[147249] in North American Network Operators' Group
Re: Writable SNMP
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Tue Dec 6 11:29:04 2011
In-Reply-To: <CDEE94CC-4811-4B20-AC94-BD8E5C710F4F@puck.nether.net>
Date: Tue, 6 Dec 2011 11:28:04 -0500
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Jared Mauch <jared@puck.nether.net>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Tue, Dec 6, 2011 at 11:16 AM, Jared Mauch <jared@puck.nether.net> wrote:
>
> On Dec 6, 2011, at 11:07 AM, Keegan Holley wrote:
>
>> For a few years now I've been wondering why more networks do not use writable
>> SNMP. Most automation solutions actually script a login to the various
>> equipment. This comes with extra code for different vendors, different
>> prompts and any quirk that the developer is aware of and constant patches
>> as new ones come up. Writable SNMP seems like an easier way to deal with
>> scripted configuration changes as well as information gathering.
>> Admittedly, you will have to deal with proprietary mibs and reformat the
>> data once it's returned. Most people consider it insecure, but in reality
>> it's no worse than any other management protocol. Yes I know netconf is
>> better, but in most circles I'd have problems explaining what netconf is,
>> why it's better and that I'm not making it up. So I'll take what I can get.
>
> Some of the problems are that the bulk nature of some config changes (or transactional
> nature on those that support atomic operations) has been harder to automate.
>
> Anyone that has spent any quantity of time with ASN.1 generally would agree.
>
> I recall some bay networks gear you could only program with the proper OID
> as the cli was basically an SNMP-SET operation on the device.
yea... same with cascade devices... icky things (both bay and cascade!)
> The errors/feedback tends to be very poor over SNMP as well as you may need
> to walk/revisit a large number of elements to make things happen properly.
fun story/fact, you can send an snmp write to the broadcast address of
a network of NT (at least, probably also post-nt versions of the OS)
machines, and set their default-ttl to some arbitrary number. "Your
network is too chatty... not anymore! now your internet is 5 hops
across!"
> Have you had a good experience with using SNMP-Write? I have not.
long ago, in a network far away (not on the interwebs) we used snmp
write to trigger a tftp config load. It worked nicely... I'm fairly
certain I'd not do this on an internet connected network today though.
Also, who tests snmp WRITE in their code? at scale? for daily
operations tasks? ... (didn't the snmp incident in 2002 teach us
something?)
-chris
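An added example, not from this thread: a minimal BER decoder that classifies raw SNMPv1/v2c UDP payloads by PDU type, so a network monitor can alert on SetRequest traffic (the kind of write the broadcast default-TTL story above describes) rather than treating all SNMP alike. The two sample packets are constructed by hand for this example; the OID is the standard ipDefaultTTL.0.

```python
# Added example: decode enough BER to tell an SNMP SetRequest from a read.
# Sample packets below are constructed for this example, not captured traffic.

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap-v1", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "Trap-v2c"}

def read_tlv(buf, pos):
    """Decode one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length (0x81 nn, 0x82 nn nn ...)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def classify_snmp(payload):
    """Return (version, community, pdu_name) for an SNMPv1/v2c message, else None."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:                           # outer SEQUENCE
        return None
    tag, ver, pos = read_tlv(msg, 0)          # INTEGER version (0 = v1, 1 = v2c)
    if tag != 0x02:
        return None
    tag, community, pos = read_tlv(msg, pos)  # OCTET STRING community
    if tag != 0x04:
        return None
    pdu_tag, _, _ = read_tlv(msg, pos)        # context-specific PDU tag, e.g. 0xA3
    return (int.from_bytes(ver, "big"), community.decode("ascii", "replace"),
            PDU_TYPES.get(pdu_tag, "unknown(0x%02x)" % pdu_tag))

def is_write(payload):
    """True when the message is a SetRequest: the case worth alerting on."""
    info = classify_snmp(payload)
    return info is not None and info[2] == "SetRequest"

# Constructed: SNMPv2c SetRequest, community "public", ipDefaultTTL.0 = 5
SET_TTL = bytes.fromhex(
    "3027" "020101" "04067075626c6963"
    "a31a" "020101" "020100" "020100"
    "300f" "300d" "06082b06010201040200" "020105")

# Constructed: SNMPv2c GetRequest for the same OID (value NULL)
GET_TTL = bytes.fromhex(
    "3026" "020101" "04067075626c6963"
    "a019" "020101" "020100" "020100"
    "300e" "300c" "06082b06010201040200" "0500")
```

Feed `is_write()` the UDP payload of port-161 traffic (for example from a capture library) and pair a hit with the destination address; a SetRequest to a broadcast or directed-broadcast address, or with a default community, is the pattern the story above relies on.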