On Tue, 3 Jun 2008, Richey wrote:
> I've got a customer with a T1. They have been bought out by a large hotel chain. They are pretty much demanding that they have SNMP full read access to our router that is at their location as well as a copy of the config for the router. This is not their router, it is ours and we fully manage our
As long as you don't give them the clear text version of the enable secret, they can't do any damage, so what's the concern? Having been on the customer end of this sort of arrangement long ago, I can understand their concern. They may want SNMP access for traffic/health graphing, and a copy of the config simply for auditing purposes to satisfy themselves that the config is "secure" enough.
I'm sure _you_ wouldn't do this, but if you (as the ISP) were to make changes to your customer routes and break their internet connection, and then have all of your NOC staff go fishing for the day, if the customer had enable, they could possibly fix their router...depending on how/where you broke things. I've been there...didn't have access, couldn't fix it, and was not amused.
If they want access bad enough, since they do have physical access, they could just reboot, change the config-register, and have a copy of the config.
> router and hand them Ethernet. This seems a little odd that they want access to our gear, and I am not too keen on giving them access unless they are willing to accept some responsibility. They don't want to accept any responsibility for the access they would have to this box. They say that Verizon and AT&T don't have any problems giving them this kind of access to their gear.
If you give them enable, the rule is "you break it, you pay us to fix it". I also highly recommend rancid, so when they do break it or monkey with it in any way, you get notification, and can easily see and back out their changes.
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
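
The reply above ties sharing the config to not exposing the enable secret. As an added example (not part of the original message and not RANCID's own code), this Python filter strips credential lines from an IOS-style config before a copy is handed over; the sample config and every value in it are constructed, and the rule list is an assumption covering common credential lines, not a complete one.

```python
import re

# Constructed sample config; hostnames, hashes and strings are made up.
SAMPLE_CONFIG = """\
hostname cpe-example
enable secret 5 $1$abcd$EXAMPLEHASHEXAMPLEHASH00
enable password 7 EXAMPLE0000
username noc privilege 15 secret 5 $1$wxyz$EXAMPLEHASHEXAMPLEHASH11
snmp-server community ExampleRO RO 10
snmp-server community ExampleRW RW 10
access-list 10 permit 192.0.2.10
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
 ppp chap password 7 EXAMPLE1111
line vty 0 4
 password 7 EXAMPLE0000
"""

# (pattern, replacement): group 1 is kept, the credential after it is dropped.
# Hashed (type 5) and obfuscated (type 7) values are removed as well, since
# neither form should leave the operator's hands.
RULES = [
    (re.compile(r"^(\s*enable (?:secret|password))\s.*$"), r"\1 <removed>"),
    (re.compile(r"^(\s*username \S+.*?\s(?:secret|password))\s.*$"), r"\1 <removed>"),
    (re.compile(r"^(\s*snmp-server community)\s+\S+(.*)$"), r"\1 <removed>\2"),
    (re.compile(r"^(\s*(?:ppp chap )?password)\s.*$"), r"\1 <removed>"),
    (re.compile(r"^(\s*(?:tacacs-server|radius-server) .*?key)\s.*$"), r"\1 <removed>"),
]

def sanitize(config):
    """Return (sanitized_text, line numbers that were redacted)."""
    out, hits = [], []
    for number, line in enumerate(config.splitlines(), 1):
        for pattern, replacement in RULES:
            redacted = pattern.sub(replacement, line)
            if redacted != line:
                line = redacted
                hits.append(number)
                break  # one rule per line is enough
        out.append(line)
    return "\n".join(out) + "\n", hits

if __name__ == "__main__":
    text, lines = sanitize(SAMPLE_CONFIG)
    print(text)
    print("redacted lines:", lines)
```

The returned line numbers give a quick review list before the copy is sent, so a reviewer can confirm each redaction and spot credential lines the rules did not cover.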