Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
snmp community strings 1
- Thread starter fenstrat
- Start date
- Thread starter
- #3
- Thread starter
- #4
-
1
- #5
Hi,
First thing you should do is remove both public and private. Come up with your own strings using:
snmp-server community <string> <option> <acl>
Use it all for best security. The option refers to the type of access for someone using this string. You can have RO for read only and RW for read write. ACL is optional, this specifies an access-list of hosts allowed to communicate to your router using snmp. If you're not on the ACL and you nmap the snmp port you won't see it open.
Sample conf:
!
snmp-server community jkfrdfjs RO 6
!
access-list 6 permit host 172.1.1.10
!
BR,
-Stephen
First thing you should do is remove both public and private. Come up with your own strings using:
snmp-server community <string> <option> <acl>
Use it all for best security. The option refers to the type of access for someone using this string. You can have RO for read only and RW for read write. ACL is optional, this specifies an access-list of hosts allowed to communicate to your router using snmp. If you're not on the ACL and you nmap the snmp port you won't see it open.
Sample conf:
!
snmp-server community jkfrdfjs RO 6
!
access-list 6 permit host 172.1.1.10
!
BR,
-Stephen
Urgentemente
IS-IT--Management
Fenstrat, when you say you "figured out the snmp-server community string command"
would you mind posting here what exactly you did.
I'm currently trying to setup mrtg to monitor/graph the traffic for a couple of 2501's I inherited as part of this position. However when I do 'show snmp' it gives '%SNMP agent not enabled'.
I also have a 2503 which has been configured by another IT dept and we have it as a spare at the moment, so I'm trying to use it as a guinea pig to avoid disrupting the live link.
snmp appears to be enabled on it as show snmp gives me the block of stats, but snmpwalk (or mrtg etc) fails to get any info from it. I do however see the number of errors rise when I try.
"12 Bad SNMP version errors
459 Unknown community name
"
the community name keeps rising when I try public/private etc.
I assume that means the previous configurer has changed the community names? As I have the enable password , could someone let me know what command it is to view the community names.
Sorry for the newbie questions, but almost 0% knowledge of Cisco kit apart from the basics of viewing interface stats etc.
many thanks,
would you mind posting here what exactly you did.
I'm currently trying to setup mrtg to monitor/graph the traffic for a couple of 2501's I inherited as part of this position. However when I do 'show snmp' it gives '%SNMP agent not enabled'.
I also have a 2503 which has been configured by another IT dept and we have it as a spare at the moment, so I'm trying to use it as a guinea pig to avoid disrupting the live link.
snmp appears to be enabled on it as show snmp gives me the block of stats, but snmpwalk (or mrtg etc) fails to get any info from it. I do however see the number of errors rise when I try.
"12 Bad SNMP version errors
459 Unknown community name
"
the community name keeps rising when I try public/private etc.
I assume that means the previous configurer has changed the community names? As I have the enable password , could someone let me know what command it is to view the community names.
Sorry for the newbie questions, but almost 0% knowledge of Cisco kit apart from the basics of viewing interface stats etc.
many thanks,
The %SNMP agnet not enabled means SNMP has not been configured at all. By default it is unconfigured for security reasons. You can create your own communities by using this command set below.
I used SNMPWALTEST as a word for my new community. I then used the question mark to show what other options were available. Notice it lets you use an ACL as well as the RO,RW options. You would then need to use the SNMPWALTEST on MRTG as the community string in order for it to read the router. (That is if you used that as a community name.) Like nohair described you can use the access-lists as well to limit access to the snmp community. For MRTG all you need is Read Only (RO).
Gateway(config)#snmp community SNMPWALTEST ?
<1-99> Std IP accesslist allowing access with this community string
<1300-1999> Expanded IP accesslist allowing access with this community
string
ro Read-only access with this community string
rw Read-write access with this community string
view Restrict this community to a named MIB view
I used SNMPWALTEST as a word for my new community. I then used the question mark to show what other options were available. Notice it lets you use an ACL as well as the RO,RW options. You would then need to use the SNMPWALTEST on MRTG as the community string in order for it to read the router. (That is if you used that as a community name.) Like nohair described you can use the access-lists as well to limit access to the snmp community. For MRTG all you need is Read Only (RO).
Gateway(config)#snmp community SNMPWALTEST ?
<1-99> Std IP accesslist allowing access with this community string
<1300-1999> Expanded IP accesslist allowing access with this community
string
ro Read-only access with this community string
rw Read-write access with this community string
view Restrict this community to a named MIB view
Urgentemente
IS-IT--Management
Managed to find the community strings for the 'spare' router (forgot the check the show config output , oops),
but even on that one, if I try the 'snmp community' command(s) at the enabled prompt, it says unknown command.
I notice on your post above that it has (config) after the router name, is there a certain mode you have to be in ? (i.e config mode..)
If that's the case, is there a way to just change the SNMP settings without affecting all the others, as I REALLY don't want to knock a live router off the network (it links our two main UK sites together).
thanks for the info so far tho.
but even on that one, if I try the 'snmp community' command(s) at the enabled prompt, it says unknown command.
I notice on your post above that it has (config) after the router name, is there a certain mode you have to be in ? (i.e config mode..)
If that's the case, is there a way to just change the SNMP settings without affecting all the others, as I REALLY don't want to knock a live router off the network (it links our two main UK sites together).
thanks for the info so far tho.
Urgentemente
IS-IT--Management
Great, thanks, I got into config mode, and (just as a test) changed the snmp-server location to something else, but 'show config' still shows the original details, from the bits I've seen I'm guessing this is to do with having one 'live/running' config, and one in memory? What's the correct sequence to make changes active? (and again, will it knock the router off at any point - e.g does it cause/need a reboot?)
thanks for the quick replies so far, haven't been able to persuade my boss to pay for a Cisco course yet :-(, so learning by fiddling.
thanks for the quick replies so far, haven't been able to persuade my boss to pay for a Cisco course yet :-(, so learning by fiddling.
Urgentemente
IS-IT--Management
I think I've just seen the answer in another thread...
'write mem' ?
'write mem' ?
- Status
Similar threads
- Locked
- Question