Is there a way to provide RO SNMP access for a customer to a single interface on a device, an ASA in this case?

_________________
Find networking-forum.com on Facebook, LinkedIn, Twitter, Google+,or subscribe to the site's RSS feeds.

I've never heard of such an ACL. It's more typical to give the customer a single view to that interface on your NMS.

Maybe using views...

http://www.cisco.com/en/US/docs/ios/net ... #wp1014124

You'd have to sort out all the OIDs you want to allow though. It's not as simple as allowing an interface. Once you've defined the OIDs in the view then you can restrict it with 'snmp-server community COMMUNITY view VIEW ro' command like you would with just a straight up community.

Oh, and it likely goes without saying, but you'd for sure want ifindex persistence if you're doing this.

_________________
blog.brokennetwork.ca

You may be able to setup an SNMP view that's restricted to the OIDs for that interface and tie it to a community string for the customer. Can't say I've ever tried to go that granular with SNMP views though.

edit: Doh! Too slow.

From http://www.cisco.com/en/US/docs/securit ... _snmp.html :

_________________
Find networking-forum.com on Facebook, LinkedIn, Twitter, Google+,or subscribe to the site's RSS feeds.

I did not know about the view-based ACL's, which sound pretty neat. Also, didn't know about the ASA limitations either! Thanks, good stuff.