
SNMP Read Only

mmali
Level 1

Hi,

What are the features of the SNMP Read Only community string?

Is it possible to read the router configuration if you have the read only community string?

Regards

M

11 Replies

sachinraja
Level 9

Hi M,

Read only strings can view the device configuration and fetch it on your PC. You cannot change or do anything else with the configuration. You can configure this with the following command on your router:

snmp-server community abcxyz RO

Any SNMP-enabled device can access the router and use the RO community string.

hope this helps... all the best.. rate replies if found useful..

Hi,

Is there a Cisco document explaining this?

Regards

M

Hi,

The document below explains SNMP.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a008030c762.html

all the best.. rate replies if found useful

If I view/download a switch config using the RO community string, does it redact sensitive information, like passwords, the RW community string, etc.?

"If I view/download a switch config using the RO community string, does it redact sensitive information, like passwords, the RW community string, etc.?"

Good question. It's been a long, long time since I pulled a config from a device using SNMP (RO or RW). I recall (???) it sends the config text the same as it would if you did a show config.

Thanks! If that's the case, then since the v1 community strings are shown as plaintext, yes, the RW string would be visible. That seems kinda broken, though.

It's been so long, I don't recall actual behavior, but SNMP strings might be encrypted if "service password-encryption" is enabled.

In my case, "service password-encryption" is enabled, but if I do a show run the community strings are shown in cleartext.

Hello,

The only way I know of to get a sanitized config is to use 'show tech', which of course gets you a whole lot more information than you want or need.

That said, you could filter the output of 'sh run' with keywords that are excluded, e.g.:

show run | exclude password|snmp

jaregalado
Level 1

Hi,

Read-only SNMP communities are very useful for the simple fact that you can restrict your NMS operations personnel from committing costly mistakes.

Suppose someone accidentally clicks the shutdown option on that nice colorful HP OpenView screen and there it goes, your E3 interface carrying your angry customers' traffic.

With a read-only community string you can still use your monitoring software but changes in your routers/switches configurations are not allowed. You need to make changes with the Cisco IOS CLI in that case.

Right now I'm evaluating some NMS software and because no one is exempt from making some mistakes once in a blue moon I prefer to use read-only mode while performing our tests. This is what I use:

!-- allowed NMS station

access-list 11 permit 10.1.2.3

!-- community string

snmp-server community ReAdOnLy RO 11

Regards.
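An added example, not part of any poster's reply: a small Python audit of a saved IOS config that flags `snmp-server community` lines that are read-write, lack an access list, or reference an access list the config does not define, and that masks community strings and password/secret values instead of dropping the lines as `show run | exclude` does. The function names `audit` and `redact` and the sample config are constructed for illustration; only the `access-list 11` and `ReAdOnLy` lines come from the thread.

```python
import re

# Constructed sample config; only the access-list 11 / ReAdOnLy lines come from the thread.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$CONSTRUCTED$hash
access-list 11 permit 10.1.2.3
snmp-server community ReAdOnLy RO 11
snmp-server community ExampleWrite RW
snmp-server community ExampleView view NMSVIEW RO 99
"""

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>RO|RW))?(?: (?P<acl>\S+))?\s*$", re.IGNORECASE)
ACL_RE = re.compile(r"^(?:ip )?access-list (?:standard |extended )?(\S+)", re.IGNORECASE)
SECRET_RE = re.compile(r"\b((?:password|secret)(?: \d)? )\S+$", re.IGNORECASE)

def audit(config):
    """Return (line_number, finding) pairs for SNMP community lines."""
    lines = config.splitlines()
    acls = {m.group(1) for line in lines if (m := ACL_RE.match(line))}
    findings = []
    for number, line in enumerate(lines, 1):
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        # Assumption: a community with no RO/RW keyword is treated as read-only.
        if (m["mode"] or "RO").upper() == "RW":
            findings.append((number, "read-write community"))
        if m["acl"] is None:
            findings.append((number, "no access list restricts source addresses"))
        elif m["acl"] not in acls:
            findings.append((number, f"access list {m['acl']} is not defined in this config"))
    return findings

def redact(config):
    """Mask community strings and password/secret values, keeping line structure."""
    out = []
    for line in config.splitlines():
        line = re.sub(r"^(snmp-server community )\S+", r"\g<1><redacted>", line, flags=re.IGNORECASE)
        out.append(SECRET_RE.sub(r"\g<1><redacted>", line))
    return "\n".join(out)

if __name__ == "__main__":
    for number, finding in audit(SAMPLE_CONFIG):
        print(f"line {number}: {finding}")
    print(redact(SAMPLE_CONFIG))
```

Findings are reported by line number so the audit output itself never repeats a community string.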

Joseph W. Doherty
Hall of Fame

"Is it possible to read the router configuration if you have read only community string."

I recall (?), by default, you have access to everything the device supports through SNMP access except for updating/changing. I.e., I believe you can download the router config.