It’s well known that you can give your customer read-only access to the SNMP tree, but are you sure you want to give them that much information? Even though they can’t change anything, they are able to extract the full configuration, the full routing table and much much more.
As a test I set up SNMP read-only access to a Cisco box I have and ran a full snmpwalk on it. I extracted over 8Mb worth of text data, including full routing tables, ARP tables, OSPF tables, etc.
Not only that, but while I was running the walk my device CPU was sitting pretty high:
```
Router#sh proc cpu sorted
CPU utilization for five seconds: 33%/3%; one minute: 76%; five minutes: 54%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
 210      121148    106996   1132 15.11% 44.65% 25.56%   0 SNMP ENGINE
 107       70240    213991    328  7.35% 12.99% 11.51%   0 IP SNMP
```
Walking the entire SNMP tree also took almost 5 minutes.
So do you really want your customer to know that much? And secondly, do you really want your customer's monitoring system polling your devices for everything while your device sits with high CPU all the time?
I was testing with a few views this morning and came up with the following:
```
snmp-server view RESTRICT iso included
snmp-server view RESTRICT at.* excluded
snmp-server view RESTRICT ip.* excluded
snmp-server view RESTRICT ospf.* excluded
snmp-server community [community] view RESTRICT RO [acl]
```
When I polled using this community it took less than 5 seconds and gave me pretty much all the information I would want to give the customer. Be sure to restrict the protocol you’re actually using. I have restricted OSPF above.
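To check what a view like RESTRICT actually exposes before handing the community to a customer, here is an added example (not code from the original post) that applies the view's include/exclude rules to candidate OIDs using longest-prefix matching, as in RFC 3415 VACM; the MIB name-to-OID table and the `.*` handling are assumptions of the example, not taken from IOS itself.

```python
# Added example: decide which OIDs a Cisco-style SNMP view makes readable.
# Assumption: the most specific (longest) matching subtree wins, as in the
# VACM model of RFC 3415; "name.*" is treated as the whole subtree under name.
from typing import Dict, List, Tuple

# Well-known MIB-2 subtree names resolved to their numeric OIDs.
MIB_NAMES = {
    "iso": "1",
    "system": "1.3.6.1.2.1.1",
    "interfaces": "1.3.6.1.2.1.2",
    "at": "1.3.6.1.2.1.3",
    "ip": "1.3.6.1.2.1.4",
    "ospf": "1.3.6.1.2.1.14",
}

# The RESTRICT view from the post, as (subtree, action) pairs.
RESTRICT_VIEW = [
    ("iso", "included"),
    ("at.*", "excluded"),
    ("ip.*", "excluded"),
    ("ospf.*", "excluded"),
]


def resolve(subtree: str) -> Tuple[int, ...]:
    """Turn 'ip.*', 'ip.21' or '1.3.6.1.2.1.4.21' into a tuple of arcs."""
    name = subtree.removesuffix(".*")
    head, _, rest = name.partition(".")
    base = MIB_NAMES.get(head, head)          # numeric heads pass through
    dotted = base + ("." + rest if rest else "")
    return tuple(int(arc) for arc in dotted.split("."))


def is_visible(oid: str, view: List[Tuple[str, str]]) -> bool:
    """True if the OID is readable under the view. The longest matching
    subtree prefix decides; an OID matching no subtree is not visible."""
    target = resolve(oid)
    best_len, decision = -1, False
    for subtree, action in view:
        prefix = resolve(subtree)
        if target[: len(prefix)] == prefix and len(prefix) > best_len:
            best_len, decision = len(prefix), action == "included"
    return decision


def audit(view: List[Tuple[str, str]], candidates: List[str]) -> Dict[str, bool]:
    """Map each candidate OID to whether the view exposes it."""
    return {oid: is_visible(oid, view) for oid in candidates}
```

Note that with only `iso` included, anything not explicitly excluded (the enterprise tree under 1.3.6.1.4.1 included) remains readable, so audit the vendor subtrees too.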
Out of interest, an snmpwalk on my edge BGP router gives me a text file of 0.5GB!