Limiting MIB Access
Problem
You want to limit which MIB variables can be remotely accessed with SNMP.
Solution
You can use the following commands to restrict SNMP access to portions of the MIB tree. This example shows the legacy configuration method:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 deny any log
Router(config)#snmp-server view ORAVIEW mib-2 included
Router(config)#snmp-server view ORAVIEW at excluded
Router(config)#snmp-server view ORAVIEW cisco included
Router(config)#snmp-server community ORARO view ORAVIEW ro 99
Router(config)#snmp-server view RESTRICTED lsystem.55 included
Router(config)#snmp-server community ORARW view RESTRICTED rw 99
Router(config)#end
Router#
Cisco also has a new method for restricting MIB access, which uses the snmp-server group command:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server view ORAVIEW mib-2 included
Router(config)#snmp-server view ORAVIEW at excluded
Router(config)#snmp-server view ORAVIEW cisco included
Router(config)#snmp-server group TEST v1 read ORAVIEW
Router(config)#snmp-server user ORARO TEST v1
Router(config)#snmp-server view RESTRICTED lsystem.55 included
Router(config)#snmp-server group TEST2 v1 write RESTRICTED
Router(config)#snmp-server user ORARW TEST2 v1
Router(config)#end
Router#
Discussion
By default, enabling SNMP services on your router allows SNMP servers to access the entire SNMP MIB tree. However, sometimes you want to limit which MIB variables can be remotely retrieved or changed, usually for security reasons. We strongly recommend that you limit SNMP write access to only those MIB objects that you absolutely need to change remotely. Remember that it is very easy for a malicious user to cause serious network problems by modifying MIB variables that control the router's configuration.
You can assign an SNMP MIB view to an individual community string or share a view among several community strings including both read-only and read-write access strings. Assigning a MIB view to a read-only community string restricts which MIB variables can be displayed. Similarly, assigning an SNMP MIB view to a read-write community string restricts which MIB variables you can view or alter.
A MIB view can restrict access to a single MIB object; it can allow access to all but one MIB object, or anything in between. For instance, in both examples, we created a view named RESTRICTED to the read-write community string ORARW. This view restricts access to a single MIB entry, lsystem.55, which is the MIB object that triggers the router to send its configuration file to a TFTP server (for nightly configuration backups). The router will prevent any other access to the MIB tree.
We also create an SNMP view named ORAVIEW, which is less restrictive. In this case, we want to allow access to the MIB-2 variables, but prevent access to the ARP table (AT) tree, which we can do using the exclude keyword. We also allow access to the entire Cisco proprietary MIB tree by including the cisco MIB.
To illustrate the functionality of SNMP MIB views, we can first run an SNMP walk of a router's default MIB tree:
Freebsd% snmpwalk v1 -c ORARO Router
system.sysDescr.0 = Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JK9O3S-M), Version 12.2(7a), RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 21-Feb-02 03:48 by pwade
system.sysObjectID.0 = OID: enterprises.9.1.209
system.sysUpTime.0 = Timeticks: (26809590) 3 days, 2:28:15.90
system.sysContact.0 = Ian Brown 416-555-2943
system.sysName.0 = Router.oreilly.com
system.sysLocation.0 = 999 Queen St. W., Toronto, Ont.
system.sysServices.0 = 78
system.sysORLastChange.0 = Timeticks: (0) 0:00:00.00
interfaces.ifNumber.0 = 10
interfaces.ifTable.ifEntry.ifIndex.1 = 1
interfaces.ifTable.ifEntry.ifIndex.2 = 2
interfaces.ifTable.ifEntry.ifIndex.3 = 3
interfaces.ifTable.ifEntry.ifIndex.4 = 4
interfaces.ifTable.ifEntry.ifIndex.5 = 5
interfaces.ifTable.ifEntry.ifIndex.6 = 6
interfaces.ifTable.ifEntry.ifIndex.7 = 7
interfaces.ifTable.ifEntry.ifIndex.8 = 8
interfaces.ifTable.ifEntry.ifIndex.9 = 9
<8000+>
End of MIB
Freebsd%
Walking the full MIB Tree of a Cisco router can take a great deal of time. This router's MIB Tree consisted of more than 8,000 entries. However, if we implement a simple SNMP MIB view, the result is quite different:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server view TEST system.5 included
Router(config)#snmp-server community COOKBOOK view TEST ro
Router(config)#end
Router#
In this example, the router restricts access to a single MIB entry, sysName (system.5). Now when we attempt to walk the entire MIB Tree again, the router sends only this single variable:
Freebsd% snmpwalk v1 -c COOKBOOK Router
system.sysName.0 = Router.oreilly.com
End of MIB
Freebsd%
Notice that the router displays a single entry, sysName, and reports that it has reached the "End of MIB," effectively preventing more than 8,000 MIB objects from being accessed via this particular community string.
You can use the show snmp group EXEC command to see which views are assigned to which community string:
Router>show snmp group
groupname: ORARO security model:v1
readview :v1default writeview:
notifyview:
row status: active
groupname: COOKBOOK security model:v1
readview :TEST writeview:
notifyview:
row status: active
Router>
In this example, the community string ORARO has the default SNMP view, v1default. This means the entire MIB tree is accessible.
To see which MIB entries are assigned to which SNMP MIB view, use the following (hidden) command:
Router#show snmp view
ORAVIEW mib-2 - included nonvolatile active
ORAVIEW at - excluded nonvolatile active
ORAVIEW cisco - included nonvolatile active
v1default internet - included volatile active
v1default internet.6.3.15 - excluded volatile active
v1default internet.6.3.16 - excluded volatile active
v1default internet.6.3.18 - excluded volatile active
RESTRICTED cisco - included nonvolatile active
RESTRICTED lsystem.55 - included nonvolatile active
Router#
Table 17-3 lists a number of valid MIB trees that the router will accept within a SNMP view. Keep in mind that this is not an exhaustive list, and that the router will also accept OIDs in their numerical format.
| Keyword | Description |
|---|---|
| internet | Entire MIB tree |
| mib-2 | Entire MIB-II tree |
| system | System branch of the MIB-II tree |
| interfaces | Interface branch of the MIB-II tree |
| at | ARP table branch of the MIB-II tree |
| ip | IP routing table branch of the MIB-II tree |
| icmp | ICMP statistics branch of the MIB-II tree |
| tcp | TCP statistics branch of the MIB-II tree |
| udp | UDP statistics branch of the MIB-II tree |
| transmission | Transmission statistics of the MIB-II tree |
| snmp | SNMP statistics branch of the MIB-II tree |
| ospf | OSPF MIB |
| bgp | BGP MIB |
| rmon | RMON MIB |
| cisco | Cisco's enterprise MIB tree |
| x25 | X.25 MIB |
| ifEntry | Interface statistics of MIB objects |
| lsystem | Cisco's system MIB |