Expectations for Setting and Clearing SNMP Commands on Enterasys Switching products

  • 0
  • 1
  • Article
  • Updated 5 years ago
  • (Edited)
Article ID: 10308 

Products
SecureStack C3, C2, B3, B2, A2
D-Series
G-Series
I-Series 

Symptoms 
'clear snmp...' command is present after clearing a 'set snmp...' command. 
'set snmp...' command is present after overriding or removing a 'clear snmp...' command. 

Cause
The SNMP commands for the SecureStacks, D-Series, G-Series, and I-Series are designed a little differently than the SNMP commands for the other cli-based Enterasys switching products. 

On these products; if you Clear a default Set command (by issuing the Clear command), the Set command is removed and a Clear command appears; and if you eliminate the Clear command (by issuing the Set command or by removing the Clear command before downloading/activating the configuration), the Set command reappears. 

For example... 
C2(su)->show config snmp
. . .
set snmp community :3fb03022e4966512343b511c263dcf1240739359ec6cad7d8c6277007e7e
0657521e0641967b150156:
. . .
C2(su)->clear snmp community public
C2(su)->show config snmp
. . .
clear snmp community :3fb03022e4966512343b511c263dcf1240739359ec6cad7d8c6277007e
7e0657521e0641967b150156:
. . .
C2(su)->set snmp community public
C2(su)->show config snmp
. . .
set snmp community :3fb03022e4966512343b511c263dcf1240739359ec6cad7d8c6277007e7e
0657521e0641967b150156:
. . .
C2(su)->

On the other products, if you Clear a default Set command (by issuing the Clear command or by removing the Set command before downloading/activating the configuration), the Set command is removed and there is no visible command for that feature; and if you issue the Set command, the Set command reappears. 

For example... 
N7(su)->show config snmp
. . .
set snmp community public
. . .
N7(su)->clear snmp community public
N7(su)->show config snmp
. . .
N7(su)->set snmp community public
N7(su)->show config snmp
. . .
set snmp community public
. . .
N7(su)->

Solution/Workaround
FAD (Functions as Designed). 

The difference in the SNMP command sets of these two sets of hardware is largely irrelevant to the flexibility and effectiveness of SNMP operation. However, there is at least one possible caveat that deserves mention: 

If it is desired to "simplify" a (for example) SecureStack's non-default SNMP configuration by offloading the configuration, removing the 'clear snmp...' commands, then reloading the configuration and booting off of it (5623), it will be observed that the 'clear snmp...' commands are indeed no longer present. However, if the user then does not notice that the original associated 'set snmp...' commands (establishing a public SNMPv1 community name, default SNMPv2C/SNMPv3 users, and read/write access to all MIBs) have been re-established, this can lead to a security hole that could be exploited. 

As with any configuration change, review the resulting configuration to ensure that it is as you intended. 

For a more general discussion about clearing commands, please refer to 5542.
Photo of FAQ User

FAQ User, Official Rep

  • 13,620 Points 10k badge 2x thumb

Posted 5 years ago

  • 0
  • 1

There are no replies.

This conversation is no longer open for comments or replies.