Leaflet
OL-11615-01
SNMP versions 1 and 2c offer weak security. In these earlier versions of SNMP, access to MIB objects
is primarily controlled by the use of community strings, but neither version provides authentication or
encryption. Without authentication it is possible for unauthorized users to execute SNMP transactions,
and even to masquerade as legitimate users. In addition, the lack of encryption facilitates the interception of
SNMP messages, potentially leading to the disclosure of community strings and other sensitive
information. SNMP version 3 deals with these issues by incorporating security features such as
authentication, identity, and access control.
SNMPv3 supports multiple authentication options including username, Message Digest 5 (MD5), and
Secure Hash Algorithm (SHA) authentication. This version also provides privacy with DES encryption,
and authorization and access controls based on views. For these enhanced security functions, SNMPv3
should be preferred over SNMPv1 and SNMPv2c wherever it is supported.
In cases where SNMPv3 is not available, security can be improved by taking the following basic security
measures:
Change any default or standard community strings such as private or public.
Define non-trivial community strings.
Set SNMP to send a trap on community-name authentication failures.
Define ACLs to control from which hosts or networks management messages will be accepted.
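The following Cisco IOS configuration fragment is an added example, not part of the Cisco document, showing the weak default settings this section warns about next to a hardened SNMPv1/v2c configuration that applies the four measures above, followed by the preferred SNMPv3 form. The management host address 192.0.2.10, the ACL number, the view/group/user names and the community string and passwords are all constructed placeholders.

```cisco
! Added example, not from the Cisco document. Host address, ACL number,
! view/group/user names, community string and passwords are constructed.
!
! --- Weak (typical default) configuration ---
! Standard community strings, no source ACL, no trap on authentication failures.
snmp-server community public RO
snmp-server community private RW
!
! --- Hardened configuration where only SNMPv1/v2c is available ---
! 1. Remove the default or standard community strings.
no snmp-server community public
no snmp-server community private
!
! 2. Accept SNMP only from the management station (constructed address 192.0.2.10).
!    The explicit deny with "log" records any other source that tries.
access-list 10 permit host 192.0.2.10
access-list 10 deny any log
!
! 3. Non-trivial, read-only community string bound to the ACL.
snmp-server community Nms-r0-K7qP2v RO 10
!
! 4. Send a trap to the management station on community-name authentication failures.
snmp-server enable traps snmp authentication
snmp-server host 192.0.2.10 version 2c Nms-r0-K7qP2v
!
! --- Preferred configuration where SNMPv3 is supported ---
! SHA authentication and DES privacy, restricted to a read-only view and still
! bound to the same source ACL. The privacy keyword accepted (des, des56, aes 128)
! varies by IOS release; "snmp-server user ?" shows what the running image supports.
snmp-server view NMS-VIEW iso included
snmp-server group NMS-GROUP v3 priv read NMS-VIEW access 10
snmp-server user nmsuser NMS-GROUP v3 auth sha AuthPassw0rd-Example priv des PrivPassw0rd-Example
snmp-server host 192.0.2.10 version 3 priv nmsuser
```

Note that IOS stores SNMPv3 users outside the running configuration, so `show snmp user` rather than `show running-config` confirms the user exists; the ACL hit counters (`show access-lists 10`) and the authentication-failure traps together give a quick view of who is probing the switch with wrong credentials.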
For more information about SNMP, refer to the following URL:
http://www.cisco.com/en/US/tech/tk648/tk362/tk605/tsd_technology_support_sub-protocol_home.html
Other Security Services
This document focuses on security techniques and features intended to protect the switches from direct
attacks. Catalyst 6500 and 4500 Series switches implement other security services that do not provide
infrastructure protection, but that still help secure a network:
TCP Intercept
TCP Intercept is a security feature available on Catalyst 6500 Series switches running Cisco IOS
software that protects servers from TCP SYN-flooding attacks, a type of denial-of-service attack.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/secure.htm#wp1038471
Private VLANs
Private VLANs (PVLANs) are a feature available on Catalyst 6500 and 4500 Series switches running
Catalyst OS and Cisco IOS software. PVLANs provide Layer 2 isolation between ports within the same
PVLAN. There are three types of PVLAN ports:
Promiscuous—A promiscuous port can communicate with all interfaces, including the isolated and
community ports within a PVLAN.
Isolated—An isolated port has complete Layer 2 separation from the other ports within the same
PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except
traffic from promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous ports.