
Should I remove these snmp commands?

phoeneous Member Posts: 2,333
I don't do any snmp monitoring on any of my network equipment, just servers. One of my routers has a barrage of snmp commands in its config and I don't think I need them. Thoughts?
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps xgcp
snmp-server enable traps envmon
snmp-server enable traps flash insertion removal
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps wlan-wep
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps bgp
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps dsp oper-state
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps mpls ldp
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls vpn
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps vtp
snmp-server enable traps ccme
snmp-server enable traps srst
snmp-server enable traps voice
snmp-server enable traps dnis

Comments

  • GT-Rob Member Posts: 1,090
    If you are not listening to traps, then yes you might as well cut them off.


    That said, if you have a server logging or monitoring traps, why not set it up for the network as well?
  • ColbyG Member Posts: 1,264
    Why's it in there at all?
  • phoeneous Member Posts: 2,333
    ColbyNA wrote: »
    Why's it in there at all?

    Before I got this job a consultant set up all the routers. I talked to him and he said that they used snmp for the initial turn-up and that the commands are no longer needed.
  • phoeneous Member Posts: 2,333
    GT-Rob wrote: »
    If you are not listening to traps, then yes you might as well cut them off.


    That said, if you have a server logging or monitoring traps, why not set it up for the network as well?


    I will shortly in the future. I've got nagios on a vmbox.
  • Forsaken_GA Member Posts: 4,024
    If that network is publicly accessible, either remove the SNMP commands, or protect them with an access-list, as the way it looks right now, anyone who knows the IPs could pull whatever data that's available via snmp off your gear. Not good in an age when information is power.
  • phoeneous Member Posts: 2,333
    Forsaken_GA wrote: »
    If that network is publicly accessible, either remove the SNMP commands, or protect them with an access-list, as the way it looks right now, anyone who knows the IPs could pull whatever data that's available via snmp off your gear. Not good in an age when information is power.

    And that's what prompted me to ask. There have been quite a few admins for this company, I don't know who knows our IPs at this point...
  • Forsaken_GA Member Posts: 4,024
    phoeneous wrote: »
    And that's what prompted me to ask. There have been quite a few admins for this company, I don't know who knows our IPs at this point...

    Shouldn't even be a consideration. From what you've posted, you have network gear running SNMP with the default community string and no access-list being applied. The fact that it's using the default community string is just as bad as the fact that there's no access list protecting it. Anyone doing a scan of your IP range could find this. I would suggest fixing that soon, especially if you're the one in charge of the network gear. It may be a prior consultant's fault, but it'll most certainly be your problem.
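A small audit of the kind of config posted in the question, as an added example that is not from the thread: it flags the default community string, a community bound to no access-list, and trap generation with no receiver configured, and checks that a hardened variant (hypothetical community name, ACL number and receiver address) comes back clean.

```python
# Added example: audit Cisco IOS "snmp-server" lines for the weaknesses raised
# in the thread. Assumes the simple "snmp-server community <name> RO|RW [acl]"
# form (no "view" keyword); community names, ACL number and receiver address
# in the sample configs below are constructed, not taken from any real device.
import re

DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed excerpt modelled on the router config in the question.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps bgp
snmp-server enable traps ospf state-change
"""

# Constructed hardened variant: non-default community, bound to a standard ACL
# that permits only the monitoring host, and a trap receiver that will listen.
HARDENED_CONFIG = """\
access-list 10 permit 192.0.2.10
snmp-server community Xk9-mon-RO RO 10
snmp-server host 192.0.2.10 version 2c Xk9-mon-RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
"""

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)\s+(RO|RW)(?:\s+(\S+))?", re.I)


def audit_snmp(config: str) -> list[str]:
    """Return findings (empty list means clean) for the SNMP lines of an IOS config."""
    findings = []
    trap_lines = 0
    has_receiver = False
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default community string '{name}' ({mode})")
            if acl is None:
                findings.append(f"community '{name}' has no access-list")
            if mode == "RW":
                findings.append(f"community '{name}' is read-write")
        elif line.startswith("snmp-server enable traps"):
            trap_lines += 1
        elif line.startswith("snmp-server host "):
            has_receiver = True
    if trap_lines and not has_receiver:
        findings.append(f"{trap_lines} trap line(s) enabled but no 'snmp-server host' receiver")
    return findings
```

Run it over a saved `show running-config` to get the same three findings the thread points out for the weak config, and nothing for the hardened one.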