Cisco Support Community
Community Member

removing read-write / read-write-all

The customer has a large number of Catalyst switches running CatOS that are configured with a read, a read-write and a read-write-all community string. We're starting discussions to remove all except the read string.

I'm trying to get an idea on what things might break if the read-write and read-write-all strings are removed. Do these Catalyst switches rely on these strings to do certain things with other modules or to perform certain functions?

Thanks for any input.


10 REPLIES
Cisco Employee

Re: removing read-write / read-write-all

If you remove the read-write and read-write-all strings on the devices, you remove the ability to do SNMP sets.

Sometimes sets are used to copy a new config from an NMS to a switch, or an old config the other way. (CiscoWorks can use Telnet for CatOS config backup, though.)

If you keep the read string you will still be able to poll objects and monitor the device, you just won't be able to perform snmpsets on writeable objects.

Community Member

Re: removing read-write / read-write-all

Thanks for the input.

Is there anything else you can think of? I heard mention that Catalyst switches with NAM modules installed needed these strings for something. I'm trying to understand what that something might be so I will know for sure if they're needed or not.

Cisco Employee

Re: removing read-write / read-write-all

Yes, if you have a NAM, then write access would come in handy.

Other times you might use it include copying a new image or doing a reload via SNMP.

Community Member

Re: removing read-write / read-write-all

Read-write-all is needed for reloading of the CatOS.

You can drop it without serious damage to functionality. Run a reload command via NetConfig if required.

Read-write is needed for uploading/downloading software images. If you drop this one, you will not be able to update RME with existing images and will not be able to update devices with new images.

I suggest creating strict access lists for the SNMP agent on these switches instead of removing the community. An additional option is to configure SNMPv3 and let CW communicate securely with the switches.

HTH,

Yigal

http://www.nms-guru.com

Cisco Employee

Re: removing read-write / read-write-all

If you do attempt to use NetConfig to reload the device as an ad hoc command, make sure to use the syntax like:

reload

It is an interactive command, so it expects carriage returns.

Community Member

Re: removing read-write / read-write-all

Can access lists be configured and applied on Catalyst switches running CatOS?

Red

Re: removing read-write / read-write-all

I just tested this on 7.4, and you may apply access-lists to community strings:

set snmp access-list 111 10.10.10.10

set snmp community-ext nhabib read-only access 111

You may also use the set ip permit command. For example:

set ip permit 10.10.10.10 snmp
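Since the customer has "a large number" of switches, the practical question is which of them still carry a read-write or read-write-all string that is reachable from anywhere, versus one already bound to an SNMP access-list (Yigal's suggestion above) or guarded by an IP permit list (Red's commands above). The script below is an added example written for this thread, not Cisco's or CiscoWorks' code: it parses the `set snmp ...` and `set ip permit ...` lines of a CatOS `show config` dump and flags write strings that neither mechanism restricts. The line formats for `set snmp community`, `set snmp access-list` and `set snmp community-ext ... access N` follow the commands quoted in the thread; the `set ip permit enable snmp` form and the switch dumps themselves are constructed assumptions, so check the syntax against your CatOS release before trusting a "guarded" result.

```python
"""Audit CatOS switch configs for unrestricted SNMP write access.

Added example for this thread (not Cisco code). It flags read-write and
read-write-all community strings that are neither bound to a populated
SNMP access-list (set snmp community-ext <string> <level> access <n>)
nor covered by an enabled IP permit list for SNMP.
"""
import re
from dataclasses import dataclass, field

WRITE_LEVELS = ("read-write", "read-write-all")

# Config-line patterns. The community / access-list / community-ext forms are
# the ones quoted in the thread; the `set ip permit enable snmp` form is assumed.
RE_COMMUNITY = re.compile(r"^set snmp community (read-only|read-write|read-write-all) (\S+)$")
RE_COMMUNITY_EXT = re.compile(
    r"^set snmp community-ext (\S+) (read-only|read-write|read-write-all)(?: access (\d+))?$")
RE_ACL = re.compile(r"^set snmp access-list (\d+) (\S+)$")
RE_PERMIT_ENABLE = re.compile(r"^set ip permit enable (snmp|all)$")
RE_PERMIT_HOST = re.compile(
    r"^set ip permit (?!enable|disable)(\S+)(?: (\d+\.\d+\.\d+\.\d+))? (snmp|all)$")


@dataclass
class SnmpAudit:
    communities: dict = field(default_factory=dict)  # string -> access level
    acl_of: dict = field(default_factory=dict)       # string -> snmp access-list number
    acls: dict = field(default_factory=dict)         # access-list number -> [hosts]
    permit_hosts: list = field(default_factory=list)
    permit_snmp_enabled: bool = False

    def write_communities(self):
        return sorted(s for s, lvl in self.communities.items() if lvl in WRITE_LEVELS)

    def unrestricted_write(self):
        """Write strings usable from any source: no populated access-list bound
        to the string and no enabled IP permit list with hosts covering SNMP."""
        guarded_globally = self.permit_snmp_enabled and bool(self.permit_hosts)
        exposed = []
        for s in self.write_communities():
            acl = self.acl_of.get(s)
            guarded_per_string = acl is not None and bool(self.acls.get(acl))
            if not (guarded_per_string or guarded_globally):
                exposed.append(s)
        return exposed


def parse_catos(config_text):
    """Build an SnmpAudit from the relevant lines of a CatOS config dump."""
    a = SnmpAudit()
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := RE_COMMUNITY.match(line):
            a.communities[m.group(2)] = m.group(1)
        elif m := RE_COMMUNITY_EXT.match(line):
            a.communities[m.group(1)] = m.group(2)
            if m.group(3):
                a.acl_of[m.group(1)] = m.group(3)
        elif m := RE_ACL.match(line):
            a.acls.setdefault(m.group(1), []).append(m.group(2))
        elif RE_PERMIT_ENABLE.match(line):
            a.permit_snmp_enabled = True
        elif m := RE_PERMIT_HOST.match(line):
            a.permit_hosts.append(m.group(1))
    return a


def remediation(audit, nms_ip, acl_number="111"):
    """Commands (syntax as quoted in the thread) binding each exposed write
    string to an access-list that allows only the NMS. That this also applies
    to strings set with plain `set snmp community` is an assumption."""
    exposed = audit.unrestricted_write()
    if not exposed:
        return []
    cmds = [f"set snmp access-list {acl_number} {nms_ip}"]
    for s in exposed:
        cmds.append(f"set snmp community-ext {s} {audit.communities[s]} access {acl_number}")
    return cmds


# Constructed sample dumps for three hypothetical switches (not real devices).
CONFIGS = {
    "sw-core-1": """
set snmp community read-only public
set snmp community read-write private
set snmp community read-write-all secret
""",
    "sw-dist-2": """
set snmp community read-only ro-nms
set snmp access-list 111 10.10.10.10
set snmp community-ext rw-nms read-write access 111
""",
    "sw-edge-7": """
set snmp community read-only ro-nms
set snmp community read-write private
set ip permit enable snmp
set ip permit 10.10.10.10 snmp
""",
}


def audit_all(configs):
    """Map switch name -> write strings reachable from any source address."""
    return {name: parse_catos(text).unrestricted_write() for name, text in configs.items()}


if __name__ == "__main__":
    for name, exposed in audit_all(CONFIGS).items():
        print(f"{name}: {'EXPOSED ' + ', '.join(exposed) if exposed else 'ok'}")
    for cmd in remediation(parse_catos(CONFIGS["sw-core-1"]), "10.10.10.10"):
        print("  " + cmd)
```

Run it over the dumps RME (or a Telnet/Expect loop) already collects for you; the switches it reports as exposed are the ones where you either remove the write strings, as the original question proposes, or apply the access-list commands it emits. A string that is restricted to the NMS address is still a plaintext SNMPv1/v2c secret on the wire, so the access-list is a stopgap next to the SNMPv3 option Yigal mentions, not a substitute for it.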

Community Member

Re: removing read-write / read-write-all

Is this perhaps a new feature that was recently introduced for CatOS?

If so, what version was this introduced in?

Red (accepted solution)

Re: removing read-write / read-write-all

Looks like it was introduced in 7.4(1)

set ip permit 10.10.10.10 snmp has been in CatOS for as long as I can remember

Community Member

Re: removing read-write / read-write-all

I will mention this as an option to removing the read-write and read-write-all strings.

Thanks for the input.
