setting up snmp community string

Answered Question
Jan 9th, 2008

We have a 3rd party vendor doing a discovery process on our network

They obviously need SNMP to get info about certain switches and routers.


However, we have no standard.

I noticed in one router the following config:

snmp-server engineID local xxxxxxxxxx
snmp-server community xxxx RO 11
snmp-server community xxxxx RO 4
snmp-server community xxxxx RO 25
snmp-server community string RO
snmp-server enable traps snmp



1st question:

What is this statement doing?

snmp-server community string RO

I see no community string phrase configured.

Also, I notice some have access lists associated with them.

If I configured a new string, would they be prevented from discovery?



Joe Clarke Wed, 01/09/2008 - 12:01

This line declares an SNMP community string called "string" for both SNMPv1 and SNMPv2c communication. This string is allowed read-only access to the entire MIB tree from any host.


You can configure as many strings as you'd like. Those with access-lists attached are limited to being used by the hosts that match the ACLs. Those without ACLs can be used from any host.


It's a good idea to remove community strings you do not need, and to restrict those you do need to only certain hosts which are known NMSes.

brooklynheight Wed, 01/09/2008 - 12:14

I don't know how I missed "string". I guess my eyes played tricks on me.

So for the sake of my task, I could configure a new community string for them to use and have no issues with access lists that have been configured on other strings?

Correct Answer
Joe Clarke Wed, 01/09/2008 - 12:17

Yes, but the more strings you have, the more potential you have to be compromised. If you do create a new string, consider adding an ACL to it to limit the hosts that can use it to the one(s) running this 3rd party tool.

PAUL TRIVINO Thu, 01/10/2008 - 16:26

For that matter, consider using an snmp view to limit what they can see/do. Our WAN provider needed a community string with RW to use their tool, we said OK but we limited them to their stated source IP address (with an ACL) and certain parts of the MIB (with a view).


Check here as a start: http://www.cisco.com/en/US/customer/docs/ios/11_3/configfun/configuration/guide/fcmonitr.html#wp10426


HTH


Paul
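To put Joe's explanation (a community with no ACL is usable from any host, and one with no view exposes the whole MIB tree) and Paul's advice (restrict with an ACL and a view) into a check, here is an added audit script that is not from the thread or from Cisco: it parses the `snmp-server community` lines from a saved IOS config and lists what each string still lacks. The sample config is constructed from the lines in the question plus two hypothetical RW strings (`vendor`, `legacy`); the `view VENDOR-VIEW` name and ACL `30` are made up for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the community lines from the question above, plus two
# hypothetical RW strings (one with view and ACL, one bare) to show each case.
SAMPLE_CONFIG = """\
snmp-server community xxxx RO 11
snmp-server community xxxxx RO 4
snmp-server community string RO
snmp-server community vendor view VENDOR-VIEW RW 30
snmp-server community legacy RW
snmp-server enable traps snmp
"""

@dataclass
class Community:
    name: str
    access: str = "RO"          # IOS default when neither RO nor RW is given
    view: Optional[str] = None  # no view: the entire MIB tree is visible
    acl: Optional[str] = None   # no ACL: any source host may use the string

    def findings(self) -> List[str]:
        checks = [
            (self.acl is None, "no ACL: usable from any host"),
            (self.view is None, "no view: entire MIB tree exposed"),
            (self.access == "RW", "read-write access"),
        ]
        return [msg for bad, msg in checks if bad]

def parse_communities(config: str) -> List[Community]:
    # Syntax handled: snmp-server community NAME [view VIEW] [RO|RW] [ACL]
    comms = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["snmp-server", "community"] or len(tok) < 3:
            continue
        c, rest = Community(name=tok[2]), tok[3:]
        while rest:
            t = rest.pop(0)
            if t.lower() == "view" and rest:
                c.view = rest.pop(0)
            elif t.upper() in ("RO", "RW"):
                c.access = t.upper()
            else:
                c.acl = t   # numbered or named IPv4 access-list
        comms.append(c)
    return comms

def audit(config: str) -> Dict[str, List[str]]:
    # Map each community string to the findings a reviewer should act on.
    return {c.name: c.findings() for c in parse_communities(config) if c.findings()}
```

Running `audit(SAMPLE_CONFIG)` reports `string` and `legacy` as reachable from any host with the whole MIB exposed, while `vendor` is only flagged for being read-write.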

