snmpget using removed 'public' comm str returns nosuchobject instead of not responding

John Biederstedt · ‎09-30-2013

I'v seen this on 3750's and 6500's. the 3750s are running 12.2(35)SE2, and the 6500s are running 12.2(33)SXH2a. "no snmp-server community public" was issued on both, with no effect.

Here's what happens:

$ snmpget -v 2c -c public switch 1.3.6.1.2.1.1

SNMPv2-MIB::system = No Such Object available on this agent at this OID

$ snmpget -v 2c -c blahblah switch 1.3.6.1.2.1.1

$

Since 'no snmp-server community public' was issued, my expectation would be that using the public community string would get no response, rather than nosuchobject. Nexus 7k's, for example, just don't respond to the public string. Is there something else to do besides the 'no snmp-server community public'?

Jonn cos · ‎09-30-2013

Can you show the config ?

Jonn cos · ‎09-30-2013

if you want to disable snmp completely then following is the command

config term

no snmp-server

John Biederstedt · ‎09-30-2013

Can't show the config (company policy - even sanitized is probably not allowed) and can't shutdown snmp, other than that there is a readonly non-public string and a readwrite non-private string. I tried "no snmp-server community public", but that didn't affect anything.

I'm posting here because given that the public community string isn't configured, this is unexpected and undesireable behavior. Also, it fails security scans. And it seems endemic to IOS at this point, unless there is some other way to double-down remove the public string. Based on the response, it looks like the public string isn't removed, but detached from the SNMP tree.

Just trolling here to see if anyone else has had the same problem.