I have a unique challenge whereby users need to change VLAN assignment to ports via CiscoView. It is easy to use, and the users don't have to be highly skilled. The problem is that they can inadvertently change the speed or worse: shut the port.
My question is: is it possible to limit their access through CiscoView via enhanced SNMPv3 configurations? I cannot see that ACS integration can cater for this since it has only a read and read-write option.
Unfortunately, this is not possible. Even with SNMPv3 configured on the device, only one set of SNMP credentials can be used from DCR. Therefore, if a user has "change" access to CV, they will be able to make all changes allowed by the configured DCR credential.
That said, if you wanted to limit this SNMP credential on the device side (i.e. limit it for all users) that would certainly be possible. You wouldn't even need to use SNMPv3. You could apply an SNMP view to the read-write credential on the device limiting it to branches of the MIB required by your help desk users. Of course, this would handicap other parts of LMS for all users. See http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094489.shtml#setupsnmp for more on SNMP views.
This is where using SNMPv1/v2c would be better. You could limit only the read-write community string, so the read-only would still work completely. The handicapping of which I was speaking would occur for apps like IPM, RME, and Campus unless the view was made broad enough. I suppose, if all you're worried about is limiting whether or not one can change the port state and speed, you could cut out ifOperStatus and the device's port speed SET object (e.g. portAdminSpeed).
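A device-side SNMP view along the lines described above, written here as an added illustration and not taken from the thread. It assumes an IOS-style CLI; the excluded objects are IF-MIB ifAdminStatus (the writable counterpart of ifOperStatus, and the object a SET uses to shut a port) and CISCO-STACK-MIB portAdminSpeed, while the community strings and the LMS server address are placeholders.

```cisco
! Read-only community stays unrestricted, so discovery, IPM, RME and Campus
! keep full read access. Source-restricted to the LMS server (access-list 10).
snmp-server community RO-PLACEHOLDER RO 10
!
! View for the read-write credential: everything under iso is allowed ...
snmp-server view HELPDESK-RW iso included
! ... except the object that shuts or enables a port
! (IF-MIB ifAdminStatus, 1.3.6.1.2.1.2.2.1.7 = ifEntry.7)
snmp-server view HELPDESK-RW 1.3.6.1.2.1.2.2.1.7 excluded
! ... and the port speed SET object named above
! (CISCO-STACK-MIB portAdminSpeed, 1.3.6.1.4.1.9.5.1.4.1.1.9 = portEntry.9)
snmp-server view HELPDESK-RW 1.3.6.1.4.1.9.5.1.4.1.1.9 excluded
!
! Bind the view to the read-write community that DCR stores for CiscoView.
! VLAN membership objects (CISCO-VLAN-MEMBERSHIP-MIB) remain writable
! because they are still covered by the "iso included" entry.
snmp-server community RW-PLACEHOLDER view HELPDESK-RW RW 10
!
! Constructed placeholder for the LMS server address
access-list 10 permit host 192.0.2.10
```

Because a view exclusion applies to GETs as well as SETs, the read-write credential can no longer read those two objects either; LMS reads them through the untouched read-only community. Verify with `show snmp view` and with a test SET against one of the excluded objects from the LMS server, which the device should now reject.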
Thanks guys for the feedback, I will have to look further into this. I might actually have to force them to use telnet instead of CiscoView. With telnet I can then at least control their privilege through the "command authorization sets" within ACS. Thanks again.