Should I remove these snmp commands?
phoeneous
Member Posts: 2,333 ■■■■■■■□□□
in CCNA & CCENT
I don't do any snmp monitoring on any of my network equipment, just servers. One of my routers has a barrage of snmp commands in its config and I don't think I need them. Thoughts?
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps xgcp
snmp-server enable traps envmon
snmp-server enable traps flash insertion removal
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps wlan-wep
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps bgp
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps dsp oper-state
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps mpls ldp
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls vpn
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps vtp
snmp-server enable traps ccme
snmp-server enable traps srst
snmp-server enable traps voice
snmp-server enable traps dnis
Comments
-
GT-Rob Member Posts: 1,090
If you are not listening to traps, then yes you might as well cut them off.
That said, if you have a server logging or monitoring traps, why not set it up for the network as well?
-
phoeneous Member Posts: 2,333 ■■■■■■■□□□
Why's it in there at all?
Before I got this job a consultant set up all the routers. I talked to him and he said that they used snmp for the initial turn-up and that the commands are no longer needed.
-
phoeneous Member Posts: 2,333 ■■■■■■■□□□
GT-Rob wrote: » If you are not listening to traps, then yes you might as well cut them off. That said, if you have a server logging or monitoring traps, why not set it up for the network as well?
I will shortly in the future. I've got nagios on a vmbox.
-
Forsaken_GA Member Posts: 4,024
If that network is publicly accessible, either remove the SNMP commands, or protect them with an access-list, as the way it looks like right now, anyone who knows the IPs could pull whatever data that's available via snmp off your gear. Not good in an age when information is power.
-
phoeneous Member Posts: 2,333 ■■■■■■■□□□
Forsaken_GA wrote: » If that network is publicly accessible, either remove the SNMP commands, or protect them with an access-list, as the way it looks like right now, anyone who knows the IPs could pull whatever data that's available via snmp off your gear. Not good in an age when information is power.
And that's what prompted me to ask. There have been quite a few admins for this company, I don't know who knows our IPs at this point...
-
Forsaken_GA Member Posts: 4,024
phoeneous wrote: » And that's what prompted me to ask. There have been quite a few admins for this company, I don't know who knows our IPs at this point...
Shouldn't even be a consideration. From what you've posted, you have network gear running SNMP with the default community string and no access-list being applied. The fact that it's using the default community string is just as bad as the fact that there's no access list protecting it. Anyone doing a scan of your IP range could find this. I would suggest fixing that soon, especially if you're the one in charge of the network gear. It may be a prior consultant's fault, but it'll most certainly be your problem.
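
An added example, not part of the thread or any poster's code: a small Python check that reads an IOS-style config and reports the three issues raised above (default community string, no access-list on the community, traps enabled with no `snmp-server host` to receive them). The function name `audit_snmp`, the sample address 192.0.2.10, ACL number 10 and the replacement community string are constructed for illustration.

```python
import re

# Community names that ship as defaults (assumption: public/private only).
DEFAULT_COMMUNITIES = {"public", "private"}

# snmp-server community <string> [view <name>] [RO|RW] [ipv6 <acl>] [<acl>]
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(.*)$", re.IGNORECASE)


def audit_snmp(config_text):
    """Return a list of findings for the SNMP lines of an IOS-style config."""
    findings = []
    trap_lines = 0
    has_trap_host = False
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name, rest = m.group(1), m.group(2).split()
            # Drop the optional "view <name>" pair, then the RO/RW keyword;
            # whatever is left over is the access-list reference.
            if rest[:1] == ["view"]:
                rest = rest[2:]
            acl = [t for t in rest if t.lower() not in ("ro", "rw")]
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default community string '{name}'")
            if not acl:
                findings.append(f"community '{name}' has no access-list")
        elif line.lower().startswith("snmp-server enable traps"):
            trap_lines += 1
        elif line.lower().startswith("snmp-server host "):
            has_trap_host = True
    if trap_lines and not has_trap_host:
        findings.append(f"{trap_lines} trap types enabled but no snmp-server host")
    return findings


# Constructed sample: three lines from the posted config, then a restricted variant.
POSTED = """snmp-server community public RO
snmp-server enable traps vrrp
snmp-server enable traps bgp
"""
RESTRICTED = """access-list 10 permit 192.0.2.10
snmp-server community Xk3-example-string RO 10
snmp-server enable traps bgp
snmp-server host 192.0.2.10 version 2c Xk3-example-string
"""
```

Calling `audit_snmp(POSTED)` returns all three findings; `audit_snmp(RESTRICTED)` returns an empty list.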