01-09-2008 11:44 AM
We have a 3rd party vendor doing a discovery process on our network.
They obviously need SNMP to get info about certain switches and routers.
However, we have no standard.
I noticed in one router the following config:
snmp-server engineID local xxxxxxxxxx
snmp-server community xxxx RO 11
snmp-server community xxxxx RO 4
snmp-server community xxxxx RO 25
snmp-server community string RO
snmp-server enable traps snmp
1st question: what is this statement doing?
snmp-server community string RO
I see no community string phrase configured.
Also, I notice some have an access list associated with them.
If I configured a new string, would they be prevented from discovery?
01-09-2008 12:01 PM
This line declares an SNMP community string called "string" for both SNMPv1 and SNMPv2c communication. This string is allowed read-only access to the entire MIB tree from any host.
You can configure as many strings as you'd like. Those with access-lists attached are limited to being used by the hosts that match the ACLs. Those without ACLs can be used from any host.
It's a good idea to remove community strings you do not need, and to restrict those you do need to only certain hosts which are known NMSes.
01-09-2008 12:14 PM
I don't know how I missed "string". I guess my eyes played tricks on me.
So for the sake of my task, I could configure a new community string for them to use, and have no issues with the access lists that have been configured on other strings?
01-09-2008 12:17 PM
Yes, but the more strings you have, the more potential you have to be compromised. If you do create a new string, consider adding an ACL to it to limit the hosts that can use it to the one(s) running this 3rd party tool.
01-09-2008 12:20 PM
thx!
01-10-2008 04:26 PM
For that matter, consider using an SNMP view to limit what they can see/do. Our WAN provider needed a community string with RW to use their tool, we said OK but we limited them to their stated source IP address (with an ACL) and certain parts of the MIB (with a view).
Check here as a start: http://www.cisco.com/en/US/customer/docs/ios/11_3/configfun/configuration/guide/fcmonitr.html#wp10426
HTH
Paul
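The two answers above boil down to a checklist for every snmp-server community line: does it carry an ACL (answer at 12:01), does it carry a view (Paul's post), and is it RO or RW. The following audit script is an added example and is not part of this thread or of any Cisco tool. It parses the community lines quoted in the original question, plus one constructed RW line with both an ACL and a view (the arrangement Paul describes), and reports which strings still need attention. The view name VENDOR-VIEW, the community name vendorrw and ACL 50 are invented for the sample; the parser only recognises the IOS form "snmp-server community NAME [view VIEW] [RO|RW] [ACL]" and does not check that the referenced ACL or view actually exists in the rest of the config.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample config: the community lines from the question (with the
# poster's xxxx placeholders) plus a hypothetical RW string restricted by an
# ACL and a view, as Paul's post recommends. Nothing here is a real device.
SAMPLE_CONFIG = """\
snmp-server engineID local xxxxxxxxxx
snmp-server view VENDOR-VIEW system included
snmp-server view VENDOR-VIEW interfaces included
snmp-server community xxxx RO 11
snmp-server community xxxxx RO 4
snmp-server community xxxxx RO 25
snmp-server community string RO
snmp-server community vendorrw view VENDOR-VIEW RW 50
snmp-server enable traps snmp
"""

# IOS syntax: snmp-server community NAME [view VIEW] [RO|RW] [ACL]
# The ACL may be a number or a name; the mode defaults to RO when omitted.
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>RO|RW))?"
    r"(?: (?P<acl>\S+))?\s*$"
)


@dataclass
class Community:
    name: str
    mode: str            # "RO" or "RW"
    view: Optional[str]  # None means the whole MIB tree is exposed
    acl: Optional[str]   # None means any source host may use the string


def parse_communities(config: str) -> List[Community]:
    """Extract every snmp-server community line from a running-config dump."""
    found = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        found.append(Community(
            name=m["name"],
            mode=m["mode"] or "RO",  # IOS treats a missing mode as read-only
            view=m["view"],
            acl=m["acl"],
        ))
    return found


def audit(config: str) -> List[Tuple[str, List[str]]]:
    """Return (community name, findings) for each string that needs attention.

    A list rather than a dict is returned so that duplicate names, like the
    two 'xxxxx' entries in the sample, are each reported separately.
    """
    report = []
    for c in parse_communities(config):
        findings = []
        if c.acl is None:
            findings.append("no ACL: usable from any source address")
        if c.view is None:
            findings.append("no view: exposes the entire MIB tree")
        if c.mode == "RW":
            findings.append("read-write access")
        if c.name.lower() in {"public", "private"}:
            findings.append("well-known default community name")
        if findings:
            report.append((c.name, findings))
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG):
        print(f"community {name!r}:")
        for f in findings:
            print(f"    - {f}")
```

Run against a saved "show running-config" and the string the original poster asked about ("string", no ACL, no view) surfaces immediately, while the constructed vendorrw line is flagged only for being RW, since it already has both controls the thread recommends.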