IOS SNMP config behavior questions

May 8th, 2007

Does every relatively recent (v12+) IOS support multiple SNMP read/read-write community strings, or does it depend on the specific version? Given the following device config, where the device credentials in DCR are read1 and readwrite1, what could cause LMS to report read1 is ok, but readwrite1 is invalid on the device?

snmp-server community read1 RO 22

snmp-server community readwrite1 RW 33

snmp-server community read2 RO 22

snmp-server community readwrite2 RW 33

If the current running config displays as follows, would a "no access-list 33 remark * IPs allowed for read-write SNMP *" followed by "access-list 33 remark * IPs allowed for read-write SNMP *" put the remark in front of all the ACLs numbered 33?

access-list 33 permit 12.21.1.7

access-list 33 permit 12.21.1.3

access-list 33 remark * IPs allowed for read-write SNMP *

access-list 33 permit 12.21.1.1

access-list 33 permit 12.21.1.2

Joe Clarke Tue, 05/08/2007 - 16:52

All IOS versions support multiple community strings. Assuming the problem is a timeout for the read-write community string, my thought would be the ACL 33. I assume that one of those addresses is your LMS server?

If you enter the command "no access-list 33 remark * IPs allowed for read-write SNMP *", that will remove the entire ACL 33. You will have to add back in all of the lines in the desired order after that. If you only entered, "access-list 33 remark * IPs allowed for read-write SNMP *" after the "no" command, then ACL 33 would only consist of the remark line.

A sniffer trace of the Device Credential Verification test would help determine if the problem is something other than the ACL.
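The two points in the reply above (whether the polling station's address is permitted by the ACL bound to a community string, and what has to be re-entered once the "no" command has removed ACL 33), sketched in Python as an added example that is not part of the original thread. The function names are assumptions and the sample config is constructed from the lines posted in the question; only standard numbered ACL entries are modelled.

```python
import ipaddress
import re

# Constructed sample: the config lines posted in the question, as one running-config.
CONFIG = """\
snmp-server community read1 RO 22
snmp-server community readwrite1 RW 33
access-list 33 permit 12.21.1.7
access-list 33 permit 12.21.1.3
access-list 33 remark * IPs allowed for read-write SNMP *
access-list 33 permit 12.21.1.1
access-list 33 permit 12.21.1.2
"""

def acl_entries(config, number):
    """Return the (action, rest) pairs of a numbered ACL, in config order."""
    pat = re.compile(rf"^access-list {number} (permit|deny|remark) (.+)$", re.M)
    return [(m.group(1), m.group(2).strip()) for m in pat.finditer(config)]

def community_acl(config, community):
    """Return the ACL number bound to a community string, or None."""
    pat = rf"^snmp-server community {re.escape(community)} (?:RO|RW) (\d+)$"
    m = re.search(pat, config, re.M)
    return int(m.group(1)) if m else None

def acl_permits(config, number, source):
    """First-match check of a standard ACL; None if the ACL has no rules here."""
    rules = [e for e in acl_entries(config, number) if e[0] != "remark"]
    if not rules:
        return None  # ACL not defined in this config: not modelled
    src = int(ipaddress.IPv4Address(source))
    for action, rest in rules:
        words = [w for w in rest.split() if w not in ("host", "log")]
        if words[0] == "any":
            return action == "permit"
        addr = int(ipaddress.IPv4Address(words[0]))
        wildcard = int(ipaddress.IPv4Address(words[1])) if len(words) > 1 else 0
        if ((src ^ addr) & ~wildcard & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False  # implicit deny at the end of the list

def rebuild_with_remark_first(config, number):
    """Commands that remove the ACL, then re-enter it with its remarks on top."""
    entries = acl_entries(config, number)
    ordered = ([e for e in entries if e[0] == "remark"]
               + [e for e in entries if e[0] != "remark"])
    return [f"no access-list {number}"] + [
        f"access-list {number} {action} {rest}" for action, rest in ordered]

if __name__ == "__main__":
    print("\n".join(rebuild_with_remark_first(CONFIG, 33)))
```

Between the "no access-list 33" line and the last re-entered permit, the ACL is missing or incomplete, so the rebuild is best pasted as one block during a maintenance window.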

yjdabear Tue, 05/08/2007 - 18:33

It just occurred to me that this particular device was discovered and added to DCR by Campus Manager. Upon a more careful look, I find CM 4.x Device Discovery isn't aware of the SNMP RW string, in contrast to CM 3.3 (IIRC). That explains my original issue, which is easily fixed by updating the device credential. Looking forward to the default device credentials in LMS 3.0.

Joe Clarke Tue, 05/08/2007 - 21:14

Correct, CM 4.0 does not pass a read-write credential into DCR (unless, of course, you use SNMPv3). The reason for this was that it was impossible to verify the read-write community string when using multiple community strings. It really doesn't work in 3.3 either, in that MCS only applies to the read-only string.

As you noted, default credentials in LMS 3.0 will allow for this as well as other credentials like [telnet/SSH] username and password.

Martin Ermel Wed, 05/09/2007 - 00:28

What is the problem with verifying RW CS in discovery - is it the problem of getting a result in an acceptable timeline (especially in big environments) or are there other (logical) problems?
