SNMP: Prevent high CPU utilization on your devices by using an SNMP view

Recently I was doing Cisco netManager testing and familiarization. The NMS needs SNMP to discover devices, so as usual I configured SNMP on my lab equipment; however, little did I know that the configuration I did was unnecessary and would hog the devices' CPU process utilization.

My original configuration was:

snmp-server enable traps

snmp-server community public ro

The problem with these two lines of configuration is that they allow any SNMP manager that knows the community string, such as an NMS, to poll everything out of the device. This leads to security issues: the SNMP credentials themselves can be read out through the MIBs below, and repeated polling of large tables can slow the entire network to a crawl.

There are three OIDs that have the potential of revealing your SNMP credentials:

1.3.6.1.6.3.15 (snmpUsmMIB), shortcut is internet.6.3.15
1.3.6.1.6.3.16 (snmpVacmMIB), shortcut is internet.6.3.16
1.3.6.1.6.3.18 (snmpCommunityMIB), shortcut is internet.6.3.18

Other MIB subtrees that are not needed and, when polled, will potentially hog your network:

1.3.6.1.2.1.4.21 – ipRouteTable (IP route table), shortcut is ip.21

1.3.6.1.2.1.4.22 – ipNetToMediaTable (IPv4 ARP table), shortcut is ip.22. This table is deprecated in favour of 1.3.6.1.2.1.4.35 (ipNetToPhysicalTable).

1.3.6.1.2.1.3 – atTable (the ARP table), shortcut is at

Configure an access-list for your SNMP manager (the NMS that polls the devices and receives traps)

ip access-list standard netmanager
permit 10.10.10.0 0.0.0.255

It is good practice to limit which SNMP managers may use a community when you use the snmp-server community <password> <ro | rw> command. Once a community is defined, the SNMP agent is enabled and, by default, any manager that knows the string, such as an NMS, can poll everything out of the device. Hence defining an SNMP view is also a practice recommended by Cisco. Refer to Cisco's documentation for its recommended SNMP view.

Start SNMP-server by defining a community string

If you are using SNMP version 1 or version 2c, you will use a community string, which travels in clear text; the newer recommended way is to implement version 3.

snmp-server community public RO netmanager

Define an SNMP view to include the wanted subtrees and exclude the unwanted ones

snmp-server view filter iso included
snmp-server view filter at excluded
snmp-server view filter internet.6.3.15 excluded
snmp-server view filter internet.6.3.16 excluded
snmp-server view filter internet.6.3.18 excluded
snmp-server view filter ip.21 excluded
snmp-server view filter ip.22 excluded

You have to include iso, as it is the root of every SNMP MIB; the more specific excluded entries then carve the unwanted subtrees out of it. Note that a view only takes effect once the community string (or SNMPv3 group) references it by name with the view keyword; a view that is defined but never attached changes nothing.
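To check what a view like the one above actually exposes before pushing it to a device, the following Python script models how an SNMP agent evaluates a view (the RFC 3415 VACM rule: the most specific matching subtree wins, and an OID matching no entry is not visible). It is an added example, not code from the original post or from Cisco. The sample configuration embedded in it is constructed: it repeats the post's view definition and adds the community line that attaches the view ("snmp-server community public view filter RO netmanager"); the shortcut table maps the names IOS accepts (iso, internet, ip, at, ...) to their standard numeric prefixes, and the probe OIDs are constructed instances taken from the subtrees the post discusses.

```python
"""Offline check of a Cisco-style SNMP view: which OIDs can a manager read?

Added example, not part of the original post. The configuration below is a
constructed sample: the post's "filter" view plus the community line that
attaches it. Without the "view filter" keywords the view has no effect.
"""
from typing import List, Optional, Tuple

Oid = Tuple[int, ...]
ViewEntry = Tuple[Oid, bool]  # (subtree, True if included / False if excluded)

# Shortcut names IOS accepts in place of a numeric prefix, with the standard
# SMI / MIB-2 assignments they stand for.
SHORTCUTS = {
    "iso": "1",
    "internet": "1.3.6.1",
    "mgmt": "1.3.6.1.2",
    "mib-2": "1.3.6.1.2.1",
    "system": "1.3.6.1.2.1.1",
    "interfaces": "1.3.6.1.2.1.2",
    "at": "1.3.6.1.2.1.3",
    "ip": "1.3.6.1.2.1.4",
    "snmpv2": "1.3.6.1.6",
}

# Constructed sample configuration (the post's view, plus the attaching line).
SAMPLE_CONFIG = """\
ip access-list standard netmanager
 permit 10.10.10.0 0.0.0.255
snmp-server view filter iso included
snmp-server view filter at excluded
snmp-server view filter internet.6.3.15 excluded
snmp-server view filter internet.6.3.16 excluded
snmp-server view filter internet.6.3.18 excluded
snmp-server view filter ip.21 excluded
snmp-server view filter ip.22 excluded
snmp-server community public view filter RO netmanager
"""


def expand_oid(spec: str) -> Oid:
    """Turn "internet.6.3.15" or "1.3.6.1.6.3.15" into a tuple of arcs."""
    parts = spec.split(".")
    if not parts[0].isdigit():
        try:
            parts = SHORTCUTS[parts[0].lower()].split(".") + parts[1:]
        except KeyError:
            raise ValueError(f"unknown OID shortcut: {parts[0]!r}") from None
    return tuple(int(p) for p in parts)


def parse_view(config: str, view_name: str) -> List[ViewEntry]:
    """Collect the (subtree, included) entries of one named view."""
    entries: List[ViewEntry] = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) != 5 or tokens[:3] != ["snmp-server", "view", view_name]:
            continue
        action = tokens[4].lower()
        if action not in ("included", "excluded"):
            raise ValueError(f"bad view action in line: {line!r}")
        entries.append((expand_oid(tokens[3]), action == "included"))
    return entries


def oid_in_view(entries: List[ViewEntry], oid: Oid) -> bool:
    """RFC 3415 rule: among all entries whose subtree is a prefix of the OID,
    the most specific (longest) one decides; no matching entry means excluded."""
    best: Optional[ViewEntry] = None
    for subtree, included in entries:
        if oid[: len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]


def pollable(config: str, view_name: str, oid_spec: str) -> bool:
    """Can a manager using a community bound to `view_name` read `oid_spec`?"""
    return oid_in_view(parse_view(config, view_name), expand_oid(oid_spec))


if __name__ == "__main__":
    # Constructed probe OIDs, one per subtree discussed in the post.
    probes = {
        "sysDescr.0 (system group)": "1.3.6.1.2.1.1.1.0",
        "ifDescr.1 (interfaces)": "1.3.6.1.2.1.2.2.1.2.1",
        "object under snmpCommunityMIB": "internet.6.3.18.1.1.1.2.1",
        "ipRouteTable row": "ip.21.1.1.10.0.0.0",
        "ipNetToPhysicalTable row": "ip.35.1.4.1.1.1",
        "atTable row": "at.1.1.1.1.1",
    }
    for label, oid in probes.items():
        verdict = "visible" if pollable(SAMPLE_CONFIG, "filter", oid) else "hidden"
        print(f"{label:32s} {oid:28s} {verdict}")
```

Running the script shows the system and interfaces objects as visible and the credential, route and ARP subtrees as hidden. Replace SAMPLE_CONFIG with the output of "show running-config | include snmp-server view" from your own device to audit a view before a manager ever polls it.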

This entry was posted in Network Maintenance.