
SNMP Baselining LMS3

simon.bell
Level 1

I'm trying to build a baseline job to ensure the correct snmp community strings are set, but it doesn't seem to work. I'm using:

+ snmp-server community [#!string#] RO

+ snmp-server community [#!string2#] RW 1

The correct strings are in the config but the job shows the devices out of compliance. If I change the "+" to a "-" then they become compliant... I don't understand the problem.

Thanks in advance.


Joe Clarke
Cisco Employee

These expressions say that in order to be compliant the configuration must have a line:

snmp-server community

That is not followed with "string" then ends with RO. For example, the following would match:

snmp-server community public RO

That would be a compliant line. Typically, when doing negative matching (i.e. [#! ... #]) you use '-' to denote "anything else should NOT be in the config".

Ok, thanks that makes sense. So if I wanted to ensure that the only RO and RW strings were stringRO and stringRW would the statement look like this:

+ snmp-server community [#stringRO#] RO

- snmp-server community [#!.*#] RO

+ snmp-server community [#stringRW#] RW 1

- snmp-server community [#!.*#] RW [#.*#]

Or is there a better way to confirm only the RO and RW strings are there and no others?

Thanks again

Not exactly. You need to understand how baseline matching works. Each line in the template is compared to each line in the config -- line by line. So, you want:

+ snmp-server community stringRO RO

+ snmp-server community stringRW RW 1

- snmp-server community [#!(stringRO|stringRW)#] [#RO|RW#]

You don't need to worry about the trailing ACL number. If the community doesn't match, it's non-compliant anyway.
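A simplified model of the line-by-line matching described in this thread, as an added example that is not part of the original posts and is not LMS code. It assumes each template line is matched as a prefix of each config line, that `[#!x#]` means "one whitespace-delimited token that is not x", and Python regex syntax; the function names and sample configs are constructed for illustration.

```python
import re

PLACEHOLDER = re.compile(r"\[#(!?)(.*?)#\]")

def template_to_regex(pattern):
    """Translate one baseline line ([#re#] / [#!re#]) into a Python regex (assumed semantics)."""
    out, pos = [], 0
    for m in PLACEHOLDER.finditer(pattern):
        out.append(re.escape(pattern[pos:m.start()]))
        negated, body = m.group(1), m.group(2)
        if negated:
            # a single token that is NOT fully matched by body
            out.append("(?!(?:" + body + r")(?:\s|$))\S+")
        else:
            out.append("(?:" + body + ")")
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    # prefix match ending on a token boundary, so a trailing ACL number is ignored
    return re.compile("".join(out) + r"(?:\s|$)")

def check(template, config):
    """Return violations: '+' lines with no match, and config lines hit by a '-' line."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    violations = []
    for entry in template:
        sign, pattern = entry[0], entry[1:].strip()
        rx = template_to_regex(pattern)
        hits = [l for l in lines if rx.match(l)]
        if sign == "+" and not hits:
            violations.append(("missing", pattern))
        elif sign == "-":
            violations.extend(("forbidden", l) for l in hits)
    return violations

# Constructed sample configs
GOOD = "hostname r1\nsnmp-server community stringRO RO\nsnmp-server community stringRW RW 1\n"
BAD = GOOD + "snmp-server community public RO\nsnmp-server community other RW 1\n"

# The question's form (negated match under '+'), with stringRO/stringRW substituted
QUESTION = ["+ snmp-server community [#!stringRO#] RO",
            "+ snmp-server community [#!stringRW#] RW 1"]
# The template from the final reply
FINAL = ["+ snmp-server community stringRO RO",
         "+ snmp-server community stringRW RW 1",
         "- snmp-server community [#!(stringRO|stringRW)#] [#RO|RW#]"]

if __name__ == "__main__":
    print(check(QUESTION, GOOD))  # correct config reported out of compliance
    print(check(FINAL, GOOD))     # compliant
    print(check(FINAL, BAD))      # extra communities flagged
```
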
