
Recipe 17.7 Limiting MIB Access

17.7.1 Problem

You want to limit which MIB variables can be remotely accessed with SNMP.

17.7.2 Solution

You can use the following commands to restrict SNMP access to portions of the MIB tree. This example shows the legacy configuration method:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 deny any log
Router(config)#snmp-server view ORAVIEW mib-2 included
Router(config)#snmp-server view ORAVIEW at excluded 
Router(config)#snmp-server view ORAVIEW cisco included
Router(config)#snmp-server community ORARO view ORAVIEW ro 99
Router(config)#snmp-server view RESTRICTED lsystem.55 included
Router(config)#snmp-server community ORARW view RESTRICTED rw 99
Router(config)#end
Router#

Cisco also has a new method for restricting MIB access, which uses the snmp-server group command:

Router#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server view ORAVIEW mib-2 included
Router(config)#snmp-server view ORAVIEW at excluded   
Router(config)#snmp-server view ORAVIEW cisco included
Router(config)#snmp-server group TEST v1 read ORAVIEW 
Router(config)#snmp-server user ORARO TEST v1    
Router(config)#snmp-server view RESTRICTED lsystem.55 included
Router(config)#snmp-server group TEST2 v1 write RESTRICTED
Router(config)#snmp-server user ORARW TEST2 v1     
Router(config)#end                                    
Router#

17.7.3 Discussion

By default, enabling SNMP services on your router allows SNMP servers to access the entire SNMP MIB tree. However, you might want to limit which MIB variables can be remotely retrieved or changed, usually for security reasons. We strongly recommend that you limit SNMP write access to only those MIB objects that you absolutely need to change remotely. Remember that it is very easy for a malicious user to cause serious network problems by modifying MIB variables that control the router's configuration.

You can assign an SNMP MIB view to an individual community string or share a view among several community strings (including both read-only and read-write access strings). Assigning a MIB view to a read-only community string restricts which MIB variables can be displayed. Similarly, assigning an SNMP MIB view to a read-write community string restricts which MIB variables you can view or alter.

A MIB view can restrict access to a single MIB object, allow access to all but one MIB object, or anything in between. For instance, in both examples we created a view named RESTRICTED and assigned it to the read-write community string ORARW. This view restricts access to a single MIB entry, lsystem.55, which is the MIB object that triggers the router to send its configuration file to a TFTP server (used for nightly configuration backups). The router prevents any other access to the MIB tree through that community string.

We also created an SNMP view named ORAVIEW, which is less restrictive. In this case, we want to allow access to the MIB-2 variables but prevent access to the ARP table (at) subtree, which we do by using the excluded keyword. At the same time, we allow access to the entire Cisco proprietary MIB tree by including the cisco subtree.

To illustrate the functionality of SNMP MIB views, here's an SNMP walk of a router's default MIB tree:

Freebsd% snmpwalk -v1 -c ORARO Router
system.sysDescr.0 = Cisco Internetwork Operating System Software 
IOS (tm) C2600 Software (C2600-JK9O3S-M), Version 12.2(7a), RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 21-Feb-02 03:48 by pwade
system.sysObjectID.0 = OID: enterprises.9.1.209
system.sysUpTime.0 = Timeticks: (26809590) 3 days, 2:28:15.90
system.sysContact.0 = Ian Brown 416-555-2943
system.sysName.0 = Router.oreilly.com
system.sysLocation.0 = 999 Queen St. W., Toronto, Ont.
system.sysServices.0 = 78
system.sysORLastChange.0 = Timeticks: (0) 0:00:00.00
interfaces.ifNumber.0 = 10
interfaces.ifTable.ifEntry.ifIndex.1 = 1
interfaces.ifTable.ifEntry.ifIndex.2 = 2
interfaces.ifTable.ifEntry.ifIndex.3 = 3
interfaces.ifTable.ifEntry.ifIndex.4 = 4
interfaces.ifTable.ifEntry.ifIndex.5 = 5
interfaces.ifTable.ifEntry.ifIndex.6 = 6
interfaces.ifTable.ifEntry.ifIndex.7 = 7
interfaces.ifTable.ifEntry.ifIndex.8 = 8
interfaces.ifTable.ifEntry.ifIndex.9 = 9
<8000+ lines Removed>
End of MIB
Freebsd%

Walking the full MIB tree of a Cisco router can take a great deal of time. This router's MIB tree consisted of more than 8000 entries. However, if we implement a simple SNMP MIB view, the result is quite different:

Router#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server view TEST system.5 included
Router(config)#snmp-server community COOKBOOK view TEST ro
Router(config)#end
Router#

In this example, the router restricts access to a single MIB entry, sysName (system.5). Now when we attempt to walk the entire MIB tree again, the router sends only this single variable:

Freebsd% snmpwalk -v1 -c COOKBOOK Router 
system.sysName.0 = Router.oreilly.com
End of MIB
Freebsd%

Note that the router displays a single entry, sysName, and reports that it has reached the "End of MIB," effectively preventing more than 8000 MIB objects from being accessed via this particular community string.
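To make the view semantics concrete, here is an added Python model (not from the Cookbook and not Cisco's code) that resolves an OID against a view's included and excluded subtrees and then simulates a walk through the ORAVIEW, RESTRICTED, TEST and v1default views defined in this recipe. It assumes the longest-matching-subtree rule of the SNMP VACM (RFC 3415) for overlapping entries, the standard numeric assignments for the symbolic subtree names, and a constructed seven-entry OID list in place of a real 8000-entry walk; view masks are not modelled.

```python
"""Model of how SNMP MIB views (included/excluded subtrees) decide OID visibility.

Added illustration; not code from the Cisco Cookbook or from Cisco IOS.
Assumes the longest-matching-subtree rule of the SNMP VACM (RFC 3415, section 3.5)
and the standard numeric assignments for the symbolic subtree names in the recipe.
"""
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]

# Symbolic subtree names from the recipe, mapped to their numeric OIDs
# (standard MIB-II and Cisco enterprise assignments).
SUBTREES: Dict[str, str] = {
    "internet": "1.3.6.1",
    "mib-2": "1.3.6.1.2.1",
    "system": "1.3.6.1.2.1.1",
    "interfaces": "1.3.6.1.2.1.2",
    "at": "1.3.6.1.2.1.3",
    "ip": "1.3.6.1.2.1.4",
    "cisco": "1.3.6.1.4.1.9",
    "lsystem": "1.3.6.1.4.1.9.2.1",
}


def to_oid(name: str) -> OID:
    """Turn 'system.5', 'lsystem.55' or a dotted numeric string into an OID tuple."""
    head, _, rest = name.partition(".")
    base = SUBTREES.get(head, head)  # an unknown head is assumed to be numeric already
    full = base + ("." + rest if rest else "")
    return tuple(int(part) for part in full.split("."))


class View:
    """An SNMP view: a list of (subtree, included) families, like 'snmp-server view'."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.families: List[Tuple[OID, bool]] = []

    def add(self, subtree: str, included: bool) -> "View":
        # Mirrors 'snmp-server view NAME SUBTREE included|excluded' (no mask support).
        self.families.append((to_oid(subtree), included))
        return self

    def permits(self, oid: OID) -> bool:
        """Visible iff the longest subtree that is a prefix of oid is 'included'.
        An OID matched by no family is not visible at all."""
        best: Optional[Tuple[OID, bool]] = None
        for prefix, included in self.families:
            if oid[: len(prefix)] == prefix and (best is None or len(prefix) > len(best[0])):
                best = (prefix, included)
        return best is not None and best[1]

    def ios_config(self) -> List[str]:
        """Render the IOS commands that would define this view, in numeric OID form."""
        return [
            f"snmp-server view {self.name} {'.'.join(map(str, prefix))} "
            f"{'included' if included else 'excluded'}"
            for prefix, included in self.families
        ]


def walk(view: View, oids: List[str]) -> List[str]:
    """Simulate an snmpwalk through a view: keep only the OIDs the view permits."""
    return [o for o in oids if view.permits(to_oid(o))]


# The views from the recipe, rebuilt with the model.
ORAVIEW = View("ORAVIEW").add("mib-2", True).add("at", False).add("cisco", True)
RESTRICTED = View("RESTRICTED").add("lsystem.55", True)
TEST = View("TEST").add("system.5", True)
# The router's built-in v1default as 'show snmp view' reports it: everything under
# internet except the three SNMPv3 subtrees internet.6.3.15, .16 and .18.
V1DEFAULT = (View("v1default").add("internet", True)
             .add("internet.6.3.15", False).add("internet.6.3.16", False)
             .add("internet.6.3.18", False))

# Constructed sample of OIDs a real walk would visit (a stand-in for 8000+ entries).
SAMPLE_WALK = [
    "system.1.0",                # sysDescr
    "system.5.0",                # sysName
    "interfaces.1.0",            # ifNumber
    "at.1.1.1.1.10.0.0.1",       # a constructed row in the address translation (ARP) table
    "ip.1.0",                    # ipForwarding
    "lsystem.55.0",              # the config-to-TFTP object used by the RESTRICTED view
    "internet.6.3.15.1.1.1.0",   # an object under the excluded SNMPv3 subtree
]

if __name__ == "__main__":
    for v in (ORAVIEW, RESTRICTED, TEST, V1DEFAULT):
        print(v.name, "->", walk(v, SAMPLE_WALK))
```

Running the script prints, for each view, the subset of the constructed walk that the view lets through: ORAVIEW drops only the at row and the SNMPv3 object, RESTRICTED and TEST each return a single entry, and v1default returns everything except the SNMPv3 object. The longest-prefix rule is what makes "at excluded" override "mib-2 included" even though both match the ARP row.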

You can use the show snmp group EXEC command to see which views are assigned to which community string:

Router>show snmp group
groupname: ORARO                        security model:v1 
readview :v1default                     writeview: <no writeview specified> 
notifyview: <no notifyview specified>
row status: active
   
groupname: COOKBOOK                     security model:v1 
readview :TEST                          writeview: <no writeview specified> 
notifyview: <no notifyview specified>
row status: active
          
Router>

In this example, the community string ORARO has the default SNMP view, v1default. This means the entire MIB tree is accessible.

To see which MIB entries are assigned to which SNMP MIB view, use the following (hidden) command:

Router#show snmp view 
ORAVIEW mib-2 - included nonvolatile active
ORAVIEW at - excluded nonvolatile active
ORAVIEW cisco - included nonvolatile active
v1default internet - included volatile active
v1default internet.6.3.15 - excluded volatile active
v1default internet.6.3.16 - excluded volatile active
v1default internet.6.3.18 - excluded volatile active
RESTRICTED cisco - included nonvolatile active
RESTRICTED lsystem.55 - included nonvolatile active
Router#

Table 17-2 lists a number of valid MIB trees that the router will accept within an SNMP view. Keep in mind that this is not an exhaustive list and that the router will also accept OIDs in their numerical format.

Table 17-3. Valid OID-trees for use with SNMP views

Keyword         Description
internet        Entire MIB tree
mib-2           Entire MIB-II tree
system          System branch of the MIB-II tree
interfaces      Interface branch of the MIB-II tree
at              ARP table branch of the MIB-II tree
ip              IP routing table branch of the MIB-II tree
icmp            ICMP statistics branch of the MIB-II tree
tcp             TCP statistics branch of the MIB-II tree
udp             UDP statistics branch of the MIB-II tree
transmission    Transmission statistics of the MIB-II tree
snmp            SNMP statistics branch of the MIB-II tree
ospf            OSPF MIB
bgp             BGP MIB
rmon            RMON MIB
cisco           Cisco's enterprise MIB tree
x25             X.25 MIB
ifEntry         Interface statistics MIB objects
lsystem         Cisco's system MIB

17.7.4 See Also

Recipe 17.1; Recipe 17.2
