Giuseppe Larosa Fri, 02/13/2009 - 07:29
Hello Maurice,

There are two criteria that can be used:

An IP ACL that specifies what source IP addresses can perform an SNMP get and receive an answer.

This is simply an ACL that can be specified as a parameter in

snmp-server community community-name RO acl-number

Another possible tuning is that of allowing only some MIBs to get an answer.

This second feature is called an SNMP view and can be used since SNMP version 2.0:

snmp-server view view-name oid-tree {included | excluded}

The logic is that of an ACL, and you need to exclude what is not to be asked.

Then you need a sort of "permit any" include.

Then this can be combined in

snmp-server community community-name RO acl-number view view-name

For simple control of source addresses it is enough to use a standard ACL like

access-list 11 permit 10.50.62.0 0.0.0.255

Only hosts in 10.50.62.0/24 are allowed to perform SNMP gets to the device.

Hope to help

Giuseppe
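The two controls described in the post above (a source ACL and a view bound to the community) are easy to forget on one community string while the others are hardened. The following added example is not code from this thread or from Cisco: it is a small Python audit that parses an IOS-style configuration, collects access-lists, views and `snmp-server community` lines, and reports every community that lacks a source ACL, references an ACL that permits any source, or has no view. The sample configuration, community names, ACL numbers and view name are constructed for the example. The view entries are only collected, not evaluated.

```python
"""Audit SNMP community hardening in a Cisco IOS-style configuration.

Added example; this is not code from the thread or from Cisco. It checks
the two controls described above for every RO/RW community: a source ACL
that does not permit "any", and a bound SNMP view. The config below is
constructed; community names, ACL numbers and the view name are invented.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_CONFIG = """\
! constructed sample, not a real device config
access-list 11 permit 10.50.62.0 0.0.0.255
access-list 12 permit any
snmp-server view restricted iso included
snmp-server view restricted 1.3.6.1.6.3 excluded
snmp-server community mgmt-ro RO 11 view restricted
snmp-server community public RO
snmp-server community legacy RO 12
"""


@dataclass
class Community:
    name: str
    mode: str = "RO"            # RO or RW
    acl: Optional[str] = None   # access-list restricting source addresses
    view: Optional[str] = None  # SNMP view restricting the OID tree


@dataclass
class SnmpConfig:
    communities: List[Community] = field(default_factory=list)
    acls: Dict[str, List[str]] = field(default_factory=dict)   # id -> entries
    views: Dict[str, List[str]] = field(default_factory=dict)  # name -> entries


def parse_config(text: str) -> SnmpConfig:
    """Collect access-lists, views and communities from configuration text.

    Accepts 'view NAME' either before or after the RO/RW keyword, so both
    the order IOS prints and the order written in the post above parse.
    """
    cfg = SnmpConfig()
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("!"):
            continue  # blank line or comment
        if tokens[0] == "access-list" and len(tokens) >= 3:
            cfg.acls.setdefault(tokens[1], []).append(" ".join(tokens[2:]))
        elif tokens[:2] == ["snmp-server", "view"] and len(tokens) >= 5:
            cfg.views.setdefault(tokens[2], []).append(" ".join(tokens[3:]))
        elif tokens[:2] == ["snmp-server", "community"] and len(tokens) >= 3:
            comm = Community(name=tokens[2])
            rest = tokens[3:]
            i = 0
            while i < len(rest):
                tok = rest[i]
                if tok.lower() == "view" and i + 1 < len(rest):
                    comm.view = rest[i + 1]
                    i += 2
                    continue
                if tok.upper() in ("RO", "RW"):
                    comm.mode = tok.upper()
                else:
                    comm.acl = tok  # any other token is the access-list
                i += 1
            cfg.communities.append(comm)
    return cfg


def acl_permits_any(entries: List[str]) -> bool:
    """True if an entry is 'permit any' (or the equivalent 0.0.0.0 wildcard)."""
    for entry in entries:
        parts = entry.split()
        if parts[0] != "permit":
            continue
        if "any" in parts[1:] or parts[1:3] == ["0.0.0.0", "255.255.255.255"]:
            return True
    return False


def audit(text: str) -> List[str]:
    """Return one finding per weakness; an empty list means all communities pass."""
    cfg = parse_config(text)
    findings: List[str] = []
    for c in cfg.communities:
        if c.mode == "RW":
            findings.append(f"{c.name}: read-write community; prefer RO or SNMPv3")
        if c.acl is None:
            findings.append(f"{c.name}: no source ACL, any host may query it")
        elif c.acl not in cfg.acls:
            findings.append(f"{c.name}: ACL {c.acl} referenced but not defined")
        elif acl_permits_any(cfg.acls[c.acl]):
            findings.append(f"{c.name}: ACL {c.acl} permits any source")
        if c.view is None:
            findings.append(f"{c.name}: no view, whole MIB tree is readable")
        elif c.view not in cfg.views:
            findings.append(f"{c.name}: view {c.view} referenced but not defined")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

On the constructed sample, `mgmt-ro` passes both checks, `public` is reported twice (no ACL, no view) and `legacy` is reported for its `permit any` ACL and missing view. Run it against a `show running-config` capture to get the same report for a real device.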



nfreeman44 Fri, 02/13/2009 - 08:05

I wanted to mention that this is a Cisco 9513 Director, and the following is the information from the security team:


snmpwalk 10.30.18.23 camphill

.iso.3.6.1.2.1.1.1.0 = "Cisco SAN-OS(tm) m9500, Software (m9500-sf2ek9-mz), Version 3.2(3), RELEASE SOFTWARE (fc2) Copyright (c) 2002-2005 by Cisco Systems, Inc. Compiled 12/6/2007 10:00:00"
.iso.3.6.1.2.1.1.2.0 = OID: .iso.3.6.1.4.1.9.12.3.1.3.375
.iso.3.6.1.2.1.1.3.0 = Timeticks: (1836084932) 212 days, 12:14:09.32
.iso.3.6.1.2.1.1.4.0 = ""
.iso.3.6.1.2.1.1.5.0 = "penn9506-a-0"
.iso.3.6.1.2.1.1.6.0 = ""
.iso.3.6.1.2.1.1.7.0 = 70
.iso.3.6.1.2.1.1.8.0 = Timeticks: (4294885615) 497 days, 2:14:16.15
.iso.3.6.1.2.1.1.9.1.2.1 = OID: .iso.3.6.1.6.3.1
.iso.3.6.1.2.1.1.9.1.2.2 = OID: .iso.3.6.1.2.1.49
.iso.3.6.1.2.1.1.9.1.2.3 = OID: .iso.3.6.1.2.1.4
.iso.3.6.1.2.1.1.9.1.2.4 = OID: .iso.3.6.1.2.1.50
.iso.3.6.1.2.1.1.9.1.2.5 = OID: .iso.3.6.1.6.3.16.2.2.1
.iso.3.6.1.2.1.1.9.1.2.6 = OID: .iso.3.6.1.6.3.10.3.1.1
.iso.3.6.1.2.1.1.9.1.2.7 = OID: .iso.3.6.1.6.3.11.3.1.1
.iso.3.6.1.2.1.1.9.1.2.8 = OID: .iso.3.6.1.6.3.15.2.1.1
.iso.3.6.1.2.1.1.9.1.3.1 = "The MIB module for SNMPv2 entities"
.iso.3.6.1.2.1.1.9.1.3.2 = "The MIB module for managing TCP implementations"
.iso.3.6.1.2.1.1.9.1.3.3 = "The MIB module for managing IP and ICMP implementations"
.iso.3.6.1.2.1.1.9.1.3.4 = "The MIB module for managing UDP implementations"
.iso.3.6.1.2.1.1.9.1.3.5 = "View-based Access Control Model for SNMP."
^C^C


Giuseppe Larosa Fri, 02/13/2009 - 08:19

Hello Maurice,

Use the following as a reference:

http://cisco.com/en/US/docs/storage/san_switches/mds9000/sw/rel_3_x/configuration/guides/cli_3_3/snmp.html#wp1351763

The device also supports SNMP version 3, which is recommended.

SNMPv3 requires the creation of users and allows for encryption and for the usage of views.

However, if you use SNMP v2c you can use SNMP communities, and the command I showed in my first post can be used:

snmp-server community snmp_Community ro

http://cisco.com/en/US/docs/storage/san_switches/mds9000/sw/rel_3_x/configuration/guides/cli_3_3/snmp.html#wp1428394

Hope to help

Giuseppe

