On Thu, 6 Dec 2012 23:37:58 +0100 "Mattias Torsfred" Mattias.Torsfred@funnit.no wrote:
Hi, I have set up a NAV 3.12.2 and started to add Cisco L2 and L3 equipment into the seed database. I use another software to monitor the devices as well. When it comes to Cisco routers (not Cisco L3 switches) I get many SNMP Traps "Too many SNMP authentication failures . Check for hacking attempt on x.x.x.x" and "SNMP incorrect community name...".
I am aware of the issue/design of NAV when it comes to VLAN browsing and that this might be the case.
I assume you're referring to the FAQ entry for SNMP-3-AUTHFAIL messages. I see the FAQ entry is a bit outdated, but the issue seems unavoidable, as Cisco devices will sometimes report VLANs as active, but not provide a BRIDGE-MIB instance for it, causing an "invalid" community to be generated.
Is there any configuration I can set on Cisco routers or in NAV to prevent this kind of behavior?
First of all, you said you're getting these errors from a Cisco router. Is this registered as a GW category device in your NAV?
You can try a couple of SNMP queries to see if the device reports any VLANs that NAV might try to use:
snmpwalk -v2c -c <community> <ip-address> .1.3.6.1.4.1.9.9.46.1.3.1.1.2 # vtpVlanState
and
snmpwalk -v2c -c <community> <ip-address> .1.3.6.1.2.1.47.1.2.1.1.2 # entLogicalDescr
snmpwalk -v2c -c <community> <ip-address> .1.3.6.1.2.1.47.1.2.1.1.3 # entLogicalType
snmpwalk -v2c -c <community> <ip-address> .1.3.6.1.2.1.47.1.2.1.1.4 # entLogicalCommunity
I need to have the traps in case there actually is an SNMP brute force attempt.
You do of course limit which IP addresses/ranges are allowed to send SNMP queries to your switches and routers in the first place, right?
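
Added example, not part of the original message and not NAV's own code: it compares saved output of the vtpVlanState and entLogicalCommunity walks above and lists the VLANs a device reports as operational without a matching `<community>@<vlan>` logical entity, which are the candidates for a benign SNMP-3-AUTHFAIL. The walk output is constructed, `public` is a placeholder community, and it is an assumption that the collector tries a VLAN-indexed community for every operational VLAN.

```python
import re

# Constructed sample snmpwalk output (not from the thread); "public" is a placeholder.
VTP_VLAN_STATE = """\
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.2.1.1 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.2.1.10 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.2.1.20 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.2.1.1002 = INTEGER: 1
"""
ENT_LOGICAL_COMMUNITY = """\
SNMPv2-SMI::mib-2.47.1.2.1.1.4.1 = STRING: "public@1"
SNMPv2-SMI::mib-2.47.1.2.1.1.4.2 = STRING: "public@10"
"""

VARBIND = re.compile(r"^(\S+) = [\w-]+: (.*)$")


def parse_walk(text):
    """Map the last OID sub-identifier of each varbind to its value string."""
    rows = {}
    for line in text.splitlines():
        m = VARBIND.match(line.strip())
        if not m:  # skips "No Such Object ..." and other non-varbind lines
            continue
        oid, value = m.groups()
        rows[int(oid.rsplit(".", 1)[1])] = value.strip().strip('"')
    return rows


def operational_vlans(vtp_state_walk):
    """VLAN ids whose vtpVlanState is operational(1)."""
    vlans = set()
    for vlan, value in parse_walk(vtp_state_walk).items():
        num = re.search(r"\d+", value)  # accepts "1" and "operational(1)"
        if num and int(num.group()) == 1:
            vlans.add(vlan)
    return vlans


def community_vlans(ent_community_walk, community):
    """VLAN ids for which entLogicalCommunity lists '<community>@<vlan>'."""
    vlans = set()
    for value in parse_walk(ent_community_walk).values():
        base, sep, vlan = value.rpartition("@")
        if sep and base == community and vlan.isdigit():
            vlans.add(int(vlan))
    return vlans


def unbacked_vlans(vtp_state_walk, ent_community_walk, community):
    """Operational VLANs with no matching logical-entity community."""
    return sorted(operational_vlans(vtp_state_walk)
                  - community_vlans(ent_community_walk, community))
```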