08-01-2014 08:14 AM
I have some 2621 routers on which I want to restrict SNMP access so that a 3rd party can only discover the device and not read my configuration. I know that I can set up an RO server host, but that would still give them access to download my configuration; is there a way to restrict this?
Thanks in advance.
08-01-2014 10:14 AM
If you want others not to be able to download your configuration, you can block access to the MIB which shows the configuration.
You can do so by creating an SNMP view. An SNMP view can restrict the user to only a limited part of the Management Information Base (MIB). By default, no SNMP view entry exists.
CISCO-CONFIG-COPY-MIB is used to access configuration details.
Following are the commands to configure an SNMP view:
snmp-server view <view_name> <oid_tree> {included | excluded}   ! create the SNMP view (one line per MIB subtree)
snmp-server community <string> view <view_name> {ro | rw}       ! bind the community string to the view
For more details, please check :
snmp-server view command reference
Securing Simple Network Management Protocol
-Thanks
Vinod
**Encourage Contributors. RATE Them.**
08-01-2014 10:09 AM
Hi ,
If you have given an RO community in the NMS server, yes, they should be able to look at the config or may be able to download it; however, they will not be able to push the config to the device via NMS.
Via SNMP you can't restrict it; however, if your tool has some access policy to RESTRICT the users, then only is it possible, like a "Guest user".
Or, if your NMS can be integrated with ACS / TACACS, then it is possible via AAA.
Hope the above information will help.
Thanks-
Afroz
**Ratings Encourages Contributors ***
08-05-2014 11:53 AM
To use SNMP view, do I need to copy CISCO-CONFIG-COPY-MIB to my router?
When I tried to create an SNMP view, I am still seeing all of the system information on the router when I have someone do an snmpwalk against it.
snmp-server view test system included
snmp-server view test system.7 excluded
snmp-server community test RO
snmp-server host x.x.x.x test
08-06-2014 11:17 PM
No, it is not required. You cannot copy any MIBs to routers/switches (IOS), as all MIBs are packaged along with them.
You have to exclude the config-copy MIB properly, and you don't seem to have associated your view with the community string properly. Use the following modification to your test:
snmp-server view test system included
snmp-server view test 1.3.6.1.4.1.9.9.96 excluded   ! ciscoConfigCopyMIB (CISCO-CONFIG-COPY-MIB) subtree
snmp-server community test view test RO
snmp-server host x.x.x.x test
Please check and try this.
-Thanks
Vinod
**Encourage Contributors. RATE Them.**
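The following is an added audit check, not code from the thread or from Cisco: it models how IOS evaluates an SNMP view (the longest matching subtree entry wins, and nothing is visible unless some entry includes it) and applies it to the two configurations above, showing why the first one still exposed the CISCO-CONFIG-COPY-MIB subtree (the community was never bound to the view) and the corrected one does not. The sample configs, the host address 192.0.2.10 and the small name-to-OID table are constructed for this example.

```python
import re

CONFIG_COPY_MIB = "1.3.6.1.4.1.9.9.96"   # ciscoConfigCopyMIB subtree

# Constructed samples: the thread's first (broken) and corrected SNMP configs.
BROKEN_CONFIG = """
snmp-server view test system included
snmp-server view test system.7 excluded
snmp-server community test RO
snmp-server host 192.0.2.10 test
"""
FIXED_CONFIG = """
snmp-server view test system included
snmp-server view test 1.3.6.1.4.1.9.9.96 excluded
snmp-server community test view test RO
snmp-server host 192.0.2.10 test
"""
# Symbolic subtree names the IOS CLI accepts (assumed table, only what we need here).
NAMES = {"system": "1.3.6.1.2.1.1", "iso": "1"}

def to_oid(tree):
    # Translate e.g. "system.7" into its numeric form "1.3.6.1.2.1.1.7".
    head, _, rest = tree.partition(".")
    head = NAMES.get(head, head)
    return head + ("." + rest if rest else "")

def parse(config):
    # Collect view entries per view name and the view (if any) bound to each community.
    views, communities = {}, {}
    for line in config.splitlines():
        m = re.match(r"snmp-server view (\S+) (\S+) (included|excluded)", line)
        if m:
            views.setdefault(m[1], []).append((to_oid(m[2]), m[3] == "included"))
            continue
        m = re.match(r"snmp-server community (\S+)(?: view (\S+))?", line)
        if m:
            communities[m[1]] = m[2]   # None when no view is bound to the community
    return views, communities

def view_allows(entries, oid):
    # IOS semantics: the longest matching subtree entry decides; no match means hidden.
    best = None
    for tree, included in entries:
        if oid == tree or oid.startswith(tree + "."):
            if best is None or len(tree) > len(best[0]):
                best = (tree, included)
    return best[1] if best else False

def community_exposes(config, community, oid):
    # True when the community string grants access to the given OID.
    views, communities = parse(config)
    view = communities[community]
    if view is None:           # unbound community: whole MIB is readable (the thread's bug)
        return True
    return view_allows(views.get(view, []), oid)
```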