Hello,

Not so long ago there was discussion on this list regarding problems with SNMP, and this is our contribution to it. With this I will fulfill a request of the customer who brought this to our attention.

Cheers,
Gaus

---------

Simple Network Management Protocol Version 3 (SNMPv3) is an interoperable standards-based protocol for network management. This version was first introduced in Cisco IOS 12.0(3)T.

In all images which implement the new SNMPv3 engine (12.0(3)T and above, and images based on these), the new SNMP engine now requires that a community string be defined (if one is used).

Example: If the user enters this command:

    snmp-server host <ip-address> foonly

then the community string must be defined first with the command:

    snmp-server community <community> [ro|rw]

e.g.

    snmp-server community foonly ro

If this required line is not present, it will be inserted automatically, using the password defined in the snmp-server host command. The automatically generated snmp-server community line cannot be erased from the configuration file; it will be automatically generated every time.

This requirement was not well documented, but it is indeed a requirement of the new engine and it is intended behavior. The updated documentation can be found at

    http://www.cisco.com/univercd/cc/td/doc/product/software/
    ios120/120newft/120t/120t3/snmp3.htm

(URL is wrapped)

In the case where the customer wishes to use a unique community string with the "snmp-server host" command but does NOT want that string to be valid for SNMP polling, simply define that community string with an access-list which specifies "deny any", e.g.

    snmp-server community foonly ro 10
    snmp-server host <ip-address> foonly
    access-list 10 deny any

If the administrator is not aware of this, and if the configuration is not carefully inspected after every change, this may lead to a weak password being used for the community string.
When snmptrap daemons do not require a community string, the administrator may be tempted to use easily guessable passwords.

==============
Damir Rajnovic <psirtat_private>, PSIRT Incident Manager, Cisco Systems
<http://www.cisco.com/warp/public/707/sec_incident_response.shtml>
Phone: +44 7715 546 033
4 The Square, Stockley Park, Uxbridge, MIDDLESEX UB11 1BN, GB
==============
There are no insolvable problems. Question remains: can you accept the solution?
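As an added configuration check (not part of the original post, and not Cisco's own tooling), the following Python script audits a saved IOS configuration for the situation described above: a community string named in "snmp-server host" that is also usable for SNMP polling, either because its "snmp-server community" line has no access-list, or because the line was auto-generated by the engine and so has none. It assumes only the command forms shown in the post (no "traps"/"version" keywords on the host line) and uses a constructed sample configuration.

```python
import re

# Constructed sample IOS configuration (not from the original post).
# "foonly" is protected by ACL 10 ("deny any"); "trapsonly" has no explicit
# community line, so the SNMPv3 engine auto-inserts one without an ACL.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community foonly ro 10
snmp-server host 192.0.2.10 foonly
snmp-server host 192.0.2.11 trapsonly
access-list 10 deny any
"""

COMMUNITY_RE = re.compile(
    r"\s*snmp-server community (\S+)(?:\s+(?:ro|rw))?(?:\s+(\d+))?", re.I)
HOST_RE = re.compile(r"\s*snmp-server host (\S+)\s+(\S+)", re.I)
DENY_ANY_RE = re.compile(r"\s*access-list (\d+)\s+deny\s+any\b", re.I)


def audit_snmp_config(config):
    """Return {trap_host: community} for every trap community that can
    also be used to poll the device (no ACL, or an ACL that is not
    'deny any'). A community that appears only in 'snmp-server host'
    is treated as unrestricted, mirroring the auto-generated line."""
    communities = {}      # community name -> ACL number or None
    hosts = {}            # trap destination -> community name
    deny_all_acls = set() # ACL numbers that contain "deny any"
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line)
        if m:
            communities[m.group(1)] = m.group(2)
            continue
        m = HOST_RE.match(line)
        if m:
            hosts[m.group(1)] = m.group(2)
            continue
        m = DENY_ANY_RE.match(line)
        if m:
            deny_all_acls.add(m.group(1))
    exposed = {}
    for host, name in hosts.items():
        acl = communities.get(name)  # None: no ACL or auto-generated line
        if acl is None or acl not in deny_all_acls:
            exposed[host] = name
    return exposed


if __name__ == "__main__":
    for host, name in audit_snmp_config(SAMPLE_CONFIG).items():
        print(f"{host}: trap community '{name}' is also valid for polling")
```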
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:39:35 PDT