setting up snmp community string

brooklynheight
Level 1

We have a 3rd party vendor doing a discovery process on our network

They obv. need snmp to get info about certain switches and routers.

However we have no standard..

I noticed in one router the following config

snmp-server engineID local xxxxxxxxxx

snmp-server community xxxx RO 11

snmp-server community xxxxx RO 4

snmp-server community xxxxx RO 25

snmp-server community string RO

snmp-server enable traps snmp

1st question

What is this statement doing?

snmp-server community string RO

I see no community string phrase configured

Also, I notice some have access lists associated with them.

If I configured a new string, would they be prevented from discovery?


Joe Clarke
Cisco Employee

This line declares an SNMP community string called "string" for both SNMPv1 and SNMPv2c communication. This string is allowed read-only access to the entire MIB tree from any host.

You can configure as many strings as you'd like. Those with access-lists attached are limited to being used by the hosts that match the ACLs. Those without ACLs can be used from any host.

It's a good idea to remove community strings you do not need, and to restrict those you do need to only certain hosts which are known NMSes.

I don't know how I missed "string". I guess my eyes played tricks on me.

So for the sake of my task, I could configure a new community string for them to use, and have no issues with access lists that have been configured on other strings?

Yes, but the more strings you have, the more potential you have to be compromised. If you do create a new string, consider adding an ACL to it to limit the hosts that can use it to the one(s) running this 3rd party tool.

thx!

For that matter, consider using an SNMP view to limit what they can see/do. Our WAN provider needed a community string with RW to use their tool; we said OK, but we limited them to their stated source IP address (with an ACL) and certain parts of the MIB (with a view).

Check here as a start: http://www.cisco.com/en/US/customer/docs/ios/11_3/configfun/configuration/guide/fcmonitr.html#wp10426

HTH

Paul
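
The advice in the replies above (attach an ACL, consider a view, avoid unneeded strings) can be checked against a saved running-config. This is an added example, not code from the thread or from Cisco: the sample config is constructed, its community names are placeholders, and the regex assumes the common `snmp-server community <name> [view <view>] [RO|RW] [ipv6 <acl>] [<acl>]` form.

```python
import re

# Constructed sample modelled on the config in the question; names are placeholders.
SAMPLE_CONFIG = """\
snmp-server engineID local 0000000000
snmp-server community vendorA RO 11
snmp-server community vendorB RO 4
snmp-server community string RO
snmp-server community wanprov view WAN-VIEW RW 25
snmp-server community opsrw RW
snmp-server enable traps snmp
"""

# Optional parts appear in this order on an IOS community line.
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>RO|RW))?"
    r"(?: ipv6 (?P<acl6>\S+))?"
    r"(?: (?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)

def audit_snmp_communities(config_text):
    """Return [(community, [findings])] for every community line found."""
    results = []
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue  # engineID, traps and other snmp-server lines are skipped
        findings = []
        mode = (m.group("mode") or "RO").upper()  # read-only when omitted
        if not m.group("acl") and not m.group("acl6"):
            findings.append("no ACL: usable from any host")
        if not m.group("view"):
            findings.append("no view: entire MIB tree exposed")
        if mode == "RW":
            findings.append("read-write access")
        results.append((m.group("name"), findings))
    return results

if __name__ == "__main__":
    for name, findings in audit_snmp_communities(SAMPLE_CONFIG):
        print(f"{name}: {'; '.join(findings) or 'ACL and view present'}")
```
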
