02-17-2004 03:14 PM - edited 07-04-2021 09:22 AM
Due to security issues, both the CDP and SNMP protocols are disabled. I am unable to discover a device when I enter it in manually via just the IP.
The run log shows:
Seed value entered: 10.50.33.254
Seed value entered: 10.50.33.253
Seed value entered: 10.50.33.252
Hop count defined: 1
CDP Discovery started at 2004-02-17 22:43:50.761 (UTC)
10.50.33.252 is SNMP unreachable, unable to read CDP cache.
10.50.33.253 is SNMP unreachable, unable to read CDP cache.
10.50.33.254 is SNMP unreachable, unable to read CDP cache.
Number of devices (re)discovered: 0
CDP Discovery completed at 2004-02-17 22:44:50.81 (UTC)
Is there a way to discover it without using SNMP?
02-17-2004 03:55 PM
Discovery can work without CDP enabled but it will not work if SNMP is also disabled. There is no way to do discovery with SNMP being disabled on the devices.
02-17-2004 05:53 PM
The best you can do is to import APs from a CSV file or CW. However, say you have all APs in inventory, you still cannot do anything with them.
It will not generate faults when they break, you cannot upgrade firmware, and periodic reports won't run, because they all rely on SNMP.
02-20-2004 10:17 AM
Thanks for your help.
Has anyone else used WLSE with a lot (400+) of APs over a large area, such as the US, and found security issues using SNMPv3?
The WAN admin refuses to enable SNMP because of security issues he thinks are there, but he wants me to manage them all somehow. Is he being too paranoid with SNMP?
02-20-2004 11:57 AM
Yes, I think he is. It's true that the SNMP community is in clear text, meaning whoever sniffs the wire can get the read-only and read-write strings. And with the RW string, one can manipulate the APs' configs. However, there's also a thing called an access-list that can be configured on devices to prevent unauthorized access.
It's also a fact that SNMPv3 is more secure because the username is encrypted. However, v3 has never been mass deployed because of its complexity.
Based on experience, most customers are comfortable enabling SNMP in their network. After all, with many network devices deployed, SNMP is the only way of managing them.
02-24-2004 06:58 PM
Minie, can you give an example of how you would use ACLs to lock down 1230 APs running IOS to just the specific IP address of the WLSE?
02-24-2004 09:10 PM
access-list 1 permit 1.1.1.1
snmp-server community string1 ro 1
In this example the trusted management station is configured with an IP address of 1.1.1.1. Apply an access list to all of the read-only and read-write community strings configured on the device.
02-25-2004 07:12 AM
Rizwan is correct. You configure an ACL, and apply the ACL to the snmp community string which will restrict who can poll the AP using the community. Or you can apply the ACL to the FE interface, just like other IOS devices.
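A small audit check for the ACL-based restriction discussed above, added here as an example and not code from the thread or from Cisco: it reads an IOS running-config excerpt, lists every snmp-server community line, and flags strings that have no ACL or reference an ACL the config never defines. The config text is constructed for the example; only the first two lines mirror the snippet posted in the thread.

```python
from typing import Dict, List, Optional, Set

# Constructed sample config (not a real device): string1 is bound to ACL 1 as in
# the thread's example, string2 is an unrestricted RW string, string3 points at
# an ACL that does not exist in the config.
SAMPLE_CONFIG = """\
access-list 1 permit 1.1.1.1
snmp-server community string1 ro 1
snmp-server community string2 rw
snmp-server community string3 ro 5
"""


def parse_snmp_communities(config: str) -> List[Dict[str, Optional[str]]]:
    """One record per 'snmp-server community' line: name, ro/rw mode, ACL."""
    records = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] != ["snmp-server", "community"] or len(parts) < 3:
            continue
        mode, acl = "ro", None  # IOS defaults to read-only when no mode is given
        rest = parts[3:]
        i = 0
        while i < len(rest):
            tok = rest[i].lower()
            if tok in ("ro", "rw"):
                mode = tok
            elif tok in ("view", "ipv6"):
                i += 1  # skip the view name / IPv6 ACL name that follows
            else:
                acl = rest[i]  # trailing numbered or named standard ACL
            i += 1
        records.append({"name": parts[2], "mode": mode, "acl": acl})
    return records


def defined_acls(config: str) -> Set[str]:
    """Names/numbers of standard ACLs declared anywhere in the config."""
    acls = set()
    for line in config.splitlines():
        p = line.split()
        if p[:1] == ["access-list"] and len(p) > 1:
            acls.add(p[1])
        elif p[:3] == ["ip", "access-list", "standard"] and len(p) > 3:
            acls.add(p[3])
    return acls


def audit_snmp(config: str) -> List[str]:
    """Flag community strings that no management-station ACL restricts."""
    acls, findings = defined_acls(config), []
    for rec in parse_snmp_communities(config):
        if rec["acl"] is None:
            findings.append(f"{rec['name']}: {rec['mode']} community with no ACL")
        elif rec["acl"] not in acls:
            findings.append(f"{rec['name']}: ACL {rec['acl']} is not defined")
    return findings
```

Run `audit_snmp(SAMPLE_CONFIG)` against the sample and only string2 and string3 are reported; string1 passes because ACL 1 exists and is applied.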