Limiting MIB Access

Problem

You want to limit which MIB variables can be remotely accessed with SNMP.

Solution

You can use the following commands to restrict SNMP access to portions of the MIB tree. This example shows the legacy configuration method:

Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255 Router(config)#access-list 99 deny any log Router(config)#snmp-server view ORAVIEW mib-2 included Router(config)#snmp-server view ORAVIEW at excluded Router(config)#snmp-server view ORAVIEW cisco included Router(config)#snmp-server community ORARO view ORAVIEW ro 99 Router(config)#snmp-server view RESTRICTED lsystem.55 included Router(config)#snmp-server community ORARW view RESTRICTED rw 99 Router(config)#end Router#

Cisco also has a new method for restricting MIB access, which uses the snmp-server group command:

Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#snmp-server view ORAVIEW mib-2 included Router(config)#snmp-server view ORAVIEW at excluded Router(config)#snmp-server view ORAVIEW cisco included Router(config)#snmp-server group TEST v1 read ORAVIEW Router(config)#snmp-server user ORARO TEST v1 Router(config)#snmp-server view RESTRICTED lsystem.55 included Router(config)#snmp-server group TEST2 v1 write RESTRICTED Router(config)#snmp-server user ORARW TEST2 v1 Router(config)#end Router#

 

Discussion

By default, enabling SNMP services on your router allows SNMP servers to access the entire SNMP MIB tree. However, sometimes you want to limit which MIB variables can be remotely retrieved or changed, usually for security reasons. We strongly recommend that you limit SNMP write access to only those MIB objects that you absolutely need to change remotely. Remember that it is very easy for a malicious user to cause serious network problems by modifying MIB variables that control the router's configuration.

You can assign an SNMP MIB view to an individual community string or share a view among several community strings including both read-only and read-write access strings. Assigning a MIB view to a read-only community string restricts which MIB variables can be displayed. Similarly, assigning an SNMP MIB view to a read-write community string restricts which MIB variables you can view or alter.

A MIB view can restrict access to a single MIB object; it can allow access to all but one MIB object, or anything in between. For instance, in both examples, we created a view named RESTRICTED to the read-write community string ORARW. This view restricts access to a single MIB entry, lsystem.55, which is the MIB object that triggers the router to send its configuration file to a TFTP server (for nightly configuration backups). The router will prevent any other access to the MIB tree.

We also create an SNMP view named ORAVIEW, which is less restrictive. In this case, we want to allow access to the MIB-2 variables, but prevent access to the ARP table (AT) tree, which we can do using the exclude keyword. We also allow access to the entire Cisco proprietary MIB tree by including the cisco MIB.

To illustrate the functionality of SNMP MIB views, we can first run an SNMP walk of a router's default MIB tree:

Freebsd% snmpwalk v1 -c ORARO Router system.sysDescr.0 = Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-JK9O3S-M), Version 12.2(7a), RELEASE SOFTWARE (fc2) Copyright (c) 1986-2002 by cisco Systems, Inc. Compiled Thu 21-Feb-02 03:48 by pwade system.sysObjectID.0 = OID: enterprises.9.1.209 system.sysUpTime.0 = Timeticks: (26809590) 3 days, 2:28:15.90 system.sysContact.0 = Ian Brown 416-555-2943 system.sysName.0 = Router.oreilly.com system.sysLocation.0 = 999 Queen St. W., Toronto, Ont. system.sysServices.0 = 78 system.sysORLastChange.0 = Timeticks: (0) 0:00:00.00 interfaces.ifNumber.0 = 10 interfaces.ifTable.ifEntry.ifIndex.1 = 1 interfaces.ifTable.ifEntry.ifIndex.2 = 2 interfaces.ifTable.ifEntry.ifIndex.3 = 3 interfaces.ifTable.ifEntry.ifIndex.4 = 4 interfaces.ifTable.ifEntry.ifIndex.5 = 5 interfaces.ifTable.ifEntry.ifIndex.6 = 6 interfaces.ifTable.ifEntry.ifIndex.7 = 7 interfaces.ifTable.ifEntry.ifIndex.8 = 8 interfaces.ifTable.ifEntry.ifIndex.9 = 9 <8000+ lines Removed> End of MIB Freebsd%

Walking the full MIB Tree of a Cisco router can take a great deal of time. This router's MIB Tree consisted of more than 8,000 entries. However, if we implement a simple SNMP MIB view, the result is quite different:

Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#snmp-server view TEST system.5 included Router(config)#snmp-server community COOKBOOK view TEST ro Router(config)#end Router#

In this example, the router restricts access to a single MIB entry, sysName (system.5). Now when we attempt to walk the entire MIB Tree again, the router sends only this single variable:

Freebsd% snmpwalk v1 -c COOKBOOK Router system.sysName.0 = Router.oreilly.com End of MIB Freebsd%

Notice that the router displays a single entry, sysName, and reports that it has reached the "End of MIB," effectively preventing more than 8,000 MIB objects from being accessed via this particular community string.

You can use the show snmp group EXEC command to see which views are assigned to which community string:

Router>show snmp group groupname: ORARO security model:v1 readview :v1default writeview: notifyview: row status: active groupname: COOKBOOK security model:v1 readview :TEST writeview: notifyview: row status: active Router>

In this example, the community string ORARO has the default SNMP view, v1default. This means the entire MIB tree is accessible.

To see which MIB entries are assigned to which SNMP MIB view, use the following (hidden) command:

Router#show snmp view ORAVIEW mib-2 - included nonvolatile active ORAVIEW at - excluded nonvolatile active ORAVIEW cisco - included nonvolatile active v1default internet - included volatile active v1default internet.6.3.15 - excluded volatile active v1default internet.6.3.16 - excluded volatile active v1default internet.6.3.18 - excluded volatile active RESTRICTED cisco - included nonvolatile active RESTRICTED lsystem.55 - included nonvolatile active Router#

Table 17-3 lists a number of valid MIB trees that the router will accept within a SNMP view. Keep in mind that this is not an exhaustive list, and that the router will also accept OIDs in their numerical format.

Table 17-3. Valid OID-trees for use with SNMP views

Keyword Description
internet Entire MIB tree
mib-2 Entire MIB-II tree
system System branch of the MIB-II tree
interfaces Interface branch of the MIB-II tree
at ARP table branch of the MIB-II tree
ip IP routing table branch of the MIB-II tree
icmp ICMP statistics branch of the MIB-II tree
tcp TCP statistics branch of the MIB-II tree
udp UDP statistics branch of the MIB-II tree
transmission Transmission statistics of the MIB-II tree
snmp SNMP statistics branch of the MIB-II tree
ospf OSPF MIB
bgp BGP MIB
rmon RMON MIB
cisco Cisco's enterprise MIB tree
x25 X.25 MIB
ifEntry Interface statistics of MIB objects
lsystem Cisco's system MIB

 

See Also

Recipe 17.1; Recipe 17.2

Категории