Cisco Support Community

Bronze

CiscoView limited access via SNMPv3

I have a unique challenge whereby users need to change VLAN assignment to ports via CiscoView. It is easy to use, and the users don't have to be highly skilled. The problem is that they can inadvertently change the speed or worse: shut the port.

My question is: is it possible to limit their access through CiscoView via enhanced SNMPv3 configurations? I cannot see that ACS integration can cater for this since it has only a read and read-write option.

Many Thanks

6 REPLIES
Cisco Employee

Re: CiscoView limited access via SNMPv3

Unfortunately, this is not possible. Even with SNMPv3 configured on the device, only one set of SNMP credentials can be used from DCR. Therefore, if a user has "change" access to CV, they will be able to make all changes allowed by the configured DCR credential.

That said, if you wanted to limit this SNMP credential on the device side (i.e. limit it for all users) that would certainly be possible. You wouldn't even need to use SNMPv3. You could apply an SNMP view to the read-write credential on the device limiting it to branches of the MIB required by your help desk users. Of course, this would handicap other parts of LMS for all users. See http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094489.shtml#setupsnmp for more on SNMP views.

Cisco Employee

Re: CiscoView limited access via SNMPv3

If you limit the access to certain MIB objects via snmp v3, it will impact CiscoView as a whole and any user who logs in with their specific permissions.

The only thing you can do is integrate with ACS and allow access at both the application and device level.

Cisco Employee

Re: CiscoView limited access via SNMPv3

This is where using SNMPv1/v2c would be better. You could limit only the read-write community string, so the read-only would still work completely. The handicapping of which I was speaking would occur for apps like IPM, RME, and Campus unless the view was made broad enough. I suppose, if all you're worried about is limiting whether or not one can change the port state and speed, you could cut out ifOperStatus and the device's port speed SET object (e.g. portAdminSpeed).
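
An added example, not part of the thread and not Cisco code: a Python check of how an SNMP view of the kind described in the replies above resolves individual OIDs, using the longest-matching-subtree rule from VACM (RFC 3415). The view contents, the names `HELPDESK_RW_VIEW` and `SAMPLE_REQUESTS`, and the numeric OIDs are assumptions to confirm against your platform's MIB files.

```python
# Added example: evaluate a candidate SNMP read-write view offline.
# All numeric OIDs are assumptions taken from the public MIBs (IF-MIB,
# CISCO-STACK-MIB, CISCO-VLAN-MEMBERSHIP-MIB); verify before real use.

def parse_oid(text):
    """Turn '1.3.6.1' (leading dot optional) into a tuple of ints."""
    return tuple(int(part) for part in text.strip(".").split("."))

def in_view(view, oid):
    """Return True if oid falls inside the view.

    view is a list of (subtree, included) pairs. The matching subtree
    with the most sub-identifiers decides; an OID that matches no
    subtree is outside the view (default deny).
    """
    target = parse_oid(oid)
    best_len, decision = -1, False
    for subtree, included in view:
        prefix = parse_oid(subtree)
        if target[:len(prefix)] == prefix and len(prefix) > best_len:
            best_len, decision = len(prefix), included
    return decision

# Hypothetical help-desk view for the read-write credential.
HELPDESK_RW_VIEW = [
    ("1.3.6.1.2.1.2.2", True),                # ifTable, so ports stay visible
    ("1.3.6.1.2.1.2.2.1.7", False),           # ifAdminStatus (settable up/down)
    ("1.3.6.1.2.1.2.2.1.8", False),           # ifOperStatus (named in the thread)
    ("1.3.6.1.4.1.9.5.1.4.1.1.9", False),     # portAdminSpeed
    ("1.3.6.1.4.1.9.9.68.1.2.2.1.2", True),   # vmVlan (port VLAN assignment)
]

# Constructed sample requests; instance indexes are made up.
SAMPLE_REQUESTS = {
    "vmVlan.10101": "1.3.6.1.4.1.9.9.68.1.2.2.1.2.10101",
    "ifDescr.10101": "1.3.6.1.2.1.2.2.1.2.10101",
    "ifAdminStatus.10101": "1.3.6.1.2.1.2.2.1.7.10101",
    "portAdminSpeed.1.1": "1.3.6.1.4.1.9.5.1.4.1.1.9.1.1",
    "sysContact.0": "1.3.6.1.2.1.1.4.0",
}

def audit(view, requests):
    """Map each named request to 'allowed' or 'denied' under the view."""
    return {name: "allowed" if in_view(view, oid) else "denied"
            for name, oid in requests.items()}

if __name__ == "__main__":
    for name, verdict in audit(HELPDESK_RW_VIEW, SAMPLE_REQUESTS).items():
        print(f"{name:22} {verdict}")
```

Anything the view does not list, such as `sysContact.0` here, is denied, which is why a narrow read-write view also affects other applications that share the credential.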

Bronze

Re: CiscoView limited access via SNMPv3

Thanks guys for the feedback, I will have to look further into this. I might actually have to force them to use telnet instead of CiscoView. With telnet I can then at least control their privilege through the "command authorization sets" within ACS. Thanks again.

New Member

Re: CiscoView limited access via SNMPv3

Hi,

I was searching for SNMPv3 info and found your comments on this forum, which were extremely helpful.

Further, if you can recommend any reading material (apart from Cisco online config guides) to get a good understanding of SNMPv2/SNMPv3, it would be appreciated.

Thanks & Regards,

CM

Cisco Employee

Re: CiscoView limited access via SNMPv3

One of the references we use internally is "SNMP, SNMPv2, SNMPv3, and RMON 1 and 2" by Stallings (ISBN-13 978-0201485349).
