CatOS / IOS SNMP write community restriction config retrieval

cisco.xenpak1
Level 1

Hello,

How is it possible to RESTRICT the SNMP READ community in such a way that, using SNMP, it will NOT be possible to retrieve the configuration file or parts of the configuration of the switch?

In my case, there will be a network scan. I have to make sure that the scanning party is not able to get the running-config or startup-config, nor has any way to get them from the switch using SNMP.

I need a restriction for IOS and for CATOS on the SNMP RO (read only) community.

I have read already about SNMP View, maybe there is a bigger difference to the switches that are using CATOS.

Thanks in advance for the answers.

1 Reply

yjdabear
VIP Alumni

If the scanning is authorized, can't you designate them a source addr to scan from that does not have snmp write/read access to your devices, assuming currently snmp access is already restricted with ACL(s) and only open to select hosts/subnets?

But going with your choice, I suppose you could configure snmp view(s) to stop snmp write access to the following OIDs:

OLD-CISCO-SYS-MIB
.1.3.6.1.4.1.9.2.1.55

CISCO-STACK-MIB
.1.3.6.1.4.1.9.5.1.5.1
.1.3.6.1.4.1.9.5.1.5.2
.1.3.6.1.4.1.9.5.1.5.3
.1.3.6.1.4.1.9.5.1.5.4

CISCO-CONFIG-COPY-MIB
.1.3.6.1.4.1.9.9.96.1.1.1.1.2
.1.3.6.1.4.1.9.9.96.1.1.1.1.3
.1.3.6.1.4.1.9.9.96.1.1.1.1.4
.1.3.6.1.4.1.9.9.96.1.1.1.1.5
.1.3.6.1.4.1.9.9.96.1.1.1.1.6
.1.3.6.1.4.1.9.9.96.1.1.1.1.14
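
The view approach from the reply above, as an added example that is not part of the thread or Cisco's own code: it models a view that includes 1.3.6.1 and excludes the listed OIDs, decides visibility by longest-subtree match on sub-identifiers, and prints the corresponding IOS `snmp-server view` lines. The view name NOCONFIG, the 1.3.6.1 root and the probe OIDs are assumptions; CatOS syntax is not covered.

```python
# Added example, not from the thread. View name and probe OIDs are assumptions.
VIEW_NAME = "NOCONFIG"  # hypothetical view name
ROOT = "1.3.6.1"        # include everything under internet, then carve out

# Subtrees listed in the reply, keyed by the MIB names given there.
EXCLUDED = {
    "OLD-CISCO-SYS-MIB": ["1.3.6.1.4.1.9.2.1.55"],
    "CISCO-STACK-MIB": ["1.3.6.1.4.1.9.5.1.5.%d" % n for n in (1, 2, 3, 4)],
    "CISCO-CONFIG-COPY-MIB": ["1.3.6.1.4.1.9.9.96.1.1.1.1.%d" % n
                              for n in (2, 3, 4, 5, 6, 14)],
}

def parse_oid(text):
    """'.1.3.6' or '1.3.6' -> (1, 3, 6), so matching is per sub-identifier."""
    return tuple(int(part) for part in text.strip(".").split("."))

def build_view():
    """Return view entries as (subtree, included) pairs."""
    entries = [(parse_oid(ROOT), True)]
    for oids in EXCLUDED.values():
        entries += [(parse_oid(oid), False) for oid in oids]
    return entries

def in_view(oid, entries):
    """Longest matching subtree decides; an OID matching no entry is not visible."""
    oid = parse_oid(oid)
    hits = [(sub, inc) for sub, inc in entries if oid[:len(sub)] == sub]
    return max(hits, key=lambda hit: len(hit[0]))[1] if hits else False

def ios_view_lines(entries, name=VIEW_NAME):
    """Render the entries as IOS 'snmp-server view' commands."""
    return ["snmp-server view %s %s %s" % (
        name, ".".join(map(str, sub)), "included" if inc else "excluded")
        for sub, inc in entries]

if __name__ == "__main__":
    view = build_view()
    print("\n".join(ios_view_lines(view)))
    probes = [  # constructed probe OIDs (instance suffixes are made up)
        "1.3.6.1.2.1.1.1.0",                # outside the excluded subtrees
        "1.3.6.1.4.1.9.2.1.55.192.0.2.10",  # under an excluded subtree
        "1.3.6.1.4.1.9.9.96.1.1.1.1.14.7",  # under an excluded subtree
        "1.3.6.1.4.1.9.9.96.1.1.1.1.20.7",  # .20 is not under .2
    ]
    for probe in probes:
        print(probe, "visible" if in_view(probe, view) else "blocked")
```

On IOS the view takes effect once it is bound to the read-only community with `snmp-server community <string> view NOCONFIG RO`, where `<string>` is a placeholder.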