Cisco Support Community
New Member

setting up snmp community string

We have a 3rd party vendor doing a discovery process on our network

They obv. need snmp to get info about certain switches and routers.

However we have no standard..

I noticed in one router the following config

snmp-server engineID local xxxxxxxxxx

snmp-server community xxxx RO 11

snmp-server community xxxxx RO 4

snmp-server community xxxxx RO 25

snmp-server community string RO

snmp-server enable traps snmp

1st question

What is this statement doing?

snmp-server community string RO

I see no community string phrase configured

Also, I notice some have access lists associated with them.

If I configured a new string, would they be prevented from discovery?

Cisco Employee

Re: setting up snmp community string

This line declares an SNMP community string called "string" for both SNMPv1 and SNMPv2c communication. This string is allowed read-only access to the entire MIB tree from any host.

You can configure as many strings as you'd like. Those with access-lists attached are limited to being used by the hosts that match the ACLs. Those without ACLs can be used from any host.

It's a good idea to remove community strings you do not need, and to restrict those you do need to only certain hosts which are known NMSes.

New Member

Re: setting up snmp community string

I don't know how I missed "string". I guess my eyes played tricks on me.

So for the sake of my task, I could configure a new community string for them to use and have no issues with the access lists that have been configured on other strings?

Cisco Employee

Re: setting up snmp community string

Yes, but the more strings you have, the more potential you have to be compromised. If you do create a new string, consider adding an ACL to it to limit the hosts that can use it to the one(s) running this 3rd party tool.

New Member

Re: setting up snmp community string

thx!

Re: setting up snmp community string

For that matter, consider using an SNMP view to limit what they can see/do. Our WAN provider needed a community string with RW to use their tool; we said OK, but we limited them to their stated source IP address (with an ACL) and certain parts of the MIB (with a view).

Check here as a start: http://www.cisco.com/en/US/customer/docs/ios/11_3/configfun/configuration/guide/fcmonitr.html#wp10426

HTH

Paul
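
Added example, not part of the original thread and not Cisco code: a small Python audit that reads `snmp-server community` lines from a saved config and flags the conditions the replies above warn about (no ACL, no view, RW access). The sample config, the `vendor` community and the `VENDOR-VIEW` view name are constructed for illustration; the function name is hypothetical.

```python
import re

# IOS syntax: snmp-server community <string> [view <name>] [ro|rw] [ipv6 <nacl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>ro|rw))?"
    r"(?: ipv6 (?P<acl6>\S+))?"
    r"(?: (?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)

# Constructed sample: two lines modelled on the question, one restricted vendor string.
SAMPLE_CONFIG = """\
snmp-server engineID local xxxxxxxxxx
snmp-server community xxxx RO 11
snmp-server community string RO
snmp-server community vendor view VENDOR-VIEW RO 25
snmp-server enable traps snmp
"""

def audit_snmp_communities(config_text):
    """Return one finding dict per 'snmp-server community' line."""
    findings = []
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue  # not a community definition
        mode = (m.group("mode") or "ro").upper()  # read-only when omitted
        issues = []
        if not m.group("acl"):
            issues.append("no ACL: usable from any host")
        if not m.group("view"):
            issues.append("no view: entire MIB tree exposed")
        if mode == "RW":
            issues.append("read-write access")
        findings.append({"community": m.group("name"), "mode": mode,
                         "acl": m.group("acl"), "view": m.group("view"),
                         "issues": issues})
    return findings

if __name__ == "__main__":
    for f in audit_snmp_communities(SAMPLE_CONFIG):
        status = "; ".join(f["issues"]) or "restricted by ACL and view"
        print(f"{f['community']:<8} {f['mode']} acl={f['acl']} view={f['view']} -> {status}")
```

Community strings are credentials, so run this against a local copy of the config and keep the output out of tickets and chat.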
