best practice for snmp-server views?

david.fernandes
Level 1

As a best practice when creating an snmp-server view, should these views be excluded?

snmp-server view cutdown snmpUsmMIB excluded

snmp-server view cutdown snmpVacmMIB excluded

snmp-server view cutdown snmpCommunityMIB excluded


Joe Clarke
Cisco Employee

Absolutely. With these branches included, one could learn the SNMP credentials of the device. The default v1default view is defined as:

v1default iso - included permanent active

v1default internet.6.3.15 - excluded permanent active

v1default internet.6.3.16 - excluded permanent active

v1default internet.6.3.18 - excluded permanent active

v1default ciscoMgmt.394 - excluded permanent active

v1default ciscoMgmt.395 - excluded permanent active

v1default ciscoMgmt.399 - excluded permanent active

v1default ciscoMgmt.400 - excluded permanent active

Which essentially excludes all of the branches which could result in security compromise.

Thanks. Is the v1default view included automatically when I create a new view, or do I need to add these in?

No, it's not included automatically. You would need to include these branches in your custom view.
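
An added example (not from the thread or from Cisco): a Python check that parses `snmp-server view` lines from a configuration and reports which of the branches excluded by v1default are still readable through each custom view. It assumes the standard VACM rule that the most specific matching subtree decides, does not handle OID wildcards, and runs on a constructed sample in which the `iso included` line is an assumption.

```python
import re

# Well-known OID names that appear on this page, in numeric form.
NAMES = {"iso": "1", "internet": "1.3.6.1", "ciscoMgmt": "1.3.6.1.4.1.9.9",
         "snmpUsmMIB": "1.3.6.1.6.3.15", "snmpVacmMIB": "1.3.6.1.6.3.16",
         "snmpCommunityMIB": "1.3.6.1.6.3.18"}
# Branches that v1default excludes in the output quoted in the thread.
SENSITIVE = ["internet.6.3.15", "internet.6.3.16", "internet.6.3.18",
             "ciscoMgmt.394", "ciscoMgmt.395", "ciscoMgmt.399", "ciscoMgmt.400"]
VIEW_RE = re.compile(r"^\s*snmp-server view (\S+) (\S+) (included|excluded)\s*$")

def to_oid(text):
    """Resolve 'name.1.2' or dotted decimal to ints; unknown names raise ValueError."""
    head, _, rest = text.partition(".")
    dotted = NAMES[head] + ("." + rest if rest else "") if head in NAMES else text
    return tuple(int(p) for p in dotted.split("."))

def parse_views(config):
    """Return {view_name: [(oid_tuple, included_bool), ...]}."""
    views = {}
    for m in filter(None, map(VIEW_RE.match, config.splitlines())):
        views.setdefault(m.group(1), []).append(
            (to_oid(m.group(2)), m.group(3) == "included"))
    return views

def exposed(entries, branch):
    """True if any part of branch is readable through the view."""
    root = to_oid(branch)
    # The longest configured subtree that covers the branch root decides it.
    covering = [(len(o), inc) for o, inc in entries if root[:len(o)] == o]
    root_in = max(covering)[1] if covering else False
    # An included subtree below the root re-opens part of the branch.
    below = any(inc and len(o) > len(root) and o[:len(root)] == root for o, inc in entries)
    return root_in or below

def audit(config):
    """Return {view_name: [sensitive branches still exposed]}."""
    return {name: [b for b in SENSITIVE if exposed(entries, b)]
            for name, entries in parse_views(config).items()}

# Constructed sample: the question's three exclusions plus an assumed "iso included".
SAMPLE = """\
snmp-server view cutdown iso included
snmp-server view cutdown snmpUsmMIB excluded
snmp-server view cutdown snmpVacmMIB excluded
snmp-server view cutdown snmpCommunityMIB excluded
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample, `cutdown` still exposes the four ciscoMgmt branches that v1default excludes.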
