Disable SNMP v1 or SNMP v2c While Other Versions Remain Enabled

Document ID: 113469

Updated: Mar 02, 2012

Contributed by Mauricio Quesada, Cisco Content Engineer.

Introduction

This document describes how to disable SNMP version 1 or version 2c while other versions are enabled.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is valid for any Cisco IOS® device that runs 12.0(3)T or higher. The procedure in this document was verified on a Cisco 2821 that runs 15.2(2)T.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for information on document conventions.

Procedure

Given the Internet security issues with Simple Network Management Protocol (SNMP) versions 1 and 2c, users often choose to disable community-based SNMP in favor of the more secure SNMP version 3 User Security Model (USM). However, sometimes it is desirable to leave community-based SNMP enabled for legacy applications.

In order to make sure that applications can get the most accurate data, as well as benefit from the more scalable SNMP GETBULK message type, you can disable SNMPv1 while SNMPv2c remains enabled.

Every time an SNMP community string is configured, the device internally configures two SNMP groups for that community: one group for v1 and another group for v2c. In order to disable one of the protocol versions, that group must be deleted.

The command to delete a group is:

Router(config)#no snmp-server group <community> v1

For example, consider that this community is configured:

Router(config)#snmp-server community public ro

The device creates these groups:

groupname: public                          security model:v1
readview : v1default                       writeview: <no writeview specified> 
notifyview: <no notifyview specified>
row status: active

groupname: public                          security model:v2c
readview : v1default                       writeview: <no writeview specified>

When the command no snmp-server group public v1 is configured, the public group for SNMPv1 is removed, and SNMPv1 requests to the device are ignored.

This procedure must be performed for all community strings configured on the device.
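
As an added example (not part of the original Cisco document), the following Python script parses show snmp group output and builds the no snmp-server group line for every community that still has a group for the version being disabled. The sample output is constructed, and the names backup, nms-legacy and ops-v3 are assumptions made for illustration.

```python
import re

# Constructed "show snmp group" output, abbreviated to the fields the page shows.
# Community/group names other than "public" are made up for this example.
SAMPLE_OUTPUT = """\
groupname: public                          security model:v1
readview : v1default                       writeview: <no writeview specified>

groupname: public                          security model:v2c
readview : v1default                       writeview: <no writeview specified>

groupname: backup                          security model:v1
readview : v1default                       writeview: <no writeview specified>

groupname: backup                          security model:v2c
readview : v1default                       writeview: <no writeview specified>

groupname: nms-legacy                      security model:v2c
readview : v1default                       writeview: <no writeview specified>

groupname: ops-v3                          security model:v3 priv
readview : v1default                       writeview: <no writeview specified>
"""

# One match per group entry: the group name and the first token of its security model.
GROUP_RE = re.compile(r"^groupname:\s*(\S+)\s+security model:\s*(\S+)", re.M)


def parse_groups(show_output):
    """Map each group name to the set of security models it is bound to."""
    groups = {}
    for name, model in GROUP_RE.findall(show_output):
        groups.setdefault(name, set()).add(model.lower())
    return groups


def removal_commands(show_output, version="v1"):
    """List the 'no snmp-server group' lines for every group still on `version`."""
    if version not in ("v1", "v2c"):
        raise ValueError("only the community-based versions v1 and v2c apply here")
    groups = parse_groups(show_output)
    return [f"no snmp-server group {name} {version}"
            for name in sorted(groups) if version in groups[name]]


if __name__ == "__main__":
    # Review the list before pasting it into configuration mode.
    print("\n".join(removal_commands(SAMPLE_OUTPUT)))
```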
