Disabling SNMP on a Cisco Router

Russ Suter
I'm still learning how to do this stuff, but I have a vulnerability scan that is telling me about "Multiple SNMP v1 Request Handling Vulnerabilities".

The recommendations are as follows:

Fix Multiple SNMP v1 Request Handling Vulnerabilities

If SNMP is not required, the service should be disabled on the device. Please refer to the device manufacturer's documentation for the steps involved with disabling SNMP.

I'm not a network expert. To be honest I'm not entirely certain what SNMP is used for or why I need it. I've looked in my configuration file and found the following entries:

snmp-server community XXXXXXXX RO 20 (X's represent I believe password data - redacted)
snmp-server trap-source Vlan10
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps syslog

Based on this information should I disable SNMP? If so, how?

You may not want to disable SNMP; however, reconfiguring it so that it's not using SNMPv1 would definitely be a good idea! It's been a while since I've played with this stuff, but I think the following should give you all the information you need: http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf014.html

Edit: this may vary depending on your version of Cisco IOS.
Russ Suter, Senior Software Developer

Author

Commented:
Sorry but that link went way over my head. Why would I not want to disable SNMP? What purpose would it serve to leave it enabled? Do you have any more specific instructions on how I could disable SNMP v1? A step-by-step list of commands would be great!
Top Expert 2012
Commented:
To disable, simply do this command:

conf t
no snmp-server community XXXXXXXX RO 20

If you want, do the same with the other lines as well; just add a no in front of each to remove it from the running config.

Then make sure to copy to startup-config by running:
copy run start
Technology Support Specialist
Commented:
SNMP is for monitoring purposes. If you need it, try having SNMP v3. If not, then completely remove the SNMP configs as shown below.

 conf t
 no snmp-server community XXXXXXXX RO 20
 no snmp-server trap-source Vlan10
 no snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
 no snmp-server enable traps tty
 no snmp-server enable traps syslog
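
Added example, not part of any answer in this thread: a Python script that reads a saved copy of the running config, reports each SNMPv1/v2c community line (access level and ACL, without echoing the community string) and builds the `no` commands described in the answers. The sample config is constructed from the lines in the question; the hostname, the function names and the `end` step before saving are assumptions of this example.

```python
# Added example: audit a saved Cisco IOS config for SNMP and build removal commands.
# SAMPLE_CONFIG is constructed: the snmp-server lines quoted in the question
# plus a few unrelated lines standing in for the rest of a running-config.
SAMPLE_CONFIG = """\
hostname router1
!
interface Vlan10
 description management
!
snmp-server community XXXXXXXX RO 20
snmp-server trap-source Vlan10
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps syslog
!
end
"""

def snmp_lines(config):
    """Return the global (unindented) snmp-server lines, whitespace-normalized."""
    return [" ".join(l.split()) for l in config.splitlines()
            if l.lower().startswith("snmp-server ")]

def community_findings(config):
    """Describe each SNMPv1/v2c community line without echoing the string itself."""
    findings = []
    for line in snmp_lines(config):
        tok = line.split()
        if len(tok) < 3 or tok[1].lower() != "community":
            continue
        rest = tok[3:]  # optional: view <name>, RO|RW, access-list
        access = "RW" if any(t.upper() == "RW" for t in rest) else "RO"
        acl = None
        if rest and rest[-1].upper() not in ("RO", "RW") and \
                not (len(rest) >= 2 and rest[-2].lower() == "view"):
            acl = rest[-1]
        findings.append({"access": access, "acl": acl})
    return findings

def removal_commands(config):
    """Prefix each snmp-server line with 'no', wrapped in the session commands."""
    negated = ["no " + l for l in snmp_lines(config)]
    if not negated:
        return []
    # 'end' is added here to leave config mode before saving; the thread omits it.
    return ["conf t", *negated, "end", "copy run start"]

if __name__ == "__main__":
    print(community_findings(SAMPLE_CONFIG))
    print("\n".join(removal_commands(SAMPLE_CONFIG)))
```

Running the audit again on a fresh copy of the config after the change should return an empty list from `snmp_lines`.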
