Cisco Works, SNMP, MIBs.
Steve
Site Admin
Posts: 10617
Joined: Mon Dec 06, 2004 6:46 pm
Certs: CCNA

RO SNMP to a single interface

Thu May 17, 2012 12:13 pm

Is there a way to provide RO SNMP access for a customer to a single interface on a device, an ASA in this case?

mlan
Ultimate Member
Posts: 792
Joined: Thu Nov 17, 2011 6:09 pm

Re: RO SNMP to a single interface

Thu May 17, 2012 12:21 pm

I've never heard of such an ACL. It's more typical to give the customer a single view to that interface on your NMS.

jdsilva
Post Whore
Posts: 5347
Joined: Mon Jan 17, 2005 11:01 pm
Certs: CCNP

Re: RO SNMP to a single interface

Thu May 17, 2012 12:25 pm

Maybe using views...

http://www.cisco.com/en/US/docs/ios/net ... #wp1014124

You'd have to sort out all the OIDs you want to allow though. It's not as simple as allowing an interface. Once you've defined the OIDs in the view, you can restrict it with the 'snmp-server community COMMUNITY view VIEW ro' command, like you would with just a straight-up community.

Oh, and it likely goes without saying, but you'd for sure want ifIndex persistence if you're doing this. :)
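
The view approach from the post above, as an added example that is not part of the original thread: a Python check that parses IOS `snmp-server view` lines and applies the RFC 3415 longest-match rule to confirm which OIDs a customer community could read. The view name CUST-IF3, community CUSTOMER, ifIndex 3 and the sample OIDs are constructed assumptions.

```python
# Added example (not from the thread): audit what an IOS SNMP view exposes.
# View name CUST-IF3 and ifIndex 3 are constructed; OIDs are IF-MIB columns.
VIEW_CONFIG = """\
snmp-server view CUST-IF3 1.3.6.1.2.1.2.2.1.*.3 included
snmp-server view CUST-IF3 1.3.6.1.2.1.31.1.1.1.*.3 included
snmp-server community CUSTOMER view CUST-IF3 ro
"""

def parse_views(config):
    """Return {view_name: [(subtree_parts, is_included), ...]}."""
    views = {}
    for line in config.splitlines():
        tok = line.split()
        is_view = len(tok) == 5 and tok[:2] == ["snmp-server", "view"]
        if is_view and tok[4] in ("included", "excluded"):
            subtree = tok[3].strip(".").split(".")
            views.setdefault(tok[2], []).append((subtree, tok[4] == "included"))
    return views

def in_view(entries, oid):
    """RFC 3415 rule: longest matching subtree decides; '*' matches any sub-id."""
    parts = oid.strip(".").split(".")
    best_key, best_included = None, False
    for subtree, included in entries:
        if len(subtree) > len(parts):
            continue
        # Compare sub-identifier by sub-identifier, never by string prefix,
        # so an entry ending in .3 does not match ifIndex 30.
        if all(s == "*" or s == p for s, p in zip(subtree, parts)):
            key = (len(subtree), [0 if s == "*" else int(s) for s in subtree])
            if best_key is None or key > best_key:
                best_key, best_included = key, included
    return best_included

def audit(config, view, oids):
    """Map each OID to True (readable through the view) or False."""
    entries = parse_views(config).get(view, [])
    return {oid: in_view(entries, oid) for oid in oids}

SAMPLE_OIDS = [
    "1.3.6.1.2.1.2.2.1.10.3",     # ifInOctets, ifIndex 3
    "1.3.6.1.2.1.31.1.1.1.6.3",   # ifHCInOctets, ifIndex 3
    "1.3.6.1.2.1.2.2.1.10.4",     # ifInOctets, another interface
    "1.3.6.1.2.1.2.2.1.10.30",    # ifIndex 30, must not match ".3"
    "1.3.6.1.2.1.1.1.0",          # sysDescr
]

if __name__ == "__main__":
    for oid, ok in audit(VIEW_CONFIG, "CUST-IF3", SAMPLE_OIDS).items():
        print(f"{oid:28} {'readable' if ok else 'hidden'}")
```

Because the view is keyed on the ifIndex value, it only stays correct if that index survives a reload, which is why ifIndex persistence matters here.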

Snuffleupagus
Member
Posts: 131
Joined: Thu Feb 12, 2009 5:23 pm

Re: RO SNMP to a single interface

Thu May 17, 2012 12:27 pm

You may be able to set up an SNMP view that's restricted to the OIDs for that interface and tie it to a community string for the customer. Can't say I've ever tried to go that granular with SNMP views though.

edit: Doh! Too slow.
http://blog.switchedbits.net/

Steve
Site Admin
Posts: 10617
Joined: Mon Dec 06, 2004 6:46 pm
Certs: CCNA

Re: RO SNMP to a single interface

Thu May 17, 2012 1:57 pm

From http://www.cisco.com/en/US/docs/securit ... _snmp.html :

Implementation Differences Between the ASA, ASA Services Module, and the Cisco IOS Software

The SNMP Version 3 implementation in the ASA and ASASM differs from the SNMP Version 3 implementation in the Cisco IOS software in the following ways:
[content removed]
- No support exists for view-based access control, which results in unrestricted MIB browsing.


:wall:

mlan
Ultimate Member
Posts: 792
Joined: Thu Nov 17, 2011 6:09 pm

Re: RO SNMP to a single interface

Thu May 17, 2012 4:10 pm

I did not know about the view-based ACLs, which sound pretty neat. Also, didn't know about the ASA limitations either! Thanks, good stuff.
