SNMP and the implications thereof.

Status
Not open for further replies.

AlphaMale

MIS
Aug 14, 2001
ZA
I have a few questions around SNMP.
[ IOS 3600 Software (C3640-IO3-M), Version 12.2(7b) ]

Although we manage our own routers, our ISP monitors our Frame Relay lines in case they go down after hours.
They used a utility called 'Whats Up' for the monitoring, but have since moved on and now monitor our lines using SNMP.

Subsequently, they have asked me to configure all sorts of SNMP parameters on our routers. I understand that SNMP is intrinsically unsafe, but I'm sure there are ways of making it "safer".

This is what I've had to configure so far:

#snmp-server community public RO
#snmp-server trap-source Loopback0
#snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
#snmp-server enable traps config
#snmp-server enable traps bgp
#snmp-server enable traps frame-relay
#snmp-server host x.x.x.x public tty frame-relay isdn x25 hsrp config entity envmon ds0-busyout ds1-loopback bgp ipmulticast msdp rsvp rtr syslog snmp
#snmp-server host x.x.x.x public snmp
#snmp-server enable traps frame-relay subif
#interface loopback 0
#ip address x.x.x.x 255.255.255.255
#snmp-server trap-source Loopback0

I've also created an access-list for them that looks like this:

#Extended IP access list ISP
permit ip x.x.x.x 0.0.0.7 any
permit ip x.x.x.x 0.0.0.3 any

My questions are:
1> What can they see in light of the above config?
2> If I rename the public community string to, let's say, ispcheck, will that basically "hide" the SNMP traps unless you know what the community string is? What I'm asking is, if you don't know what the community string is, can you still somehow get the traps?
3> What can I do to make absolutely sure that they only receive traps like link up or link down? Is there a way to disable traps that carry info about the network?

I'm not lazy or trying to find quick fixes. I'm willing to read and absorb everything that anyone can throw at me. So, apart from replies to my questions, if you have links to Cisco or other sites that can assist me, I'll be grateful.

Thanks guys
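
An added example, not part of the original post: a small Python audit of the snmp-server lines posted above. It flags a default community string, a community with no access list bound to it, and trap hosts that receive more than link-state notifications. The documentation addresses, the shortened notification list and the "link state only" policy are assumptions made for the example.

```python
# Constructed sample: snmp-server lines from the post, '#' prefix dropped and
# x.x.x.x replaced by documentation addresses (192.0.2.0/24).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server trap-source Loopback0
snmp-server enable traps frame-relay
snmp-server host 192.0.2.10 public tty frame-relay isdn x25 hsrp config entity envmon bgp syslog snmp
snmp-server host 192.0.2.11 public snmp
"""

DEFAULT_COMMUNITIES = {"public", "private"}
# Assumption: the policy is "link state only"; on IOS the linkup/linkdown
# traps are sent under the 'snmp' notification type.
ALLOWED_TYPES = {"snmp"}


def host_trap_types(words):
    """Notification types on an 'snmp-server host' line (words after the address)."""
    if words and words[0] in ("traps", "informs"):
        words = words[1:]
    if words and words[0] == "version":
        words = words[3:] if words[1:2] == ["3"] else words[2:]
    return set(words[1:])  # words[0] is the community string


def audit_snmp(config, allowed=ALLOWED_TYPES):
    """Return (severity, message) findings for IOS snmp-server lines."""
    findings = []
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["snmp-server", "community"] and len(w) >= 3:
            name, opts = w[2], [o.lower() for o in w[3:]]
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", f"community '{name}' is a well-known default"))
            if "rw" in opts:
                findings.append(("high", f"community '{name}' is read-write"))
            # Assumes an access list, when present, follows the ro/rw keyword.
            mode = [i for i, o in enumerate(opts) if o in ("ro", "rw")]
            if not mode or mode[-1] == len(opts) - 1:
                findings.append(("high", f"community '{name}' has no access list bound"))
        elif w[:2] == ["snmp-server", "host"] and len(w) >= 4:
            types = host_trap_types(w[3:])
            if not types:
                findings.append(("medium", f"host {w[2]} receives every enabled trap type"))
            elif types - allowed:
                extra = ", ".join(sorted(types - allowed))
                findings.append(("medium", f"host {w[2]} also receives: {extra}"))
    return findings
```

Calling `audit_snmp(SAMPLE_CONFIG)` returns three findings for the sample; a host line that names only `snmp` after the community string produces none.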
 