05-08-2007 03:40 PM
Does every relatively recent (v12+) IOS support multiple SNMP read/read-write community strings, or does it depend on the specific version? Given the following device config, where the device credentials in DCR are read1 and readwrite1, what could cause LMS to report that read1 is OK but readwrite1 is invalid on the device?
snmp-server community read1 RO 22
snmp-server community readwrite1 RW 33
snmp-server community read2 RO 22
snmp-server community readwrite2 RW 33
If the current running config displays as follows, would a "no access-list 33 remark * IPs allowed for read-write SNMP *" followed by "access-list 33 remark * IPs allowed for read-write SNMP *" put the remark in front of all the ACLs numbered 33?
access-list 33 permit 12.21.1.7
access-list 33 permit 12.21.1.3
access-list 33 remark * IPs allowed for read-write SNMP *
access-list 33 permit 12.21.1.1
access-list 33 permit 12.21.1.2
05-08-2007 04:52 PM
All IOS versions support multiple community strings. Assuming the problem is a timeout for the read-write community string, my thought would be the ACL 33. I assume that one of those addresses is your LMS server?
If you enter the command "no access-list 33 remark * IPs allowed for read-write SNMP *", that will remove the entire ACL 33. You will have to add back in all of the lines in the desired order after that. If you only entered "access-list 33 remark * IPs allowed for read-write SNMP *" after the "no" command, then ACL 33 would only consist of the remark line.
A sniffer trace of the Device Credential Verification test would help determine if the problem is something other than the ACL.
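An added example, not part of the original posts: a small offline check of whether a management station's address passes the standard ACL attached to a community string, using the config lines quoted in the question. It handles only the `snmp-server community <name> RO|RW [acl]` and numbered standard ACL forms shown in this thread; the function names are hypothetical, and treating an ACL with no entries as permit-all is an assumption.

```python
import ipaddress
import re

# Config lines quoted in the thread (ACL 22 is not shown on the page).
CONFIG = """\
snmp-server community read1 RO 22
snmp-server community readwrite1 RW 33
access-list 33 permit 12.21.1.7
access-list 33 permit 12.21.1.3
access-list 33 remark * IPs allowed for read-write SNMP *
access-list 33 permit 12.21.1.1
access-list 33 permit 12.21.1.2
"""

def parse_source(spec):
    """'any', 'host A', 'A' or 'A WILDCARD' -> (address, wildcard) as ints."""
    parts = [p for p in spec.split() if p != "log"]
    if parts[0] == "any":
        return 0, 0xFFFFFFFF
    if parts[0] == "host":
        parts = parts[1:]
    wildcard = parts[1] if len(parts) > 1 else "0.0.0.0"
    return int(ipaddress.IPv4Address(parts[0])), int(ipaddress.IPv4Address(wildcard))

def parse(config):
    """Return ({community: acl number or None}, {acl number: [(action, source)]})."""
    communities, acls = {}, {}
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"snmp-server community (\S+) (?:RO|RW)(?: (\d+))?$", line)
        if m:
            communities[m.group(1)] = m.group(2)
        m = re.match(r"access-list (\d+) (permit|deny) (.+)$", line)
        if m:  # remark lines do not match and are skipped
            acls.setdefault(m.group(1), []).append((m.group(2), parse_source(m.group(3))))
    return communities, acls

def snmp_allowed(config, community, source_ip):
    """True if source_ip may use this community string under the parsed config."""
    communities, acls = parse(config)
    if community not in communities:
        return False
    entries = acls.get(communities[community])
    if not entries:
        return True  # no ACL attached; an ACL with no entries is ASSUMED to permit all
    src = int(ipaddress.IPv4Address(source_ip))
    for action, (addr, wild) in entries:
        if ((src ^ addr) & ~wild & 0xFFFFFFFF) == 0:  # wildcard bits are "don't care"
            return action == "permit"
    return False  # implicit deny ends every ACL
```

Calling `snmp_allowed(CONFIG, "readwrite1", <LMS server address>)` against a saved running config shows whether ACL 33 alone would explain a read-write timeout before a sniffer trace is needed.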
05-08-2007 06:33 PM
It just occurred to me that particular device was discovered and added to DCR by Campus Manager. Upon a more careful look, I find CM 4.x Device Discovery isn't aware of the SNMP RW string, in contrast to CM 3.3 (IIRC). That explains my original issue, which is easily fixed by updating the device credential. Looking forward to the default device credentials in LMS 3.0.
05-08-2007 09:14 PM
Correct, CM 4.0 does not pass a read-write credential into DCR (unless, of course, you use SNMPv3). The reason for this was that it was impossible to verify the read-write community string when using multiple community strings. It really doesn't work in 3.3 either, in that MCS only applies to the read-only string.
As you noted, default credentials in LMS 3.0 will allow for this as well as other credentials like [telnet/SSH] username and password.
05-09-2007 12:28 AM
What is the problem with verifying the RW CS in discovery? Is it a problem of getting a result in an acceptable timeline (especially in big environments), or are there other (logical) problems?