Recently I was doing Cisco netManager testing and familiarization, the NMS needs snmp to discover devices and hence as usual I configured snmp with my lab equipments, however little did I know the configuration I did was unnecessary and would hog the devices’ cpu process utilization.
My original configuration was:
snmp-server enable trap
snmp-server community public ro
The problem with these two lines of configuration is that I allow the snmp receiver such as a NMS to get everything out from the devices using snmp polling, this will lead to some security issues such as getting the snmp credential and make use of snmp polling to hog the entire network to snail speed.
There are three OIDs that have the potential of revealing your snmp credentials:
18.104.22.168.6.3.15 (snmpUsmMIB), short cut is internet.6.3.15
22.214.171.124.6.3.16 (snmpVacmMIB), short cut is internet.6.3.16
126.96.36.199.6.3.18 (snmpCommunityMIB), short cut is internet.6.3.18
Other MIBs that are not needed and will potentially hog your networks:
188.8.131.52.184.108.40.206 – ipRouteTable (IP route table), short cut IP.21
220.127.116.11.18.104.22.168 – ipNetToMediaTable (IPv4 ARP table), short cut is IP.22. This is replaced by 22.214.171.124.126.96.36.199
188.8.131.52.2.1.3 – atTable, short cut is at, this is the ARP table.
Configure access-list for your snmp trap receiver
ip access-list standard netmanager
permit 10.10.10.0 0.0.0.255
It is a good practice to limit the number of intended snmp servers when you use snmp-server community <password> <ro | rw> command. Once you defined the community, the snmp-server is enabled, and by default the snmp trap receiver such as a NMS can poll everything out from the device using snmp. Hence defining snmp view is also a recommended practice by Cisco. Refer this for Cisco recommended snmp view.
Start SNMP-server by defining a community string
If you are using snmp version 1 or version 2c you will use community string which is in clear text, the newer recommended way is to implement version 3.
snmp-server community public RO netmanager
Define snmp view to include the wanted and exclude the unwanted
snmp-server view filter iso included
snmp-server view filter at excluded
snmp-server view filter internet.6.3.15 excluded
snmp-server view filter internet.6.3.16 excluded
snmp-server view filter internet.6.3.18 excluded
snmp-server view filter ip.21 excluded
snmp-server view filter ip.22 excluded
You have to include iso as this is the root for every snmp mibs.