Cisco Support Community

New Member

SNMP Community String Public

I have configured all switches and routing modules with new community strings. However, if I do an SNMP walk, the interface VLAN addresses come up as public. How do I remove the default community strings from the VLAN interfaces?

5 REPLIES
Blue

Re: SNMP Community String Public

What does not snmpwalk output show? What type of switches/code is this?

New Member

Re: SNMP Community String Public

Thank you for your reply,

I have used a network monitoring tool called SNMP sweep by Solarwinds. I added the network addresses to cover the VLAN, and the VLAN interfaces and HSRP address came back as public.

The switch is a 6509 with MSFC. I have configured SNMP community strings on the switch and MSFC, and removed any public or private community strings.

Purple

Re: SNMP Community String Public

If you have a 5500 with RSM or a 6509 with MSFC, then you will have to change them on the layer 3 side also, not just on the layer 2 side. For more info we need the switch models and info.

New Member

Re: SNMP Community String Public

The model is a 6509. I have configured SNMP at both layer 3 and layer 2. I have used a tool called Solarwinds. It picked up the VLAN interface addresses as Cisco default community strings public, which I would like to remove.

New Member

Re: SNMP Community String Public

Uh... Let's clear up a few things first:

1. If you're polling using Solarwinds, there are only a few things you can hit:

- The sc0 interface on the switch.

- The defined interfaces on the rtr (incl loop).

So if you're getting a response from Solarwinds indicating that something is responding to SNMP (with a string of public) on the "VLAN" interface - you're talking something defined on the router.

2. Therefore, this whole "layer 2" and "layer 3" thing is kind of a red herring. Let's talk router.

3. Just configuring a "new" SNMP string with the appropriate command, like this:

snmp-server community IBMRAWKS ro

or whatever only ADDS to the strings already defined. It doesn't REPLACE what already exists. You must clear the previous SNMP string using the "no" command - standard IOS. Like this:

no snmp-server community public ro

And BTW: From one IBM'er to another, ITCS guidelines dictate that you're supposed to secure the equipment from screens using an ACL. Like this:

snmp-server community LOUANDSAM ro 10

with

access-list 10 permit 1.1.1.1

access-list 10 permit 2.2.2.2

etc.

4. You should also screen your switches using IP Permit lists (I do for both SNMP and telnet). [Easy to do on Cat 5000 and Cat 6000's using CatOS.]

5. Don't forget to save your config.

6. I've been working on a "hardened" IOS for both internal and external routers, switches, etc. Since you're doing Solarwinds sweeps, perhaps we can touch base and exchange information? If you have a Sametime id - can you drop a note with it? Be nice to share information.

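The checks discussed in this thread (a leftover default community, and communities with no ACL) can be run against a saved running-config. The script below is an added example, not part of the original posts; the sample config, community names and addresses are constructed, and it assumes the IOS form `snmp-server community <string> [view <name>] [ro|rw] [acl]`.

```python
import re

DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
hostname msfc-example
snmp-server community public RO
snmp-server community EXAMPLE-RO-1 RO
snmp-server community EXAMPLE-RO-2 RO 10
snmp-server community EXAMPLE-RW RW 20
access-list 10 permit 192.0.2.10
access-list 10 permit 192.0.2.11
"""

def audit_snmp(config):
    """Return (community, finding) tuples for an IOS running-config."""
    # Numbered ACLs and named standard ACLs that actually exist in the config.
    defined_acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    defined_acls |= set(re.findall(r"^ip access-list standard (\S+)", config, re.M))
    findings = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["snmp-server", "community"] or len(tokens) < 3:
            continue
        name, rest = tokens[2], tokens[3:]
        if rest[:1] == ["view"]:          # skip optional "view <name>"
            rest = rest[2:]
        mode = "ro"                       # IOS treats an unspecified mode as read-only
        if rest and rest[0].lower() in ("ro", "rw"):
            mode, rest = rest[0].lower(), rest[1:]
        acl = rest[0] if rest else None
        if name.lower() in DEFAULT_COMMUNITIES:
            # Adding a new community does not remove this one; it needs "no".
            findings.append((name, "default string still defined; remove with: "
                                   f"no snmp-server community {name} {mode}"))
        if acl is None:
            findings.append((name, "no ACL restricts which hosts may poll"))
        elif acl not in defined_acls:
            findings.append((name, f"ACL {acl} is referenced but not defined"))
    return findings

if __name__ == "__main__":
    for community, finding in audit_snmp(SAMPLE_CONFIG):
        print(f"{community}: {finding}")
```
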