Solved: Re: Cisco SNMP View - how does the list work

andy-cisco · ‎09-12-2024

Hi,

I've recently been tasked with allowing SNMP access to a device for identification only. No other SNMP access. I believe what I want is the 1.3.6.1.2.1.1 area, which is the system OID.

From what I can tell I should be using views to meet this request but I'm not sure about the exclusions. Do I need to specifically list all the other OID's as exclude or if my view list only has one permit after finding no matches does it drop all the SNMP request at that point?

example:

snmp-server view customer system included

Now in the view customer since there is only one include are all the others considered excluded or do I need to state ever OID with an exclude statement.

Thanks for your help,

Andy

marce1000 · ‎09-13-2024

- The configured view allows you to query all OID's that are leaf's connected to the top of the view list , you will probably not get a permission denied error when trying any other OID. Presumably more something like No Such Object available on this agent at this OID (cloaking the 'real situation') .

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

View solution in original post

marce1000 · ‎09-13-2024

- You may find this useful : https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/20370-snmpsecurity-20370.html#toc-hId-228129250
So you need to restrict the OID tree to include the ones that are allowed for query

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

andy-cisco · ‎09-13-2024

Marce,

Thanks for your reply but its still not clear to me.

If I only have a view with one allow does that mean all other request are denied? Does the list work like and ACL where if you reach the end and your not permitted it's denied?

Thanks,

Andy

marce1000 · ‎09-13-2024

- The configured view allows you to query all OID's that are leaf's connected to the top of the view list , you will probably not get a permission denied error when trying any other OID. Presumably more something like No Such Object available on this agent at this OID (cloaking the 'real situation') .

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

andy-cisco · ‎09-13-2024

Marce,

So if I understand you correct, based on my example above, the person could query anything in the system OID, but any other OID the request would not return valid information, i.e. a deny any at the end of list.

Andy

marce1000 · ‎09-13-2024

- Basically true ; just say that trying to query any OID out of the allowed view list will return a (the) error as mentioned earlier ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '