Info on SNMP management

David Lee
Level 1

I'd like to learn about SNMP. My ISP is requiring me to have SNMP strings. I don't know a lot about SNMP, so I am hoping that someone can tell me what they can see and do using the settings below. My ISP wants to poll my router to determine any issues with the circuit, but that's all I want them to see. I don't want them to be able to make changes, see when I am making changes, or see anything other than whether the circuit is up or down. The interface that I connect to my ISP is the trap interface of Gi0/1. For access list 51, the community strings, and hosts I have changed the info to generic information. Also, what is the difference below between using snmp-server community Z1 view BLOCK rather than snmp-server host 1.2.3.4 Z2? Can the view BLOCK only see the MIBs it has listed? Can the snmp-server host 1.2.3.4 Z2 see the BLOCK MIBs and the enable traps?


snmp-server view BLOCK iso included
snmp-server view BLOCK ipAddrEntry.*.*.*.*.* excluded
snmp-server view BLOCK ipAddrEntry.*.152.176.*.* included
snmp-server view BLOCK ipNetToMediaEntry.*.*.*.*.*.* excluded
snmp-server view BLOCK ipNetToMediaEntry.*.*.152.176.*.* included
snmp-server view BLOCK atEntry.*.*.*.*.*.*.* excluded
snmp-server view BLOCK atEntry.*.*.*.152.176.*.* included
snmp-server community  Z1  view BLOCK RO 51
snmp-server ifindex persist
snmp-server trap-source GigabitEthernet0/1
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server host 1.2.3.4   Z2
snmp-server host 1.2.3.4   Z2
tacacs-server host 10.5.5.1 timeout 5
tacacs-server host 10.5.5.2 timeout 5
tacacs-server directed-request
tacacs-server key 7 ***********
access-list 51 permit 1.2.3.4 0.0.0.63
access-list 51 permit 1.2.3.4 0.0.0.63

Thank You,

David

3 Replies

Vinod Arya
Cisco Employee

There are two kinds of access via SNMP:

Read-Only: allows gathering information via SNMP

Read-Write: allows set operations to make changes on the device via SNMP

If you don't want to allow your ISP to make any changes to the device, don't configure the device with SNMP RW strings, and even if you do configure them, don't share them with the ISP.

For your questions:

What is the difference below between using snmp-server community Z1 view BLOCK rather than snmp-server host 1.2.3.4 Z2?

I would answer this by explaining what an SNMP view is:

Just as show commands get details from the device, SNMP uses MIBs to show similar data by polling the device. To restrict access to the MIBs and have controlled access, we create an SNMP view.

After creating the SNMP view, you need to associate it with the community for its restrictions to be effective. So you configure it like:

snmp-server community comm_name view view_name RO|RW.

Here your View name is BLOCK. 

For this view, you need to remove the first line, snmp-server view BLOCK iso included. This command includes all access to the device.

If you remove this, everything else you have configured as included/excluded will be effective.

Can the view BLOCK only see the MIBs it has listed?  

Yes. If you remove iso and configure only the MIBs which you want to include, the device will allow only those MIBs which are included.

Can the snmp-server host 1.2.3.4 Z2 see the BLOCK MIBs and the enable traps?

The Host command is not used to poll. It is used to send any SNMP Traps to the defined host server. If you need to restrict who can poll the device, configure the ACL accordingly.

Hope this helps.

-Thanks

Vinod

-Thanks Vinod **Rating Encourages contributors, and its really free. **

Vinod,

Thank you for the information. I have taken the snmp-server view BLOCK iso included line out of the config, and now my ISP is giving us an alert that our router is down and the SNMP agent is not responding.

David

Because you were very concerned about what your ISP may be able to poll, I advised you to check with them on what specifically they poll, and you can include those specific MIBs/OIDs.

As you removed iso, access to polling is restricted to only these objects:

snmp-server view BLOCK ipAddrEntry.*.152.176.*.* included
snmp-server view BLOCK ipNetToMediaEntry.*.*.152.176.*.* included
snmp-server view BLOCK atEntry.*.*.*.152.176.*.* included

So probably they are monitoring MIB-2 for SNMP reachability to decide if the device is up/down, which may not be responding now.

If you confirm with them what OID is used to check that the device is up, you can add it to the include list.

You need to decide what level of access you want to grant the ISP to check/poll limited information; your device can be configured accordingly.

-Thanks

Vinod

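The view behaviour discussed in both of Vinod's replies (a view's included/excluded families decide what a read-only community can poll, and dropping `iso included` leaves almost nothing pollable, which is why the ISP's up/down check stopped answering) can be checked offline before touching the router. The following is an added example, not code from this thread or from Cisco: a small Python simulator that expands the symbolic names in David's view to their standard MIB-2 OIDs and evaluates each probe OID against the view using VACM-style (RFC 3415) longest-match semantics. Assumptions of my own, not from the thread: the tie-break for equally long families (fewer wildcards wins), and the two `sysUpTime` / `ifOperStatus` lines in the repaired view, which stand in for whatever OID the ISP actually confirms it polls.

```python
"""Simulate which OIDs a Cisco IOS 'snmp-server view' exposes to a RO community.

Added example, not the thread's or Cisco's code. Assumptions: the most
specific matching family decides included/excluded (longest family wins;
on equal length the family with fewer '*' wildcards wins); '*' matches any
single sub-identifier. OID values are the standard MIB-2 assignments.
"""

# Symbolic object names used in the thread's config, expanded to dotted OIDs.
KNOWN = {
    "iso": "1",
    "sysUpTime": "1.3.6.1.2.1.1.3",
    "ifOperStatus": "1.3.6.1.2.1.2.2.1.8",
    "atEntry": "1.3.6.1.2.1.3.1.1",
    "ipAddrEntry": "1.3.6.1.2.1.4.20.1",
    "ipNetToMediaEntry": "1.3.6.1.2.1.4.22.1",
}


def expand(oid_text):
    """'ipAddrEntry.*.152.176.*.*' -> list of sub-identifiers ('*' kept as wildcard)."""
    head, _, rest = oid_text.partition(".")
    if head in KNOWN:
        parts = KNOWN[head].split(".")
    elif head.isdigit():
        parts = [head]
    else:
        raise ValueError(f"unknown object name: {head}")
    if rest:
        parts += rest.split(".")
    return parts


def parse_view(config_text):
    """Return [(view_name, family, included)] from 'snmp-server view' lines only."""
    entries = []
    for line in config_text.strip().splitlines():
        tokens = line.split()
        if len(tokens) != 5 or tokens[:2] != ["snmp-server", "view"]:
            continue  # community, host, ACL lines do not affect the view itself
        entries.append((tokens[2], expand(tokens[3]), tokens[4] == "included"))
    return entries


def family_matches(family, oid):
    """A family is a subtree (with wildcards); it matches any OID beneath it."""
    if len(family) > len(oid):
        return False
    return all(f == "*" or f == o for f, o in zip(family, oid))


def is_visible(entries, view_name, oid_text):
    """True if the most specific family of the view that matches says 'included'."""
    oid = expand(oid_text)
    best = None  # (specificity key, included)
    for name, family, included in entries:
        if name != view_name or not family_matches(family, oid):
            continue
        key = (len(family), sum(1 for f in family if f != "*"))  # assumption: tie-break
        if best is None or key > best[0]:
            best = (key, included)
    return best is not None and best[1]


# David's view as posted (constructed copy of the thread's lines).
VIEW_WITH_ISO = """
snmp-server view BLOCK iso included
snmp-server view BLOCK ipAddrEntry.*.*.*.*.* excluded
snmp-server view BLOCK ipAddrEntry.*.152.176.*.* included
snmp-server view BLOCK ipNetToMediaEntry.*.*.*.*.*.* excluded
snmp-server view BLOCK ipNetToMediaEntry.*.*.152.176.*.* included
snmp-server view BLOCK atEntry.*.*.*.*.*.*.* excluded
snmp-server view BLOCK atEntry.*.*.*.152.176.*.* included
"""

# The same view after the 'iso included' line is removed, as Vinod advised.
VIEW_WITHOUT_ISO = "\n".join(VIEW_WITH_ISO.strip().splitlines()[1:])

# One possible repair (my assumption, not from the thread): re-admit only the
# objects an up/down poll would plausibly need, nothing else.
VIEW_REPAIRED = (VIEW_WITHOUT_ISO
                 + "\nsnmp-server view BLOCK sysUpTime included"
                 + "\nsnmp-server view BLOCK ifOperStatus included")

# Constructed probe OIDs: what a poller might ask for.
PROBES = [
    "sysUpTime.0",                 # classic reachability probe
    "ifOperStatus.1",              # link state of ifIndex 1
    "ipAddrEntry.1.152.176.1.1",   # ipAdEntAddr row for a 152.176.x.x address
    "ipAddrEntry.1.10.5.5.1",      # ipAdEntAddr row for an internal address
]


def report(config_text, view_name="BLOCK"):
    """Map each probe OID to whether the given view lets it be polled."""
    entries = parse_view(config_text)
    return {probe: is_visible(entries, view_name, probe) for probe in PROBES}


if __name__ == "__main__":
    for label, cfg in [("with iso", VIEW_WITH_ISO), ("without iso", VIEW_WITHOUT_ISO),
                       ("repaired", VIEW_REPAIRED)]:
        print(label, report(cfg))
```

Running it shows the three states side by side: with `iso included` everything except the non-152.176 address-table rows is pollable; without it, `sysUpTime.0` and `ifOperStatus.1` both become invisible, so a poller that keys device health on them reports the agent as down; the repaired view answers those two while still hiding the internal address rows. Match the simulated view against the OIDs the ISP actually names before committing any `snmp-server view` change, since a view that hides the reachability OID looks identical to a dead agent from the poller's side.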