setting up snmp community string

Answered Question
Jan 9th, 2008

We have a 3rd party vendor doing a discovery process on our network

They obviously need SNMP to get info about certain switches and routers.

However, we have no standard.

I noticed in one router the following config:

snmp-server engineID local xxxxxxxxxx

snmp-server community xxxx RO 11

snmp-server community xxxxx RO 4

snmp-server community xxxxx RO 25

snmp-server community string RO

snmp-server enable traps snmp

1st question

What is this statement doing?

snmp-server community string RO

I see no community string phrase configured

Also, I notice some have access lists associated with them.

If I configured a new string, would they be prevented from discovery?

Joe Clarke Wed, 01/09/2008 - 12:01

This line declares an SNMP community string called "string" for both SNMPv1 and SNMPv2c communication. This string is allowed read-only access to the entire MIB tree from any host.

You can configure as many strings as you'd like. Those with access-lists attached are limited to being used by the hosts that match the ACLs. Those without ACLs can be used from any host.

It's a good idea to remove community strings you do not need, and to restrict those you do need to only certain hosts which are known NMSes.

brooklynheight Wed, 01/09/2008 - 12:14

I don't know how I missed "string". I guess my eyes played tricks on me.

So, for the sake of my task, I could configure a new community string for them to use, and have no issues with the access lists that have been configured on other strings?

Correct Answer
Joe Clarke Wed, 01/09/2008 - 12:17

Yes, but the more strings you have, the more potential you have to be compromised. If you do create a new string, consider adding an ACL to it to limit the hosts that can use it to the one(s) running this 3rd party tool.

PAUL TRIVINO Thu, 01/10/2008 - 16:26

For that matter, consider using an snmp view to limit what they can see/do. Our WAN provider needed a community string with RW to use their tool, we said OK but we limited them to their stated source IP address (with an ACL) and certain parts of the MIB (with a view).

Check here as a start: http://www.cisco.com/en/US/customer/docs/ios/11_3/configfun/configuration/guide/fcmonitr.html#wp10426

HTH

Paul
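Putting Joe's and Paul's advice into one IOS configuration, as an added example that is not from the original thread: the wide-open line from the question is shown next to a replacement community that is restricted both by a standard ACL and by an SNMP view. The ACL number 30, the view name DISCOVERY, the community name vendor-disc-ro and the host address 192.0.2.10 are assumed placeholders.

```cisco
! Before: the line from the question. Community "string" is accepted
! from any source host and grants read-only access to the whole MIB tree.
snmp-server community string RO

! After: remove the unrestricted community ...
no snmp-server community string

! ... and define a standard ACL (number 30 is assumed; 11, 4 and 25 are
! already in use on the router in the question) that permits only the
! vendor's discovery host (assumed address 192.0.2.10).
access-list 30 remark SNMP read-only access for vendor discovery tool
access-list 30 permit host 192.0.2.10
access-list 30 deny any log

! Define a view (assumed name DISCOVERY) that exposes only the MIB-2
! system and interfaces subtrees; anything not included is invisible
! to a community bound to this view.
snmp-server view DISCOVERY system included
snmp-server view DISCOVERY interfaces included

! The replacement community (assumed name vendor-disc-ro) is read-only,
! bound to the view, and usable only from hosts permitted by ACL 30.
snmp-server community vendor-disc-ro view DISCOVERY RO 30

! Verification from enable mode: the community should list its view and
! ACL, and the ACL hit counters should move only when the tool polls.
! show snmp community
! show access-lists 30
```

Repeat the same pattern for each of the existing communities (11, 4, 25) and delete any that nobody still needs, as Joe suggests.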
