Lindsay Hill network control, visibility, management

SNMP Community Strings - Don't Use '@'

A quick reminder - do not use the symbol ‘@’ in SNMPv1/2 community strings. I came across this again this week - it causes issues with monitoring some equipment, and should be avoided.

Let’s just ignore the massive SNMPv1/v2c security issues for a second. Since people see the community string as a password, it’s common to use a random collection of letters, numbers and characters. For some reason, people seem to end up using ‘@’ in their community strings. But look at this in the Cisco documentation:

The @ symbol is used as a delimiter between the community string and the context in which it is used. For example, specific VLAN information in BRIDGE-MIB may be polled using community@VLAN_ID (for example, public@100) where 100 is the VLAN number. Avoid using the @ symbol as part of the SNMP community string when configuring this command.

Cisco has more information about Community String Indexing:

Some standard MIBs assume that a particular SNMP entity contains only one instance of the MIB. Thus, the standard MIB does not have any index that allows you to directly access an instance of the MIB. In these cases, a community string indexing is provided to access each instance of the standard MIB. The syntax is [community string]@[instance number].

If you use ‘@’ in your community strings, you might find that the switch gets confused about what you’re trying to poll. You won’t be able to get data for any VLAN other than 1, and you’ll probably find that you get SNMP authentication failure traps from your managed devices.

Do yourself a favour and use a different character. Maybe ‘?’ for bonus marks in struggling to work out how to enter that via the IOS CLI?
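
One way to check existing devices for this, as an added example that is not from the original post or from Cisco: the script scans IOS-style configuration text for `snmp-server community` lines whose string contains '@' and shows how community string indexing would read each one. The sample configuration is constructed, and splitting at the last '@' is an assumption.

```python
import re

# Matches IOS-style "snmp-server community <string> [options]" lines.
COMMUNITY_RE = re.compile(r"^\s*snmp-server\s+community\s+(\S+)", re.IGNORECASE)


def split_indexed(community):
    """Split '[community string]@[instance number]' into its two parts.

    Assumption: the split is taken at the last '@'. The page does not say
    which '@' a device uses when the string contains more than one.
    """
    base, sep, instance = community.rpartition("@")
    if not sep:
        return community, None
    return base, instance


def audit_config(config_text):
    """Return one finding per configured community string that contains '@'."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = COMMUNITY_RE.match(line)
        if not match:
            continue
        community = match.group(1)
        base, instance = split_indexed(community)
        if instance is not None:
            findings.append({
                "line": lineno,
                "community": community,
                "read_as_community": base,   # what the device may treat as the community
                "read_as_instance": instance,  # what it may treat as the VLAN/instance
            })
    return findings


# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
hostname sw-access-01
snmp-server community n3tm0n RO 10
snmp-server community Mon@2024x RO 10
snmp-server location Rack 4
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: '{f['community']}' may be read as community "
              f"'{f['read_as_community']}' with instance '{f['read_as_instance']}'")
```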
