Friday, December 17, 2010

Smart filtering with SNMP v3

SNMP version 3 provides the wonderful benefits of strong authentication, privacy and tight control over what information you allow the device to reveal. With Cisco IOS 12.4T, the configuration tasks are quite simple:

First, define a "view" thusly:
snmp-server view NOC interfaces included

You can exclude specific interfaces. For example, if ifIndex "26" represents the "Gi0/0.500" interface and you want to exclude it entirely:
snmp-server view NOC ifEntry.*.26 excluded

Note the "*", which is a wildcard that excludes all elements for ifIndex 26. This can of course be made more specific, to limit exactly the elements you choose to hide. Or you can be very specific and only allow access to certain interfaces.

Next, configure an SNMP group:
snmp-server group NOC v3 auth read NOC

Finally, configure the user:
snmp-server user noc NOC v3 auth md5 soeasytosee

Or you can take it a step further and enable privacy with DES as follows:
snmp-server user noc NOC v3 auth md5 soeasytosee priv des hidemeplease
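To see what the view, group and user lines above actually add up to for the "noc" user, here is an added Python model (not Cisco or net-snmp code) that parses those lines and applies the RFC 3415 view-family matching rule: for a given OID, the matching family with the longest subtree decides whether it is included or excluded, and no match means it is not in the view at all. The "*" in ifEntry.*.26 becomes a wildcard sub-identifier, which is what a cleared bit in the VACM family mask means. The MIB-2 names (interfaces, ifEntry, ifIndex, ifDescr, system) are resolved from a small built-in table, an assumption in place of real MIB loading; the config text is constructed from the post's own lines.

```python
"""Offline model of SNMPv3 user -> group -> view access on IOS.

Added example; not Cisco or net-snmp code. Parses 'snmp-server' lines and
applies the RFC 3415 view-family rule (longest matching subtree decides) to
tell which OIDs the 'noc' user can actually read.
"""

# Standard MIB-2 OIDs for the names used in the post (assumption: a real
# implementation would resolve names from MIB files instead of this table).
NAMES = {
    "system":     (1, 3, 6, 1, 2, 1, 1),
    "interfaces": (1, 3, 6, 1, 2, 1, 2),
    "ifEntry":    (1, 3, 6, 1, 2, 1, 2, 2, 1),
    "ifIndex":    (1, 3, 6, 1, 2, 1, 2, 2, 1, 1),
    "ifDescr":    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2),
}

# Constructed config: the post's view, group and user lines.
CONFIG = """\
snmp-server view NOC interfaces included
snmp-server view NOC ifEntry.*.26 excluded
snmp-server group NOC v3 auth read NOC
snmp-server user noc NOC v3 auth md5 soeasytosee priv des hidemeplease
"""


def parse_subtree(spec):
    """'ifEntry.*.26' -> (1,3,6,1,2,1,2,2,1,None,26).

    None marks a wildcard sub-identifier, i.e. a zero bit in
    vacmViewTreeFamilyMask."""
    head, *rest = spec.split(".")
    oid = list(NAMES[head]) if head in NAMES else [int(head)]
    oid += [None if p == "*" else int(p) for p in rest]
    return tuple(oid)


def parse_config(config):
    """Return (views, groups, users) collected from 'snmp-server ...' lines."""
    views, groups, users = {}, {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["snmp-server", "view"]:
            # snmp-server view NAME SUBTREE included|excluded
            views.setdefault(t[2], []).append((parse_subtree(t[3]), t[4]))
        elif t[:2] == ["snmp-server", "group"]:
            # snmp-server group NAME v3 noauth|auth|priv [read VIEW] [write VIEW]
            read = t[t.index("read") + 1] if "read" in t else None
            groups[t[2]] = {"level": t[4], "read": read}
        elif t[:2] == ["snmp-server", "user"]:
            # snmp-server user USER GROUP v3 auth ALG PASS [priv ALG PASS]
            priv = t[t.index("priv") + 1] if "priv" in t else None
            users[t[2]] = {"group": t[3], "auth": t[6], "priv": priv}
    return views, groups, users


def family_matches(subtree, oid):
    """An OID belongs to a family if it is at least as long as the subtree
    and agrees with it on every non-wildcard position."""
    return len(oid) >= len(subtree) and all(
        s is None or s == o for s, o in zip(subtree, oid))


def is_visible(view, oid):
    """RFC 3415 section 3.5: among matching families pick the longest subtree
    (ties: lexicographically greatest; a wildcard sorts as 0, which is how the
    masked-out sub-identifier is stored). No match means not in the view."""
    matches = [(st, vt) for st, vt in view if family_matches(st, oid)]
    if not matches:
        return False
    best = max(matches, key=lambda m: (len(m[0]),
                                       [0 if x is None else x for x in m[0]]))
    return best[1] == "included"


def can_read(cfg, user, oid):
    """Follow user -> group -> read view, as the agent does for a GET."""
    views, groups, users = cfg
    group = groups[users[user]["group"]]
    if group["read"] is None:
        return False
    return is_visible(views.get(group["read"], []), oid)


def simulate_walk(cfg, user, oids):
    """Return only those candidate OIDs the user would see in a walk."""
    return [o for o in oids if can_read(cfg, user, o)]


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    # Constructed walk: ifIndex and ifDescr for interfaces 1, 2 and 26.
    candidates = [NAMES[c] + (i,) for c in ("ifIndex", "ifDescr") for i in (1, 2, 26)]
    for o in candidates:
        state = "visible" if can_read(cfg, "noc", o) else "hidden"
        print(".".join(map(str, o)), state)
    print("sysDescr.0 visible:", can_read(cfg, "noc", NAMES["system"] + (1, 0)))
```

Running it shows every ifEntry column for index 26 hidden while indexes 1 and 2 stay visible, and sysDescr.0 hidden because nothing in the NOC view includes the system subtree. The parser also records each user's auth and priv algorithm, which is a handy place to flag accounts still on MD5 or DES.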

You can test with "snmpwalk":
snmpwalk -v3 -aMD5 -Asoeasytosee -unoc -lauthNoPriv host.ip.address

When privacy is enabled:
snmpwalk -v3 -unoc -aMD5 -Asoeasytosee -xDES -Xhidemeplease -lauthPriv host.ip.address
