Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

SNMP Baselining LMS3

I'm trying to build a baseline job to ensure the correct snmp community strings are set, but it doesn't seem to work. I'm using:

+ snmp-server community [#!string#] RO

+ snmp-server community [#!string2#] RW 1

The correct strings are in the config but the job shows the devices out of compliance. If i change the "+" to a "-" then they become compliant... I don't understand the problem.

Thanks in advance.

Cisco Employee

Re: SNMP Baselining LMS3

These expressions say that in order to be compliant the configuration must have a line:

snmp-server community

That is not followed with "string" then ends with RO. For example, the following would match:

snmp-server community public RO

That would be a compliant line. Typically, when doing negative matching (i.e. [#! ... #]) you use '-' to denote "anything else should NOT be in the config".

New Member

Re: SNMP Baselining LMS3

Ok, thanks that makes sense. So if I wanted to ensure that the only RO and RW strings where stringRO and stringRW would the statement look like this:

+ snmp-server community [#stringRO#] RO

- snmp-server community [#!.*#] RO

+ snmp-server community [#stringRW#] RW 1

- snmp-server community [#!.*#] RW [#.*#]

Or is there a better way to confirm only the RO and RW strings are there and no others?

Thanks again

Cisco Employee

Re: SNMP Baselining LMS3

Not exactly. You need to understand how basline matching works. Each line in the template is compared to each line in the config -- line by line. So, you want:

+ snmp-server community stringRO RO

+ snmp-server community stringRW RW 1

- snmp-server community [#!(stringRO|stringRW)#] [#RO|RW#]

You don't need to worry about the trailing ACL number. If the community doesn't match, it's non-compliant anyway.