CiscoView limited access via SNMPv3

Nov 11th, 2008

I have a unique challenge whereby users need to change VLAN assignment to ports via CiscoView. It is easy to use, and the users don't have to be highly skilled. The problem is that they can inadvertently change the speed or worse: shut the port.


My question is: Is it possible to limit their access through CiscoView via enhanced SNMPv3 configurations? I cannot see that ACS integration can cater for this since it has only a read and read-write option.

Many Thanks

Joe Clarke Tue, 11/11/2008 - 06:50

Unfortunately, this is not possible. Even with SNMPv3 configured on the device, only one set of SNMP credentials can be used from DCR. Therefore, if a user has "change" access to CV, they will be able to make all changes allowed by the configured DCR credential.


That said, if you wanted to limit this SNMP credential on the device side (i.e. limit it for all users) that would certainly be possible. You wouldn't even need to use SNMPv3. You could apply an SNMP view to the read-write credential on the device limiting it to branches of the MIB required by your help desk users. Of course, this would handicap other parts of LMS for all users. See http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094489.shtml#setupsnmp for more on SNMP views.

David Stanford Tue, 11/11/2008 - 06:53

If you limit the access to certain MIB objects via snmp v3, it will impact CiscoView as a whole and any user who logs in with their specific permissions.


The only thing you can do is integrate with ACS and allow access at both the application and device level.

Joe Clarke Tue, 11/11/2008 - 06:59

This is where using SNMPv1/v2c would be better. You could limit only the read-write community string, so the read-only would still work completely. The handicapping of which I was speaking would occur for apps like IPM, RME, and Campus unless the view was made broad enough. I suppose, if all you're worried about is limiting whether or not one can change the port state and speed, you could cut out ifOperStatus and the device's port speed SET object (e.g. portAdminSpeed).
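The view approach described in the two replies above (restrict only the read-write community with an SNMP view, leave the read-only one untouched, and carve out the port state and speed SET objects) can be checked before it is applied. The script below is an added example, not code from this thread or a Cisco tool: it models the subtree-matching rule of RFC 3415 VACM that IOS views follow and prints the equivalent `snmp-server view` lines. The view name HELPDESK, the community placeholder and the sample requests are constructed; ifAdminStatus, ifOperStatus and vmVlan are the standard IF-MIB and CISCO-VLAN-MEMBERSHIP-MIB objects, and the portAdminSpeed OID is an assumption to verify against the MIB of the platform in use (the writable port-state object in IF-MIB is ifAdminStatus; ifOperStatus is read-only).

```python
"""
Cisco-style SNMP view evaluation, modelled on the view-based access control
(VACM) subtree matching rules of RFC 3415.

Added example, not from the original thread and not a Cisco tool. It predicts
which requests a read-write community restricted by an SNMP view would accept
or refuse. View name, community placeholder and sample requests are
constructed; standard OIDs are the real IF-MIB / CISCO-VLAN-MEMBERSHIP-MIB
values; the speed object is an assumption to check against your platform MIB.
"""
from typing import Dict, List, Optional, Tuple

Oid = Tuple[int, ...]


def parse_oid(dotted: str) -> Oid:
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1)."""
    return tuple(int(part) for part in dotted.strip(".").split("."))


# Objects referenced in the discussion
ISO = parse_oid("1")
IF_ADMIN_STATUS = parse_oid("1.3.6.1.2.1.2.2.1.7")   # IF-MIB ifAdminStatus: the SET object that shuts a port
IF_OPER_STATUS = parse_oid("1.3.6.1.2.1.2.2.1.8")    # IF-MIB ifOperStatus: read-only link state
VM_VLAN = parse_oid("1.3.6.1.4.1.9.9.68.1.2.2.1.2")  # CISCO-VLAN-MEMBERSHIP-MIB vmVlan: access VLAN of a port
# Assumption: portAdminSpeed as found in CISCO-STACK-MIB; confirm the OID for your platform.
PORT_ADMIN_SPEED = parse_oid("1.3.6.1.4.1.9.5.1.4.1.1.9")


class SnmpView:
    """An SNMP view: an ordered list of (subtree, included) entries."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[Tuple[Oid, bool]] = []

    def include(self, subtree: Oid) -> "SnmpView":
        self.entries.append((subtree, True))
        return self

    def exclude(self, subtree: Oid) -> "SnmpView":
        self.entries.append((subtree, False))
        return self

    def permits(self, oid: Oid) -> bool:
        """RFC 3415 rule: among the subtrees that are a prefix of the OID, the
        one with the most sub-identifiers decides (ties: the lexicographically
        greatest). The IOS 'snmp-server view' syntax has no mask, so every
        sub-identifier a subtree lists must match exactly."""
        best: Optional[Tuple[Oid, bool]] = None
        for subtree, included in self.entries:
            if oid[: len(subtree)] != subtree:
                continue
            if best is None or (len(subtree), subtree) > (len(best[0]), best[0]):
                best = (subtree, included)
        return best is not None and best[1]

    def ios_config(self, community: str) -> List[str]:
        """The 'snmp-server' lines that express this view on IOS."""
        lines = [
            f"snmp-server view {self.name} {'.'.join(map(str, subtree))} "
            f"{'included' if included else 'excluded'}"
            for subtree, included in self.entries
        ]
        lines.append(f"snmp-server community {community} view {self.name} RW")
        return lines


def helpdesk_view() -> SnmpView:
    """Everything the RW community could reach, minus port state and speed."""
    return (
        SnmpView("HELPDESK")
        .include(ISO)
        .exclude(IF_ADMIN_STATUS)
        .exclude(PORT_ADMIN_SPEED)
    )


def evaluate(view: SnmpView, requests: Dict[str, Oid]) -> Dict[str, bool]:
    """Map each named request to whether the view lets it through."""
    return {name: view.permits(oid) for name, oid in requests.items()}


# Constructed sample requests: index 5 is an arbitrary ifIndex / port number.
SAMPLE_REQUESTS = {
    "set vmVlan.5 (move port to another VLAN)": VM_VLAN + (5,),
    "set ifAdminStatus.5 (shut the port)": IF_ADMIN_STATUS + (5,),
    "set portAdminSpeed.1.5 (change speed)": PORT_ADMIN_SPEED + (1, 5),
    "get ifOperStatus.5 (read link state)": IF_OPER_STATUS + (5,),
}

if __name__ == "__main__":
    view = helpdesk_view()
    for line in view.ios_config("REPLACE_WITH_RW_COMMUNITY"):
        print(line)
    for name, allowed in evaluate(view, SAMPLE_REQUESTS).items():
        print(f"{'allow' if allowed else 'deny ':5} {name}")
```

Two properties of views worth keeping in mind when reading the output: a view applies to every operation made with that community, so excluding ifAdminStatus also stops the RW string from reading it (the RO string, which has its own view, is unaffected, as noted above); and because the longest matching subtree decides, starting from `1 included` and adding specific exclusions leaves every other object, including the VLAN membership table CiscoView uses, reachable.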

pvanvuuren Wed, 11/12/2008 - 02:35

Thanks guys for the feedback, I will have to look further into this. I might actually have to force them to use telnet instead of CiscoView. With telnet I can then at least control their privilege through the "command authorization sets" within ACS. Thanks again.

csco11049253 Sun, 12/14/2008 - 23:15
Hi,


I was searching for SNMPv3 info and found your comments on this forum which were extremely helpful.


Further, if you can recommend any reading material (apart from Cisco online config guides) to get a good understanding of SNMPv2/SNMPv3, it would be appreciated.


Thanks & Regards,

CM

Joe Clarke Mon, 12/15/2008 - 09:35

One of the references we use internally is "SNMP, SNMPv2, SNMPv3, and RMON 1 and 2" by Stallings (ISBN-13 978-0201485349).
