| Title: | DEChub/HUBwatch/PROBEwatch CONFERENCE |
| Notice: | Firmware -2, Doc -3, Power -4, HW kits -5, firm load -6&7 |
| Moderator: | NETCAD::COLELLA DT |
| Created: | Wed Nov 13 1991 |
| Last Modified: | Fri Jun 06 1997 |
| Last Successful Update: | Fri Jun 06 1997 |
| Number of topics: | 4455 |
| Total number of notes: | 16761 |
Back to the issue of SNMP community strings.
1. MAM code T5.0.32 does not allow the READ/WRITE community name string
to be changed. It reports a change but it is always "public".
2. On MAM code V4.1.1 I set up MAM R/W Comm = "hubmam"
& slot 3 module R/W Comm = "module"
I fired up MCM using string "public".
Hub MAM responds to gets using "public". I assume the read comm
cannot be changed ??
Now I click on slot 3 module and try to make a config change on it.
First MCM tries to use module's IP address with "public" and gets no
response. This is what I expect.
Next MCM tries backup agent retry, using SNMP SET to MAM's IP address
and "public-3". Module responds and config is changed.
Why does the module respond to sets using "public-3" when its R/W
Comm is "module". This means anyone can mess with the hub modules
at will, or am I missing something.
I know that SNMP is not secure but I would expect Comm string
checking.
R.
| T.R | Title | User | Personal Name | Date | Lines |
|---|---|---|---|---|---|
| 4236.1 | Correction | COMICS::BUTT | Give me the facts real straight. | Wed Feb 26 1997 12:26 | 4 |
Re. 0 Correction "On MAM code V4.1.1", I meant V4.2.0.
R.
| 4236.2 | | NETCAD::MILLBRANDT | answer mam | Thu Feb 27 1997 14:38 | 62 |
There are two community name strings at play here: read-only and read-write.
You can invoke MCM with either one. When you look at the Manage Current
display, MCM will show you the community name you used when you invoked
MCM. (And, in the latest version I have here, X6.0.20, MCM labels the
read-only one as "Read/Write Access" as well as the read-write one,
which is a bug.)
Okay so go to the setup console. You can change the read-write community
name, say from public to monkey. (You can't change the read-only community
string either from the console or from MCM, though other network management
tools may allow you to.) Now exit MCM.
[If you are running MAM version V4.x or earlier, reset your hub to
current settings now so that the chassis slot tables can pick up the
change to monkey. If you are running V5.0 (or a T5.x) you don't need
to reset, the change is propagated when it occurs.]
You should now be able to invoke MCM with either "public" or "monkey".
If you choose public, you can view the hub and the modules, but not
change anything. If you choose monkey, you can change port names, lan
connections, etc.
Now to your questions.
> 1. MAM code T5.0.32 does not allow the READ/WRITE community name string
> to be changed. It reports a change but it is always "public".
Oh it does, but perhaps you did not exit and reinvoke MCM, thus leaving
MCM to think the read-write community was still public. Or perhaps you
re-invoked MCM using public, in which case you are now looking at the
read-only string, not the read-write string.
> 2. On MAM code V4.1.1 I set up MAM R/W Comm = "hubmam"
> & slot 3 module R/W Comm = "module"
> I fired up MCM using string "public".
> Hub MAM responds to gets using "public". I assume the read comm
> cannot be changed ??
It is a settable mib object, but neither the console nor MCM set it.
> Now I click on slot 3 module and try to make a config change on it.
> First MCM tries to use module's IP address with "public" and gets no
> response. This is what I expect.
> Next MCM tries backup agent retry, using SNMP SET to MAM's IP address
> and "public-3". Module responds and config is changed.
This is because you didn't reset this older MAM version after changing the
string.
> Why does the module respond to sets using "public-3" when its R/W
> Comm is "module". This means anyone can mess with the hub modules
> at will, or am I missing something.
>
> I know that SNMP is not secure but I would expect Comm string
> checking.
Fixed in V5.0, now available.
Dotsie
| 4236.3 | Reset fixes T5 mam still fails | COMICS::BUTT | Give me the facts real straight. | Fri Feb 28 1997 05:35 | 16 |
Ref .2
Many thanks for the explanations.
I missed the reset of the V4.2 MAM for the change in string to be
propagated. After this it worked as expected.
I retested T5.0.32 MAM. I try to set the R/W community name from the
redirected console and it tells me it has been set after the change.
I then do a show IP config and it still tells me "public". I reset
with current and it tells me "public". I try SNMP sets with "public"
and it works.
Maybe this is fixed in V5 ?
R.
| 4236.4 | Does V5 do this ? | COMICS::BUTT | Give me the facts real straight. | Fri Feb 28 1997 06:19 | 9 |
After further testing on MAM T5.0.32. What happens is the console change
of MAM R/W COMM string gets propagated to the modules but is not set on
the MAM itself. So sets to the MAM using "public" work but sets to the
modules using "Newcomm-n" fail. The MAM console shows "public" but MCM
picks up "Newcomm-n" and tries to use it for the modules.
Confusing ?
R.
| 4236.5 | | NETCAD::MILLBRANDT | answer mam | Mon Mar 03 1997 12:19 | 11 |
> I try to set the R/W community name from the
> redirected console and
If you are setting the community name from a redirected console, you are
setting one module's community string, not the MAM's community string and
not the string that the MAM will use when relaying management commands to
the modules. You must set the community name from the hub menu itself.
Dotsie