How to access router security information using SNMP

Discussion in 'Cisco' started by pankaj.ankam, Dec 2, 2004.

  1. pankaj.ankam

    pankaj.ankam Guest

    Does anyone know how to access router security information using
    SNMP? I just need to display the information, so read-only will do.
    Is there any specific MIB that I need to look at?
    Can someone point me to the security MIBs?

    Thanks,
     
    pankaj.ankam, Dec 2, 2004
    #1

  2. :Does anyone know how to access router security information using
    :SNMP? I just need to display the information, so read-only will do.
    :Is there any specific MIB that I need to look at?
    :Can someone point me to the security MIBs?

    I already answered this question for you a week ago.

    http://groups.google.ca/groups?selm=co8aad$83k$

    In particular, quoting myself:

    You can find out more about which MIBs Cisco supports by looking at

    http://www.cisco.com/go/mib

    I think you will find that the contents of ACLs are seldom accessible
    through MIBs.


    If I need to be blunter: THE INFORMATION USUALLY ISN'T ACCESSIBLE.
    Give up on this approach, it won't get you anywhere.

    The closest you can get with SNMP is this:

    On some Cisco devices with some software versions, there are SNMP
    values you can set to trigger a tftp of the running or saved
    configuration to a location of your choice. tftp being the way it is,
    the destination file would -usually- have to already exist and be
    world writable [or at least writable by the userid that the tftp
    daemon is running as.] You could then parse the configuration file to
    extract the information you are looking for.
     
    Walter Roberson, Dec 2, 2004
    #2

  3. pankaj.ankam

    pankaj.ankam Guest

    Thanks for the reply Walter.

    So SNMP is not of much use.

    Is there any other better way to read the security information from the
    router (of course other than the config file)?
     
    pankaj.ankam, Dec 2, 2004
    #3
  4. pankaj.ankam

    pankaj.ankam Guest

     
    pankaj.ankam, Dec 2, 2004
    #4
  5. :So SNMP is not of much use.

    :Is there any other better way to read the security information from the
    :router (of course other than the config file)?

    No.

    Cisco offers software such as the Security Device Manager (SDM)
    which are GUI tools to examine device configurations and alter them
    in a more friendly manner. Some of those software tools go in
    via http and load down the configuration and parse it; some of them
    go in via a different port and use undocumented protocols... to
    load down the configuration and parse it.

    SDM and related products may break if an older version is used with a
    newer software release... because the newer software release adds
    commands that the older software doesn't know how to parse.

    There is no magic hidden interface on Cisco devices that (for example)
    can be used to extract the configuration information in a
    self-describing XML format such that if one could parse the XML then one
    would be able to parse the configurations indefinitely into the future.

    You have to either parse the text representation of the current
    configuration, or you have to parse the HTML representation of the
    current configuration. Either approach is very fragile, in the sense
    of breaking the next time a small command variation is given or
    the next time that a new device is introduced that one doesn't know
    what commands are applicable for.
     
    Walter Roberson, Dec 2, 2004
    #5
  6. pankaj.ankam

    Erik Freitag Guest

    Could you satisfy my curiosity and say specifically what security
    information you are looking for?
     
    Erik Freitag, Dec 2, 2004
    #6
  7. pankaj.ankam

    Pankaj Ankam Guest

    I am looking to get the access-lists for each interface, enabled services, etc.
     
    Pankaj Ankam, Dec 3, 2004
    #7
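
A sketch of the "parse the text representation" approach described in the thread, pulling out the per-interface access-lists and enabled services asked about above. This is an added example, not code from any poster or from Cisco: the sample configuration is constructed, the name `parse_config` is hypothetical, and it recognizes only the few IOS commands shown, so anything else is silently skipped.

```python
import re
from collections import defaultdict

# Constructed sample in Cisco IOS running-config syntax (not from a real device).
SAMPLE_CONFIG = """\
service password-encryption
no service tcp-small-servers
!
interface FastEthernet0/0
 ip access-group 101 in
 ip access-group EDGE-OUT out
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
!
ip http server
access-list 101 permit tcp any host 192.0.2.10 eq 22
access-list 101 deny ip any any log
ip access-list extended EDGE-OUT
 permit ip 10.0.0.0 0.0.0.255 any
"""

def parse_config(text):
    """Return (bindings, acls, services) parsed from IOS-style config text."""
    bindings = {}                  # interface -> {"in"/"out": ACL name or number}
    acls = defaultdict(list)       # ACL name or number -> list of entries
    services = {}                  # command -> True if enabled, False if "no ..."
    section = None                 # ("interface" | "acl", name) of the open block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0] != " ":          # an unindented command closes any open block
            section = None
            if m := re.match(r"interface (\S+)$", line):
                section = ("interface", m[1])
                bindings.setdefault(m[1], {})   # keep interfaces with no ACL
            elif m := re.match(r"ip access-list (?:standard|extended) (\S+)$", line):
                section = ("acl", m[1])
            elif m := re.match(r"access-list (\d+) (.+)$", line):
                acls[m[1]].append(m[2])
            elif m := re.match(r"(no )?(service \S+|ip http (?:secure-)?server)$", line):
                services[m[2]] = m[1] is None
        elif section and section[0] == "interface":
            if m := re.match(r"ip access-group (\S+) (in|out)$", line):
                bindings[section[1]][m[2]] = m[1]
        elif section and section[0] == "acl":
            acls[section[1]].append(line)       # entry of a named ACL
    return bindings, dict(acls), services
```

An interface that comes back with an empty binding map, such as `FastEthernet0/1` in the sample, has no access-list applied. Unrecognized commands are dropped without warning, which is the fragility the thread describes.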