New Member

WSLE - Device discovery without SNMP

Due to security issues, both the CDP and SNMP protocols are disabled. I am unable to discover a device when I enter it manually via just the IP.

The run log shows:

Seed value entered: 10.50.33.254
Seed value entered: 10.50.33.253
Seed value entered: 10.50.33.252
Hop count defined: 1
CDP Discovery started at 2004-02-17 22:43:50.761 (UTC)
10.50.33.252 is SNMP unreachable, unable to read CDP cache.
10.50.33.253 is SNMP unreachable, unable to read CDP cache.
10.50.33.254 is SNMP unreachable, unable to read CDP cache.
Number of devices (re)discovered: 0
CDP Discovery completed at 2004-02-17 22:44:50.81 (UTC)

Is there a way to discover it without using SNMP?

7 REPLIES
Blue

Re: WSLE - Device discovery without SNMP

Discovery can work without CDP enabled but it will not work if SNMP is also disabled. There is no way to do discovery with SNMP being disabled on the devices.

Bronze

Re: WSLE - Device discovery without SNMP

The best you can do is to import APs from a CSV file or CW. However, even if you have all APs in inventory, you still cannot do anything with them.

It will not generate faults when they break, you cannot upgrade firmware, and periodic reports won't run, because they all rely on SNMP.

Anonymous
N/A

Re: WSLE - Device discovery without SNMP

Thanks for your help.

Has anyone else used WLSE with a lot (400+) of APs over a large area, such as the US, and found security issues using SNMPv3?

The WAN admin refuses to enable SNMP because of security issues he thinks are there, but he wants me to manage them all somehow. Is he being too paranoid with SNMP?

Bronze

Re: WSLE - Device discovery without SNMP

Yes, I think he is. It's true that the SNMP community is in clear text, meaning whoever sniffs the wire can get the read-only and read-write strings. And with the RW string, one can manipulate the APs' configs. However, there is also a thing called an access list that can be configured on devices to prevent unauthorized access.

It's also a fact that SNMP v3 is more secure because the username is encrypted. However, v3 has never been mass deployed because of its complexity.

Based on experience, most customers are comfortable enabling SNMP in their network. After all, with masses of network devices deployed, SNMP is the only way of managing them.

New Member

Re: WSLE - Device discovery without SNMP

Minie, can you give an example of how you would use ACLs to lock down 1230 APs running IOS to just the specific IP address of the WLSE?

Blue

Re: WSLE - Device discovery without SNMP

access-list 1 permit 1.1.1.1
snmp-server community string1 ro 1

In this example the trusted management station is configured with an IP address of 1.1.1.1. Apply an access list to all of the read-only and read-write community strings configured on the device.

Bronze

Re: WSLE - Device discovery without SNMP

Rizwan is correct. You configure an ACL, and apply the ACL to the snmp community string which will restrict who can poll the AP using the community. Or you can apply the ACL to the FE interface, just like other IOS devices.
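As an added example (not from any poster in this thread), here is what the two approaches above look like together on an IOS AP. It assumes the WLSE is at 10.50.33.10 and the AP's wired uplink is FastEthernet0; both addresses and the community strings are placeholders.

```cisco
! Added example, not from the thread. Assumed values: the WLSE (trusted
! management station) is 10.50.33.10, the wired uplink is FastEthernet0,
! and the community strings are placeholders to be replaced.
!
! 1) Rizwan's method: a standard ACL applied to EVERY community string.
!    Polls from anything other than the WLSE are dropped and logged,
!    which also gives you a trace of who is probing SNMP.
access-list 10 remark SNMP: permit only the WLSE
access-list 10 permit host 10.50.33.10
access-list 10 deny   any log

snmp-server community WLSE-ro-placeholder RO 10
snmp-server community WLSE-rw-placeholder RW 10
!
! 2) Minie's alternative: filter at the FE interface instead, so that
!    UDP/161 is accepted only from the WLSE while all other traffic is
!    left as it was. Apply one or the other, or both for defence in depth.
ip access-list extended SNMP-IN
 remark SNMP only from the WLSE; everything else unchanged
 permit udp host 10.50.33.10 any eq snmp
 deny   udp any any eq snmp log
 permit ip any any

interface FastEthernet0
 ip access-group SNMP-IN in
```

After applying it, check with "show access-lists" that the deny counters stay at zero during normal WLSE polling and only climb when an unexpected host tries to poll.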
