Manually Remove SNMP Community Names
Note: The following workaround is only effective until the device is
reloaded. Upon each reload of the device this workaround must be re-applied.
Cisco encourages performing a Cisco IOS Software upgrade as a permanent fix for
Log in to the device, and enter configuration mode. Enter the following
no snmp-server community public RO
no snmp-server community private RW
Saving the configuration will update the start-up configuration files;
however the hard-coded community names will be reinserted to the running
configuration when the device reloads. This workaround must be applied each
time the device is reloaded.
Automatically Remove SNMP Community Names
By creating an Embedded Event Manager (EEM) policy, it is possible to
automatically remove the hard-coded SNMP community names each time the device
is reloaded. The following example shows an EEM policy that runs each time the
device is reloaded and removes the hard-coded SNMP community names.
event manager applet cisco-sa-20100707-snmp
event timer countdown time 30
action 10 cli command "enable"
action 20 cli command "configure terminal"
action 30 cli command "no snmp-server community public RO"
action 40 cli command "no snmp-server community private RW"
action 50 cli command "end"
action 60 cli command "disable"
action 70 syslog msg "Hard-coded SNMP community names as per Cisco Security Advisory cisco-sa-20100707-snmp removed"
For more information on EEM policies consult the Cisco IOS Network
Management Configuration Guide - Embedded Event Manager Overview at the
Infrastructure Access Control Lists
Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be allowed to
target infrastructure devices and block that traffic at the device interface or
the border of networks.
If SNMP management is not required on the IE3000, then dropping all
SNMP traffic to the device is a sufficient workaround. The iACL below shows an
example of an IE3000 with two interfaces configured with layer 3 access,
dropping all SNMP queries destined to the IE3000:
!--- Deny SNMP traffic from all other sources destined to
!--- configured IP addresses on the IE3000.
access-list 150 deny udp any host 192.168.0.1 eq snmp
access-list 150 deny udp any host 192.168.1.1 eq snmp
!--- Permit/deny all other Layer 3 and Layer 4 traffic in
!--- accordance with existing security policies and configurations
!--- Permit all other traffic to transit the device.
access-list 150 permit ip any any
!--- Apply access-list to all Layer 3 interfaces
!--- (only two examples shown)
ip address 192.168.0.1 255.255.255.0
ip access-group 150 in
ip address 192.168.1.1 255.255.255.0
ip access-group 150 in
The white paper "Protecting Your Core: Infrastructure Protection Access
Control Lists" presents guidelines and recommended deployment techniques for
infrastructure protection access lists. This white paper can be obtained at the