600# show snmp

Empty stats about usage will display if SNMP is correctly configured.
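
As an added example (not part of the original post), this Python script audits saved 'show running-config' output for the community lines configured above, flagging the default strings 'public' and 'private' and any RW community. The check for a trailing access-list argument goes beyond what the post covers; the sample configuration and the name audit_snmp are constructed for illustration.

```python
import re

# Community strings the post names as common defaults.
DEFAULT_STRINGS = {"public", "private"}

# IOS form: snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<string>\S+)"
    r"(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>RO|RW))?"
    r"(?: (?P<acl>.+))?$",
    re.IGNORECASE,
)

# Constructed sample of 'show running-config' output, not from a real device.
SAMPLE_CONFIG = """\
hostname C2600
!
snmp-server community public RO
snmp-server community private RW
snmp-server community n0c-Mon1tor RO 10
!
end
"""

def audit_snmp(running_config):
    """Return one finding per 'snmp-server community' line in the config."""
    findings = []
    for lineno, line in enumerate(running_config.splitlines(), start=1):
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        is_default = m.group("string").lower() in DEFAULT_STRINGS
        mode = (m.group("mode") or "RO").upper()  # IOS assumes read-only if omitted
        issues = []
        if is_default:
            issues.append("default community string")
        if mode == "RW":
            issues.append("read-write access")
        if m.group("acl") is None:
            issues.append("no access list limiting SNMP clients")
        # Never echo a non-default community string into audit output.
        shown = m.group("string") if is_default else "<redacted>"
        findings.append({"line": lineno, "community": shown, "mode": mode,
                         "acl": m.group("acl"), "issues": issues})
    return findings

if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(finding)
```

A community line with an empty issues list uses a non-default string, is read-only, and names an access list.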
