snmp command line meaning

Lim Seow Hua
Level 1

Hi,

May I know what is the meaning of the two command lines below?

snmp-server community x#2b8wt! RO 15

snmp-server community R!M2stAy RW 15

11 Replies

Collin Clark
VIP Alumni

x#2b8wt!  This is the community string used by the SNMP manager to communicate with the device

RO  This is the read-only keyword. It specifies that you cannot write via SNMP, just read

15  This refers to ACL 15. Only IPs with a source address in this ACL can communicate via SNMP

R!M2stAy  Same as above

RW  This allows the SNMP manager to read and write SNMP strings to the device

15  Same as above

Hope it helps.

Adam Casella
Level 1

Hey Lim,

An SNMP community is a value used to access the device for SNMP.  Think of it as a password that is used to access/change SNMP parameters on the switch.

snmp-server community x#2b8wt! RO 15 <---This is the community to read-only parameters on the switch

snmp-server community  R!M2stAy RW 15 <----This is the community to change/read-write parameters on the switch

Also, the 15 at the end of these lines specifies ACL 15 as the devices which are allowed to access this device with these communities.

You can read more about this via the following link:

http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf014.html

Thanks,

Adam

But why do we need to issue two command lines with RO and RW permissions, since the second command line allows read-write permission?

Some people only need read access and some people may have more authority and have the ability to write. IMO write access is dangerous and should be removed, especially when using v2.

Hey Lim,

The idea is to separate users/devices that are allowed to make changes and those that are not for security.   Think of it as having admin access to make changes to a parameter on the switch as compared to a regular user who is only able to poll values (which could be used for monitoring the device.)

You may not want to allow your monitoring devices to make changes and thus want to limit them only to read-only access.

You may also want to limit write access to only one device for security reasons.

Thanks,

Adam

Let's say I have below command lines:-

access-list 15 permit 10.6.170.28
snmp-server community x#2b8wt! RO 15
snmp-server community R!M2stAy RW 15

What do the above command lines indicate? Do they indicate that IP 10.6.170.28 can read-write?

If he uses the community string of x#2b8wt! he can only read. But if he uses the community string of  R!M2stAy he can read and write.

Oh I see... now I am getting clearer already. By the way, how is he going to use the community string?

It's used in the software (typically called the SNMP Manager) on his workstation.

snmp-server community x#2b8wt! RO 15
snmp-server community R!M2stAy RW 15
snmp-server host 172.21.211.22 x#2b8wt!

Correct me if I am wrong:-

172.21.211.22 is the SNMP server used in the company, and it has been configured with community string x#2b8wt!. Does it indicate that the switch configured with the command snmp-server host 172.21.211.22 x#2b8wt! can only have read communication with the SNMP server?

Tq.

Not exactly. The snmp-server host 172.21.211.22 x#2b8wt! command tells the router to send SNMP traps (think of them like alerts sent from the router- a push to the client) to the host. It does not grant the host SNMP access to the router. The snmp-server community x#2b8wt! RO 15 allows the host to query the router (assuming the host is in ACL 15- a pull from the client).
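The rules discussed in this thread, as an added example that is not part of any reply: a small audit script that takes the configuration lines quoted above and reports what a given source IP and community string can do. The function names are hypothetical, and it assumes standard numbered ACLs that are defined in the same configuration.

```python
import ipaddress

# Configuration lines quoted in the thread above.
CONFIG = """\
access-list 15 permit 10.6.170.28
snmp-server community x#2b8wt! RO 15
snmp-server community R!M2stAy RW 15
snmp-server host 172.21.211.22 x#2b8wt!
"""

def parse(config):
    """Collect standard ACL entries, community definitions and trap hosts."""
    acls, communities, trap_hosts = {}, {}, []
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and len(t) >= 4:
            acls.setdefault(t[1], []).append((t[2], t[3:]))
        elif t[:2] == ["snmp-server", "community"] and len(t) >= 4:
            communities[t[2]] = (t[3], t[4] if len(t) > 4 else None)
        elif t[:2] == ["snmp-server", "host"] and len(t) >= 3:
            trap_hosts.append(t[2])  # trap destination only, grants no access
    return acls, communities, trap_hosts

def acl_permits(entries, src):
    """First matching entry wins; no match means the implicit deny applies."""
    ip = int(ipaddress.IPv4Address(src))
    for action, spec in entries:
        if spec[0] == "any":
            return action == "permit"
        if spec[0] == "host":
            spec = spec[1:]
        addr = int(ipaddress.IPv4Address(spec[0]))
        has_wild = len(spec) > 1 and spec[1] != "log"
        wild = int(ipaddress.IPv4Address(spec[1])) if has_wild else 0
        if (ip | wild) == (addr | wild):  # wildcard bits are "don't care"
            return action == "permit"
    return False

def snmp_access(config, src, community):
    """Return 'RO', 'RW' or None for a query from src using community."""
    acls, communities, _ = parse(config)
    if community not in communities:
        return None
    mode, acl = communities[community]
    # Assumption: the referenced ACL is defined in this config.
    if acl is not None and not acl_permits(acls.get(acl, []), src):
        return None
    return mode
```

With the thread's configuration, 172.21.211.22 receives traps but cannot query the device, because it is not permitted by ACL 15.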