[c-nsp] Giving customers access to your gear.

Jon Lewis jlewis at lewis.org
Wed Jun 4 00:48:41 EDT 2008


On Tue, 3 Jun 2008, Richey wrote:

> I've got a customer with a T1.  They have been bought out by a large hotel
> chain.  They are pretty much demanding that they have SNMP full read access
> to our router that is at their location as well as a copy of the config for
> the router.   This is not their router, it is ours and we fully manage our

As long as you don't give them the clear text version of the enable 
secret, they can't do any damage, so what's the concern?  Having been on 
the customer end of this sort of arrangement long ago, I can understand 
their concern.  They may want SNMP access for traffic/health graphing, and 
a copy of the config simply for auditing purposes to satisfy themselves 
that the config is "secure" enough.

I'm sure _you_ wouldn't do this, but if you (as the ISP) were to make 
changes to your customer routes and break their internet connection, and 
then have all of your noc staff go fishing for the day, if the customer 
had enable, they could possibly fix their router...depending on how/where 
you broke things.  I've been there...didn't have access, couldn't fix it, 
and was not amused.

If they want access bad enough, since they do have physical access, they 
could just reboot, change the config-register, and have a copy of the 
config.

> router and hand them  Ethernet.     This seems a little odd that they want
> access to our gear, and I am not too keen on giving them access unless they
> are willing to accept some responsibility.   They don't want to accept any
> responsibility for the access they would have to this box.     They say that
> Verizon and AT&T don't have any problems giving them this kind of access to
> their gear.

If you give them enable, the rule is "you break it, you pay us to fix it". 
I also highly recommend rancid, so when they do break it or monkey with it 
in any way, you get notification, and can easily see and back out their 
changes.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
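
One way to prepare the audit copy of the config discussed in this message without its credential material, as an added example that is not part of the original post. It blanks the enable secret and, going beyond what the post mentions, other credential lines (user and line passwords, SNMP communities, AAA keys); the sample config and every value in it are constructed.

```python
import re

# IOS config lines that carry credentials. Group 1 is the command keyword that
# is kept for the auditor; an optional group 2 is a non-secret tail to keep.
REDACTIONS = [
    # enable secret / enable password, optional privilege level
    re.compile(r"^(\s*enable (?:secret|password)(?: level \d+)?)\s+.*$"),
    # username <name> [privilege N] password|secret ...
    re.compile(r"^(\s*username \S+.*? (?:password|secret))\s+.*$"),
    # line (vty/console/aux) passwords
    re.compile(r"^(\s*password)\s+.*$"),
    # SNMP community string; keep the RO/RW keyword and ACL that follow it
    re.compile(r"^(\s*snmp-server community)\s+\S+(.*)$"),
    # TACACS+/RADIUS shared keys
    re.compile(r"^(\s*(?:tacacs-server|radius-server) .*?key)\s+.*$"),
]


def sanitize_line(line):
    """Return the line with any credential material replaced by <removed>."""
    for pat in REDACTIONS:
        m = pat.match(line)
        if m:
            tail = m.group(2) if pat.groups > 1 else ""
            return f"{m.group(1)} <removed>{tail}"
    return line


def sanitize_config(text):
    """Sanitize a whole configuration, preserving line order and indentation."""
    return "\n".join(sanitize_line(line) for line in text.splitlines())


# Constructed sample input: none of these values come from a real device.
SAMPLE_CONFIG = """\
hostname cust-edge-1
enable secret 5 $1$CONSTRUCTED$notarealhash000000000
username noc privilege 15 secret 5 $1$CONSTRUCTED$alsonotreal0000000
snmp-server community EXAMPLEcommunity RO 10
access-list 10 permit 192.0.2.10
line vty 0 4
 password 7 0000000000
 login
"""

if __name__ == "__main__":
    print(sanitize_config(SAMPLE_CONFIG))
```

Structural lines such as the SNMP access mode and the ACL are left intact, so the recipient can still audit who is allowed to poll the router.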

