Limiting MIB Access

Problem

You want to limit which MIB variables can be remotely accessed with SNMP.

Solution

You can use the following commands to restrict SNMP access to portions of the MIB tree. This example shows the legacy configuration method:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 deny any log
Router(config)#snmp-server view ORAVIEW mib-2 included
Router(config)#snmp-server view ORAVIEW at excluded 
Router(config)#snmp-server view ORAVIEW cisco included
Router(config)#snmp-server community ORARO view ORAVIEW ro 99
Router(config)#snmp-server view RESTRICTED lsystem.55 included
Router(config)#snmp-server community ORARW view RESTRICTED rw 99
Router(config)#end
Router#

Cisco also has a new method for restricting MIB access, which uses the snmp-server group command:

Router#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server view ORAVIEW mib-2 included
Router(config)#snmp-server view ORAVIEW at excluded
Router(config)#snmp-server view ORAVIEW cisco included
Router(config)#snmp-server group TEST v1 read ORAVIEW 
Router(config)#snmp-server user ORARO TEST v1 
Router(config)#snmp-server view RESTRICTED lsystem.55 included
Router(config)#snmp-server group TEST2 v1 write RESTRICTED
Router(config)#snmp-server user ORARW TEST2 v1 
Router(config)#end 
Router#

 

Discussion

By default, enabling SNMP services on your router allows SNMP servers to access the entire SNMP MIB tree. However, sometimes you want to limit which MIB variables can be remotely retrieved or changed, usually for security reasons. We strongly recommend that you limit SNMP write access to only those MIB objects that you absolutely need to change remotely. Remember that it is very easy for a malicious user to cause serious network problems by modifying MIB variables that control the router's configuration.

You can assign an SNMP MIB view to an individual community string or share a view among several community strings including both read-only and read-write access strings. Assigning a MIB view to a read-only community string restricts which MIB variables can be displayed. Similarly, assigning an SNMP MIB view to a read-write community string restricts which MIB variables you can view or alter.

A MIB view can restrict access to a single MIB object; it can allow access to all but one MIB object, or anything in between. For instance, in both examples, we created a view named RESTRICTED to the read-write community string ORARW. This view restricts access to a single MIB entry, lsystem.55, which is the MIB object that triggers the router to send its configuration file to a TFTP server (for nightly configuration backups). The router will prevent any other access to the MIB tree.

We also create an SNMP view named ORAVIEW, which is less restrictive. In this case, we want to allow access to the MIB-2 variables, but prevent access to the ARP table (AT) tree, which we can do using the exclude keyword. We also allow access to the entire Cisco proprietary MIB tree by including the cisco MIB.

To illustrate the functionality of SNMP MIB views, we can first run an SNMP walk of a router's default MIB tree:

Freebsd% snmpwalk v1 -c ORARO Router
system.sysDescr.0 = Cisco Internetwork Operating System Software 
IOS (tm) C2600 Software (C2600-JK9O3S-M), Version 12.2(7a), RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 21-Feb-02 03:48 by pwade
system.sysObjectID.0 = OID: enterprises.9.1.209
system.sysUpTime.0 = Timeticks: (26809590) 3 days, 2:28:15.90
system.sysContact.0 = Ian Brown 416-555-2943
system.sysName.0 = Router.oreilly.com
system.sysLocation.0 = 999 Queen St. W., Toronto, Ont.
system.sysServices.0 = 78
system.sysORLastChange.0 = Timeticks: (0) 0:00:00.00
interfaces.ifNumber.0 = 10
interfaces.ifTable.ifEntry.ifIndex.1 = 1
interfaces.ifTable.ifEntry.ifIndex.2 = 2
interfaces.ifTable.ifEntry.ifIndex.3 = 3
interfaces.ifTable.ifEntry.ifIndex.4 = 4
interfaces.ifTable.ifEntry.ifIndex.5 = 5
interfaces.ifTable.ifEntry.ifIndex.6 = 6
interfaces.ifTable.ifEntry.ifIndex.7 = 7
interfaces.ifTable.ifEntry.ifIndex.8 = 8
interfaces.ifTable.ifEntry.ifIndex.9 = 9
<8000+ lines Removed>
End of MIB
Freebsd%

Walking the full MIB Tree of a Cisco router can take a great deal of time. This router's MIB Tree consisted of more than 8,000 entries. However, if we implement a simple SNMP MIB view, the result is quite different:

Router#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server view TEST system.5 included
Router(config)#snmp-server community COOKBOOK view TEST ro
Router(config)#end
Router#

In this example, the router restricts access to a single MIB entry, sysName (system.5). Now when we attempt to walk the entire MIB Tree again, the router sends only this single variable:

Freebsd% snmpwalk v1 -c COOKBOOK Router 
system.sysName.0 = Router.oreilly.com
End of MIB
Freebsd%

Notice that the router displays a single entry, sysName, and reports that it has reached the "End of MIB," effectively preventing more than 8,000 MIB objects from being accessed via this particular community string.

You can use the show snmp group EXEC command to see which views are assigned to which community string:

Router>show snmp group
groupname: ORARO security model:v1 
readview :v1default writeview:  
notifyview: 
row status: active

groupname: COOKBOOK security model:v1 
readview :TEST writeview:  
notifyview: 
row status: active
 
Router>

In this example, the community string ORARO has the default SNMP view, v1default. This means the entire MIB tree is accessible.

To see which MIB entries are assigned to which SNMP MIB view, use the following (hidden) command:

Router#show snmp view 
ORAVIEW mib-2 - included nonvolatile active
ORAVIEW at - excluded nonvolatile active
ORAVIEW cisco - included nonvolatile active
v1default internet - included volatile active
v1default internet.6.3.15 - excluded volatile active
v1default internet.6.3.16 - excluded volatile active
v1default internet.6.3.18 - excluded volatile active
RESTRICTED cisco - included nonvolatile active
RESTRICTED lsystem.55 - included nonvolatile active
Router#

Table 17-3 lists a number of valid MIB trees that the router will accept within a SNMP view. Keep in mind that this is not an exhaustive list, and that the router will also accept OIDs in their numerical format.

Table 17-3. Valid OID-trees for use with SNMP views

Keyword Description
internet Entire MIB tree
mib-2 Entire MIB-II tree
system System branch of the MIB-II tree
interfaces Interface branch of the MIB-II tree
at ARP table branch of the MIB-II tree
ip IP routing table branch of the MIB-II tree
icmp ICMP statistics branch of the MIB-II tree
tcp TCP statistics branch of the MIB-II tree
udp UDP statistics branch of the MIB-II tree
transmission Transmission statistics of the MIB-II tree
snmp SNMP statistics branch of the MIB-II tree
ospf OSPF MIB
bgp BGP MIB
rmon RMON MIB
cisco Cisco's enterprise MIB tree
x25 X.25 MIB
ifEntry Interface statistics of MIB objects
lsystem Cisco's system MIB

 

See Also

Recipe 17.1; Recipe 17.2





Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505
Simiral book on Amazon

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net