The customer has a large number of Catalyst switches running CatOS that are configured with a read, a read-write and a read-write-all community string. We're starting discussions to remove all except the read string.
I'm trying to get an idea on what things might break if the read-write and read-write-all strings are removed. Do these Catalyst switches rely on these strings to do certain things with other modules or to perform certain functions?
Thanks for any input.
If you remove the read-write and read-write-all strings on the devices, you will remove the ability to do SNMP sets.
Sometimes sets are used to copy a new config from an NMS to a switch or old config the other way. (CiscoWorks can use telnet though for CatOS config backup)
If you keep the read string you will still be able to poll objects and monitor the device; you just won't be able to perform SNMP sets on writeable objects.
Thanks for the input.
Is there anything else you can think of? I heard mention that Catalyst switches with NAM modules installed needed these strings for something. I'm trying to understand what that something might be so I will know for sure if they're needed or not.
yes, if you have a NAM then write access would come in handy.
Other times you might use it would include copying a new image or doing a reload via snmp
Read-write-all is needed for reloading of the CatOS.
You can drop it without serious damage to functionality. Run a reload command via NetConfig if required.
Read-write is needed for uploading/downloading software images. If you would drop this one, you would not be able to update RME with existing images and will not be able to update devices with new images.
I suggest creating strict access lists for the SNMP agent on these switches instead of removing the community. An additional option is to configure SNMPv3 and let CW communicate securely with the switches.
If you do attempt to use NetConfig to reload the device as an ad hoc command, make sure to use syntax like:
It is an interactive command, so it expects carriage returns.
I just tested this on 7.4, and you may apply access-lists on community strings:
set snmp access-list 111 10.10.10.10
set snmp community-ext nhabib read-only access 111
You may also use the set ip permit command. For example:
set ip permit 10.10.10.10 snmp
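Before deciding which strings to remove, it helps to inventory which communities on each switch actually carry write access and whether any source restriction applies to them. The script below is an added example written for this page, not code from the thread or from Cisco; it parses a constructed CatOS-style "show config" excerpt using the command forms shown above (set snmp community, set snmp community-ext ... access <acl>, set snmp access-list, set ip permit ... snmp). The assumption that a "set ip permit enable snmp" (or plain "set ip permit enable") line is required before permit entries take effect is mine and should be checked against the CatOS release in use.

```python
"""Audit SNMP community strings in a CatOS configuration dump.

Reports every read-write / read-write-all community and whether it is
restricted to specific source hosts, either by an SNMP access-list bound
through 'set snmp community-ext ... access <n>' or by the switch-wide
'set ip permit ... snmp' list.  Unrestricted write communities are the
ones to remove or lock down first.
"""
import re

# Constructed sample in the style of CatOS 'show config' output (not from a real device).
SAMPLE_CONFIG = """\
set snmp community read-only public
set snmp community read-write private
set snmp community read-write-all secret
set snmp access-list 111 10.10.10.10
set snmp community-ext nms read-write access 111
set snmp community-ext nhabib read-only access 111
"""

# Same sample with the switch-wide SNMP permit list enabled and populated.
SAMPLE_CONFIG_PERMIT = SAMPLE_CONFIG + """\
set ip permit enable snmp
set ip permit 10.10.10.10 snmp
"""

WRITE_LEVELS = {"read-write", "read-write-all"}

# Classic form: set snmp community <level> <string>
_COMMUNITY = re.compile(r"^set snmp community (read-only|read-write|read-write-all)\s+(\S+)$")
# Extended form (CatOS 7.x): set snmp community-ext <string> <level> [access <acl>]
_COMMUNITY_EXT = re.compile(
    r"^set snmp community-ext (\S+)\s+(read-only|read-write|read-write-all)(?:\s+access\s+(\d+))?$")
# set snmp access-list <number> <host>
_SNMP_ACL = re.compile(r"^set snmp access-list (\d+)\s+(\S+)")
# Assumption: 'set ip permit enable' (optionally followed by snmp/all) activates the permit list.
_IP_PERMIT_ENABLE = re.compile(r"^set ip permit enable(?:\s+(\S+))?$")
# set ip permit <host> [mask] snmp
_IP_PERMIT_ENTRY = re.compile(r"^set ip permit (\S+)(?:\s+(\S+))?\s+snmp$")


def parse_config(text):
    """Return (communities, acls, permit_hosts, permit_enabled)."""
    communities = []   # dicts: string, level, acl (acl number as str, or None)
    acls = {}          # acl number -> list of permitted hosts
    permit_hosts = []  # hosts listed with 'set ip permit <host> snmp'
    permit_enabled = False
    for raw in text.splitlines():
        line = raw.strip()
        m = _COMMUNITY.match(line)
        if m:
            communities.append({"string": m.group(2), "level": m.group(1), "acl": None})
            continue
        m = _COMMUNITY_EXT.match(line)
        if m:
            communities.append({"string": m.group(1), "level": m.group(2), "acl": m.group(3)})
            continue
        m = _SNMP_ACL.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = _IP_PERMIT_ENABLE.match(line)
        if m:
            if m.group(1) in (None, "snmp", "all"):
                permit_enabled = True
            continue
        m = _IP_PERMIT_ENTRY.match(line)
        if m:
            permit_hosts.append(m.group(1))
    return communities, acls, permit_hosts, permit_enabled


def audit(text):
    """Map each write-capable community string to a description of its
    source restriction, or None when any host can use it."""
    communities, acls, permit_hosts, permit_enabled = parse_config(text)
    report = {}
    for c in communities:
        if c["level"] not in WRITE_LEVELS:
            continue
        if c["acl"] and acls.get(c["acl"]):
            report[c["string"]] = "access-list %s (%s)" % (c["acl"], ", ".join(acls[c["acl"]]))
        elif permit_enabled and permit_hosts:
            report[c["string"]] = "ip permit (%s)" % ", ".join(permit_hosts)
        else:
            report[c["string"]] = None
    return report


def unrestricted_write_communities(text):
    """Sorted list of write communities with no source restriction at all."""
    return sorted(s for s, restriction in audit(text).items() if restriction is None)


if __name__ == "__main__":
    for name, cfg in (("no permit list", SAMPLE_CONFIG), ("permit list on", SAMPLE_CONFIG_PERMIT)):
        print(name, audit(cfg))
        print("  unrestricted:", unrestricted_write_communities(cfg))
```

Run it against the output of "show config" from each switch; communities that come back as None are reachable for SNMP sets from any address that can reach the switch, which is exactly the exposure the read-write and read-write-all strings create when no access-list or permit list is applied.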