
Restrict SNMP to discovery only

Answered Question

I have some 2621 routers on which I want to restrict SNMP access so that a 3rd party can only discover the device, not read my configuration. I know that I can set up a RO server host, but that would still give them access to download my configuration; is there a way to restrict this?

 

Thanks in advance.

AFROJ AHMAD Fri, 08/01/2014 - 10:09
User Badges:
  • Cisco Employee,

Hi ,

 

If you have given the RO community to the NMS server, yes, they should be able to look at the config or may be able to download it; however, they will not be able to push the config to the device via the NMS.

 

Via SNMP you can't restrict it; however, if your tool has some access policy to RESTRICT the users, then only is it possible, like a "Guest user".

Or, if your NMS can be integrated with ACS\TACACS, then it is possible via AAA.

 

Hope the above information will help.

 

Thanks-

Afroz

**Ratings Encourage Contributors**

Correct Answer
Vinod Arya Fri, 08/01/2014 - 10:14
User Badges:
  • Cisco Employee,

If you want others not to be able to download your configuration, you can block access to the MIB which shows the configuration.

You can do so by creating an SNMP view. An SNMP view restricts the user to a limited part of the Management Information Base (MIB). By default, no SNMP view entry exists.

CISCO-CONFIG-COPY-MIB is used to access configuration details.

Following are the commands to configure an SNMP view:

#snmp-server view <view_name> <oid_tree> {included | excluded}  --> to create the snmp view (one line per MIB subtree)

#snmp-server community <string> view <view_name> {ro | rw}  --> to bind the view to the community string

For more details, please check :

snmp-server view command reference

Securing Simple Network Management Protocol

Cisco-CONFIG-COPY-MIB

-Thanks

Vinod

**Encourage Contributors. RATE Them.**

 

To use an SNMP view, do I need to copy CISCO-CONFIG-COPY-MIB to my router?

When I tried to create an SNMP view, I am still seeing all of the system information on the router when I have someone do an snmpwalk against it.

 

snmp-server view test system included
snmp-server view test system.7 excluded
snmp-server community test RO
snmp-server host x.x.x.x test
Vinod Arya Wed, 08/06/2014 - 23:17
User Badges:
  • Cisco Employee,

No, it is not required. You cannot copy any MIBs to routers/switches (IOS), as all MIBs are packaged along with them.

You have to exclude the config-copy MIB properly, and you do not seem to have associated your view with the community string properly. Use the following modification to your test:


snmp-server view test system included
! CISCO-CONFIG-COPY-MIB root node (ciscoConfigCopyMIB) is 1.3.6.1.4.1.9.9.96
snmp-server view test 1.3.6.1.4.1.9.9.96 excluded
snmp-server community test view test RO
snmp-server host x.x.x.x test

Please check and try this.

-Thanks

Vinod

**Encourage Contributors. RATE Them.**
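To see why the original config leaked everything and the corrected one does not, here is an added example (not from this thread or from Cisco) that models the IOS snmp-server view rules offline: a community bound to no view sees the whole tree, otherwise the most specific view entry covering an OID decides. The name-to-OID table and the two config samples are constructed for this example.

```python
import re

# Constructed name -> OID map for the nodes this thread uses (assumption:
# IOS resolves these names too; numeric OIDs always work on the CLI).
OID_NAMES = {"iso": "1", "system": "1.3.6.1.2.1.1",
             "ciscoConfigCopyMIB": "1.3.6.1.4.1.9.9.96"}

# Constructed samples: the poster's non-working config and the corrected one.
OP_CONFIG = """snmp-server view test system included
snmp-server view test system.7 excluded
snmp-server community test RO
snmp-server host x.x.x.x test"""
FIXED_CONFIG = """snmp-server view test system included
snmp-server view test ciscoConfigCopyMIB excluded
snmp-server community test view test RO
snmp-server host x.x.x.x test"""

def to_oid(name):
    """Resolve 'system.7' style names to dotted numeric OIDs."""
    head, _, rest = name.partition(".")
    return OID_NAMES.get(head, head) + ("." + rest if rest else "")

def parse_config(text):
    """Return ({view: [(oid, included)]}, {community: view_or_None})."""
    views, communities = {}, {}
    for line in text.splitlines():
        m = re.match(r"snmp-server view (\S+) (\S+) (included|excluded)", line)
        if m:
            views.setdefault(m[1], []).append((to_oid(m[2]), m[3] == "included"))
            continue
        m = re.match(r"snmp-server community (\S+)(?: view (\S+))?", line)
        if m:
            communities[m[1]] = m[2]
    return views, communities

def visible(config, community, oid):
    """True if `community` can read `oid`: the longest view entry covering the
    OID wins; a community with no view sees the whole tree (the poster's bug)."""
    views, communities = parse_config(config)
    if community not in communities:
        return False
    view = communities[community]
    if view is None:
        return True
    oid, best = to_oid(oid), None
    for tree, included in views.get(view, []):
        if oid == tree or oid.startswith(tree + "."):
            if best is None or len(tree) > len(best[0]):
                best = (tree, included)
    return best is not None and best[1]
```

Run `visible(FIXED_CONFIG, "test", "ciscoConfigCopyMIB.1.1.1")` against your own sanitised config to confirm the config-copy subtree is hidden before handing the community to a third party.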
