SNMP write access

May 29th, 2008

Hi,

I would like to know what can be performed through SNMP to a router or a switch using SNMP write access. Will there be any possible risk behind granting SNMP write access to the network device?



Thank you so much.

Joseph

Joe Clarke Thu, 05/29/2008 - 20:26
User Badges: Cisco Employee, Hall of Fame, Founding Member

Allowing SNMP read-write access gives one complete control over the device. Using SNMP, one can replace the entire configuration of the device.


If you enable SNMP read-write access, be sure to limit who can use the SNMP read-write community string by using ACLs. If possible, use SNMPv3 to further secure the credentials with hashing.

josephn Thu, 05/29/2008 - 20:53

Hi,

Thanks for the info. We need to allow SNMP write access for the Service Provider as we are going to move into MPLS. This SNMP write access is required on the CE routers. For your information, the CE is managed by my company as this is the unmanaged services we had requested from the provider.


We have a security policy which doesn't allow anybody to access our network devices using SNMP especially for write access. For reporting purposes, we only grant read-only access.


As we're moving towards MPLS, this becomes mandatory as the provider is requesting write access on the routers managed by my company.


Please advise.



regards,

Joseph



Joe Clarke Thu, 05/29/2008 - 21:09
User Badges: Cisco Employee, Hall of Fame, Founding Member

Find out if the provider can use SNMPv3. If so, configure that along with ACLs to limit access to just the provider's IPs. If they must use v1/v2c, configure a tough-to-guess community string with the same ACLs. See http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#fortify for more details.

josephn Thu, 05/29/2008 - 23:41

Hi,

Thank you so much for the explanation.



Have a nice day!


Cheers.

Joseph

telekompro Wed, 05/28/2014 - 08:31

Hi,

I know this post is quite old.

We also have an unmanaged CE and our Service Provider is requesting write access from us for performance reporting purposes (IP SLA) in an MPLS environment.

Do you know why the Service Provider is requesting read-write access? Can they not run SNMP/obtain information with read access only?

Thanks a lot for your response.

Vinod Arya Thu, 05/29/2014 - 01:57
User Badges: Cisco Employee

Ideally you should start a new thread and you can always point/refer to old posts via links.

I am not sure why your SP is asking for RW access. IP SLA does require SNMP RW access to configure via SNMP, but I am not sure why your SP wants to configure IP SLA on your device.

To check IP SLA, they should ideally configure it on their devices as source and have your devices as destination. For your devices to be more responsive, they can ask you to configure your device as IP SLA Responder, which is kind of normal.

You should ask and check more details on what specifically they want to do by asking for SNMP RW access to your devices.

-Thanks

Vinod

**Encourage Contributors. RATE Them.**

telekompro Fri, 05/30/2014 - 02:44

Hi,

Thank you for your answer,

Actually we signed SLA performance indicators from CE to CE. They say they need CE write access to be able to use SNMP for monitoring. If this is not enough information for you to respond, please let me know and I will try to request more detailed information.


Best Regards

Vinod Arya Fri, 05/30/2014 - 03:08
User Badges: Cisco Employee

If you mean you have CE routers on two sites and in between your SP has PE, you have signed to know the performance indicators on IP SLA between one site CE to another?

If yes, then the following are the options:

1. You or your network administrator configures IP SLA on your CE and your SP can collect statistics using SNMP RO access.

2. You can provide restricted access to only one of the CE by creating SNMP ACL effectively associated to SNMP Community strings (on SNMP v2) OR Passwords (on SNMP v3).

-Thanks

Vinod

**Encourage Contributors. RATE Them.**
