Cisco 500 series Administration Manual page 443

Configuring SNMP
SNMP Versions and Workflow
NOTE
Cisco 500 Series Stackable Managed Switch Administration Guide
SNMPv1 and v2
To control access to the system, a list of community entries is defined. Each
community entry consists of a community string and its access privilege. The
system responds only to SNMP messages specifying the community which has
the correct permissions and correct operation.
SNMP agents maintain a list of variables that are used to manage the switch.
These variables are defined in the Management Information Base (MIB).
Due to the security vulnerabilities of other versions, it is recommended to use
SNMPv3.
SNMPv3
In addition to the functionality provided by SNMPv1 and v2, SNMPv3 applies
access control and new trap mechanisms to SNMPv1 and SNMPv2 PDUs.
SNMPv3 also defines a User Security Model (USM) that includes:
• Authentication—Provides data integrity and data origin authentication.
• Privacy—Protects against disclosure message content. Cipher Block-
Chaining (CBC-DES) is used for encryption. Either authentication alone can
be enabled on an SNMP message, or both authentication and privacy can
be enabled on an SNMP message. However, privacy cannot be enabled
without authentication.
• Timeliness—Protects against message delay or playback attacks. The
SNMP agent compares the incoming message time stamp to the message
arrival time.
• Key Management—Defines key generation, key updates, and key use. The
switch supports SNMP notification filters based on Object IDs (OID). OIDs
are used by the system to manage device features.
SNMP Workflow
For security reasons, SNMP is disabled by default. Before you can
NOTE
manage the switch via SNMP, you must turn on SNMP on the
UDP Services
The following is the recommended series of actions for configuring SNMP:
.
page
26
Security >TCP/
443