11-11-2008 02:26 AM
I have a unique challenge whereby users need to change VLAN assignment to ports via CiscoView. It is easy to use, and the users don't have to be highly skilled. The problem is that they can inadvertently change the speed or worse: shut the port.
My question is: Is it possible to limit their access through CiscoView via enhanced SNMPv3 configurations? I cannot see that ACS integration can cater for this since it has only a read and read-write option.
Many Thanks
11-11-2008 06:50 AM
Unfortunately, this is not possible. Even with SNMPv3 configured on the device, only one set of SNMP credentials can be used from DCR. Therefore, if a user has "change" access to CV, they will be able to make all changes allowed by the configured DCR credential.
That said, if you wanted to limit this SNMP credential on the device side (i.e. limit it for all users) that would certainly be possible. You wouldn't even need to use SNMPv3. You could apply an SNMP view to the read-write credential on the device limiting it to branches of the MIB required by your help desk users. Of course, this would handicap other parts of LMS for all users. See http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094489.shtml#setupsnmp for more on SNMP views.
11-11-2008 06:53 AM
If you limit the access to certain MIB objects via snmp v3, it will impact CiscoView as a whole and any user who logs in with their specific permissions.
The only thing you can do is integrate with ACS and allow access at both the application and device level.
11-11-2008 06:59 AM
This is where using SNMPv1/v2c would be better. You could limit only the read-write community string, so the read-only would still work completely. The handicapping of which I was speaking would occur for apps like IPM, RME, and Campus unless the view was made broad enough. I suppose, if all you're worried about is limiting whether or not one can change the port state and speed, you could cut out ifOperStatus and the device's port speed SET object (e.g. portAdminSpeed).
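The device-side restriction described in the replies above, written out as an IOS configuration. This is an added example, not configuration from the original thread: the community strings and the view name HELPDESK-RW are placeholders, the numeric OIDs are ifAdminStatus from IF-MIB, portAdminSpeed from CISCO-STACK-MIB and vmVlan from CISCO-VLAN-MEMBERSHIP-MIB, and it is an assumption that portAdminSpeed is the speed SET object CiscoView uses on the platform in question (check the MIB support for your release before relying on it).

```cisco
! --- Before (the situation the thread describes): one read-write community
!     with no view, so anyone with CiscoView "change" access can SET any
!     writable object, including ifAdminStatus (port shutdown) and port speed.
snmp-server community RW-SECRET RW

! --- After: leave the read-only community unrestricted so RME, IPM, Campus
!     and CiscoView's own polling keep working, and put a view on the
!     read-write community that carves out only the objects the help desk
!     must never SET. (Placeholder strings; use your own.)
snmp-server community RO-SECRET RO

! HELPDESK-RW: the whole tree is included, so CiscoView can still read and
! write everything it needs, minus the two branches excluded below.
snmp-server view HELPDESK-RW iso included

! ifAdminStatus (IF-MIB, 1.3.6.1.2.1.2.2.1.7) is the object a SET writes to
! bring a port down (value 2). Excluding it blocks port shutdown through this
! community. Note that GETs of ifAdminStatus via RW-SECRET fail too; that is
! why RO-SECRET stays unrestricted.
snmp-server view HELPDESK-RW 1.3.6.1.2.1.2.2.1.7 excluded

! portAdminSpeed (CISCO-STACK-MIB, 1.3.6.1.4.1.9.5.1.4.1.1.9): the port speed
! SET object named in the thread. Assumption: this is the object CiscoView
! uses on this platform; verify against the MIB for your release.
snmp-server view HELPDESK-RW 1.3.6.1.4.1.9.5.1.4.1.1.9 excluded

! vmVlan (CISCO-VLAN-MEMBERSHIP-MIB, 1.3.6.1.4.1.9.9.68.1.2.2.1.2) is not
! excluded, so it remains writable under "iso included" and changing a port's
! access VLAN still works.

! Bind the view to the read-write community. The view applies to every user
! of this community string; there is no per-CiscoView-user granularity here.
snmp-server community RW-SECRET view HELPDESK-RW RW
```

After applying it, `show snmp view` lists the include/exclude entries, and an SNMP SET against an excluded OID using RW-SECRET (for example a set of ifAdminStatus.<ifIndex> to 2 from the LMS server with net-snmp's snmpset) is refused by the agent instead of shutting the port, while a set of vmVlan.<ifIndex> succeeds. SNMP view matching takes the most specific (longest-prefix) entry, so the excluded leaf objects win over the broad `iso included` entry without needing to enumerate every other branch.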
11-12-2008 02:35 AM
Thanks guys for the feedback, I will have to look further into this. I might actually have to force them to use telnet instead of CiscoView. With telnet I can then at least control their privilege through the "command authorization sets" within ACS. Thanks again.
12-14-2008 11:15 PM
Hi,
I was searching for SNMPv3 info and found your comments on this forum, which were extremely helpful.
Further, if you can recommend any reading material (apart from Cisco online config guides) to get a good understanding of SNMPv2/SNMPv3, it would be appreciated.
Thanks & Regards,
CM
12-15-2008 09:35 AM
One of the references we use internally is "SNMP, SNMPv2, SNMPv3, and RMON 1 and 2" by Stallings (ISBN-13 978-0201485349).