
Excluding MIB II OIDs using snmp-server view - how to lock down the router

Sep 20th, 2005

We are managing the following routers for the customer (Soho 96, 97, 836, 837, 1721, 1841), IOS 12.3(8)T.

We are allowing the customer to poll the router for MIB II information; however, there are a number of MIBs that we don't want the customer to view, i.e. TCP Connections, IP Routing Table, IOS and Flash Versions, Dynamic Routing, Community Strings etc.


Neither do we want them to see any troubleshooting information, but we will allow interface statistics etc.


I am looking for a definitive list of OIDs in the MIB II which lock down all the MIBs that shouldn't be allowed.


How do I go about configuring this? Do I allow everything and disallow the MIBs, or just allow the MIBs I want them to have? Would the second option disallow everything else because they had not been allowed, or are they allowed by default?


I have thought about the SNMP community string and ACL for the customer management stations.

I am having difficulty deciding the configuration for:


snmp-server view 'name' 'OIDname' included/excluded


Can anyone also tell me: if I exclude a parent MIB OID, will it exclude all child MIBs in the same group unless I explicitly allow the individual child MIB?

Thanks


innerspaceservices Thu, 09/22/2005 - 00:00

I found what I was looking for and it is at this link.


http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1


Also, the configuration to lock down the router to only view statistics and not any routing information is as follows (do not include the keywords internet or mibII):


snmp-server view customerro ip included
snmp-server view customerro interfaces included
snmp-server view customerro icmp included
snmp-server view customerro tcp included
snmp-server view customerro udp included
snmp-server view customerro snmp included
snmp-server view customerro ip.1 excluded
snmp-server view customerro ip.20 excluded
snmp-server view customerro ip.21 excluded
snmp-server view customerro ip.22 excluded
snmp-server view customerro ip.24 excluded
snmp-server view customerro tcp.13 excluded
snmp-server view customerro tcp.19 excluded
snmp-server view customerro tcp.20 excluded
snmp-server view customerro udp.5 excluded
snmp-server community customerstring view customerro RO 21
access-list 21 permit 192.168.1.1
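
The view from the answer above, evaluated with the view-matching rule that RFC 3415 (VACM) defines: the longest matching subtree decides, and an OID under no listed subtree is not in the view. This is an added example, not part of the original posts and not Cisco's code; it assumes IOS follows that rule, maps the group names to their standard MIB-II numbers, and the two `demo` view lines and all helper names are constructed for illustration.

```python
# Added example: SNMP view matching as in RFC 3415 (assumed to match IOS).
MIB2 = (1, 3, 6, 1, 2, 1)
GROUPS = {"system": 1, "interfaces": 2, "ip": 4, "icmp": 5,
          "tcp": 6, "udp": 7, "snmp": 11}

def to_oid(name):
    """Turn 'ip.21' or 'tcp' into a numeric OID tuple under mib-2."""
    head, *rest = name.split(".")
    return MIB2 + (GROUPS[head],) + tuple(int(p) for p in rest)

def parse_view(config, view_name):
    """Collect (subtree, included?) pairs for one view from IOS config text."""
    entries = []
    for line in config.splitlines():
        words = line.split()
        if len(words) == 5 and words[:3] == ["snmp-server", "view", view_name]:
            entries.append((to_oid(words[3]), words[4] == "included"))
    return entries

def in_view(entries, oid):
    """Longest matching subtree decides; no matching subtree means denied."""
    matches = [(len(s), inc) for s, inc in entries if oid[:len(s)] == s]
    return max(matches, key=lambda m: m[0])[1] if matches else False

# customerro lines are the reply's config; the two "demo" lines are constructed.
CONFIG = """\
snmp-server view customerro ip included
snmp-server view customerro interfaces included
snmp-server view customerro icmp included
snmp-server view customerro tcp included
snmp-server view customerro udp included
snmp-server view customerro snmp included
snmp-server view customerro ip.1 excluded
snmp-server view customerro ip.20 excluded
snmp-server view customerro ip.21 excluded
snmp-server view customerro ip.22 excluded
snmp-server view customerro ip.24 excluded
snmp-server view customerro tcp.13 excluded
snmp-server view customerro tcp.19 excluded
snmp-server view customerro tcp.20 excluded
snmp-server view customerro udp.5 excluded
snmp-server view demo ip excluded
snmp-server view demo ip.20 included
"""

def visible(view_name, name):
    """True if the named object falls inside the view."""
    return in_view(parse_view(CONFIG, view_name), to_oid(name))
```

Under these assumptions, `visible("customerro", "system.1.0")` is False because the system group was never included, and `visible("demo", "ip.20.1.1")` is True because the more specific include overrides the excluded parent.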

