05-29-2008 06:24 PM
Hi,
I would like to know what can be performed through SNMP to a router or a switch using SNMP write access. Will there be any possible risk behind granting SNMP write access to the network device?
Thank you so much.
Joseph
05-29-2008 08:26 PM
Allowing SNMP read-write access gives one complete control over the device. Using SNMP, one can replace the entire configuration of the device.
If you enable SNMP read-write access be sure to limit who can use the SNMP read-write community string by using ACLs. If possible, use SNMPv3 to further secure the credentials with hashing.
05-29-2008 08:53 PM
Hi,
Thanks for the info. We need to allow SNMP write access for the Service Provider as we are going to move into MPLS. This SNMP write access is required on the CE routers. For your information, the CE is managed by my company as this is the unmanaged services we had requested from the provider.
We have a security policy which doesn't allow anybody to access our network devices using SNMP especially for write access. For reporting purposes, we only grant read-only access.
As we're moving towards MPLS, this becomes mandatory as the provider is requesting write access on the routers managed by my company.
Please advise.
regards,
Joseph
05-29-2008 09:09 PM
Find out if the provider can use SNMPv3. If so, configure that along with ACLs to limit access to just the provider's IPs. If they must use v1/v2c, configure a tough-to-guess community string with the same ACLs. See http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#fortify for more details.
05-29-2008 11:41 PM
Hi,
Thank you so much for the explanation.
Have a nice day!
Cheers.
Joseph
05-28-2014 08:31 AM
Hi,
I know this post is quite old.
We also have unmanaged CE and our Service Provider is requesting write access from us for performance reporting purposes (IP SLA) in an MPLS environment.
Do you know why the Service Provider is requesting read-write access? They cannot run SNMP/obtain information only with read access?
Thanks a lot for your response
05-29-2014 01:57 AM
Ideally you should start a new thread and you can always point/refer to old posts via links.
I am not sure why your SP is asking for RW access. IP SLA does require SNMP RW access to configure via SNMP, but I am not sure why your SP wants to configure IP SLA on your device.
To check IP SLA, they should ideally configure it on their devices as source and have your devices as destination. For your devices to be more responsive, they can ask you to configure your device as IP SLA Responder, which is kind of normal.
You should ask and check more details on what specifically they want to do by asking for SNMP RW access to your devices.
-Thanks
Vinod
**Encourage Contributors. RATE Them.**
05-30-2014 02:44 AM
Hi,
Thank you for your answer,
Actually we signed SLA performance indicators from CE to CE. They say they need CE write access to be able to use SNMP for monitoring. If this is not enough information for you to respond, please let me know and I will try to request more detailed information.
Best Regards
05-30-2014 03:08 AM
If you mean you have CE routers on two sites and in between your SP has PE, you have signed to know the performance indicators on IP SLA between one site CE to another?
If yes, then following are the options:
1. You or your network administrator configures IP SLA on your CE and your SP can collect statistics using SNMP RO access.
2. You can provide restricted access to only one of the CE by creating SNMP ACL effectively associated to SNMP Community strings (on SNMP v2) OR Passwords (on SNMP v3).
-Thanks
Vinod
**Encourage Contributors. RATE Them.**
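As an added example (not code from any poster in this thread), the following sketch audits a router configuration for the conditions the answers above warn about: v1/v2c read-write communities that have no ACL, or an ACL that does not actually restrict sources. The sample configuration, community names and ACL numbers are constructed, and the parser assumes numbered standard ACLs and the plain `snmp-server community <string> [view <name>] RO|RW [acl]` form only.

```python
import re

# Constructed sample running-config excerpt (not taken from the thread).
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.10
access-list 10 deny any log
access-list 20 permit any
snmp-server community monitor-ro RO
snmp-server community sp-write-1 RW
snmp-server community sp-write-2 RW 20
snmp-server community sp-write-3 RW 10
snmp-server community sp-write-4 RW 30
"""

COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?\s*$", re.I)
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (.+)$", re.I)


def audit_snmp(config):
    """Return (community, finding) pairs for every read-write community."""
    acls = {}  # ACL number -> list of (action, first source token)
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            entry = (m.group(2).lower(), m.group(3).split()[0].lower())
            acls.setdefault(m.group(1), []).append(entry)
    findings = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m or m.group(2).upper() != "RW":
            continue  # read-only communities are out of scope for this check
        name, acl = m.group(1), m.group(3)
        if acl is None:
            findings.append((name, "RW with no ACL: any source may write"))
        elif acl not in acls:
            findings.append((name, f"RW references undefined ACL {acl}"))
        elif ("permit", "any") in acls[acl]:
            findings.append((name, f"RW ACL {acl} permits any source"))
        else:
            findings.append((name, f"RW limited by ACL {acl}; prefer SNMPv3"))
    return findings


if __name__ == "__main__":
    for community, finding in audit_snmp(SAMPLE_CONFIG):
        print(f"{community}: {finding}")
```

Even the best case here is reported, because a v1/v2c community string crosses the network in clear text; the ACL narrows who can use it but does not protect it in transit.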