[147273] in North American Network Operators' Group


Re: Writable SNMP

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Tue Dec 6 14:58:51 2011

In-Reply-To: <1AB264E2-E1BC-41BF-BF9B-89BF642FFC4E@puck.nether.net>
Date: Tue, 6 Dec 2011 14:57:54 -0500
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Jared Mauch <jared@puck.nether.net>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, Dec 6, 2011 at 12:15 PM, Jared Mauch <jared@puck.nether.net> wrote:
>
> On Dec 6, 2011, at 11:28 AM, Christopher Morrow wrote:
>
>> long ago, in a network far away (not on the interwebs) we used snmp
>> write to trigger a tftp config load. It worked nicely... I'm fairly
>> certain I'd not do this on an internet connected network today though.
>
> Many vendors have poor TFTP implementations, such that any additional
> latency creates very slow transfer rates. This is why things like the
> RCPD were done, and others use FTP/HTTP even. I am not sure if you can
> tell it to trigger some protocol other than TFTP in IOS.

agreed, I did say 'long time ago' :) (like before 2000 long time ago)
I get the impression we could have said copy http:// instead of tftp
though. (if it were supported at the time, http I mean)

> As someone who has moved large configs around in the past (1-16MB in cases)
> transfer speeds do matter.

agreed

>> Also, who tests snmp WRITE in their code? at scale? for daily
>> operations tasks? ... (didn't the snmp incident in 2002 teach us
>> something?)
>
> This is also a whole other interesting problem. Part of it is lack of
> exposure to it. Part of it is ease of operation. Many people still
> telnet over when they should use ssh. (feedback is more immediate if
> you are not in the VTY ACL for example). People revert to what they
> are comfortable with. Some it's scripts, others it's typing configure
> or conf t and hitting ? a lot.
>
> There's no reason one can't program a device with SNMP, the main issue IMHO
> has always been what I dubbed "config drift". You have your desired
> configuration and variances that happen over time. If you don't force
> a 'wr mem' or similar event after you trigger a 'copy tftp run' operation,
> you may have troubles that are not apparent if there is a power failure
> or other lossage. The boot-time parser doesn't interpret SNMP, it parses
> text. This and other reasons have made people fail-safe to using the language
> most easily interpreted by the device.

Yup, I think the OP was maybe getting at:
  "Why can't I snmp configure my cisco/juniper/alteon device?"

I took that to mean (probably naively?) that they also would validate
configs and update drift out of the configuration. You CAN force a 'wr
mem' via snmp as well, of course (in cisco world).
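
The sequence the thread describes (trigger a 'copy tftp run' through an SNMP SET, then force the 'wr mem' so startup-config does not drift from what was just loaded) as an added example; this is not code from the thread or from any of the posters. It assumes a Cisco IOS device that implements CISCO-CONFIG-COPY-MIB (ccCopyTable, 1.3.6.1.4.1.9.9.96.1.1.1.1) and net-snmp's snmpset/snmpget on the management host. TARGET, SNMP_AUTH, TFTP_SERVER, CONFIG_FILE, the row indices and the passphrases are placeholders, and the example uses SNMPv3 authPriv rather than a v2c write community, since the same SET that loads a config can load anyone's config.

```shell
#!/bin/sh
# Added example, not code from the NANOG thread. Drives "copy tftp running-config"
# through SNMP SET using CISCO-CONFIG-COPY-MIB (ccCopyTable), then immediately
# copies running-config to startup-config (the 'wr mem') in a second row so the
# saved config does not drift from the loaded one. Requires net-snmp's
# snmpset/snmpget and a device implementing this MIB. TARGET, SNMP_AUTH,
# TFTP_SERVER and CONFIG_FILE are placeholders.
set -eu

CCC=".1.3.6.1.4.1.9.9.96.1.1.1.1"   # ccCopyEntry
# Columns of ccCopyEntry used below:
#   2 ccCopyProtocol       1=tftp 2=ftp 3=rcp 4=scp 5=sftp
#   3 ccCopySourceFileType 1=networkFile 3=startupConfig 4=runningConfig
#   4 ccCopyDestFileType   same enumeration
#   5 ccCopyServerAddress  IpAddress of the file server (IPv4)
#   6 ccCopyFileName       DisplayString, path on the server
#  10 ccCopyState          1=waiting 2=running 3=successful 4=failed
#  14 ccCopyEntryRowStatus 1=active 4=createAndGo 6=destroy
NETWORK=1; STARTUP=3; RUNNING=4
TFTP=1

# Placeholder SNMPv3 authPriv credentials. Do not substitute a v2c write
# community on a reachable interface; pair this with an SNMP ACL/view that
# only admits the management host.
SNMP_AUTH=${SNMP_AUTH:-"-v3 -l authPriv -u cfgmgr -a SHA -A AUTHPASSPHRASE -x AES -X PRIVPASSPHRASE"}

# Emit the varbinds for one ccCopyEntry row as a single snmpset argument list.
#   $1 row index chosen by the manager, $2 source type, $3 destination type,
#   $4 server address and $5 file name (only for network-file copies).
ccc_varbinds() {
  row=$1; src=$2; dst=$3; server=${4:-}; file=${5:-}
  vb="$CCC.3.$row i $src $CCC.4.$row i $dst"
  if [ -n "$server" ]; then
    vb="$CCC.2.$row i $TFTP $vb $CCC.5.$row a $server $CCC.6.$row s $file"
  fi
  # createAndGo: the agent starts the copy as soon as the row is activated
  echo "$vb $CCC.14.$row i 4"
}

# Map a ccCopyState value to a verdict; an empty string means still in progress.
ccc_verdict() {
  case "$1" in
    3) echo ok ;;
    4) echo failed ;;
    *) echo "" ;;
  esac
}

# Create the row, poll ccCopyState until it settles, then destroy the row so
# the index can be reused. Returns non-zero if the copy failed.
ccc_run() {
  row=$1; shift
  # Word splitting of the varbind list is intended (file names without spaces).
  # shellcheck disable=SC2086
  snmpset $SNMP_AUTH "$TARGET" $(ccc_varbinds "$row" "$@") >/dev/null
  verdict=""
  while [ -z "$verdict" ]; do
    sleep 1
    # -Oqve: value only, enumerations as numbers, so the case above matches
    state=$(snmpget -Oqve $SNMP_AUTH "$TARGET" "$CCC.10.$row")
    verdict=$(ccc_verdict "$state")
  done
  snmpset $SNMP_AUTH "$TARGET" "$CCC.14.$row" i 6 >/dev/null
  [ "$verdict" = ok ]
}

# Only touch the network when a target is given; the functions above can be
# exercised on their own.
if [ -n "${TARGET:-}" ]; then
  TFTP_SERVER=${TFTP_SERVER:-192.0.2.10}        # placeholder server
  CONFIG_FILE=${CONFIG_FILE:-routers/rtr1.cfg}  # placeholder file
  # Step 1: merge the file into running-config (what "copy tftp run" does).
  ccc_run 101 "$NETWORK" "$RUNNING" "$TFTP_SERVER" "$CONFIG_FILE"
  # Step 2: commit it, so a reload does not fall back to the old startup-config.
  ccc_run 102 "$RUNNING" "$STARTUP"
  echo "config loaded and saved on $TARGET"
fi
```

Run it as `TARGET=10.0.0.1 sh snmp-copy.sh` after filling in the credentials. The second row is the whole point of the drift discussion: if the script stopped after step 1, the device would be running the new configuration with the old one on flash, and the boot-time parser would restore the old one on the next power loss. ccCopyServerAddress (column 5) is the original IPv4-only column; newer MIB revisions add an address-type/address pair, which this example does not use.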
