cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8393
Views
0
Helpful
11
Replies

SNMP Read Only

mmali
Level 1
Level 1

Hi,

What are the feature of SNMP Read Only community string.

Is it possible to read the router configuration if you have read only community string.

Regards

M

11 Replies 11

sachinraja
Level 9
Level 9

Hi M,

Read only strings can view the device configuration and fetch it on your PC. you cannot change or do anything else with the configuration. you can configure this by the following command on ur router:

snmp-server community abcxyz RO

any snmp-enabled device can access the router and use the RO community string.

hope this helps... all the best.. rate replies if found useful..

Hi,

Is there a Cisco Document explaining this.

Regards

M

Hi,

below document explains snmp.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a008030c762.html

all the best.. rate replies if found useful

If I view/download a switch config using the RO community string, does it redact sensitive information, like passwords, the RW community string, etc.?

"If I view/download a switch config using the RO community string, does it redact sensitive information, like passwords, the RW community string, etc.?"

Good question.  It's been a long, long time since I pulled a config, from a device, using a SNMP (RO or RW).  I recall (???) it sends the config text same as it would if you did a show config.

Thanks! If that's the case, then since the v1 community strings are shown as plaintext yes the RW string would be visible. That seems kinda broken, though.

It's been so long, I don't recall actual behavior, but SNMP strings might be encrypted if "service password-encryption" is enabled.

In my case, "service password-encryption" is enabled, but if I do a show run the community strings are shown in cleartext.

Hello,

 

the only way I know of to get a sanitized config is to use 'show tech', which of course gets you a whole lot more information than you want or need.

 

That said, you could filter the output of 'sh run' with keywords that are excluded, e.g.:

 

show run | exclude password|snmp

jaregalado
Level 1
Level 1

Hi,

Read-only SNMP communities are very useful for the simple fact that you can restrict your NMS operations personnel from commiting costly mistakes.

Suppose someone accidentally clicks the shutdown option on that nice colorful HP OpenView screen and there it goes your E3 interface carring your angry customers' traffic.

With a read-only community string you can still use your monitoring software but changes in your routers/switches configurations are not allowed. You need to make changes with the Cisco IOS CLI in that case.

Right now I'm evaluating some NMS software and because no one is exempt from making some mistakes once in a blue moon I prefer to use read-only mode while performing our tests. This is what I use:

!-- allowed NMS station

access-list 11 permit 10.1.2.3

!-- community string

snmp-server community ReAdOnLy RO 11

Regards.

Joseph W. Doherty
Hall of Fame
Hall of Fame

"Is it possible to read the router configuration if you have read only community string."

I recall (?), by default, you have access to everything the device supports through SNMP access except for updating/changing.  I.e. believe you can download the router config.

Review Cisco Networking for a $25 gift card