removing read-write / read-write-all

May 5th, 2006

The customer has a large number of Catalyst switches running CatOS that are configured with a read, a read-write and a read-write-all community string. We're starting discussions to remove all except the read string.


I'm trying to get an idea on what things might break if the read-write and read-write-all strings are removed. Do these Catalyst switches rely on these strings to do certain things with other modules or to perform certain functions?


thanks for any input



David Stanford (Cisco Employee) Fri, 05/05/2006 - 16:13

If you removed the read-write and read-write-all strings on the devices you will remove the ability to do snmpsets.


Sometimes sets are used to copy a new config from an NMS to a switch or old config the other way. (CiscoWorks can use telnet though for CatOS config backup)


If you keep the read string you will still be able to poll objects and monitor the device, you just won't be able to perform snmpsets on writeable objects.

getwithrob Fri, 05/05/2006 - 16:26

Thanks for the input.

Is there anything else you can think of? I heard mention that Catalyst switches with NAM modules installed needed these strings for something. I'm trying to understand what that something might be so I will know for sure if they're needed or not.

David Stanford Fri, 05/05/2006 - 18:12
User Badges:
  • Cisco Employee,

Yes, if you have a NAM then write access would come in handy.


Other times you might use it would include copying a new image or doing a reload via snmp

y-korolevski Fri, 05/05/2006 - 23:53

Read-write-all is needed for reloading of the CatOS.

You can drop it w/o serious damage to functionality. Run a reload command via NetConfig if required.


Read-write is needed for uploading/downloading software images. If you would drop this one, you would not be able to update RME with existing images and will not be able to update devices with new images.


I suggest creating strict access lists for the SNMP agent on these switches instead of removing the community. An additional option is to configure SNMPv3 and let CW communicate securely with the switches.


HTH,


Yigal


http://www.nms-guru.com


David Stanford (Cisco Employee) Sat, 05/06/2006 - 04:46

If you do attempt to use netconfig to reload the device as an ad hoc command, make sure to use the syntax like:


reload


It is an interactive command, so it expects carriage returns.

getwithrob Sat, 05/06/2006 - 06:51

Can Access Lists be configured and applied on Catalysts switches running CatOS?

nhabib Sat, 05/06/2006 - 07:07

I just tested this on 7.4, and you may apply access-lists on community strings:

set snmp access-list 111 10.10.10.10

set snmp community-ext nhabib read-only access 111


You may also use the set ip permit command. For example:

set ip permit 10.10.10.10 snmp
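
As an added example (not from this thread or from Cisco), a small Python audit that scans a CatOS configuration excerpt for the points raised above: which community strings grant write access (the read-write and read-write-all strings the original question wants removed), whether a `community-ext` string carries the `access <list>` restriction nhabib shows, and whether `set ip permit ... snmp` limits which hosts can reach the agent at all. The sample configuration and its community strings are constructed, and skipping `enable`/`disable` as a host in `set ip permit` lines is an assumption about that command's syntax.

```python
import re

# Constructed sample CatOS configuration excerpt; community strings are placeholders.
SAMPLE_CONFIG = """\
#snmp
set snmp community read-only      ro-placeholder
set snmp community read-write     rw-placeholder
set snmp community read-write-all rwa-placeholder
set snmp access-list 111 10.10.10.10
set snmp community-ext nhabib read-only access 111
#ip permit
set ip permit 10.10.10.10 snmp
"""

COMMUNITY_RE = re.compile(r"^set snmp community\s+(read-only|read-write|read-write-all)\s+(\S+)")
COMMUNITY_EXT_RE = re.compile(
    r"^set snmp community-ext\s+(\S+)\s+(read-only|read-write|read-write-all)(?:\s+access\s+(\d+))?")
SNMP_ACL_RE = re.compile(r"^set snmp access-list\s+(\d+)\s+(\S+)")
# Assumption: 'set ip permit enable snmp' is a switch, not a host entry, so skip it.
IP_PERMIT_RE = re.compile(r"^set ip permit\s+(?!enable\b|disable\b)(\S+)\s+(snmp|all)\b")

def audit_catos_snmp(config_text):
    """Report write-capable communities and the host restrictions around them."""
    write_communities = []   # (mode, string) for read-write / read-write-all
    unrestricted_ext = []    # community-ext entries without an access-list
    acls = {}                # access-list number -> permitted hosts
    ip_permit_hosts = []     # hosts allowed to reach the SNMP agent
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := COMMUNITY_RE.match(line):
            if m.group(1) != "read-only":
                write_communities.append((m.group(1), m.group(2)))
        elif m := COMMUNITY_EXT_RE.match(line):
            if m.group(2) != "read-only":
                write_communities.append((m.group(2), m.group(1)))
            if m.group(3) is None:
                unrestricted_ext.append(m.group(1))
        elif m := SNMP_ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := IP_PERMIT_RE.match(line):
            ip_permit_hosts.append(m.group(1))
    return {
        "write_communities": write_communities,
        "unrestricted_ext": unrestricted_ext,
        "snmp_acls": acls,
        "ip_permit_hosts": ip_permit_hosts,
        # Plain 'set snmp community' strings carry no access-list (only the
        # community-ext form does), so without an ip permit entry any host may use them.
        "write_reachable_from_any_host": bool(write_communities) and not ip_permit_hosts,
    }
```

Run it over a `show config` capture to see which write strings would be lost by removal versus which could instead be fenced in with an access-list or `set ip permit` entry.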

getwithrob Sat, 05/06/2006 - 11:52

Is this perhaps a new feature that was recently introduced for CatOS?


If so, what version was this introduced in?



Correct Answer
nhabib Sat, 05/06/2006 - 12:34

Looks like it was introduced in 7.4(1)


set ip permit 10.10.10.10 snmp has been in CatOS for as long as I can remember

getwithrob Sat, 05/06/2006 - 12:43

I will mention this as an option to removing the read-write and read-write-all strings.


Thanks for the input.
