05-05-2006 04:11 PM
The customer has a large number of Catalyst switches running CatOS that are configured with a read, a read-write and a read-write-all community string. We're starting discussions to remove all except the read string.
I'm trying to get an idea on what things might break if the read-write and read-write-all strings are removed. Do these Catalyst switches rely on these strings to do certain things with other modules or to perform certain functions?
thanks for any input
05-05-2006 04:13 PM
If you removed the read-write and read-write-all strings on the devices you will remove the ability to do snmpsets.
Sometimes sets are used to copy a new config from an NMS to a switch or old config the other way. (CiscoWorks can use telnet though for CatOS config backup)
If you keep the read string you will still be able to poll objects and monitor the device, you just won't be able to perform snmpsets on writeable objects.
05-05-2006 04:26 PM
Thanks for the input.
Is there anything else you can think of? I heard mention that Catalyst switches with NAM modules installed needed these strings for something. I'm trying to understand what that something might be so I will know for sure if they're needed or not.
05-05-2006 06:12 PM
yes, if you have a NAM then write access would come in handy.
Other times you might use it would include copying a new image or doing a reload via snmp
05-05-2006 11:53 PM
Read-write-all is needed for reloading of the CatOS.
You can drop it w/o serious damage to functionality. Run a reload command via NetConfig if required.
Read-write is needed for uploading/downloading software images. If you would drop this one, you would not be able to update RME with existing images and will not be able to update devices with new images.
I suggest creating strict access lists for the SNMP agent on these switches instead of removing the community. An additional option is to configure SNMPv3 and let CW communicate securely with the switches.
HTH,
Yigal
05-06-2006 04:46 AM
If you do attempt to use netconfig to reload the device as an adhoc command make sure to use the syntax like:
reload
It is an interactive command so it expects carriage returns.
05-06-2006 06:51 AM
Can Access Lists be configured and applied on Catalysts switches running CatOS?
05-06-2006 07:07 AM
I just tested this on 7.4, and you may apply access-lists on community strings:
set snmp access-list 111 10.10.10.10
set snmp community-ext nhabib read-only access 111
You may also use the set ip permit command. For example:
set ip permit 10.10.10.10 snmp
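As an added example that is not part of this thread and not Cisco or CiscoWorks code: a small Python script that checks what a switch's SNMPv1 agent still accepts once the read-write strings are gone or the access list is in place. It encodes a GetRequest and a SetRequest by hand, so it needs no net-snmp, and classifies the reply. That covers both the earlier answer (a read string can poll but not set) and the lockdown in this post, where a host outside the ip permit list or the community access list gets no reply at all. The switch address 10.10.10.1, the community strings and the request-id are made up. The SET probe writes an INTEGER to sysName.0, which is an OCTET STRING object, and relies on RFC 1157's order of checks (a variable the community may not write yields noSuchName before a wrongly typed value yields badValue), so it changes nothing on the switch; that order is an assumption about the agent, so confirm it on a lab switch before using it in production.

```python
# Added example, not from the thread: hand-rolled SNMPv1 GET/SET probe that
# reports how an agent treats a community string. Host, strings and the
# request-id are invented. The SET probe relies on RFC 1157 checking write
# access (noSuchName) before value type (badValue); verify on a lab switch.
import socket

SYS_NAME = (1, 3, 6, 1, 2, 1, 1, 5, 0)          # RFC 1213 sysName.0
GET_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA2, 0xA3
ERROR_NAMES = {0: "noError", 1: "tooBig", 2: "noSuchName",
               3: "badValue", 4: "readOnly", 5: "genErr"}

def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def _ber_int(v):
    """INTEGER in minimal two's-complement form."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))

def _ber_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    out = bytearray([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _ber_value(value):
    if value is None:
        return b"\x05\x00"                      # NULL placeholder in a GetRequest
    if isinstance(value, int):
        return _ber_int(value)
    return _tlv(0x04, value.encode() if isinstance(value, str) else value)

def build_message(pdu_tag, community, request_id, error_status, error_index, varbinds):
    """SNMPv1 message: SEQUENCE { version 0, community OCTET STRING, PDU }."""
    vbl = b"".join(_tlv(0x30, _ber_oid(oid) + _ber_value(val)) for oid, val in varbinds)
    pdu = _ber_int(request_id) + _ber_int(error_status) + _ber_int(error_index) + _tlv(0x30, vbl)
    return _tlv(0x30, _ber_int(0) + _tlv(0x04, community.encode()) + _tlv(pdu_tag, pdu))

def build_request(community, oid, request_id, value=None):
    """GetRequest when value is None, otherwise a SetRequest carrying value."""
    return build_message(GET_REQUEST if value is None else SET_REQUEST,
                         community, request_id, 0, 0, [(oid, value)])

def _read_tlv(data, pos):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def parse_response(data):
    """Decode a GetResponse into community, request-id and error-status."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, p = _read_tlv(msg, 0)
    _, community, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    if pdu_tag != GET_RESPONSE:
        raise ValueError("not a GetResponse PDU")
    _, rid, p = _read_tlv(pdu, 0)
    _, status, _ = _read_tlv(pdu, p)
    code = int.from_bytes(status, "big", signed=True)
    return {"community": community.decode(errors="replace"),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": code, "error_name": ERROR_NAMES.get(code, "unknown")}

def probe(host, community, write=False, timeout=2.0, port=161):
    """Agent's verdict on one community string: an error-status name, or
    'no reply' (CatOS drops unknown communities silently, and an ip permit
    list or community access list blocks an outside host the same way)."""
    rid = 0x4A11
    req = build_request(community, SYS_NAME, rid, 0 if write else None)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no reply"
    resp = parse_response(data)
    return resp["error_name"] if resp["request_id"] == rid else "unexpected request-id"

if __name__ == "__main__":
    # Hypothetical switch and strings: after the change the read string should
    # give GET noError / SET noSuchName, and a removed rw string no reply at all.
    for c in ("rd0nly", "0ldrw"):
        print(c, "GET:", probe("10.10.10.1", c), "SET:", probe("10.10.10.1", c, write=True))
```

Run it once from the NMS host (inside the permit list) and once from a host that is not; the second run should get "no reply" for every string if the access list works. The probe cannot tell a read-write string from a read-write-all string, since that would require setting an object only read-write-all may touch.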
05-06-2006 11:52 AM
Is this perhaps a new feature that was recently introduced for CatOS?
If so, what version was this introduced in?
05-06-2006 12:34 PM
Looks like it was introduced in 7.4(1)
set ip permit 10.10.10.10 snmp has been in CatOS for as long as I can remember
05-06-2006 12:43 PM
I will mention this as an option to removing the read-write and read-write-all strings.
Thanks for the input.