|Finding ID||Version||Rule ID||IA Controls||Severity|
|If appropriate actions are not taken when a network device failure occurs, a denial of service condition may occur which could result in mission failure since the network would be operating without a critical security monitoring and prevention function. Upon detecting a failure of any router components, the router must activate a system alert message, send an alarm, or shut down. By immediately displaying an alarm message, potential security violations can be identified more quickly even when administrators are not logged into the device. This can be facilitated by the router sending SNMP traps to the SNMP manager that can then have the necessary action taken by automatic or operator intervention.|
|Cisco IOS XE Router NDM Security Technical Implementation Guide||2019-12-20|
|Check Text ( C-95203r1_chk )|
| Verify that the router is configured to send traps to the SNMP manager. The SNMP configuration should contain commands similar to the example below. |
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps eigrp
snmp-server enable traps cpu threshold
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server host x.x.x.x version 3 auth xxxxx
Note: The above is a subset of all the possible traps that can be enabled. Selective traps can be enabled as required.
If the router is not configured to send traps to the SNMP manager, this is a finding.
|Fix Text (F-102043r1_fix)|
| Configure the router to send SNMP traps to the SNMP manager. |
R4(config)#snmp-server enable traps
R4(config)#snmp-server host x.x.x.x version 3 auth xxxxx
The above command will enable all possible traps and is not necessary—selective set of traps can be enabled as required.