You want to limit which MIB variables can be remotely accessed with SNMP.
You can use the following commands to restrict SNMP access to portions of the MIB tree. This example shows the legacy configuration method:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 deny any log
Router(config)#snmp-server view ORAVIEW mib-2 included
Router(config)#snmp-server view ORAVIEW at excluded
Router(config)#snmp-server view ORAVIEW cisco included
Router(config)#snmp-server community ORARO view ORAVIEW ro 99
Router(config)#snmp-server view RESTRICTED lsystem.55 included
Router(config)#snmp-server community ORARW view RESTRICTED rw 99
Router(config)#end
Router#
Cisco also has a new method for restricting MIB access, which uses the snmp-server group command:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server view ORAVIEW mib-2 included
Router(config)#snmp-server view ORAVIEW at excluded
Router(config)#snmp-server view ORAVIEW cisco included
Router(config)#snmp-server group TEST v1 read ORAVIEW
Router(config)#snmp-server user ORARO TEST v1
Router(config)#snmp-server view RESTRICTED lsystem.55 included
Router(config)#snmp-server group TEST2 v1 write RESTRICTED
Router(config)#snmp-server user ORARW TEST2 v1
Router(config)#end
Router#
By default, enabling SNMP services on your router allows SNMP servers to access the entire SNMP MIB tree. However, you might want to limit which MIB variables can be remotely retrieved or changed, usually for security reasons. We strongly recommend that you limit SNMP write access to only those MIB objects that you absolutely need to change remotely. Remember that it is very easy for a malicious user to cause serious network problems by modifying MIB variables that control the router's configuration.
You can assign an SNMP MIB view to an individual community string or share a view among several community strings (including both read-only and read-write access strings). Assigning a MIB view to a read-only community string restricts which MIB variables can be displayed. Similarly, assigning an SNMP MIB view to a read-write community string restricts which MIB variables you can view or alter.
A MIB view can restrict access to a single MIB object, allow access to all but one MIB object, or anything in between. For instance, in both examples we assigned a view named RESTRICTED to the read-write community string ORARW. This view restricts access to a single MIB entry, lsystem.55, which is the MIB object that triggers the router to send its configuration file to a TFTP server (for nightly configuration backups). The router will prevent any other access to the MIB tree through this community string.
We also created an SNMP view named ORAVIEW, which is less restrictive. In this case, we want to allow access to the MIB-2 variables but prevent access to the ARP table (AT) tree, which we can do by using the excluded keyword. At the same time, we allow access to the entire Cisco proprietary MIB tree by including the cisco MIB.
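To make the rules behind ORAVIEW and RESTRICTED concrete, here is an added Python model of how a view decides whether a given OID is reachable. It is not code from the Cisco IOS Cookbook or from IOS itself: it assumes the longest-matching-subtree rule of RFC 3415 VACM view families (a more specific excluded entry overrides a broader included one, which is why the at subtree disappears from ORAVIEW), and it maps the recipe's keywords to the standard MIB-II and Cisco enterprise OID prefixes. The view definitions it parses are the ones shown in the recipe; the OIDs it checks are constructed test inputs.

```python
"""Model of how a Cisco IOS SNMP view decides whether an OID is reachable.

Added example (not from the Cisco IOS Cookbook): a view is a list of
included/excluded subtrees, and the entry with the longest matching prefix
decides, as in RFC 3415 VACM view families.  Symbolic names map to the
standard MIB-II and Cisco enterprise OID assignments.
"""

# Standard OID prefixes for the keywords used in the recipe's examples.
OID_NAMES = {
    "internet": "1.3.6.1",
    "mib-2": "1.3.6.1.2.1",
    "system": "1.3.6.1.2.1.1",
    "interfaces": "1.3.6.1.2.1.2",
    "at": "1.3.6.1.2.1.3",
    "ip": "1.3.6.1.2.1.4",
    "cisco": "1.3.6.1.4.1.9",
    "lsystem": "1.3.6.1.4.1.9.2.1",   # OLD-CISCO-SYS-MIB local system group
}


def resolve(name: str) -> tuple:
    """Turn 'lsystem.55', 'system.5.0' or a dotted numeric OID into a tuple of ints."""
    head, _, tail = name.partition(".")
    if head in OID_NAMES:
        name = OID_NAMES[head] + ("." + tail if tail else "")
    return tuple(int(x) for x in name.split("."))


class MibView:
    """An SNMP view: a list of (subtree prefix, included?) entries."""

    def __init__(self, name: str):
        self.name = name
        self.entries = []

    def add(self, subtree: str, included: bool) -> None:
        self.entries.append((resolve(subtree), included))

    def permits(self, oid: str) -> bool:
        """True if the longest matching subtree entry is 'included'.

        An OID that matches no entry at all is not reachable through the view.
        """
        target = resolve(oid)
        best = None
        for prefix, included in self.entries:
            if target[:len(prefix)] == prefix:
                if best is None or len(prefix) > len(best[0]):
                    best = (prefix, included)
        return best is not None and best[1]


def views_from_config(config: str) -> dict:
    """Build MibView objects from 'snmp-server view NAME SUBTREE included|excluded' lines."""
    views = {}
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] == ["snmp-server", "view"] and len(parts) == 5:
            name, subtree, mode = parts[2], parts[3], parts[4]
            views.setdefault(name, MibView(name)).add(subtree, mode == "included")
    return views


# The view definitions from the recipe, as they appear in the running-config.
RECIPE_CONFIG = """
snmp-server view ORAVIEW mib-2 included
snmp-server view ORAVIEW at excluded
snmp-server view ORAVIEW cisco included
snmp-server view RESTRICTED lsystem.55 included
snmp-server view TEST system.5 included
"""

VIEWS = views_from_config(RECIPE_CONFIG)


def check(view_name: str, oid: str) -> bool:
    """Is OID reachable through the named view from the recipe config?"""
    return VIEWS[view_name].permits(oid)


if __name__ == "__main__":
    # Constructed sample OIDs: sysName, an ARP entry, lsystem.55, a neighbour of it.
    for view, oid in [("ORAVIEW", "system.5.0"), ("ORAVIEW", "at.1.1.1"),
                      ("ORAVIEW", "cisco.2.1.55.0"), ("RESTRICTED", "lsystem.54.0"),
                      ("RESTRICTED", "lsystem.55.0"), ("TEST", "system.4.0")]:
        print(f"{view:10} {oid:18} -> {'permitted' if check(view, oid) else 'denied'}")
```

The model reproduces the behaviour described above: sysName is reachable through ORAVIEW because it sits under mib-2, an ARP entry is not because the at entry is the longest match and is excluded, and RESTRICTED exposes lsystem.55 and nothing beside it. Before relying on a view, confirm the same results against the router with an snmpwalk on the community string, as the recipe does below.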
To illustrate the functionality of SNMP MIB views, here's an SNMP walk of a router's default MIB tree:
Freebsd% snmpwalk -v1 -c ORARO Router
system.sysDescr.0 = Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JK9O3S-M), Version 12.2(7a), RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 21-Feb-02 03:48 by pwade
system.sysObjectID.0 = OID: enterprises.9.1.209
system.sysUpTime.0 = Timeticks: (26809590) 3 days, 2:28:15.90
system.sysContact.0 = Ian Brown 416-555-2943
system.sysName.0 = Router.oreilly.com
system.sysLocation.0 = 999 Queen St. W., Toronto, Ont.
system.sysServices.0 = 78
system.sysORLastChange.0 = Timeticks: (0) 0:00:00.00
interfaces.ifNumber.0 = 10
interfaces.ifTable.ifEntry.ifIndex.1 = 1
interfaces.ifTable.ifEntry.ifIndex.2 = 2
interfaces.ifTable.ifEntry.ifIndex.3 = 3
interfaces.ifTable.ifEntry.ifIndex.4 = 4
interfaces.ifTable.ifEntry.ifIndex.5 = 5
interfaces.ifTable.ifEntry.ifIndex.6 = 6
interfaces.ifTable.ifEntry.ifIndex.7 = 7
interfaces.ifTable.ifEntry.ifIndex.8 = 8
interfaces.ifTable.ifEntry.ifIndex.9 = 9
<8000+ lines Removed>
End of MIB
Freebsd%
Walking the full MIB tree of a Cisco router can take a great deal of time. This router's MIB tree consisted of more than 8000 entries. However, if we implement a simple SNMP MIB view, the result is quite different:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server view TEST system.5 included
Router(config)#snmp-server community COOKBOOK view TEST ro
Router(config)#end
Router#
In this example, the router restricts access to a single MIB entry, sysName (system.5). Now when we attempt to walk the entire MIB tree again, the router sends only this single variable:
Freebsd% snmpwalk -v1 -c COOKBOOK Router
system.sysName.0 = Router.oreilly.com
End of MIB
Freebsd%
Note that the router displays a single entry, sysName, and reports that it has reached the "End of MIB," effectively preventing more than 8000 MIB objects from being accessed via this particular community string.
You can use the show snmp group EXEC command to see which views are assigned to which community string:
Router>show snmp group
groupname: ORARO                            security model:v1
readview : v1default                        writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active

groupname: COOKBOOK                         security model:v1
readview : TEST                             writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active

Router>
In this example, the community string ORARO has the default SNMP view, v1default. This means the entire MIB tree is accessible.
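Because a community string with no view silently gets v1default, it is worth auditing the running-config for community strings that carry write access to the whole tree or that have no source access-list. The following Python script is an added example, not the book's or Cisco's code: it parses snmp-server community lines in the IOS syntax shown in this recipe (view, ro/rw and a trailing standard ACL), and the sample config it reads is constructed from the recipe's community strings plus one deliberately weak line (LEGACY) for illustration.

```python
"""Audit the SNMP community strings in an IOS running-config extract.

Added example, not from the Cisco IOS Cookbook.  It parses
'snmp-server community <string> [view <name>] [ro|rw] [acl]' lines and
reports community strings that carry write access to the whole tree
(no view, so the v1default view applies) or that have no source ACL.
"""

V1DEFAULT = "v1default"   # view IOS applies when a community has none


def parse_communities(config: str) -> list:
    """Return one dict per 'snmp-server community' line."""
    found = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] != ["snmp-server", "community"] or len(parts) < 3:
            continue
        entry = {"community": parts[2], "view": V1DEFAULT, "access": "ro", "acl": None}
        rest = parts[3:]
        i = 0
        while i < len(rest):
            tok = rest[i]
            if tok == "view" and i + 1 < len(rest):
                entry["view"] = rest[i + 1]
                i += 2
                continue
            if tok in ("ro", "rw"):
                entry["access"] = tok        # IOS defaults to ro when omitted
            elif tok == "ipv6" and i + 1 < len(rest):
                i += 2                       # skip 'ipv6 <nacl>'; not audited here
                continue
            else:
                entry["acl"] = tok           # trailing standard ACL number or name
            i += 1
        found.append(entry)
    return found


def audit(config: str) -> list:
    """Return (community, finding) pairs worth fixing."""
    findings = []
    for e in parse_communities(config):
        if e["access"] == "rw" and e["view"] == V1DEFAULT:
            findings.append((e["community"], "rw access to entire MIB tree"))
        if e["acl"] is None:
            findings.append((e["community"], "no source access-list"))
    return findings


# Constructed sample: the recipe's community strings plus one deliberately weak one.
SAMPLE_CONFIG = """
snmp-server view ORAVIEW mib-2 included
snmp-server view RESTRICTED lsystem.55 included
snmp-server community ORARO view ORAVIEW ro 99
snmp-server community ORARW view RESTRICTED rw 99
snmp-server community COOKBOOK view TEST ro
snmp-server community LEGACY rw
"""

if __name__ == "__main__":
    for community, finding in audit(SAMPLE_CONFIG):
        print(f"{community:10} {finding}")
```

Run against a real configuration, feed it the output of show running-config | include snmp-server. The ORARO and ORARW lines from the recipe pass both checks; COOKBOOK is flagged only for the missing access-list, which is acceptable for the walk demonstration but not for production, and LEGACY shows the case the recipe warns about: read-write access to every MIB object from any source address.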
To see which MIB entries are assigned to which SNMP MIB view, use the following (hidden) command:
Router#show snmp view
ORAVIEW mib-2 - included nonvolatile active
ORAVIEW at - excluded nonvolatile active
ORAVIEW cisco - included nonvolatile active
v1default internet - included volatile active
v1default internet.6.3.15 - excluded volatile active
v1default internet.6.3.16 - excluded volatile active
v1default internet.6.3.18 - excluded volatile active
RESTRICTED cisco - included nonvolatile active
RESTRICTED lsystem.55 - included nonvolatile active
Router#
Table 17-2 lists a number of valid MIB trees that the router will accept within an SNMP view. Keep in mind that this is not an exhaustive list and that the router will also accept OIDs in their numerical format.

Table 17-2. MIB tree keywords accepted in an SNMP view

| Keyword | Description |
|---|---|
| internet | Entire MIB tree |
| mib-2 | Entire MIB-II tree |
| system | System branch of the MIB-II tree |
| interfaces | Interface branch of the MIB-II tree |
| at | ARP table branch of the MIB-II tree |
| ip | IP routing table branch of the MIB-II tree |
| icmp | ICMP statistics branch of the MIB-II tree |
| tcp | TCP statistics branch of the MIB-II tree |
| udp | UDP statistics branch of the MIB-II tree |
| transmission | Transmission statistics branch of the MIB-II tree |
| snmp | SNMP statistics branch of the MIB-II tree |
| ospf | OSPF MIB |
| bgp | BGP MIB |
| rmon | RMON MIB |
| cisco | Cisco's enterprise MIB tree |
| x25 | X.25 MIB |
| ifEntry | Interface statistics MIB objects |
| lsystem | Cisco's system MIB |