Restrict SNMP to discovery only

bw3481
Level 1

I have some 2621 routers on which I want to restrict SNMP access so that a third party can only discover the device, not read my configuration. I know that I can set up a RO server host, but that would still give them access to download my configuration. Is there a way to restrict this?

Thanks in advance.

Accepted Solution

Vinod Arya
Cisco Employee

If you want others not to be able to download your configuration, you can block access to the MIB which shows the configuration.

You can do so by creating an SNMP view. An SNMP view restricts the user to a limited part of the Management Information Base (MIB). By default, no SNMP view entry exists.

CISCO-CONFIG-COPY-MIB is used to access configuration details.

Following are the commands to configure an SNMP view:

snmp-server view <view_name> <oid_tree> included | excluded   --> to create the SNMP view

snmp-server community <string> view <view_name> ro | rw   --> to bind the view to a community string

For more details, please check:

snmp-server view command reference

Securing Simple Network Management Protocol

Cisco-CONFIG-COPY-MIB

-Thanks

Vinod


4 Replies

AFROJ AHMAD
Cisco Employee

Hi,

If you have given the RO community to the NMS server, yes, they should be able to look at the config or may be able to download it; however, they will not be able to push a config to the device via the NMS.

Via SNMP you can't restrict this; however, if your tool has some access policy to RESTRICT the users, then it is possible, like a "Guest user".

Or, if your NMS can be integrated with ACS / TACACS, then it is possible via AAA.

Hope the above information will help.

Thanks-

Afroz


To use SNMP view, do I need to copy CISCO-CONFIG-COPY-MIB to my router?

When I tried to create an SNMP view, I am still seeing all of the system information on the router when I have someone do an snmpwalk for it.

snmp-server view test system included
snmp-server view test system.7 excluded
snmp-server community test RO
snmp-server host x.x.x.x test

No, it is not required. You cannot copy any MIBs to routers/switches (IOS), as all MIBs are packaged along with them.

You have to exclude the config-copy MIB properly, and you don't seem to have associated your view with the community string properly. Use the following modification to your test:


snmp-server view test system included
snmp-server view test ConfigCopyMIB excluded
snmp-server community test view test RO
snmp-server host x.x.x.x test

Please check and try this.

-Thanks

Vinod

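Added example (not from the thread and not Cisco's code): a small Python model of how IOS evaluates "snmp-server view" entries under VACM longest-match rules (RFC 3415), used to compare the poster's first attempt (view never bound to the community) with the corrected config above. The subtree-name-to-OID mapping, the sample OIDs and the "no view bound means everything visible" simplification are assumptions.

```python
# Constructed model of IOS SNMP view evaluation; not the router's own code.
SUBTREES = {  # subtree names used in the thread -> OIDs (assumed mapping)
    "system": "1.3.6.1.2.1.1",
    "system.7": "1.3.6.1.2.1.1.7",
    "ConfigCopyMIB": "1.3.6.1.4.1.9.9.96",  # ciscoConfigCopyMIB root
}

def parse_views(config):
    """Collect 'snmp-server view NAME SUBTREE included|excluded' lines per view."""
    views = {}
    for line in config.splitlines():
        p = line.split()
        if p[:2] == ["snmp-server", "view"] and len(p) == 5:
            entry = (SUBTREES.get(p[3], p[3]), p[4] == "included")
            views.setdefault(p[2], []).append(entry)
    return views

def community_view(config, community):
    """Return the view name bound to a community, or None if no view is bound."""
    for line in config.splitlines():
        p = line.split()
        if p[:2] == ["snmp-server", "community"] and len(p) > 2 and p[2] == community:
            return p[p.index("view") + 1] if "view" in p else None
    return None

def oid_in_view(entries, oid):
    """The most specific (longest) matching subtree decides; no match = hidden."""
    best = None
    for prefix, included in entries:
        if oid == prefix or oid.startswith(prefix + "."):
            if best is None or prefix.count(".") > best[0].count("."):
                best = (prefix, included)
    return best[1] if best else False

def visible(config, community, oid):
    """Simplification: a community with no view bound exposes the whole tree."""
    view = community_view(config, community)
    if view is None:
        return True
    return oid_in_view(parse_views(config).get(view, []), oid)

# Constructed copies of the two configs posted in the thread
FIRST_TRY = """snmp-server view test system included
snmp-server view test system.7 excluded
snmp-server community test RO"""
CORRECTED = """snmp-server view test system included
snmp-server view test ConfigCopyMIB excluded
snmp-server community test view test RO"""

SYS_DESCR = "1.3.6.1.2.1.1.1.0"
CC_COPY_OBJ = "1.3.6.1.4.1.9.9.96.1.1.1.1.10.1"  # some object under ciscoConfigCopyMIB (assumed)
```

With FIRST_TRY the community has no view attached, so the config-copy object is still visible; with CORRECTED only the system group is visible and the config-copy subtree is hidden.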