Restricting users to only view parts of the SNMP tree – Cisco

It’s well known that you can give your customer read-only access to the SNMP tree, but are you sure you want to give them that much information? Even though they can’t change anything, they are able to extract the full configuration, the full routing table and much much more.

As a test I set up SNMP read-only access to a Cisco box I have and ran a full snmpwalk on it. I extracted over 8Mb worth of text data, including full routing tables; ARP tables; OSPF tables etc…

Not only that, but while I was running the walk my device CPU was sitting pretty high:

Router#sh proc cpu sorted
CPU utilization for five seconds: 33%/3%; one minute: 76%; five minutes: 54%
PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
210      121148      106996       1132 15.11% 44.65% 25.56%   0 SNMP ENGINE
107       70240      213991        328  7.35% 12.99% 11.51%   0 IP SNMP

Walking the entire SNMP tree also took almost 5 minutes.

So do you really want your customer to know that much? And secondly, do you really want your customer's monitoring system polling your devices for everything while your device sits with high CPU all the time?

I was testing with a few views this morning and came up with the following:

snmp-server view RESTRICT iso included
snmp-server view RESTRICT at.* excluded
snmp-server view RESTRICT ip.* excluded
snmp-server view RESTRICT ospf.* excluded
snmp-server community [community] view RESTRICT RO [acl]

When I polled using this community it took less than 5 seconds and gave me pretty much all the information I would want to give the customer. Be sure to exclude the MIB for the routing protocol you're actually running; above I have excluded OSPF.
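Since the view includes everything under iso and only carves out three subtrees, it is worth verifying with a walk that nothing under at, ip or ospf actually comes back. The following script is an added example, not part of the original post: it takes numeric snmpwalk output (from net-snmp's `-On` option) on stdin and lists any OIDs that fall inside the excluded groups; the sample walk embedded in it is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): check a numeric snmpwalk
# capture against the subtrees the RESTRICT view is meant to exclude.
# Usage: snmpwalk -v2c -c COMMUNITY -On ROUTER .1 | sh check.sh
# Standard MIB-2 OID prefixes of the groups excluded in the view:
AT_OID=".1.3.6.1.2.1.3"     # at   (address translation / ARP)
IP_OID=".1.3.6.1.2.1.4"     # ip   (routes, ARP, addresses)
OSPF_OID=".1.3.6.1.2.1.14"  # ospf (OSPF-MIB)

# Print every OID from stdin that starts with one of the excluded
# prefixes. The trailing "." keeps .1.3.6.1.2.1.3 from matching
# a sibling such as .1.3.6.1.2.1.31 (ifMIB).
leaked_oids() {
    awk -v a="$AT_OID." -v i="$IP_OID." -v o="$OSPF_OID." '
        index($1, a) == 1 || index($1, i) == 1 || index($1, o) == 1 { print $1 }'
}

# Count the leaks; 0 means the view hides what it should.
leaked_count() {
    leaked_oids | wc -l | tr -d ' '
}

# Constructed sample: what a walk would look like if the view were
# not applied (sysName and ifDescr are fine, the last three are leaks).
SAMPLE='.1.3.6.1.2.1.1.5.0 = STRING: Router
.1.3.6.1.2.1.2.2.1.2.1 = STRING: GigabitEthernet0/0
.1.3.6.1.2.1.4.21.1.1.10.0.0.0 = IpAddress: 10.0.0.0
.1.3.6.1.2.1.14.1.1.0 = IpAddress: 192.0.2.1
.1.3.6.1.2.1.3.1.1.2.1.1.192.0.2.2 = Hex-STRING: 00 11 22 33 44 55'

# With no stdin redirected, demonstrate on the constructed sample.
if [ -t 0 ]; then
    printf '%s\n' "$SAMPLE" | leaked_oids
else
    leaked_oids
fi
```

A non-empty output means the community is still exposing one of the excluded tables, so the view or the community binding is wrong.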

Out of interest, an snmpwalk on my edge BGP router gives me a text file of 0.5GB!