removing read-write / read-write-all

getwithrob
Level 3

The customer has a large number of Catalyst switches running CatOS that are configured with a read, a read-write and a read-write-all community string. We're starting discussions to remove all except the read string.

I'm trying to get an idea on what things might break if the read-write and read-write-all strings are removed. Do these Catalyst switches rely on these strings to do certain things with other modules or to perform certain functions?

thanks for any input


10 Replies

David Stanford
Cisco Employee

If you remove the read-write and read-write-all strings on the devices you will remove the ability to do SNMP sets.

Sometimes sets are used to copy a new config from an NMS to a switch or old config the other way. (CiscoWorks can use telnet though for CatOS config backup)

If you keep the read string you will still be able to poll objects and monitor the device, you just won't be able to perform SNMP sets on writeable objects.

Thanks for the input.

Is there anything else you can think of? I heard mention that Catalyst switches with NAM modules installed needed these strings for something. I'm trying to understand what that something might be so I will know for sure if they're needed or not.

yes, if you have a NAM then write access would come in handy.

Other times you might use it would include copying a new image or doing a reload via snmp

y-korolevski
Level 1

Read-write-all is needed for reloading of the CatOS.

You can drop it w/o serious damage to functionality. Run a reload command via NetConfig if required.

Read-write is needed for uploading/downloading software images. If you would drop this one, you would not be able to update RME with existing images and will not be able to update devices with new images.

I suggest creating strict access lists for the SNMP agent on these switches instead of removing the community. An additional option is to configure SNMPv3 and let CW communicate securely with the switches.

HTH,

Yigal

http://www.nms-guru.com

If you do attempt to use netconfig to reload the device as an adhoc command make sure to use the syntax like:

reload

It is an interactive command so it expects carriage returns.

Can Access Lists be configured and applied on Catalysts switches running CatOS?

I just tested this on 7.4, and you may apply access-lists on community strings:

set snmp access-list 111 10.10.10.10

set snmp community-ext nhabib read-only access 111

You may also use the set ip permit command. For example:

set ip permit 10.10.10.10 snmp
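Before and after a change like this it is worth auditing what the switches actually have configured rather than trusting the change ticket. The script below is an added example, not code from this thread or from Cisco: it parses the CatOS commands quoted above (set snmp community, set snmp community-ext ... access, set snmp access-list, set ip permit ... snmp) out of a show config dump and reports write communities, communities with no source restriction at all, and an ip permit list that has snmp entries but no "set ip permit enable snmp" line, which leaves the list unenforced. The config dump is constructed for the example (it uses the CatOS default strings public/private/secret plus the nhabib community from the post); the community name nmsrw is an assumption.

```python
"""Audit SNMP community configuration in a CatOS 'show config' dump.

Added example (not from the thread). Reports write communities and
communities reachable from any source, so you can see what removing
read-write/read-write-all, or adding access-lists, actually changed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, not captured from a real switch. 'set ip permit enable
# snmp' is deliberately absent so the enforcement check below fires.
SAMPLE_CONFIG = """\
begin
!
#snmp
set snmp community read-only      public
set snmp community read-write     private
set snmp community read-write-all secret
set snmp access-list 111 10.10.10.10
set snmp community-ext nhabib read-only access 111
set snmp community-ext nmsrw read-write
!
#ip permit list
set ip permit 10.10.10.10 snmp
set ip permit 10.10.10.10 telnet
end
"""

# CatOS config lines this audit understands. Order matters: the 'enable'
# form is matched before the generic host form so it is not read as a host.
PERMIT_ENABLE_RE = re.compile(r"^set ip permit enable (snmp|all)$")
PERMIT_RE = re.compile(r"^set ip permit (\S+)(?: (\S+))? (snmp|all)$")
COMMUNITY_RE = re.compile(r"^set snmp community (read-only|read-write|read-write-all)\s+(\S+)")
COMMUNITY_EXT_RE = re.compile(
    r"^set snmp community-ext (\S+) (read-only|read-write|read-write-all)(?:.*\baccess (\d+))?"
)
ACL_RE = re.compile(r"^set snmp access-list (\d+) (\S+)")

WRITE_LEVELS = ("read-write", "read-write-all")


@dataclass
class SnmpAudit:
    communities: dict = field(default_factory=dict)   # name -> (access level, acl number or None)
    acls: dict = field(default_factory=dict)          # acl number -> [hosts]
    permit_hosts: list = field(default_factory=list)  # hosts from 'set ip permit <host> snmp|all'
    permit_enabled: bool = False                      # 'set ip permit enable snmp|all' present
    findings: list = field(default_factory=list)


def audit_catos_snmp(config_text: str) -> SnmpAudit:
    a = SnmpAudit()
    for raw in config_text.splitlines():
        line = raw.strip()
        if PERMIT_ENABLE_RE.match(line):
            a.permit_enabled = True
        elif m := PERMIT_RE.match(line):
            a.permit_hosts.append(m.group(1))
        elif m := COMMUNITY_RE.match(line):
            a.communities[m.group(2)] = (m.group(1), None)
        elif m := COMMUNITY_EXT_RE.match(line):
            a.communities[m.group(1)] = (m.group(2), m.group(3))
        elif m := ACL_RE.match(line):
            a.acls.setdefault(m.group(1), []).append(m.group(2))

    # The permit list only restricts the SNMP agent when it is enabled for snmp.
    permit_effective = bool(a.permit_hosts) and a.permit_enabled

    for name, (access, acl) in a.communities.items():
        if access in WRITE_LEVELS:
            a.findings.append(f"{access} community '{name}' still configured (allows SNMP sets)")
        if acl is None and not permit_effective:
            a.findings.append(f"community '{name}' ({access}) is reachable from any source address")
        elif acl is not None and acl not in a.acls:
            a.findings.append(f"community '{name}' references undefined snmp access-list {acl}")

    if a.permit_hosts and not a.permit_enabled:
        a.findings.append(
            "ip permit entries for snmp exist but 'set ip permit enable snmp' is missing; the list is not enforced"
        )
    return a


def write_communities(a: SnmpAudit) -> list:
    """Names of communities that still allow SNMP sets."""
    return [name for name, (access, _) in a.communities.items() if access in WRITE_LEVELS]


if __name__ == "__main__":
    result = audit_catos_snmp(SAMPLE_CONFIG)
    print("write communities:", write_communities(result))
    for f in result.findings:
        print("-", f)
```

Run it against the output of show config from each switch; once the read-write and read-write-all lines are gone, write_communities() should come back empty and the only remaining findings should be about source restrictions on the read string.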

Is this perhaps a new feature that was recently introduced for CatOS?

If so, what version was this introduced in?

Looks like it was introduced in 7.4(1)

set ip permit 10.10.10.10 snmp has been in CatOS for as long as I can remember

I will mention this as an option to removing the read-write and read-write-all strings.

Thanks for the input.
