at (@) character not any more allowed in snmp community string?

joopv
Level 1

We manage several 1000 switches. These are standard configured with a snmp community string that contains @ characters.

Now it seems that - starting with a certain IOS release - these community strings do not work anymore!

After changing the @ character to another 'normal' character we get snmp access again. :(

Is this issue somewhere documented?

Is there a workaround for this issue?

Since our management systems are all set up for this standard string.

Thanks!



Joe Clarke
Cisco Employee

An '@' sign was never allowed in a switch's SNMP community string as that character has always been used by Cisco for community string indexing. This is the means by which we are able to get the BRIDGE-MIB data from multiple VLANs. In the past, switches may have allowed this at the expense of community string indexing. But you should NOT use this character in ANY Cisco switch's SNMP community.

Community string indexing is documented at ftp://ftp.cisco.com/pub/mibs/supportlists/wsc6506/wsc6506-communityIndexing.html .

Thanks for your info!

Can you point me to a document that specifies the allowed characters in the community string?

Of all managed switches with the @ sign in the community string, about 10% do not seem to work. These switches were installed in the past several months or maybe last year.

So it is a fairly recent issue, imho.

Is there a workaround where I give up the community string indexing functionality in favor of being able to use the @ sign?

(except for downgrading the switch IOS, that is)

I don't know of any documentation that lists allowed characters, but after 10 years of experience, I would avoid '@' and ':'. The '@' for reasons already discussed, and the ':' because this is commonly used as a delimiter in many NMS applications.

That said, SNMP community strings are sent on the wire in clear text, and offer no real security. It would be better to avoid all special characters, and use ACLs on the devices to prevent unauthorized managers from using SNMP. If security is a real concern, consider going with SNMPv3.

No, there is no workaround for switches. The '@' is simply reserved by Cisco. And you really need community string indexing to be able to fully manage Cisco switches with SNMPv1/v2c.

I did a couple of Google searches and it varies as to what SNMP engines accept what characters in community strings. Interestingly enough, I checked the early RFCs and they just say "OCTET STRING" and never get around to saying what is valid.

However, that being said... various Cisco docs say "In the Community String Name field, enter a name for the community string. The name can contain up to 32 characters and can contain any combination of alphanumeric characters, hyphens (-), and underscore characters (_)"

Thomas Dzubin
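
The advice in this thread can be turned into a configuration audit. The following is an added example, not part of the original posts and not Cisco code: it checks `snmp-server community` lines for the reserved '@', the ':' delimiter, the documented character set quoted above, and a missing ACL. The simplified line syntax, the sample configuration, and the rule of splitting an indexed community at the last '@' are assumptions made for illustration.

```python
import re

# Character set and length quoted in the thread: up to 32 of A-Z a-z 0-9 - _
DOCUMENTED = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Simplified IOS syntax: snmp-server community <string> [view <name>] [ro|rw] [<acl>]
LINE = re.compile(
    r"snmp-server community (?P<comm>\S+)(?: view \S+)?"
    r"(?: (?P<mode>ro|rw))?(?: (?P<acl>\S+))?",
    re.IGNORECASE,
)

def split_indexed(community):
    """Split a request community of the form <base>@<index>.
    Splitting at the last '@' is an assumption, not documented agent behaviour."""
    base, sep, index = community.rpartition("@")
    return (base, index) if sep else (community, None)

def audit_line(line):
    """Return (community, findings) for a community line, else None."""
    m = LINE.fullmatch(line.strip())
    if not m:
        return None
    comm, findings = m["comm"], []
    if "@" in comm:
        findings.append("'@' is reserved for community string indexing")
    if ":" in comm:
        findings.append("':' is a delimiter in many NMS applications")
    if not DOCUMENTED.fullmatch(comm):
        findings.append("outside documented character set or length")
    if not m["acl"]:
        findings.append("no ACL limiting which managers may poll")
    return comm, findings

def audit_config(text):
    """Map each configured community string to its list of findings."""
    results = (audit_line(line) for line in text.splitlines())
    return {comm: findings for comm, findings in filter(None, results)}

# Constructed sample configuration, not taken from any real device.
SAMPLE = """\
hostname sw1
snmp-server community n3t@mgmt RO
snmp-server community ops:read RO 10
snmp-server community Mon_ro-01 RO 10
"""

if __name__ == "__main__":
    for comm, findings in audit_config(SAMPLE).items():
        print(comm, "->", findings or "ok")
```

`split_indexed("n3t@mgmt")` returns `("n3t", "mgmt")`, which shows why a base string containing '@' cannot be told apart from an indexed request.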
