Encryption Of Snmp Community Strings; Adding An Snmp Community String - Foundry Networks Switch and Router Installation And Configuration Manual


NOTE: As an alternative to the SNMP community strings, you can secure Web management access using local
user accounts or ACLs. See "Setting Up Local User Accounts" on page 3-12 or "Using an ACL to Restrict Web
Management Access" on page 3-4.

Encryption of SNMP Community Strings

The software automatically encrypts SNMP community strings. Users with read-only access or who do not have
access to management functions in the CLI cannot display the strings. For users with read-write access, the
strings are encrypted in the CLI but are shown in the clear in the Web management interface.
Encryption is enabled by default. You can disable encryption for individual strings or trap receivers if desired. See
the next section for information about encryption.

Adding an SNMP Community String

To add a community string, use either of the following methods. When you add a community string, you can
specify whether the string is encrypted or clear. By default, the string is encrypted.
USING THE CLI
To add an encrypted community string, enter commands such as the following:
BigIron(config)# snmp-server community private rw
BigIron(config)# write memory
Syntax: snmp-server community [0 | 1] <string> ro | rw
The <string> parameter specifies the community string name. The string can be up to 32 characters long.
The ro | rw parameter specifies whether the string is read-only (ro) or read-write (rw).
The 0 | 1 parameter affects encryption for display of the string in the running-config and the startup-config file.
Encryption is enabled by default. When encryption is enabled, the community string is encrypted in the CLI
regardless of the access level you are using. In the Web management interface, the community string is
encrypted at the read-only access level but is visible at the read-write access level.
The encryption option can be omitted (the default) or can be one of the following.
0 – Disables encryption for the community string you specify with the command. The community string is
shown as clear text in the running-config and the startup-config file. Use this option if you do not want
display of the community string to be encrypted.
1 – Assumes that the community string you enter is the encrypted form, and decrypts the value before using
it.
NOTE: If you want the software to assume that the value you enter is the clear-text form, and to encrypt display
of that form, do not enter 0 or 1. Instead, omit the encryption option and allow the software to use the default
behavior.
If you specify encryption option 1, the software assumes that you are entering the encrypted form of the
community string. In this case, the software decrypts the community string you enter before using the value for
authentication. If you accidentally enter option 1 followed by the clear-text version of the community string,
authentication will fail because the value used by the software will not match the value you intended to use.
The command in the example above adds the read-write SNMP community string "private". When you save the
new community string to the startup-config file (using the write memory command), the software adds the
following command to the file:
snmp-server community 1 <encrypted-string> rw
To add a non-encrypted community string, you must explicitly specify that you do not want the software to
encrypt the string. Here is an example:
BigIron(config)# snmp-server community 0 private rw
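The following is an added example, not part of the Foundry manual. It is a Python check that applies the syntax above to a saved configuration or change script and reports community lines whose value is readable in the file (option 0, or no option), along with read-write strings. The finding names, the list of guessable names and the sample lines are assumptions constructed for this illustration.

```python
import re

# Grammar from the manual: snmp-server community [0 | 1] <string> ro | rw
LINE_RE = re.compile(
    r"^\s*snmp-server\s+community\s+(?:(?P<opt>[01])\s+)?"
    r"(?P<string>\S+)\s+(?P<access>ro|rw)\s*$"
)
MAX_LEN = 32                        # manual: string can be up to 32 characters
GUESSABLE = {"public", "private"}   # assumption: names this audit treats as guessable

def audit_config(text):
    """Return (line_number, access, findings) for every community line."""
    results = []
    for num, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        opt, string, access = m.group("opt", "string", "access")
        findings = []
        if opt == "0":
            # Option 0: string is shown in clear in running/startup config.
            findings.append("stored-in-clear")
        elif opt is None:
            # No option: the value typed is the clear-text form, so a script
            # or template holding this line holds the secret itself.
            findings.append("clear-text-value")
        if opt != "1":
            # Option 1 carries the encrypted form, so the real string cannot
            # be inspected; only clear-text values are checked here.
            if string.lower() in GUESSABLE:
                findings.append("guessable-string")
            if len(string) > MAX_LEN:
                findings.append("too-long")
        if access == "rw":
            findings.append("read-write")
        results.append((num, access, findings))
    return results

# Constructed sample lines, not taken from a real device.
SAMPLE = """\
snmp-server community 1 ENCRYPTED-PLACEHOLDER ro
snmp-server community 0 private rw
snmp-server community monitoring-7f3a ro
"""

if __name__ == "__main__":
    for num, access, findings in audit_config(SAMPLE):
        print(num, access, ", ".join(findings) or "ok")
```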
December 2000
Securing Access to Management Functions
3 - 15
