Setting access community information
SmartWare Software Configuration Guide
25 • SNMP configuration
Community strings also provide a weak form of access control in the earlier SNMP versions 1 and 2. SNMP version 3 provides much improved access control using strong authentication and should be preferred over SNMP version 1 and 2 wherever it is supported. If a community string is defined, then it must be provided in any basic SNMP query if the requested operation is to be permitted by the device. Community strings usually allow read-only or read-write access to the entire device. In some cases, a given community string will be limited to one group of read-only or read-write objects described in an individual MIB.
In the absence of additional configuration options to constrain access, knowledge of the single community
string for the device is all that is required to gain access to all objects, both read-only and read-write, and to
modify any read-write objects.
Note
Security problems can be caused by unauthorized individuals possessing knowledge of read-only community strings, which gives them read access to confidential information stored on an affected device. Worse can happen if they gain access to read-write community strings that allow unauthorized remote configuration of affected devices, possibly without the system administrators being aware that changes are being made, resulting in a failure of integrity and a possible failure of device availability. To prevent these situations, community strings that only allow read-only access to the MIB objects should be the default.
By default SNMP uses the default communities public and private. You probably do not want to use those, as they are the first things an intruder will look for. Choosing community names is like choosing a password. Do not use easily guessed names or commonly known words; mix letters and other characters, and so on. If you do not intend to allow anyone to use SNMP write commands on your system, then you probably only need one community name.
This procedure describes how to define your own SNMP community.
Mode: Configure
Use the no command option to remove an SNMP community setting.
Example: Setting access community information
In the following example the SNMP communities for the default community public with read-only access and
the undisclosed community Not4evEryOne with read/write access are defined. Only these valid communities
have access to the information from the SNMP agent.
node(cfg)#snmp community public ro
node(cfg)#snmp community Not4evEryOne rw
Note
If no community is set on your SmartNode, accessing any of the MIB objects is not possible!
Step   Command                                       Purpose
1      node(cfg)#snmp community name { ro | rw }     Configures the SNMP community name with read-only or read/write access
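The following Python script is an added example, not part of the SmartWare guide: it audits configuration lines written in the snmp community name { ro | rw } syntax shown above against the naming advice in this section. The 10-character minimum, the function name and the finding texts are assumptions of the example, not SmartWare rules.

```python
import re

# Assumption: lines follow the syntax shown on this page,
# "snmp community <name> { ro | rw }", optionally after a "node(cfg)#" prompt.
COMMUNITY_RE = re.compile(
    r"^(?:\S+\(cfg\)#)?\s*snmp\s+community\s+(\S+)\s+(ro|rw)\s*$")
DEFAULT_NAMES = {"public", "private"}  # the defaults named in the text above
MIN_LENGTH = 10  # hypothetical local policy threshold, not a SmartWare rule


def audit_communities(config_text):
    """Return (name, access, findings) for every community line found."""
    results = []
    for line in config_text.splitlines():
        match = COMMUNITY_RE.match(line.strip())
        if not match:
            continue  # other commands, including "no snmp community ..."
        name, access = match.groups()
        findings = []
        if name.lower() in DEFAULT_NAMES:
            findings.append("default community name")
        if len(name) < MIN_LENGTH:
            findings.append("shorter than %d characters" % MIN_LENGTH)
        if name.isalpha() or name.isdigit():
            findings.append("single character class")
        if access == "rw":
            findings.append("read/write access: confirm SNMP writes are needed")
        results.append((name, access, findings))
    return results


# Constructed sample: the two commands from the example on this page.
SAMPLE = """\
node(cfg)#snmp community public ro
node(cfg)#snmp community Not4evEryOne rw
"""

if __name__ == "__main__":
    for name, access, findings in audit_communities(SAMPLE):
        print(name, access, "; ".join(findings) or "ok")
```

Run against the two commands from the example, it flags public on all three naming checks and reports Not4evEryOne only for its read/write access.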