Full Disclosure mailing list archives

on topic - cisco snmp


From: lee.e.rian () census gov
Date: Fri, 6 Jun 2003 10:32:24 -0400

If you follow Cisco's suggested work-around for "SNMP causes high CPU
utilization", you might be exposing the write community string.

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00800948e6.shtml
has the following instructions:

   To avoid performance issues, force the router to prematurely end queries
   for the route table from the network management system server. Configure
   the router to respond with a complete message as soon as it receives the
   start of a request for the route table, as follows:
   snmp-server view cutdown internet included
   snmp-server view cutdown ipRouteTable excluded
   snmp-server view cutdown ipNetToMediaTable excluded
   snmp-server view cutdown at excluded
   snmp-server community public view cutdown RO
   snmp-server community private view cutdown RW

The problem is that the View-based Access Control MIB is now included in
the read-only view:
snmpwalk -c public -v 2c c800 vacmAccessWriteViewName
.iso.org.dod.internet.snmpV2.snmpModules.snmpVacmMIB.vacmMIBObjects.vacmAccessTable.vacmAccessEntry.vacmAccessWriteViewName."public"."".1.noAuthNoPriv
 =
.iso.org.dod.internet.snmpV2.snmpModules.snmpVacmMIB.vacmMIBObjects.vacmAccessTable.vacmAccessEntry.vacmAccessWriteViewName."public"."".2.noAuthNoPriv
 =
.iso.org.dod.internet.snmpV2.snmpModules.snmpVacmMIB.vacmMIBObjects.vacmAccessTable.vacmAccessEntry.vacmAccessWriteViewName."private"."".1.noAuthNoPriv
 = cutdown
.iso.org.dod.internet.snmpV2.snmpModules.snmpVacmMIB.vacmMIBObjects.vacmAccessTable.vacmAccessEntry.vacmAccessWriteViewName."private"."".2.noAuthNoPriv
 = cutdown

The fix is to remove the VACM MIB from the view by adding:
snmp-server view cutdown internet.6.3.16 excluded

c800#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
c800(config)#snmp-server view cutdown internet.6.3.16 excluded
c800(config)#end
c800#

snmpwalk -c public -v 2c c800 vacmAccessWriteViewName
.iso.org.dod.internet.snmpV2.snmpModules.snmpVacmMIB.vacmMIBObjects.vacmAccessTable.vacmAccessEntry.vacmAccessWriteViewName
 = No more variables left in this MIB View


Lee



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
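The reason the work-around leaks is that VACM picks the view entry with the longest matching subtree prefix, so "internet included" covers the whole VACM MIB until a more specific "excluded" entry is added. The following is an added illustration, not code from the post or from Cisco: a small Python evaluator for "snmp-server view" lines (subtree masks are not modelled; the symbolic-name table and the vacmAccessWriteViewName OID column are my assumptions from the standard MIBs).

```python
"""Evaluate Cisco IOS 'snmp-server view' lines the way VACM resolves
visibility: the entry with the longest matching subtree prefix wins and its
included/excluded flag decides. Hypothetical helper; masks are not modelled."""

# Symbolic names used in the IOS lines from the post (assumed OID values).
NAMES = {
    "internet": (1, 3, 6, 1),
    "at": (1, 3, 6, 1, 2, 1, 3),
    "ipRouteTable": (1, 3, 6, 1, 2, 1, 4, 21),
    "ipNetToMediaTable": (1, 3, 6, 1, 2, 1, 4, 22),
}

def resolve(subtree: str) -> tuple:
    """Turn 'internet.6.3.16' or '1.3.6.1' into an OID tuple."""
    head, *rest = subtree.split(".")
    base = NAMES[head] if head in NAMES else (int(head),)
    return base + tuple(int(x) for x in rest)

def parse_view(config: str, view_name: str) -> list:
    """Collect (oid, included) pairs for one view from IOS config text."""
    entries = []
    for line in config.splitlines():
        p = line.split()
        if p[:2] == ["snmp-server", "view"] and len(p) == 5 and p[2] == view_name:
            entries.append((resolve(p[3]), p[4] == "included"))
    return entries

def visible(entries: list, oid: tuple) -> bool:
    """Longest matching subtree prefix decides; no match means not visible."""
    best = None
    for subtree, included in entries:
        if oid[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]

# Constructed from the tech-note lines quoted in the post, then with the fix appended.
CISCO_CUTDOWN = """\
snmp-server view cutdown internet included
snmp-server view cutdown ipRouteTable excluded
snmp-server view cutdown ipNetToMediaTable excluded
snmp-server view cutdown at excluded
"""
FIXED = CISCO_CUTDOWN + "snmp-server view cutdown internet.6.3.16 excluded\n"

# snmpVacmMIB(1.3.6.1.6.3.16).vacmMIBObjects(1).vacmAccessTable(4).vacmAccessEntry(1).6
VACM_WRITE_VIEW = (1, 3, 6, 1, 6, 3, 16, 1, 4, 1, 6)

def leaks_write_view(config: str) -> bool:
    """True if the 'cutdown' view still exposes vacmAccessWriteViewName."""
    return visible(parse_view(config, "cutdown"), VACM_WRITE_VIEW)

if __name__ == "__main__":
    print("vendor work-around exposes VACM table:", leaks_write_view(CISCO_CUTDOWN))
    print("after adding internet.6.3.16 excluded:", leaks_write_view(FIXED))
```

Run it as-is and the first line prints True, the second False; feed it your own running config to check any other read-only view for the same gap.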

