
SNMP configuration recommendations


The CITES networking groups have spent some time studying the current usage of SNMP on campus by both network support people and others.

We recommend that SNMP manageable networking equipment be configured according to the following guidelines:

  1. Set the Read-Only SNMP community name to "netmon" or something other than "public," and configure your administrative information.

  2. Remove any Read-Write SNMP community names.

More details follow.

Read-Only SNMP Community Name

Definition :
A read-only "password" that lets people gather statistics from your SNMP device, but not change the configuration.

Recommendation :
Set the SNMP read-only community name to "netmon" or a value other than "public" and configure your administrative information (equipment contact, name, and location).

Explanation :
Many people monitor devices that use "public" as the read-only community name. While there is little secret data that they can gather this way, they are adding to the load on your devices by asking for this data. We suggest that you either use "netmon," which is the UIUCnet semi-public name, or pick your own departmental read-only name.

If you pick your own departmental community name, please send mail to net-trouble@uiuc.edu and tell us the name you have chosen. CITES needs this information to monitor your hubs for problems, to allow LAN Maintenance to help you when you have problems, and also to mail you the daily repeater statistics. If you choose not to tell CITES your read-only name, we cannot perform any of the previously mentioned services for you.

Configuring the administrative information helps CITES locate malfunctioning equipment when we are troubleshooting problems. This would allow us to tell you exactly what device to check for problems, instead of saying "one of your hubs."

Read-Write SNMP community name

Definition :
A read-write "password" that lets people remotely configure your SNMP devices, such as turning ports on or off and enabling features of the hub.

Recommendation :
Remove any SNMP read-write community names (if they exist).

Explanation :
The read-write password is sent in clear text from the management station to the hub whenever something on the hub is configured. This means that anyone on your network with the correct software can sniff the community name and then change anything on your repeater equipment remotely. Network administrators sometimes use the read-write name instead of going to the equipment and configuring it via the serial port.

Even if you currently use a management package such as Asanté View to change settings on your equipment, we suggest that you weigh the convenience against the security risk on your network. In general, for looking at devices, gathering statistics, and finding problems, the read-only name is used, not the read-write. If you are using a network management package that does not work this way, please feel free to ask the CITES Network Design Office for help in setting it as securely as possible.
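The clear-text point above can be seen in the message format itself. The following is an added example, not CITES code: it decodes the outer fields of an SNMPv1/v2c datagram and flags the two conditions these recommendations remove. The function names, the sample datagrams, and the community name "example-rw" are constructed for illustration.

```python
# Added example; sample datagrams and community names are constructed.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def decode_header(datagram):
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, PDU }."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, version, pos = read_tlv(body, 0)
    ctag, community, pos = read_tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("not a community-based SNMP message")
    pdu_tag, _, _ = read_tlv(body, pos)
    return {"version": {0: "v1", 1: "v2c"}.get(int.from_bytes(version, "big"), "other"),
            "community": community.decode("latin-1"),  # plain bytes, no encryption
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag))}

def findings(datagram):
    """Flag the two conditions the recommendations above are meant to remove."""
    hdr, out = decode_header(datagram), []
    if hdr["community"] == "public":
        out.append("default read-only community 'public' in use")
    if hdr["pdu"] == "SetRequest":
        out.append("write request seen: read-write community sent in clear text")
    return out

def tlv(tag, value):                       # builds the constructed samples (short lengths only)
    return bytes([tag, len(value)]) + value
REQ_FIELDS = tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")  # request-id, error fields
SAMPLE_GET = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"public") + tlv(0xA0,
    REQ_FIELDS + tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2b06010201010300")) + tlv(0x05, b"")))))
SAMPLE_SET = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"example-rw") + tlv(0xA3,
    REQ_FIELDS + tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2b06010201010400")) + tlv(0x04, b"noc")))))
```

The community name is the second field of every message, stored as an ordinary OCTET STRING, so no key or secret is needed to read it from a capture of your own management traffic.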

For more information about SNMP and CITES services using SNMP:

The UIUCnet Reports page has information on how to interpret the daily router reports you can get via email. It also has information about Network Management in general, and links to related pages.

There have also been serious security issues related to unrestricted use of the SNMP protocol. The University response has been to restrict SNMP connections at the firewall at the edge of the campus network. See the CITES news item about the UIUC response to the SNMP vulnerability for more information.

What to tell CITES and how to submit it

After you have set up your devices, please send email to net-trouble@uiuc.edu to let us know how you have your equipment configured. Please include the following information:

  • Your name
  • The name of the building where the equipment is located
  • The IP address of each piece of equipment
  • The brand and model of each piece of equipment
  • The Read-Only community name of each piece of equipment

Other notes regarding SNMP devices

If you renumber your subnet to get more IP addresses, be sure to renumber your hubs.

Configure all of your SNMP devices. Even if no one is monitoring the device, the data gathered will be available in the device to help troubleshoot a problem.

If you change the SNMP community name or IP address of your device, please notify the Operations Center (net-trouble@uiuc.edu) about the changes.


Originally written 15 November 1995 by Debbie Fligor
Ported to the CITES website and updated 26 November 2002 by CITES Documentation
Last modified August 23, 2006