02-13-2009 07:20 AM - edited 03-06-2019 04:01 AM
Howdy Folks,
I want to stop SNMP queries to a switch. However, I want to allow certain Monitoring machines access. Is there a ACL i can apply?
02-13-2009 07:29 AM
Hello Maurice,
there are two criteria that can be used:
an IP ACL that specifies which source IP addresses can perform an SNMP get and receive an answer.
This is simply an ACL that can be specified as a parameter in
snmp-server community community-name RO acl-number
Another possible tuning is that of allowing only some MIBs to get an answer.
This second feature is called an SNMP view and can be used since SNMP vers. 2.0
snmp-server view view-name oid-tree {included | excluded}
The logic is that of an ACL and you need to exclude what is not to be asked.
Then you need a sort of permit-any include.
Then this can be combined in
snmp-server community community-name RO acl-number view view-name
For simple control of source addresses it is enough to use a standard ACL
like
access-list 11 permit 10.50.62.0 0.0.0.255
only hosts in 10.50.62.0/24 are allowed to perform SNMP gets to the device
Hope to help
Giuseppe
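As an added illustration (not part of the original thread and not Cisco code), the following Python model applies the two criteria Giuseppe describes, a standard ACL on the source address and an SNMP view on the requested OID subtree, to decide whether a given get would be answered. The view name MON and its entries are constructed for the example; the ACL is the one from the post.

```python
import ipaddress

# Standard ACL in the form used in the post: (action, address, wildcard mask).
# access-list 11 permit 10.50.62.0 0.0.0.255  (implicit "deny any" at the end)
ACL_11 = [("permit", "10.50.62.0", "0.0.0.255")]

# Constructed SNMP view "MON": a permit-any style include of the internet
# subtree, then explicit excludes for the SNMP security/VACM MIBs that the
# snmpwalk in the thread shows the device advertising.
VIEW_MON = [
    ("1.3.6.1", "included"),
    ("1.3.6.1.6.3.16", "excluded"),  # SNMP-VIEW-BASED-ACM-MIB
    ("1.3.6.1.6.3.15", "excluded"),  # SNMP-USER-BASED-SM-MIB
]


def acl_permits(acl, src_ip):
    """First-match evaluation of a standard ACL with wildcard masks."""
    src = int(ipaddress.IPv4Address(src_ip))
    for action, addr, wildcard in acl:
        base = int(ipaddress.IPv4Address(addr))
        wc = int(ipaddress.IPv4Address(wildcard))
        # A wildcard bit of 1 means "don't care"; compare only the 0 bits.
        if (src & ~wc & 0xFFFFFFFF) == (base & ~wc & 0xFFFFFFFF):
            return action == "permit"
    return False  # implicit deny


def _oid(text):
    return tuple(int(x) for x in text.strip(".").split("."))


def view_includes(view, oid):
    """The most specific (longest) matching subtree decides; no match = excluded."""
    target = _oid(oid)
    best = None
    for subtree, mode in view:
        sub = _oid(subtree)
        if target[: len(sub)] == sub and (best is None or len(sub) > len(best[0])):
            best = (sub, mode)
    return best is not None and best[1] == "included"


def snmp_get_answered(src_ip, oid, acl=ACL_11, view=VIEW_MON):
    """Both controls must pass: the ACL on the source, then the view on the OID."""
    return acl_permits(acl, src_ip) and view_includes(view, oid)


if __name__ == "__main__":
    for ip, oid in [("10.50.62.10", "1.3.6.1.2.1.1.5.0"),   # sysName, allowed host
                    ("10.30.18.50", "1.3.6.1.2.1.1.5.0"),   # host outside the ACL
                    ("10.50.62.10", "1.3.6.1.6.3.16.2.2.1")]:  # VACM subtree, excluded
        print(ip, oid, "answered" if snmp_get_answered(ip, oid) else "dropped")
```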
02-13-2009 08:05 AM
I wanted to mention this is a Cisco 9513 Director and this is the following information from the security team:
snmpwalk 10.30.18.23 camphill
.iso.3.6.1.2.1.1.1.0 = "Cisco SAN-OS(tm) m9500, Software (m9500-sf2ek9-mz), Version 3.2(3), RELEASE SOFTWARE (fc2) Copyright (c) 2002-2005 by Cisco Systems, Inc. Compiled 12/6/2007 10:00:00"
.iso.3.6.1.2.1.1.2.0 = OID: .iso.3.6.1.4.1.9.12.3.1.3.375
.iso.3.6.1.2.1.1.3.0 = Timeticks: (1836084932) 212 days, 12:14:09.32
.iso.3.6.1.2.1.1.4.0 = ""
.iso.3.6.1.2.1.1.5.0 = "penn9506-a-0"
.iso.3.6.1.2.1.1.6.0 = ""
.iso.3.6.1.2.1.1.7.0 = 70
.iso.3.6.1.2.1.1.8.0 = Timeticks: (4294885615) 497 days, 2:14:16.15
.iso.3.6.1.2.1.1.9.1.2.1 = OID: .iso.3.6.1.6.3.1
.iso.3.6.1.2.1.1.9.1.2.2 = OID: .iso.3.6.1.2.1.49
.iso.3.6.1.2.1.1.9.1.2.3 = OID: .iso.3.6.1.2.1.4
.iso.3.6.1.2.1.1.9.1.2.4 = OID: .iso.3.6.1.2.1.50
.iso.3.6.1.2.1.1.9.1.2.5 = OID: .iso.3.6.1.6.3.16.2.2.1
.iso.3.6.1.2.1.1.9.1.2.6 = OID: .iso.3.6.1.6.3.10.3.1.1
.iso.3.6.1.2.1.1.9.1.2.7 = OID: .iso.3.6.1.6.3.11.3.1.1
.iso.3.6.1.2.1.1.9.1.2.8 = OID: .iso.3.6.1.6.3.15.2.1.1
.iso.3.6.1.2.1.1.9.1.3.1 = "The MIB module for SNMPv2 entities"
.iso.3.6.1.2.1.1.9.1.3.2 = "The MIB module for managing TCP implementations"
.iso.3.6.1.2.1.1.9.1.3.3 = "The MIB module for managing IP and ICMP implementations"
.iso.3.6.1.2.1.1.9.1.3.4 = "The MIB module for managing UDP implementations"
.iso.3.6.1.2.1.1.9.1.3.5 = "View-based Access Control Model for SNMP."
^C^C
02-13-2009 08:19 AM
Hello Maurice,
use the following as a reference
the device supports also SNMP vers. 3 that is recommended.
SNMPv3 requires the creation of users and allows for encryption and for the usage of views.
However, if you use SNMP v2c you can use SNMP communities, and the command I showed in my first post can be used:
snmp-server community snmp_Community ro
Hope to help
Giuseppe