
4-16 Riverstone Networks RS 32000 Switch Router Getting Started Guide
Setting Up SNMP Initial Configuration
By default, SNMP information is sent and received on the Control Module's en0 Ethernet port. If you want SNMP to
use a different port on the RS 32000, use the following command:

snmp set trap-source <interface>|<IPaddr>

Here is an example:

rs(config)# snmp set trap-source 134.152.78.192

SNMP will now use the port with IP address 134.152.78.192. Remember, to make this change permanent, enter the
save startup command.

4.6.2 Improving SNMP Security
SNMPv1 is not a secure protocol. Messages containing community strings are sent in plain text from the manager
application to the agent. Anyone with a protocol decoder and access to the wire can capture, modify, and replay messages.

Applying ACLs to SNMP
When using SNMPv1, it is important to protect your RS 32000 by applying an Access Control List (ACL) to the
SNMP agent to prevent unauthorized access, and to route your SNMP traffic through trusted networks only.
Here are the basic configuration commands to apply an ACL to the RS 32000's SNMP agent, allowing access to the
RS 32000 by only one management station:

rs(config)# acl mgmt_only permit udp <IPaddr> any any any
rs(config)# acl mgmt_only apply service snmp

The above ACL, applied to the SNMP service, allows messages from source IP address <IPaddr> to be processed by
the SNMP agent; packets from any other source IP address are dropped.

Disabling Authentication Traps
To provide additional security to the RS 32000, disable the sending of authentication traps. Authentication traps are
sent when SNMPv1 packets are received with invalid community strings. A common attack on an SNMPv1 agent is to
send a message containing an invalid community string and then capture the resulting authentication trap, which can
reveal the agent's community string.
Here is an example of how to turn off the sending of authentication traps:

rs(config)# snmp disable trap authentication
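The three hardening settings above (an ACL applied to the SNMP service, that ACL restricting the source address, and authentication traps disabled) are easy to audit from a saved configuration. The following Python script is an added example, not part of the Riverstone guide: it parses command lines in the syntax shown in this section and reports which settings are missing. The function name, the parsing rules and both sample configurations are constructed for illustration.

```python
import re

# Patterns follow the command syntax shown in this section (assumed fixed field order).
ACL_RULE = re.compile(r"^acl\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(\S+)")
ACL_APPLY = re.compile(r"^acl\s+(\S+)\s+apply\s+service\s+snmp\b")
TRAP_AUTH_OFF = re.compile(r"^snmp\s+disable\s+trap\s+authentication\b")


def audit_snmp_config(config_text):
    """Return a list of findings; an empty list means all three checks passed."""
    rules = {}               # ACL name -> list of (action, protocol, source)
    applied = []             # ACL names applied to the snmp service
    trap_auth_disabled = False
    for raw in config_text.splitlines():
        # Strip an optional CLI prompt such as "rs(config)# " (constructed format).
        line = re.sub(r"^\S*\(config\)#\s*", "", raw.strip())
        m = ACL_APPLY.match(line)
        if m:
            applied.append(m.group(1))
            continue
        m = ACL_RULE.match(line)
        if m:
            name, action, proto, source = m.groups()
            rules.setdefault(name, []).append((action, proto, source))
            continue
        if TRAP_AUTH_OFF.match(line):
            trap_auth_disabled = True

    findings = []
    if not applied:
        findings.append("no ACL applied to the SNMP service: agent answers any source")
    for name in applied:
        if name not in rules:
            findings.append(f"no rules found for ACL {name} applied to SNMP")
        for action, proto, source in rules.get(name, []):
            if action == "permit" and source == "any":
                findings.append(f"ACL {name} permits SNMP from any source")
    if not trap_auth_disabled:
        findings.append("authentication traps still enabled: bad-community attempts generate traps")
    return findings


# Constructed sample configurations (192.0.2.10 is a placeholder management station).
HARDENED = """\
rs(config)# snmp set trap-source 134.152.78.192
rs(config)# acl mgmt_only permit udp 192.0.2.10 any any any
rs(config)# acl mgmt_only apply service snmp
rs(config)# snmp disable trap authentication
"""
WEAK = """\
rs(config)# acl open permit udp any any any any
rs(config)# acl open apply service snmp
"""
```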