Document ID: 113469
Updated: Mar 02, 2012
Contributed by Mauricio Quesada, Cisco Content Engineer.
This document describes how to disable SNMP version 1 or version 2c while other versions are enabled.
There are no specific requirements for this document.
This document is valid for any Cisco IOS® device that runs 12.0(3)T or higher. The procedure in this document was verified on a Cisco 2821 that runs 15.2(2)T.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to the Cisco Technical Tips Conventions for information on document conventions.
Given the Internet security issues with Simple Network Management Protocol (SNMP) versions 1 and 2c, users often choose to disable community-based SNMP in favor of the more secure SNMP version 3 User Security Model (USM). However, sometimes it is desirable to leave community-based SNMP enabled for legacy applications.
In order to make sure that applications can get the most accurate data, as well as benefit from the more scalable SNMP GETBULK message type, you can disable SNMPv1 while SNMPv2c remains enabled.
Every time an SNMP community string is configured, the device internally configures two SNMP groups for that community: one group for v1 and another group for v2c. In order to disable one of the protocol versions, that group must be deleted.
The command to delete a group is no snmp-server group <community> v1.
For example, consider that this community is configured:
Router(config)#snmp-server community public ro
The device creates these groups:
groupname: public                      security model:v1
readview : v1default                   writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active

groupname: public                      security model:v2c
readview : v1default                   writeview: <no writeview specified>
When the command no snmp-server group public v1 is configured, the public group for SNMPv1 is removed, and SNMPv1 requests to the device are ignored.
This procedure must be performed for all community strings configured on the device.
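Because the group must be removed for every community string, it is easy to miss one. The following added example (not part of the original Cisco document) compares the community lines of a running configuration with show snmp group output and lists the removal commands that are still needed. The sample input is constructed, and the script assumes community lines of the form snmp-server community <string> ...; the function names are illustrative.

```python
import re

# Constructed sample input, not captured from a real device: community
# lines from a running-config and the matching "show snmp group" output.
CONFIG = """\
snmp-server community public RO
snmp-server community netops RO 10
"""
GROUPS = """\
groupname: public                      security model:v1
readview : v1default                   writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active

groupname: public                      security model:v2c
readview : v1default                   writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active

groupname: netops                      security model:v2c
readview : v1default                   writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active
"""

COMMUNITY_RE = re.compile(r"^\s*snmp-server community (\S+)", re.M)
GROUP_RE = re.compile(r"groupname:\s*(\S+)\s+security model:\s*(\S+)")


def group_models(show_output):
    """Map each group name to the set of security models it exists for."""
    models = {}
    for name, model in GROUP_RE.findall(show_output):
        models.setdefault(name, set()).add(model.lower())
    return models


def removal_commands(config, show_output, version="v1"):
    """Commands still needed so that no configured community answers `version`."""
    models = group_models(show_output)
    # De-duplicate community strings while keeping configuration order.
    communities = dict.fromkeys(COMMUNITY_RE.findall(config))
    return [f"no snmp-server group {c} {version}"
            for c in communities if version in models.get(c, ())]


if __name__ == "__main__":
    for cmd in removal_commands(CONFIG, GROUPS):
        print(cmd)
```

An empty result means no configured community still has a group for that version.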