IOS SNMP config behavior questions

yjdabear
VIP Alumni

Does every relatively recent (v12+) IOS support multiple SNMP read/read-write community strings, or does it depend on the specific version? Given the following device config, and that the device credentials in DCR are read1 and readwrite1, what could cause LMS to report read1 is OK, but readwrite1 is invalid on the device?

snmp-server community read1 RO 22

snmp-server community readwrite1 RW 33

snmp-server community read2 RO 22

snmp-server community readwrite2 RW 33

If the current running config displays as follows, would a "no access-list 33 remark * IPs allowed for read-write SNMP *" followed by "access-list 33 remark * IPs allowed for read-write SNMP *" put the remark in front of all the ACLs numbered 33?

access-list 33 permit 12.21.1.7

access-list 33 permit 12.21.1.3

access-list 33 remark * IPs allowed for read-write SNMP *

access-list 33 permit 12.21.1.1

access-list 33 permit 12.21.1.2

4 Replies

Joe Clarke
Cisco Employee

All IOS versions support multiple community strings. Assuming the problem is a timeout for the read-write community string, my thought would be the ACL 33. I assume that one of those addresses is your LMS server?

If you enter the command "no access-list 33 remark * IPs allowed for read-write SNMP *", that will remove the entire ACL 33. You will have to add back in all of the lines in the desired order after that. If you only entered, "access-list 33 remark * IPs allowed for read-write SNMP *" after the "no" command, then ACL 33 would only consist of the remark line.

A sniffer trace of the Device Credential Verification test would help determine if the problem is something other than the ACL.
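The ACL check suggested in the reply above (is the LMS server's address permitted by ACL 33?) can be run offline against a saved config. This is an added example, not part of the thread and not Cisco code; it handles only numbered standard ACLs and plain `snmp-server community NAME RO|RW [acl]` lines, and the function names and the address 12.21.1.9 are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed input: the config lines quoted in the thread (ACL 22 is not shown there).
SAMPLE_CONFIG = """\
snmp-server community read1 RO 22
snmp-server community readwrite1 RW 33
snmp-server community read2 RO 22
snmp-server community readwrite2 RW 33
access-list 33 permit 12.21.1.7
access-list 33 permit 12.21.1.3
access-list 33 remark * IPs allowed for read-write SNMP *
access-list 33 permit 12.21.1.1
access-list 33 permit 12.21.1.2
"""
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\d+))?\s*$", re.I)
ACE_RE = re.compile(r"^access-list (\d+) (permit|deny) (?:host )?(any|[\d.]+)(?: ([\d.]+))?", re.I)

def parse(config):
    """Return ([(community, mode, acl_or_None)], {acl: [(action, addr, wildcard)]})."""
    communities, acls = [], {}
    for line in map(str.strip, config.splitlines()):
        if m := COMMUNITY_RE.match(line):
            communities.append((m[1], m[2].upper(), m[3]))
        elif m := ACE_RE.match(line):  # remark lines do not match and are skipped
            acls.setdefault(m[1], []).append((m[2].lower(), m[3].lower(), m[4] or "0.0.0.0"))
    return communities, acls

def ace_matches(addr, wildcard, source):
    """Standard-ACL match: bits set in the wildcard mask are ignored."""
    if addr == "any":
        return True
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(source)) & care)

def audit(config, manager_ip):
    """Map each community to what its ACL decides for manager_ip."""
    communities, acls = parse(config)
    report = {}
    for name, _mode, acl in communities:
        if acl is None:
            report[name] = "no ACL bound"
        elif not acls.get(acl):
            report[name] = f"ACL {acl} has no permit/deny entries in this config"
        else:  # first match wins; a populated ACL ends in an implicit deny
            hit = next((a for a, ip, wc in acls[acl] if ace_matches(ip, wc, manager_ip)), None)
            report[name] = hit or "deny (implicit)"
    return report

if __name__ == "__main__":
    for ip in ("12.21.1.3", "12.21.1.9"):  # second address is a constructed non-listed host
        print(ip, audit(SAMPLE_CONFIG, ip))
```

A config in which ACL 33 holds only the remark line, the state described above after the "no" command, is reported as having no permit/deny entries rather than as a permit or deny.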

It just occurred to me that particular device was discovered and added to DCR by Campus Manager. Upon a more careful look, I find CM 4.x Device Discovery isn't aware of the SNMP RW string, in contrast to CM 3.3 (IIRC). That explains my original issue, which is easily fixed by updating the device credential. Looking forward to the default device credentials in LMS 3.0.

Correct, CM 4.0 does not pass a read-write credential into DCR (unless, of course, you use SNMPv3). The reason for this was that it was impossible to verify the read-write community string when using multiple community strings. It really doesn't work in 3.3 either, in that MCS only applies to the read-only string.

As you noted, default credentials in LMS 3.0 will allow for this as well as other credentials like [telnet/SSH] username and password.

What is the problem with verifying RW CS in discovery - is it the problem to get a result in an acceptable timeline (especially in big environments) or are there other (logical) problems?
