CiscoView limited access via SNMPv3

pvanvuuren
Level 3

I have a unique challenge whereby users need to change VLAN assignment to ports via CiscoView. It is easy to use, and the users don't have to be highly skilled. The problem is that they can inadvertently change the speed or worse: shut the port.

My question is: is it possible to limit their access through CiscoView via enhanced SNMPv3 configurations? I cannot see that ACS integration can cater for this since it has only a read and read-write option.

Many Thanks

6 Replies

Joe Clarke
Cisco Employee

Unfortunately, this is not possible. Even with SNMPv3 configured on the device, only one set of SNMP credentials can be used from DCR. Therefore, if a user has "change" access to CV, they will be able to make all changes allowed by the configured DCR credential.

That said, if you wanted to limit this SNMP credential on the device side (i.e. limit it for all users) that would certainly be possible. You wouldn't even need to use SNMPv3. You could apply an SNMP view to the read-write credential on the device limiting it to branches of the MIB required by your help desk users. Of course, this would handicap other parts of LMS for all users. See http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094489.shtml#setupsnmp for more on SNMP views.

David Stanford
Cisco Employee

If you limit access to certain MIB objects via SNMPv3, it will impact CiscoView as a whole and any user who logs in with their specific permissions.

The only thing you can do is integrate with ACS and allow access at both the application and device level.

This is where using SNMPv1/v2c would be better. You could limit only the read-write community string, so the read-only would still work completely. The handicapping of which I was speaking would occur for apps like IPM, RME, and Campus unless the view was made broad enough. I suppose, if all you're worried about is limiting whether or not one can change the port state and speed, you could cut out ifOperStatus and the device's port speed SET object (e.g. portAdminSpeed).
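The device-side approach described in the replies above, written out as an IOS configuration. This is an added example, not configuration from the thread or from Cisco; the view and group names, the LMS server address and the placeholder credential strings are assumptions. It carves the port shut/no-shut object and a speed object out of the read-write view and leaves the read-only community untouched. It also shows the SNMPv3 variant, which the thread does not spell out: a v3 group takes separate read and write views, so reads of the excluded objects keep working while SETs are still refused.

```ios
! Added example (not from the original thread): restrict what the LMS
! read-write credential may change, on the device side, with SNMP views.
! View/group names, the management-station address and the <...>
! placeholders are assumptions.

! --- SNMPv1/v2c: one view gates both GET and SET for a community ---
! Start from the whole tree, then exclude the objects the help desk must
! not be able to SET from CiscoView.
snmp-server view HELPDESK-RW iso included
! ifAdminStatus (IF-MIB, 1.3.6.1.2.1.2.2.1.7) is the writable object that
! shuts/no-shuts a port; excluding the column removes it for every ifIndex.
snmp-server view HELPDESK-RW ifAdminStatus excluded
! Vendor speed object: the object name and OID differ per platform (the
! thread names portAdminSpeed from CISCO-STACK-MIB as one example), so
! confirm it against the device's own MIBs before relying on this line.
snmp-server view HELPDESK-RW portAdminSpeed excluded

! Bind the restricted view to the RW community only; the RO community is
! left complete so read-only parts of LMS are not handicapped. ACL 10
! limits both communities to the LMS server (address is an assumption).
access-list 10 permit host 10.0.0.50
snmp-server community <rw-string> view HELPDESK-RW rw 10
snmp-server community <ro-string> ro 10

! --- SNMPv3 alternative: separate read and write views per group ---
! The group can still GET everything (including ifAdminStatus); only SET
! is confined to HELPDESK-RW.
snmp-server view FULL iso included
snmp-server group LMS-HELPDESK v3 priv read FULL write HELPDESK-RW access 10
snmp-server user lms-helpdesk LMS-HELPDESK v3 auth sha <auth-pass> priv aes 128 <priv-pass>

! Verify: the excluded subtrees must be listed under the view, and a SET
! to ifAdminStatus through the restricted credential should come back as
! noAccess (v2c/v3) rather than taking effect.
show snmp view
show snmp group
```

The trade-off Joe describes still applies to the v1/v2c form: whatever is excluded from HELPDESK-RW is neither readable nor writable through that community, so any LMS function that reads those objects through the RW credential will misbehave. The v3 group form avoids that, since the read view stays complete; only the write view is narrowed.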

Thanks guys for the feedback, I will have to look further into this. I might actually have to force them to use telnet instead of CiscoView. With telnet I can then at least control their privilege through the "command authorization sets" within ACS. Thanks again.

Hi,

I was searching for SNMPv3 info and found your comments on this forum, which were extremely helpful.

Further, if you can recommend any reading material (apart from Cisco online config guides) to get a good understanding of SNMPv2/SNMPv3, it would be appreciated.

Thanks & Regards,

CM

One of the references we use internally is "SNMP, SNMPv2, SNMPv3, and RMON 1 and 2" by Stallings (ISBN-13 978-0201485349).