{
	"id": "c2886235-f555-453e-8a06-ae12cd0326d3",
	"created_at": "2026-04-06T00:16:20.205961Z",
	"updated_at": "2026-04-10T03:35:21.386954Z",
	"deleted_at": null,
	"sha1_hash": "56dd77fdc39b14a5ab7380709bb4d154ac875195",
	"title": "Secure Your Simple Network Management Protocol",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 101675,
	"plain_text": "Secure Your Simple Network Management Protocol\r\nContributed by Cisco TAC Engineers\r\nPublished: 2024-03-14 · Archived: 2026-04-05 17:31:35 UTC\r\nIntroduction\r\nThis document describes how to secure the Simple Network Management Protocol (SNMP) on Cisco IOS devices.\r\nPrerequisites\r\nRequirements\r\nThere are no specific requirements for this document.\r\nComponents Used\r\nThe information in this document is based on these software and hardware versions:\r\nSNMP View: Cisco IOS® Software Release 10.3 or later.\r\nSNMP version 3: introduced in Cisco IOS Software Release 12.0(3)T.\r\nThe information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.\r\nConventions\r\nFor more information on document conventions, refer to the Cisco Technical Tips Conventions.\r\nBackground Information\r\nIt is important to secure SNMP, especially because vulnerabilities in SNMP implementations can be exploited repeatedly to produce a denial of service (DoS), and because a guessed or sniffed community string gives an attacker read, and possibly write, access to the device.\r\nStrategies to Secure SNMP\r\nChoose a Good SNMP Community String\r\nIt is not a good practice to use public as the read-only and private as the read-write community string. Both are well-known defaults and are the first values any scanner tries.\r\nSetup SNMP View\r\nhttps://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/20370-snmpsecurity-20370.html\r\nPage 1 of 9\r\nThe snmp-server view command restricts a user to a limited part of the Management Information Base (MIB). By default, no SNMP view entry exists. This command is configured in global configuration mode and was first introduced in Cisco IOS Software Release 10.3. It works like an access list in that, once you define an SNMP view on certain MIB trees, every other tree is denied implicitly.
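A small Python model of how such a view is evaluated, added here as an example and not configuration or code from the Cisco page. The MIB name table resolves only the names this page uses (everything else is given numerically), and the decision rule is the VACM rule of RFC 3415: all entries are examined regardless of order, the most specific matching entry wins, and an OID no entry covers is denied. That rule is what makes the agon view below hide sysServices while the rest of the system group stays visible.

```python
# Added example: a Python model of Cisco IOS 'snmp-server view' evaluation.
# Not code from the Cisco page. Assumptions are marked below.

# Assumption: only the MIB names this page uses are resolved; everything else
# must be given as a numeric OID. Values are the standard MIB-II / Cisco OIDs.
MIB_NAMES = {
    'mib-2':   '1.3.6.1.2.1',
    'system':  '1.3.6.1.2.1.1',
    'ifEntry': '1.3.6.1.2.1.2.2.1',
    'atEntry': '1.3.6.1.2.1.3.1.1',
    'cisco':   '1.3.6.1.4.1.9',
}


def parse_oid_tree(tree):
    '''Turn an oid-tree argument such as system.7 or ifEntry.*.1 into a tuple of
    sub-identifiers; the asterisk is kept as the single-sub-identifier wildcard.'''
    head, _, rest = tree.strip('.').partition('.')
    head = MIB_NAMES.get(head, head)
    text = head + ('.' + rest if rest else '')
    return tuple(p if p == '*' else int(p) for p in text.split('.'))


def family_matches(pattern, oid):
    '''True when oid lies in the subtree family described by pattern.'''
    if len(pattern) > len(oid):
        return False
    return all(p == '*' or p == o for p, o in zip(pattern, oid))


class SnmpView:
    '''Collects snmp-server view NAME OID-TREE {included|excluded} entries.'''

    def __init__(self, name):
        self.name = name
        self.entries = []          # list of (pattern, included)

    def add(self, oid_tree, kind):
        if kind not in ('included', 'excluded'):
            raise ValueError('type must be included or excluded: ' + kind)
        self.entries.append((parse_oid_tree(oid_tree), kind == 'included'))
        return self

    def allows(self, oid_text):
        '''VACM rule (RFC 3415): every entry is examined regardless of order; the
        longest matching pattern decides, wildcards lose ties; no match means denied.'''
        oid = tuple(int(p) for p in oid_text.strip('.').split('.'))
        best = None
        for pattern, included in self.entries:
            if not family_matches(pattern, oid):
                continue
            rank = (len(pattern), sum(p != '*' for p in pattern))
            if best is None or rank > best[0]:
                best = (rank, included)
        return best is not None and best[1]

    def walk(self, subtree, instances):
        '''Model of snmpwalk under a subtree: only instances in the view come back,
        so an excluded table yields an empty result.'''
        root = parse_oid_tree(subtree)
        return [i for i in instances
                if family_matches(root, tuple(int(p) for p in i.split('.')))
                and self.allows(i)]


# The page's agon view: system group except sysServices, plus interface 1 only.
AGON = (SnmpView('agon')
        .add('system', 'included')
        .add('system.7', 'excluded')
        .add('ifEntry.*.1', 'included'))

# The page's myview: MIB-II and the Cisco MIB, but no ARP table (atEntry).
MYVIEW = (SnmpView('myview')
          .add('mib-2', 'included')
          .add('atEntry', 'excluded')
          .add('cisco', 'included'))

# Constructed instance OIDs standing in for what an agent would hold.
SAMPLE_INSTANCES = [
    '1.3.6.1.2.1.1.1.0',                  # sysDescr.0
    '1.3.6.1.2.1.1.7.0',                  # sysServices.0
    '1.3.6.1.2.1.2.2.1.2.1',              # ifDescr.1
    '1.3.6.1.2.1.2.2.1.2.2',              # ifDescr.2
    '1.3.6.1.2.1.3.1.1.2.1.1.10.1.1.1',   # atPhysAddress for 10.1.1.1 (ARP table)
    '1.3.6.1.4.1.9.2.1.3.0',              # cisco lsystem hostName.0
]

if __name__ == '__main__':
    for view in (AGON, MYVIEW):
        for inst in SAMPLE_INSTANCES:
            print(view.name, inst, 'included' if view.allows(inst) else 'denied')
    print('atTable walk under myview:', MYVIEW.walk('1.3.6.1.2.1.3.1', SAMPLE_INSTANCES))
```

Running it shows the agon view returning sysDescr.0 and ifDescr.1 but neither sysServices.0 nor ifDescr.2, and the walk of atTable under myview coming back empty, which is the same outcome the snmpwalk output later in this section shows on a real router.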
The order of the entries does not matter: the whole list is searched for a match rather than stopping at the first entry, and the most specific matching entry decides.\r\nTo create or update a view entry, use the snmp-server view global configuration command. To remove the specified SNMP server view entry, use the no form of this command.\r\nSyntax:\r\nsnmp-server view view-name oid-tree {included | excluded}\r\nno snmp-server view view-name\r\nSyntax Description:\r\nview-name: label for the view record that you create or update. The name is used to reference the record.\r\noid-tree: object identifier of the Abstract Syntax Notation One (ASN.1) subtree to be included in or excluded from the view. To identify the subtree, specify a text string that consists of numbers, such as 1.3.6.2.4, or a word, such as system. Replace a single sub-identifier with the asterisk (*) wildcard to specify a subtree family; for example 1.3.*.4.\r\nincluded | excluded: type of view. You must specify either included or excluded.\r\nTwo standard predefined views can be used when a view is required but you do not want to define one. One is everything, which indicates that the user can see all objects. The other is restricted, which indicates that the user can see three groups: system, snmpStats, and snmpParties. The predefined views are described in RFC 1447.\r\nNote: The first snmp-server command that you enter enables both versions of SNMP.\r\nThis example creates a view that includes all objects in the MIB-II system group except for sysServices (system 7) and all objects for interface 1 in the MIB-II interfaces group:\r\nsnmp-server view agon system included\r\nsnmp-server view agon system.7 excluded\r\nsnmp-server view agon ifEntry.*.1 included\r\nThis is a complete example of how to apply a view to the community strings, followed by the output of snmpwalk with the view in place. 
This configuration defines a view that denies SNMP access to the Address Resolution Protocol (ARP) table (atEntry) and allows it for MIB-II and the Cisco private MIB:\r\nsnmp-server view myview mib-2 included\r\nsnmp-server view myview atEntry excluded\r\nsnmp-server view myview cisco included\r\nsnmp-server community public view myview RO 11\r\nsnmp-server community private view myview RW 11\r\nsnmp-server contact pvanderv@cisco.com\r\nThe trailing 11 on both community lines binds the strings to access list 11, which restricts the source addresses allowed to use them and is not shown in this excerpt.\r\nThis is the command and output for the MIB-II System group:\r\nNMSPrompt 82 % snmpwalk cough system\r\nsystem.sysDescr.0 : DISPLAY STRING- (ascii):Cisco Internetwork Operating System Software\r\nCisco IOS (tm) 2500 Software (C2500-JS-L), Version 12.0(1)T,RELEASE SOFTWARE (fc2)\r\nCopyright (c) 1986-1998 by cisco Systems, Inc.\r\nCompiled Wed 04-Nov-98 20:37 by dschwart\r\nsystem.sysObjectID.0 : OBJECT IDENTIFIER:\r\n .iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.cisco2520\r\nsystem.sysUpTime.0 : Timeticks: (306588588) 35 days, 11:38:05.88\r\nsystem.sysContact.0 : DISPLAY STRING- (ASCII):pvanderv@cisco.com\r\nsystem.sysName.0 : DISPLAY STRING- (ASCII):cough\r\nsystem.sysLocation.0 : DISPLAY STRING- (ASCII):\r\nsystem.sysServices.0 : INTEGER: 78\r\nsystem.sysORLastChange.0 : Timeticks: (0) 0:00:00.00\r\nNMSPrompt 83 %\r\nThis is the command and output for the local Cisco System group:\r\nNMSPrompt 83 % snmpwalk cough lsystem\r\ncisco.local.lsystem.romId.0 : DISPLAY STRING- (ASCII):\r\nSystem Bootstrap, Version 11.0(10c), SOFTWARE\r\nCopyright (c) 1986-1996 by cisco Systems\r\ncisco.local.lsystem.whyReload.0 : DISPLAY STRING- (ASCII):power-on\r\ncisco.local.lsystem.hostName.0 : DISPLAY STRING- (ASCII):cough\r\nThis is the command and output for the MIB-II ARP table, which the view excludes:\r\nNMSPrompt 84 % snmpwalk cough atTable\r\nno MIB objects contained under subtree.\r\nNMSPrompt 85 %\r\nSetup SNMP 
Community with Access-list\r\nCurrent best practice is to apply Access Control Lists (ACLs) to community strings and to ensure that the community strings used for requests are not identical to the community strings used for notifications (traps). Access lists provide further protection when used in combination with the other protective measures in this document.\r\nThis example binds a community string to an ACL that permits only the management station 10.1.1.1:\r\naccess-list 1 permit 10.1.1.1\r\nsnmp-server community string1 ro 1\r\nUsing different community strings for requests and trap messages reduces the likelihood of further attacks or compromises if one community string is discovered by an attacker. Otherwise an attacker who compromises the remote trap receiver, or who sniffs a trap message from the network, obtains a string that also grants request access to the device.\r\nWhen you configure a trap destination with snmp-server host, some Cisco IOS software releases also enable that community string for incoming SNMP requests. You must explicitly disable request access for it, for example by binding it to an ACL that denies every source:\r\naccess-list 10 deny any\r\nsnmp-server host 10.1.1.1 mystring1\r\nsnmp-server community mystring1 RO 10\r\nSetup SNMP Version 3\r\nDo these steps to configure SNMP version 3:\r\n1. Assign an Engine ID for the SNMP Entity (optional).\r\n2. Define a user, userone, that belongs to the group groupone and apply noAuthentication (no password) and noPrivacy (no encryption) to this user.\r\n3. Define a user, usertwo, that belongs to the group grouptwo and apply noAuthentication (no password) and noPrivacy (no encryption) to this user.\r\n4. Define a user, userthree, that belongs to the group groupthree and apply Authentication (password is user3passwd) and noPrivacy (no encryption) to this user.\r\n5. Define a user, userfour, that belongs to the group groupfour and apply Authentication (password is user4passwd) and Privacy (des56 encryption) to this user.\r\n6. 
Define a group, groupone, by means of the SNMPv3 User-based Security Model (USM) and enable read access on the v1default view (the default).\r\n7. Define a group, grouptwo, by means of USM v3 and enable read access on the view myview.\r\n8. Define a group, groupthree, by means of USM v3, and enable read access on the v1default view (the default), with authentication required.\r\n9. Define a group, groupfour, by means of USM v3, and enable read access on the v1default view (the default), with authentication and privacy required.\r\n10. Define a view, myview, that provides read access to MIB-II and denies read access to the private Cisco MIB.\r\nThe show running-config output gives additional lines for the group public, because a read-only community string public has been defined.\r\nThe show running-config output does not display snmp-server user entries, so userthree, for example, is not shown there; use show snmp user to list configured users.\r\nExample:\r\nsnmp-server engineID local 111100000000000000000000\r\nsnmp-server user userone groupone v3\r\nsnmp-server user usertwo grouptwo v3\r\nsnmp-server user userthree groupthree v3 auth md5 user3passwd\r\nsnmp-server user userfour groupfour v3 auth md5 user4passwd priv des56 user4priv\r\nsnmp-server group groupone v3 noauth\r\nsnmp-server group grouptwo v3 noauth read myview\r\nsnmp-server group groupthree v3 auth\r\nsnmp-server group groupfour v3 priv\r\nsnmp-server view myview mib-2 included\r\nsnmp-server view myview cisco excluded\r\nsnmp-server community public RO\r\nNote: the noauth groups and the md5 and des56 algorithms above are shown to illustrate the three SNMPv3 security levels. On current software, define only authPriv users (auth sha with priv aes 128 or stronger), do not create noauth groups, and do not leave a version 1 or 2c community such as public RO alongside the SNMPv3 configuration, because it bypasses the SNMPv3 protections entirely.\r\nThis is the command and output for the MIB-II System group with user userone:\r\nNMSPrompt 94 % snmpwalk -v3 -n \"\" -u userone -l noAuthNoPriv clumsy system\r\nModule SNMPV2-TC not found\r\nsystem.sysDescr.0 = Cisco Internetwork Operating System Software\r\nCisco IOS (TM) 4500 Software (C4500-IS-M), Version 12.0(3)T,RELEASE SOFTWARE (fc1)\r\nCopyright (c) 1986-1999 by cisco Systems, 
Inc.\r\nCompiled Tue 23-Feb-99 03:59 by ccai\r\nsystem.sysObjectID.0 = OID: enterprises.9.1.14\r\nsystem.sysUpTime.0 = Timeticks: (28208096) 3 days, 6:21:20.96\r\nsystem.sysContact.0 =\r\nsystem.sysName.0 = clumsy.cisco.com\r\nsystem.sysLocation.0 =\r\nsystem.sysServices.0 = 78\r\nsystem.sysORLastChange.0 = Timeticks: (0) 0:00:00.00\r\nNMSPrompt 95 %\r\nThis is the command and output for the MIB-II System group with user usertwo:\r\nNMSPrompt 95 % snmpwalk -v3 -n \"\" -u usertwo -l noAuthNoPriv clumsy system\r\nModule SNMPV2-TC not found\r\nsystem.sysDescr.0 = Cisco Internetwork Operating System Software\r\nCisco IOS (TM) 4500 Software (C4500-IS-M), Version 12.0(3)T,RELEASE SOFTWARE (fc1)\r\nCopyright (c) 1986-1999 by cisco Systems, Inc.\r\nCompiled Tue 23-Feb-99 03:59 by ccai\r\nsystem.sysObjectID.0 = OID: enterprises.9.1.14\r\nsystem.sysUpTime.0 = Timeticks: (28214761) 3 days, 6:22:27.61\r\nsystem.sysContact.0 =\r\nsystem.sysName.0 = clumsy.cisco.com\r\nsystem.sysLocation.0 =\r\nsystem.sysServices.0 = 78\r\nsystem.sysORLastChange.0 = Timeticks: (0) 0:00:00.00\r\nThis is the command and output for the Cisco Local System group with user userone:\r\nNMSPrompt 98 % snmpwalk -v3 -n \"\" -u userone -l noAuthNoPriv clumsy .1.3.6.1.4.1.9.2.1\r\nModule SNMPV2-TC not found\r\nenterprises.9.2.1.1.0 = \"..System Bootstrap, Version 5.2(7b) [mkamson 7b],\r\nRELEASE SOFTWARE (fc1)..Copyright (c) 1995 by cisco Systems,\r\nInc...\"\r\nenterprises.9.2.1.2.0 = \"reload\"\r\nenterprises.9.2.1.3.0 = \"clumsy\"\r\nenterprises.9.2.1.4.0 = \"cisco.com\"\r\nThis is the command and output that shows you cannot get the Cisco Local System group with user usertwo:\r\nNMSPrompt 99 % snmpwalk -v3 -n \"\" -u usertwo -l noAuthNoPriv clumsy .1.3.6.1.4.1.9.2.1\r\nModule SNMPV2-TC not found\r\nenterprises.9.2.1 = No more variables left in this MIB View\r\nNMSPrompt 
100 %\r\nThis command and its output were used together with a customized tcpdump (patched for SNMP version 3 support, with additional printf output):\r\nNMSPrompt 102 % snmpget -v3 -n \"\" -u userone -l noAuthNoPriv clumsy system.sysName.0\r\nModule SNMPV2-TC not found\r\nsystem.sysName.0 = clumsy.cisco.com\r\nSetup ACL on Interfaces\r\nInterface ACLs restrict which source addresses can reach the router's management services and so limit the exposure to attacks that rely on forged source addresses. Note that a source-address ACL alone does not stop an attacker who spoofs the trusted management station's address, so combine it with anti-spoofing filtering at the network edge. An ACL can be applied to incoming or outgoing traffic on a router interface.\r\nOn platforms that do not have the option to use receive ACLs (rACLs), interface ACLs can be used to permit User Datagram Protocol (UDP) traffic to the router only from trusted IP addresses.\r\nThe next extended access list can be adapted to your network. This example assumes that the router has IP addresses 192.168.10.1 and 172.16.1.1 configured on its interfaces, that all SNMP access is to be restricted to a management station with the IP address 10.1.1.1, and that the management station needs to communicate only with IP address 192.168.10.1:\r\naccess-list 101 permit udp host 10.1.1.1 host 192.168.10.1\r\nThe access list must then be applied to all interfaces with these configuration commands:\r\ninterface ethernet 0/0\r\nip access-group 101 in\r\nNote: every Cisco IOS access list ends with an implicit deny of whatever it does not permit. Applied exactly as shown, this single entry drops all other traffic entering the interface, transit and routing protocol traffic included. In production, follow the permit with deny entries for UDP to each of the router's own addresses (192.168.10.1 and 172.16.1.1 in this example) and then a permit for the remaining traffic, and verify the hit counts with show access-lists before relying on the list.\r\nAll devices that communicate directly with the router on UDP ports need to be specifically listed in the access list. 
Cisco IOS software uses ports in the range 49152 to 65535 as the source port for outbound sessions such as Domain Name System (DNS) queries.\r\nFor devices that have many IP addresses configured, or many hosts that need to communicate with the router, this is not always a scalable solution.\r\nrACLs\r\nFor distributed platforms, rACLs are an option, starting in Cisco IOS Software Release 12.0(21)S2 for the Cisco 12000 Series Gigabit Switch Router (GSR) and Release 12.0(24)S for the Cisco 7500 Series. Receive access lists protect the device from harmful traffic before the traffic can impact the route processor. Receive path ACLs are also considered a network security best practice and should be treated as a long-term addition to good network security, as well as a workaround for the SNMP vulnerabilities referenced under Related Information. The filtering is performed on the line card processors, which helps mitigate load on the main route processor. The white paper GSR: Receive Access Control Lists helps to identify legitimate traffic. Use that white paper to understand how to permit legitimate traffic to your device and deny all unwanted packets.\r\nInfrastructure ACLs\r\nAlthough it is often difficult to block traffic that transits your network, it is possible to identify traffic that must never be allowed to target your infrastructure devices and block that traffic at the border of your network. Infrastructure ACLs (iACLs) are considered a network security best practice and should be treated as a long-term addition to good network security, as well as a workaround for the same vulnerabilities. The white paper Protecting Your Core: Infrastructure Protection Access Control Lists presents guidelines and recommended deployment techniques for iACLs.\r\nCisco Catalyst LAN Switch Security Feature\r\nThe IP Permit List feature restricts inbound Telnet and SNMP access to the switch from unauthorized source IP addresses. 
Syslog messages and SNMP traps are supported to notify a management system when a violation or unauthorized access occurs.\r\nA combination of the Cisco IOS software security features can be used to manage routers and Cisco Catalyst switches. A security policy needs to be established that limits the number of management stations that can access the switches and routers.\r\nFor more information on how to increase security on IP networks, refer to Increasing Security on IP Networks.\r\nHow to Check SNMP Errors\r\nConfigure the SNMP community ACLs with the log keyword and monitor syslog for failed attempts, as shown below.\r\naccess-list 10 deny any log\r\nsnmp-server community public RO 10\r\nWhen someone tries to access the router with the community public, you see a syslog message similar to this:\r\n%SEC-6-IPACCESSLOGS: list 10 denied 172.16.1.1 5 packets\r\nThis output means that access-list 10 has denied five SNMP packets from the host 172.16.1.1. Note that the log keyword reports the first denied packet immediately and then summarizes further matches at intervals, so the count in a single message can lag the actual rate.\r\nPeriodically check SNMP for errors with the show snmp command, as shown here:\r\nrouter#show snmp\r\nChassis: 21350479\r\n17005 SNMP packets input\r\n    37 Bad SNMP version errors**\r\n    15420 Unknown community name**\r\n    0 Illegal operation for community name supplied\r\n    1548 Encoding errors**\r\n    0 Number of requested variables\r\n    0 Number of altered variables\r\n    0 Get-request PDUs\r\n    0 Get-next PDUs\r\n    0 Set-request PDUs\r\n0 SNMP packets output\r\n    0 Too big errors (Maximum packet size 1500)\r\n    0 No such name errors\r\n    0 Bad values errors\r\n    0 General errors\r\n    0 Response PDUs\r\n    0 Trap PDUs\r\nWatch the counters marked ** for unexpected increases in error rates that can indicate attempted exploitation of these vulnerabilities; a steadily rising Unknown community name count with no corresponding change on the management station is the classic sign of community-string guessing. 
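A small Python checker for the two signals this section describes: the IPACCESSLOGS deny messages summed per source address, and growth of the three starred show snmp counters between two snapshots. It is an added example, not code from the Cisco page; the syslog lines and show snmp output inside it are constructed to match the formats shown above, and the alert thresholds are assumptions to tune for your network.

```python
# Added example: checks for the two signals this section describes, a syslog
# IPACCESSLOGS deny message and rising error counters in 'show snmp'.
# Not code from the Cisco page; the sample text below is constructed.
import re

# Constructed syslog lines in Cisco IOS format (not captured from a device).
SAMPLE_SYSLOG = '''
Mar 14 10:01:02 rtr1 1234: %SEC-6-IPACCESSLOGS: list 10 denied 172.16.1.1 5 packets
Mar 14 10:01:45 rtr1 1235: %SEC-6-IPACCESSLOGS: list 10 denied 172.16.1.1 112 packets
Mar 14 10:02:10 rtr1 1236: %SEC-6-IPACCESSLOGS: list 10 denied 192.0.2.77 1 packet
Mar 14 10:02:11 rtr1 1237: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
'''

# Constructed 'show snmp' output at two points in time (same layout as the page).
SHOW_SNMP_BEFORE = '''
Chassis: 21350479
17005 SNMP packets input
    37 Bad SNMP version errors
    15420 Unknown community name
    0 Illegal operation for community name supplied
    1548 Encoding errors
    0 Number of requested variables
    0 Get-request PDUs
0 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
'''
SHOW_SNMP_AFTER = '''
Chassis: 21350479
19260 SNMP packets input
    37 Bad SNMP version errors
    17650 Unknown community name
    0 Illegal operation for community name supplied
    1552 Encoding errors
    0 Number of requested variables
    0 Get-request PDUs
0 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
'''

# The counters the page marks with ** as the ones worth watching.
WATCHED = ('Bad SNMP version errors', 'Unknown community name', 'Encoding errors')

DENY_RE = re.compile(
    r'%SEC-6-IPACCESSLOGS: list ([0-9]+) denied ([0-9.]+) ([0-9]+) packets?')
COUNTER_RE = re.compile(r'^ *([0-9]+) (.+?) *$')


def denied_by_source(syslog_text, acl=None):
    '''Sum denied packet counts per source address from IPACCESSLOGS messages,
    optionally for one access list number only.'''
    totals = {}
    for line in syslog_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        if acl is not None and m.group(1) != str(acl):
            continue
        totals[m.group(2)] = totals.get(m.group(2), 0) + int(m.group(3))
    return totals


def parse_show_snmp(text):
    '''Map each show snmp counter name to its integer value.'''
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters


def counter_increases(before, after, names=WATCHED):
    '''Growth of the watched counters between two show snmp snapshots.'''
    b, a = parse_show_snmp(before), parse_show_snmp(after)
    return {n: a.get(n, 0) - b.get(n, 0) for n in names if a.get(n, 0) > b.get(n, 0)}


def alerts(syslog_text, before, after, deny_threshold=50, counter_threshold=100):
    '''Assumed thresholds: flag a source denied more than deny_threshold packets,
    and any watched counter that grew by more than counter_threshold.'''
    out = []
    for src, n in sorted(denied_by_source(syslog_text).items()):
        if n > deny_threshold:
            out.append('ACL denies from ' + src + ': ' + str(n) + ' packets')
    for name, delta in counter_increases(before, after).items():
        if delta > counter_threshold:
            out.append(name + ' grew by ' + str(delta))
    return out


if __name__ == '__main__':
    for line in alerts(SAMPLE_SYSLOG, SHOW_SNMP_BEFORE, SHOW_SNMP_AFTER):
        print(line)
```

On the constructed input the checker flags 172.16.1.1 (117 denied packets across two messages) and the 2230 rise in Unknown community name, while the single denied packet from 192.0.2.77 and the four extra encoding errors stay below the thresholds. Feed it real syslog and two timed show snmp captures, and raise the thresholds to sit above your normal background of mistyped strings and polling noise.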
To report any security issue, refer to Cisco Product Security Incident Response.\r\nRelated Information\r\nCisco Security Advisories SNMP Vulnerabilities\r\nCisco Technical Support \u0026 Downloads\r\nSource: https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/20370-snmpsecurity-20370.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/20370-snmpsecurity-20370.html"
	],
	"report_names": [
		"20370-snmpsecurity-20370.html"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434580,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/56dd77fdc39b14a5ab7380709bb4d154ac875195.pdf",
		"text": "https://archive.orkl.eu/56dd77fdc39b14a5ab7380709bb4d154ac875195.txt",
		"img": "https://archive.orkl.eu/56dd77fdc39b14a5ab7380709bb4d154ac875195.jpg"
	}
}