WLSE - Device discovery without SNMP

admin_2
Level 3

Due to security issues, both the CDP and SNMP protocols are disabled. I am unable to discover a device when I enter it manually via just the IP.

The run log shows:

Seed value entered: 10.50.33.254

Seed value entered: 10.50.33.253

Seed value entered: 10.50.33.252

Hop count defined: 1

CDP Discovery started at 2004-02-17 22:43:50.761 (UTC)

10.50.33.252 is SNMP unreachable, unable to read CDP cache.

10.50.33.253 is SNMP unreachable, unable to read CDP cache.

10.50.33.254 is SNMP unreachable, unable to read CDP cache.

Number of devices (re)discovered: 0

CDP Discovery completed at 2004-02-17 22:44:50.81 (UTC)

Is there a way to discover it without using SNMP?


rmushtaq
Level 8

Discovery can work without CDP enabled but it will not work if SNMP is also disabled. There is no way to do discovery with SNMP being disabled on the devices.

minie
Level 4

The best you can do is to import APs from a CSV file or CW. However, even if you have all APs in inventory, you still cannot do anything with them.

It will not generate faults when they break, you cannot upgrade firmware, and periodic reports won't run, because they all rely on SNMP.

Not applicable

Thanks for your help.

Has anyone else used WLSE with a lot (400+) of APs over a large area, such as the US, and found security issues using SNMPv3?

The WAN admin refuses to enable SNMP because of security issues he thinks are there, but he wants me to manage them all somehow. Is he being too paranoid with SNMP?

Yes, I think he is. It's true that the SNMP community is in clear text, meaning whoever sniffs the wire can get the read-only and read-write strings. And with the RW string, one can manipulate the AP's configs. However, there's also a thing called an access-list that can be configured on devices to prevent unauthorized access.

It's also a fact that SNMP v3 is more secure because the username is encrypted. However, v3 is never mass deployed because of its complexity.

Based on experience, most customers are comfortable enabling SNMP in their network. After all, with mass network devices deployed, SNMP is the only way of managing them.

Minie, can you give an example of how you would use ACLs to lock down 1230 APs running IOS to just the specific IP address of the WLSE?

access-list 1 permit 1.1.1.1

snmp-server community string1 ro 1

In this example the trusted management station is configured with an IP address of 1.1.1.1. Apply an access list to all of the read-only and read-write community strings configured on the device.

Rizwan is correct. You configure an ACL and apply it to the SNMP community string, which restricts who can poll the AP using that community. Or you can apply the ACL to the FE interface, just like on other IOS devices.
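The lockdown described in the two replies above (an access-list applied to every snmp-server community) is easy to get wrong across 400+ access points: one AP with a community line that has no ACL, or that references an ACL number nobody defined, is open to any host that knows the string. The following is an added example, not code from the thread or from Cisco, that audits a saved IOS configuration for exactly those gaps. The configuration text, the hostname and the IP addresses are constructed for the example; only the `access-list N permit ...` and `snmp-server community ... [ro|rw] [acl]` syntax is taken from the thread.

```python
import re
from typing import Dict, List

# Constructed sample of an IOS access point configuration (not from the thread).
# string1 is locked to one management station, as in the thread's example;
# "public" has no ACL at all; "private" is read-write and points at an ACL
# that is never defined.
SAMPLE_CONFIG = """\
hostname ap-1230-lab
!
access-list 1 permit 10.0.0.5
!
snmp-server community string1 RO 1
snmp-server community public RO
snmp-server community private RW 7
!
interface FastEthernet0
 ip address 10.0.0.20 255.255.255.0
end
"""

# access-list <number> permit|deny <rest of the entry>
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.*)$")

# snmp-server community <string> [view <name>] [ro|rw] [acl]
COMMUNITY_RE = re.compile(
    r"^snmp-server community\s+(\S+)(?:\s+view\s+\S+)?(?:\s+(ro|rw))?(?:\s+(\S+))?\s*$",
    re.IGNORECASE,
)


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Return {acl_number: [entries]} for every standard access-list in the config."""
    acls: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(f"{m.group(2)} {m.group(3)}")
    return acls


def audit_snmp_communities(config: str) -> List[dict]:
    """One finding per snmp-server community line; an empty 'issues' list means
    the community is read-only, has an ACL, and that ACL exists and is not 'permit any'."""
    acls = parse_acls(config)
    findings = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        name = m.group(1)
        mode = (m.group(2) or "ro").lower()   # IOS defaults to read-only
        acl = m.group(3)
        issues = []
        if acl is None:
            issues.append("no ACL applied: any host that knows the string can poll")
        elif acl not in acls:
            issues.append(f"ACL {acl} is referenced but never defined; treat as unrestricted")
        elif any(entry.startswith("permit any") for entry in acls[acl]):
            issues.append(f"ACL {acl} permits any source, so it restricts nothing")
        if mode == "rw":
            issues.append("read-write community: allows configuration changes, not just polling")
        findings.append({"community": name, "mode": mode, "acl": acl, "issues": issues})
    return findings


def is_locked_down(config: str) -> bool:
    """True only if every community on the device passes the audit."""
    findings = audit_snmp_communities(config)
    return bool(findings) and all(not f["issues"] for f in findings)


if __name__ == "__main__":
    for f in audit_snmp_communities(SAMPLE_CONFIG):
        status = "OK" if not f["issues"] else "; ".join(f["issues"])
        print(f"{f['community']:<10} {f['mode']:<3} acl={f['acl']!s:<5} {status}")
    print("locked down:", is_locked_down(SAMPLE_CONFIG))
```

Run it over each AP's `show running-config` output collected from your management station; any device where `is_locked_down` is false still needs the ACL treatment from the replies above. The community names themselves are printed only to identify the line, so the report can be shared without exposing the strings if you mask that column.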
