SNMPv1 and v2c vs SNMPv3 – snmpv3

Details

SNMP is disabled by default in ArubaOS-CX. This protocol is used to monitor switches and routers from a central management server such as AirWave or IMC. The commonly used SNMP versions 1 and 2c use community names for read and write access, much like passwords are used for authentication. These community names are sent across the wire as cleartext. If a malicious user were to capture these community names, they could pull configuration parameters and monitoring data from the switch.

SNMP version 3 was developed to overcome this weakness by using asymmetric cryptography, similar to that used by SSH, to encrypt SNMP traffic over the wire.
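As an added example (not code from the Aruba page), the following Python script decodes just enough of the BER header of an SNMP datagram to report whether it is a v1/v2c message carrying a cleartext community name or a v3 message, and for v3 which USM security level its msgFlags select. It is the kind of check a network sensor runs to find legacy SNMP still in use on a management network. All sample datagrams are constructed inline by a small encoder; the OIDs, message IDs and community names in them are arbitrary.

```python
"""Classify SNMP datagrams by version and security level.

Added example for the text above; not code from the Aruba page. It decodes
only the SNMP message header and reports whether a datagram exposes a
cleartext community (v1/v2c) or uses SNMPv3, and at what USM level.
The sample datagrams are constructed inline.
"""

VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}
DEFAULT_COMMUNITIES = {"public", "private"}


def tlv(tag: int, payload: bytes) -> bytes:
    """Minimal BER encoder: tag, definite length, payload (used to build samples)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + payload


def ber_int(value: int) -> bytes:
    """BER INTEGER (two's complement, minimal length for non-negative values)."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(size, "big", signed=True))


def read_tlv(buf: bytes, pos: int):
    """Decode one BER element at buf[pos]; returns (tag, payload, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("BER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def classify_snmp(datagram: bytes) -> dict:
    """Return the SNMP version, community (v1/v2c only) and security level."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, raw_version, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("not an SNMP message: version INTEGER missing")
    version = int.from_bytes(raw_version, "big", signed=True)
    tag, second, pos = read_tlv(body, pos)

    if version in (0, 1):                   # SNMPv1 / SNMPv2c: community OCTET STRING follows
        community = second.decode("ascii", "replace")
        level = "cleartext community"
        if community in DEFAULT_COMMUNITIES:
            level += " (default name)"
        return {"version": VERSION_NAMES[version], "community": community, "level": level}

    if version == 3:                        # SNMPv3: msgGlobalData SEQUENCE follows
        _, _msg_id, p = read_tlv(second, 0)
        _, _max_size, p = read_tlv(second, p)
        _, flags, _ = read_tlv(second, p)
        auth_priv = flags[0] & 0x03         # bit0 = authFlag, bit1 = privFlag
        level = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}.get(
            auth_priv, "invalid (priv without auth)")
        return {"version": "v3", "community": None, "level": level}

    return {"version": f"unknown({version})", "community": None, "level": "unknown"}


# --- constructed sample datagrams (not captured traffic) ---------------------

def build_v2c_get(community: bytes) -> bytes:
    """SNMPv2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0)."""
    oid = tlv(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 1, 0]))
    varbind_list = tlv(0x30, tlv(0x30, oid + tlv(0x05, b"")))
    pdu = tlv(0xA0, ber_int(1) + ber_int(0) + ber_int(0) + varbind_list)
    return tlv(0x30, ber_int(1) + tlv(0x04, community) + pdu)


def build_v3_message(flags: int) -> bytes:
    """SNMPv3 header with the given msgFlags; USM parameters and scoped PDU left empty."""
    global_data = tlv(0x30, ber_int(42) + ber_int(65507) + tlv(0x04, bytes([flags])) + ber_int(3))
    return tlv(0x30, ber_int(3) + global_data + tlv(0x04, b"") + tlv(0x04, b""))


def legacy_snmp_findings(datagrams) -> list:
    """Sensor-style check: list the datagrams that still expose a cleartext community."""
    findings = []
    for i, d in enumerate(datagrams):
        info = classify_snmp(d)
        if info["community"] is not None:
            findings.append(f"datagram {i}: SNMP{info['version']} with {info['level']}")
    return findings


if __name__ == "__main__":
    samples = [build_v2c_get(b"public"), build_v2c_get(b"ReadOnlyCommunity"), build_v3_message(0x07)]
    for s in samples:
        print(classify_snmp(s))
    print(legacy_snmp_findings(samples))
```

The decoder stops at the message header on purpose: the version and, for v3, the msgFlags byte are all a sensor needs to decide whether a host is still polled with v1/v2c. A v3 datagram at authPriv carries no community field at all, which is the wire-level difference the text describes.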

Solution

Follow these steps to create an SNMPv3 user and assign SNMP functionality to the mgmt VRF instance:

switch(config)# snmpv3 user myUser auth sha auth-pass plaintext myAuthPswrd priv des priv-pass plaintext myPrivPswrd
switch(config)# snmp-server vrf mgmt

In addition to enabling SNMPv3, the default SNMPv1/v2c community name public should be replaced with a nonstandard community name:

switch(config)# snmp-server community ReadOnlyCommunity

This nonstandard community name can be used instead if SNMPv3 cannot be used due to functional limitations within the environment but SNMP is still required for device monitoring.
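As an added example (not Aruba's code), the following Python script audits ArubaOS-CX configuration text against the steps above: it parses the three command forms shown on this page (snmpv3 user, snmp-server community, snmp-server vrf) and reports a missing SNMPv3 user, a user that is not authPriv, a default community name, or SNMP not bound to the mgmt VRF. The warnings about MD5 authentication and DES privacy are the editor's additions, not part of the page. The sample configurations are constructed inline from the page's own commands.

```python
"""Audit ArubaOS-CX configuration text for the SNMP hardening steps above.

Added example, not Aruba's code. It parses the three command forms shown on
this page (snmpv3 user, snmp-server community, snmp-server vrf) and reports
what is missing or weak. The sample configurations are constructed inline.
"""

DEFAULT_COMMUNITIES = {"public", "private"}
PROMPT = "switch(config)# "


def parse_snmp_config(config_text: str) -> dict:
    """Collect SNMPv3 users, community names and SNMP VRF bindings from config lines."""
    state = {"v3_users": [], "communities": [], "vrfs": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith(PROMPT):                    # tolerate pasted CLI sessions
            line = line[len(PROMPT):]
        tok = line.split()
        if len(tok) >= 3 and tok[:2] == ["snmpv3", "user"]:
            user = {"name": tok[2], "auth": None, "priv": None}
            # the keywords 'auth' and 'priv' are each followed by a protocol name;
            # 'auth-pass' and 'priv-pass' are distinct tokens and do not match
            for i in range(3, len(tok) - 1):
                if tok[i] == "auth":
                    user["auth"] = tok[i + 1].lower()
                elif tok[i] == "priv":
                    user["priv"] = tok[i + 1].lower()
            state["v3_users"].append(user)
        elif len(tok) >= 3 and tok[:2] == ["snmp-server", "community"]:
            state["communities"].append(tok[2])
        elif len(tok) >= 3 and tok[:2] == ["snmp-server", "vrf"]:
            state["vrfs"].append(tok[2])
    return state


def audit_snmp_config(config_text: str) -> list:
    """Return FAIL/WARN findings; an empty list means every check passed."""
    s = parse_snmp_config(config_text)
    findings = []
    if not s["v3_users"]:
        findings.append("FAIL: no SNMPv3 user configured")
    for u in s["v3_users"]:
        if u["auth"] is None or u["priv"] is None:
            findings.append(f"FAIL: SNMPv3 user {u['name']} is not authPriv "
                            f"(auth={u['auth']}, priv={u['priv']})")
            continue
        if u["auth"] == "md5":                         # editor's addition, not on the page
            findings.append(f"WARN: SNMPv3 user {u['name']} uses MD5 authentication; SHA is preferred")
        if u["priv"] == "des":                         # editor's addition, not on the page
            findings.append(f"WARN: SNMPv3 user {u['name']} uses DES privacy; AES is the stronger choice")
    if not s["communities"]:
        findings.append("WARN: no community configured; the default 'public' community may still be in effect")
    for c in s["communities"]:
        if c.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"FAIL: default community '{c}' is configured")
    if "mgmt" not in s["vrfs"]:
        findings.append("WARN: snmp-server is not bound to the mgmt VRF")
    return findings


def passes(findings: list) -> bool:
    """True when no finding is a hard failure (WARN lines are informational)."""
    return not any(f.startswith("FAIL") for f in findings)


# constructed samples: the page's hardened commands, and a legacy-only config
HARDENED = """\
snmpv3 user myUser auth sha auth-pass plaintext myAuthPswrd priv des priv-pass plaintext myPrivPswrd
snmp-server vrf mgmt
snmp-server community ReadOnlyCommunity
"""

LEGACY = """\
snmp-server community public
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("legacy", LEGACY)):
        f = audit_snmp_config(cfg)
        print(name, "PASS" if passes(f) else "FAIL")
        for line in f:
            print("  ", line)
```

Run it against the output of `show running-config` saved to a file; the parser strips an echoed `switch(config)# ` prompt so a pasted CLI session works as well. The page's own commands pass with only the DES warning.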

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: ArubaOS.

References

Source

Updated on July 16, 2022