New Member

CatOS / IOS SNMP write community restriction config retrieval

Hello,

How is it possible to RESTRICT the SNMP READ community in a way that, using SNMP, it will NOT be possible to retrieve the configuration file or parts of the configuration of the switch?

In my case, there will be a network scan. I have to make sure that the scanning party is not able to get the running-config or startup-config, nor has any way to get them from the switch using SNMP.

I need a restriction for IOS and for CatOS on the SNMP RO (read only) community.

I have already read about SNMP views; maybe there is a bigger difference on the switches that are using CatOS.

Thanks in advance for the answers.

1 REPLY
Blue

Re: CatOS / IOS SNMP write community restriction config retrieval

If the scanning is authorized, can't you designate them a source address to scan from that does not have SNMP write/read access to your devices, assuming SNMP access is currently already restricted with ACL(s) and only open to select hosts/subnets?

But going with your choice, I suppose you could configure snmp view(s) to stop snmp write access to the following OIDs:

OLD-CISCO-SYS-MIB

.1.3.6.1.4.1.9.2.1.55

CISCO-STACK-MIB

.1.3.6.1.4.1.9.5.1.5.1
.1.3.6.1.4.1.9.5.1.5.2
.1.3.6.1.4.1.9.5.1.5.3
.1.3.6.1.4.1.9.5.1.5.4

CISCO-CONFIG-COPY-MIB

.1.3.6.1.4.1.9.9.96.1.1.1.1.2
.1.3.6.1.4.1.9.9.96.1.1.1.1.3
.1.3.6.1.4.1.9.9.96.1.1.1.1.4
.1.3.6.1.4.1.9.9.96.1.1.1.1.5
.1.3.6.1.4.1.9.9.96.1.1.1.1.6
.1.3.6.1.4.1.9.9.96.1.1.1.1.14

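One way to express the view suggested in the reply on IOS, as an added example that is not part of the original thread. The view name NO-CONFIG-COPY, ACL number 10, the scanner address 192.0.2.10 and the community placeholder are assumptions; CatOS uses a different command set and is not covered here.

```cisco
! Added example. View name, ACL number, scanner address and community
! string are placeholders, not values from the thread.
!
! Only the designated scanning host may use this community at all.
access-list 10 permit host 192.0.2.10
!
! Start from the whole tree, then carve out the subtrees listed in the reply.
snmp-server view NO-CONFIG-COPY iso included
!
! OLD-CISCO-SYS-MIB
snmp-server view NO-CONFIG-COPY 1.3.6.1.4.1.9.2.1.55 excluded
!
! CISCO-STACK-MIB
snmp-server view NO-CONFIG-COPY 1.3.6.1.4.1.9.5.1.5.1 excluded
snmp-server view NO-CONFIG-COPY 1.3.6.1.4.1.9.5.1.5.2 excluded
snmp-server view NO-CONFIG-COPY 1.3.6.1.4.1.9.5.1.5.3 excluded
snmp-server view NO-CONFIG-COPY 1.3.6.1.4.1.9.5.1.5.4 excluded
!
! CISCO-CONFIG-COPY-MIB
snmp-server view NO-CONFIG-COPY 1.3.6.1.4.1.9.9.96.1.1.1.1.2 excluded
snmp-server view NO-CONFIG-COPY 1.3.6.1.4.1.9.9.96.1.1.1.1.3 excluded
snmp-server view NO-CONFIG-COPY 1.3.6.1.4.1.9.9.96.1.1.1.1.4 excluded
snmp-server view NO-CONFIG-COPY 1.3.6.1.4.1.9.9.96.1.1.1.1.5 excluded
snmp-server view NO-CONFIG-COPY 1.3.6.1.4.1.9.9.96.1.1.1.1.6 excluded
snmp-server view NO-CONFIG-COPY 1.3.6.1.4.1.9.9.96.1.1.1.1.14 excluded
!
! Bind the read-only community to the view and to the ACL.
snmp-server community <RO-COMMUNITY-PLACEHOLDER> view NO-CONFIG-COPY RO 10
```

`show snmp view` lists the resulting view entries, and `show snmp community` shows which view each community is bound to. Any other community left on the device without this view still sees the full tree.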