New Member

Restricting SNMP access with views

Dear all,

I need to allow SNMP access on some devices I manage to an HP Open View Server. I would like to enable only a RO community and I would like to restrict access only to the strictly necessary MIBs to let Open View work. I was thinking about using something like:

access-list 95 permit 192.168.12.98

access-list 95 deny any

…..

snmp-server view hpopenview system included

snmp-server community xyertjjsska view hpopenview RO 95

Now the question...

Does anybody know which MIB tree I should include in the view besides system to let HP Open View work? (minimum requirements for HP Open View)

Thanks

Cisco Employee

Re: Restricting SNMP access with views

Well, it kind of depends on the version of OV NNM and what features are turned on - sorry I can't be more explicit. You're on the right track with system, but I'll bet if you have discovery configured that it's going to go after some objects in the routing table (ip tree).

Might I suggest this - if this is on a Solaris box, use the built-in 'snoop' command and restrict it to monitoring the traffic to/from a specific device. Discover that device then review the capture to see what all your version of OV NNM is going after.

Solaris command would be 'snoop -o /tmp/output.cap OVserverIP DeviceIP'

Ctrl-C to stop the capture after you've got enough.

On a Windows platform you'll need to add a packet capture tool, like Ethereal.
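
An added example, not part of the original replies: once the OIDs the NNM server requested have been read out of the capture, they can be collapsed into the MIB-II groups the view has to include, with everything outside MIB-II set aside for a manual decision. The OID list is constructed sample data (not a real NNM capture), `view_config` and its helpers are hypothetical names, and the view name is the one from the question.

```python
from collections import Counter

MIB2 = (1, 3, 6, 1, 2, 1)
# Standard MIB-II group names (RFC 1213) under 1.3.6.1.2.1
MIB2_GROUPS = {1: "system", 2: "interfaces", 3: "at", 4: "ip", 5: "icmp",
               6: "tcp", 7: "udp", 11: "snmp"}

# Constructed sample: OIDs as they might be copied out of a capture review.
SAMPLE = """
.1.3.6.1.2.1.1.1.0
.1.3.6.1.2.1.1.2.0
.1.3.6.1.2.1.2.2.1.2.1
.1.3.6.1.2.1.4.20.1.1
.1.3.6.1.2.1.4.21.1.1
.1.3.6.1.4.1.9.2.1.3.0
not-an-oid
"""

def parse_oid(text):
    """Turn '.1.3.6.1.2.1.1.3.0' into a tuple of ints; None if not an OID."""
    parts = text.strip().lstrip(".").split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def summarize(oid_lines):
    """Count requests per MIB-II group; keep anything else for review."""
    groups, review = Counter(), Counter()
    for line in oid_lines:
        oid = parse_oid(line)
        if oid is None:
            continue
        if oid[:6] == MIB2 and len(oid) > 6:
            groups[oid[:7]] += 1      # collapse to the group subtree
        else:
            review[oid] += 1          # e.g. enterprise OIDs: do not auto-include
    return groups, review

def view_config(oid_lines, view_name="hpopenview"):
    """Build 'snmp-server view' lines covering only the groups actually queried."""
    groups, review = summarize(oid_lines)
    out = []
    for subtree in sorted(groups):
        name = MIB2_GROUPS.get(subtree[6], "unnamed group")
        out.append(f"! {name}: {groups[subtree]} request(s) seen")
        out.append(f"snmp-server view {view_name} {'.'.join(map(str, subtree))} included")
    for oid in sorted(review):
        out.append(f"! REVIEW before adding: {'.'.join(map(str, oid))}")
    return out

if __name__ == "__main__":
    print("\n".join(view_config(SAMPLE.splitlines())))
```

Re-running the same script on a later capture and comparing the output shows which subtrees a newly installed component started querying.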

Blue

Re: Restricting SNMP access with views

That approach can be kind of a pain too. Imagine doing a new capture and re-scrubbing, if/when HPOV NNM SPIs (smart plug-ins) are installed, such as the IP Multicast SPI, that will surely go after additional MIB objects.
