19 • SNMP configuration    SmartWare Software Configuration Guide

Setting access community information

SNMP uses one or more labels called community strings to delimit groups of objects (variables) that can be viewed or modified on a device. The SNMP data in such a group is organized in a tree structure called a Management Information Base (MIB). A single device may have multiple MIBs connected together into one large structure, and various community strings may provide read-only or read-write access to different, possibly overlapping portions of the larger data structure. An example of a read-only variable might be a counter showing the total number of octets sent or received through an interface. An example of a read-write variable might be the speed of an interface, or the hostname of a device.

Community strings also provide a weak form of access control in the earlier SNMP versions 1 and 2. SNMP version 3 provides much improved access control using strong authentication and should be preferred over SNMP versions 1 and 2 wherever it is supported. If a community string is defined, then it must be provided in any basic SNMP query if the requested operation is to be permitted by the device. Community strings usually allow read-only or read-write access to the entire device. In some cases, a given community string will be limited to one group of read-only or read-write objects described in an individual MIB.

In the absence of additional configuration options to constrain access, knowledge of the single community string for the device is all that is required to gain access to all objects, both read-only and read-write, and to modify any read-write objects.

Note: Security problems can be caused by unauthorized individuals possessing knowledge of read-only community strings so they gain read access to confidential information stored on an affected device. Worse can happen if they gain access to read-write community strings that allow unauthorized remote configuration of affected devices, possibly without the system administrators being aware that changes are being made, resulting in a failure of integrity and a possible failure of device availability. To prevent these situations, community strings that only allow read-only access to the MIB objects should be the default.

By default SNMP uses the default communities public and private. You probably do not want to use those, as they are the first things an intruder will look for. Choosing community names is like choosing a password. Do not use easily guessed ones; do not use commonly known words, mix letters and other characters, and so on. If you do not intend to allow anyone to use SNMP write commands on your system, then you probably only need one community name.

This procedure describes how to define your own SNMP community.

Mode: Configure

Use the no command option to remove an SNMP community setting.

Example: Setting access community information

Step  Command                                     Purpose
1     node(cfg)#snmp community name { ro | rw }   Configures the SNMP community name with read-only or read/write access
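
One way to check a configuration against the guidance above, as an added example that is not part of the SmartWare guide: the Python script below scans configuration text for snmp community lines in the syntax shown in the table and reports default names, weak names and read-write communities. The sample configuration lines, the 8-character minimum and the function names are assumptions made for this example.

```python
import re

# Constructed sample configuration lines (not taken from the guide); they follow
# the command syntax in the table above: snmp community <name> { ro | rw }
SAMPLE_CONFIG = """\
snmp community public ro
snmp community private rw
snmp community monitor ro
snmp community Xk7#pQ2vLm9w ro
"""

DEFAULT_NAMES = {"public", "private"}  # the defaults the guide warns about
LINE_RE = re.compile(r"^\s*snmp\s+community\s+(\S+)\s+(ro|rw)\s*$")

def name_findings(name):
    """Apply the guide's password-style advice to one community name."""
    findings = []
    if name.lower() in DEFAULT_NAMES:
        findings.append("default community name")
    if len(name) < 8:  # assumption: minimum length chosen for this example
        findings.append("shorter than 8 characters")
    if name.isalpha() or name.isdigit():
        findings.append("single character class; mix letters and other characters")
    return findings

def audit(config_text):
    """Return (name, access, findings) for each community that needs attention."""
    report = []
    for line in config_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not an snmp community line
        name, access = match.groups()
        findings = name_findings(name)
        if access == "rw":
            findings.append("read-write access; confirm SNMP writes are required")
        if findings:
            report.append((name, access, findings))
    return report

if __name__ == "__main__":
    for name, access, findings in audit(SAMPLE_CONFIG):
        print(f"{name} ({access}): " + "; ".join(findings))
```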