From: Tim (ccie2be@nyc.rr.com)
Date: Sun Sep 25 2005 - 10:03:37 GMT-3
Have a look at this link:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_c/fcfprt3/fcf014.htm#wp1017597
(Watch the wrap around)
Cisco IOS software supports the following versions of SNMP:
- SNMPv1: The Simple Network Management Protocol: A Full Internet Standard,
  defined in RFC 1157. (RFC 1157 replaces the earlier versions that were
  published as RFC 1067 and RFC 1098.) Security is based on community strings.
- SNMPv2c: The community-string based Administrative Framework for SNMPv2.
  SNMPv2c (the "c" stands for "community") is an Experimental Internet
  Protocol defined in RFC 1901, RFC 1905, and RFC 1906. SNMPv2c is an update
  of the protocol operations and data types of SNMPv2p (SNMPv2 Classic), and
  uses the community-based security model of SNMPv1.
- SNMPv3: Version 3 of SNMP. SNMPv3 is an interoperable standards-based
  protocol defined in RFCs 2273 to 2275. SNMPv3 provides secure access to
  devices by a combination of authenticating and encrypting packets over the
  network.
The security features provided in SNMPv3 are as follows:
- Message integrity: Ensuring that a packet has not been tampered with in
  transit.
- Authentication: Determining that the message is from a valid source.
- Encryption: Scrambling the contents of a packet to prevent it from being
  learned by an unauthorized source.
Both SNMPv1 and SNMPv2c use a community-based form of security. The
community of managers able to access the agent MIB is defined by an IP
address Access Control List and password.
SNMPv2c support includes a bulk retrieval mechanism and more detailed error
message reporting to management stations. The bulk retrieval mechanism
supports the retrieval of tables and large quantities of information,
minimizing the number of round-trips required. The SNMPv2c improved error
handling support includes expanded error codes that distinguish different
kinds of error conditions; these conditions are reported through a single
error code in SNMPv1. Error return codes now report the error type. Three
kinds of exceptions are also reported: no such object exceptions, no such
instance exceptions, and end of MIB view exceptions.
SNMPv3 is a security model. A security model is an authentication strategy
that is set up for a user and the group in which the user resides. A
security level is the permitted level of security within a security model. A
combination of a security model and a security level will determine which
security mechanism is employed when handling an SNMP packet. See Table 18
for a list of security levels available in SNMPv3.
Three security models are available: SNMPv1, SNMPv2c, and SNMPv3. Table 18
identifies what the combinations of security models and levels mean.
HTH, Tim
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Jens
Petter Eikeland
Sent: Sunday, September 25, 2005 4:04 AM
To: ccielab@groupstudy.com
Subject: snmp
Can anybody please tell me what the difference is between using snmp v2 and
snmp v3 when it comes to authentication with the snmp-server? I am trying to
set up snmp traps from my router, and want to use the strongest authentication
possible. Also I know that snmp traps are sent on udp port 162, but do I also
need to enable udp port 161 in my ACLs for this to reach the server? Do I
need to think about anything special when configuring v3 versus version 2?
This is how I have configured this:
snmp-server community cisco RO 10
snmp-server enable traps
snmp-server host 10.10.44.114 version 3 auth cisco
snmp-server contact admin@cisco.com
snmp-server location San Jose
access-list 10 permit host 10.10.44.114
Will this give me the best possible security?
Thanks
Jens
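As an added example (not part of either message in this thread), the following IOS configuration shows how the three SNMPv3 security levels Tim quotes (noauth, auth, priv) map onto the snmp-server group/user/host commands, written as an authPriv hardening of the configuration Jens posted. The view, group and user names and the passphrases are placeholders; `priv aes 128` assumes an IOS release that supports AES (older 12.2 images accept only `priv des56`).

```cisco
! Added example: SNMPv3 authPriv hardening of the configuration above.
! MGMT-VIEW, MGMT-GROUP, mgmt-user and the passphrases are placeholders.
!
! Only the management station may speak SNMP to the router. Polling from the
! manager arrives on UDP 161; traps are sent by the router to UDP 162 on the
! host, so 161 matters for polling, not for delivering traps.
access-list 10 permit host 10.10.44.114
!
! Limit what v3 users can read to the standard MIB-2 subtree.
snmp-server view MGMT-VIEW mib-2 included
!
! Security levels, as in the quoted Cisco documentation:
!   noauth -> noAuthNoPriv (username only; no integrity, no encryption)
!   auth   -> authNoPriv   (HMAC authentication and integrity; cleartext data)
!   priv   -> authPriv     (authentication plus an encrypted payload)
! The group is pinned to the strongest level and to the ACL.
snmp-server group MGMT-GROUP v3 priv read MGMT-VIEW access 10
!
! User credentials: SHA for authentication, AES-128 for privacy.
! Passphrases must be at least 8 characters; use two different values.
snmp-server user mgmt-user MGMT-GROUP v3 auth sha AUTH-PASSPHRASE-HERE priv aes 128 PRIV-PASSPHRASE-HERE access 10
!
! For "version 3" the last argument of snmp-server host is a v3 user name.
! The posted "version 3 auth cisco" names a user "cisco" that no
! snmp-server user line defines; here the host refers to the user above and
! asks for priv, so traps are both authenticated and encrypted.
snmp-server host 10.10.44.114 version 3 priv mgmt-user
snmp-server enable traps
!
! The community string is a v1/v2c credential and is not used by v3 at all.
! If nothing still polls with v2c, remove it so the agent answers v3 only.
no snmp-server community cisco RO 10
```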
This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:16 GMT-3