arris cmts 1000 snmp access-specific | docsis.org

You are here

arris cmts 1000 snmp access-specific

3 posts / 0 new
Last post
jnorell
arris cmts 1000 snmp access-specific

Hello,

We just got a Cornerstone CMTS 1000 I'm setting up, and wondering if anyone has experience they could share on how the snmp access-specific settings come into play with telnet access (and possibly user accounts). We're running Software Version: 3.6.2.

Our needs I think are pretty basic, I'd like to allow snmp and telnet access from a few specific subnets, but I've not yet come upon the right setup in my trial and error. In the default config, I find this under manage->snmp:

[cmts] access-specific/2147483647# info

Parameter Value
--------- -----
ip-addr 255.255.255.255
ip-mask 255.255.255.255
community ""
control read-write
interfaces ethernet+cable
extensions account-manager
status active

That empty community string, allowing read/write from anywhere looked odd. I set a root password and tested this out, and indeed, I can use anything as an snmp community string and query the box (I presume I would have write access as well, but didn't test). That's a pretty poor default config, and I promptly deleted that, to find I no longer had any rights on the console. A quick factory reset and I started playing with it.

I found if I change the ip addr there to 127.0.0.1, I still have rights on the console, and no longer have wide-open snmp access from the world. However then I cannot telnet to the box from anywhere. I added a second access-specific level restricting the ip-addr and mask to a specific subnet, and with an empty community string, I can again telnet from there. That's closer to what I'd like, but again snmp access is wide open (the empty community string allows anything to work). I tried setting the community to the username (root) and also to the root password, but I cannot login with telnet when that is set.

I might start playing around with adding a secondary account next and see if I stumble upon a working setup. All I'm looking for is to require a proper snmp community for snmp access, and to allow telnet from a specific subnet (with a username/password). That's not asking too much, right? Anyone have any pointers?

Thanks...

jnorell
resolved (well enough)

After piecing some comments from the MIB docs together with some trial and error, I found a solution that will work well enough. It's simply to set the "security-name" in the privileges to the same thing as the community in the access-specific level. Eg.

console> manage
box# accounts
accounts# privileges-modify/1
privileges-modify/1# security-name "some community"

box# snmp
snmp# access-specific/2147483647
access-specific/2147483647# community "some community"
access-specific/2147483647# ip-addr 127.0.0.1
access-specific/2147483647# back
snmp# access-specific/1
access-specific/1# community "some community"
access-specific/1# ip-addr x.x.x.x
access-specific/1# ip-mask y.y.y.y
access-specific/1# control read-write
access-specific/1# extensions account-manager
access-specific/1# status active

Now I can login on the console (matching 127.0.0.1), and telnet from x.x.x.x, without wide-open snmp access from x.x.x.x (although "some community" will still work for snmp .. I don't see any way to disable that, so just make it really long/random I suppose).

hinzoo
SNMP-Arris
Log in or register to post comments