[c-nsp] Regain CLI access with snmp sets?

Persio Pucci persio at gmail.com
Sat Sep 10 14:18:42 EDT 2011


Lee,

I'll give it a try later using your suggestion. As for limiting, I already
limit both TFTPs and who can RW into it.

On Sat, Sep 10, 2011 at 2:14 PM, Lee <ler762 at gmail.com> wrote:

> On 9/10/11, Persio Pucci <persio at gmail.com> wrote:
> > Here are my steps:
> >
> >> persio.pucci at tacacs:/tftpboot$ snmpset -v2c -c COMUNITY 10.20.30.1 .1.3.6.1.4.1.9.9.96.1.1.1.1.2.200 integer 1
> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.2.200 = INTEGER: 1
> >> persio.pucci at tacacs:/tftpboot$ snmpset -v2c -c COMUNITY 10.20.30.1 .1.3.6.1.4.1.9.9.96.1.1.1.1.3.200 integer 1
> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.3.200 = INTEGER: 1
> >> persio.pucci at tacacs:/tftpboot$ snmpset -v2c -c COMUNITY 10.20.30.1 .1.3.6.1.4.1.9.9.96.1.1.1.1.4.200 integer 4
> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.4.200 = INTEGER: 4
> >> persio.pucci at tacacs:/tftpboot$ snmpset -v2c -c COMUNITY 10.20.30.1 .1.3.6.1.4.1.9.9.96.1.1.1.1.5.200 address 10.10.10.1
> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.5.200 = IpAddress: 10.10.10.1
> >> persio.pucci at tacacs:/tftpboot$ snmpset -v2c -c COMUNITY 10.20.30.1 .1.3.6.1.4.1.9.9.96.1.1.1.1.6.200 string user
> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.6.200 = STRING: "user"
> >> persio.pucci at tacacs:/tftpboot$ snmpset -v2c -c COMUNITY 10.20.30.1 .1.3.6.1.4.1.9.9.96.1.1.1.1.14.200 integer 4
> >> Error in packet.
> >> Reason: inconsistentValue (The set value is illegal or unsupported in some way)
> >> Failed object: SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.14.200
> >
> >
> > As you can see, the object gets created, but it does not accept the active
> > command.
>
> I'm guessing the row already exists.  For createAndGo(4) to work (your
> last snmpset) the row has to be created in one call & you've got
> multiple snmpsets
>
> Try deleting the row, doing a create & wait on the row, set the other
> variables and then set the row status to active(1)
>
> Take a look at the description of ccCopyEntry in CISCO-CONFIG-COPY-MIB
> and of RowStatus in SNMPv2-TC for a full explanation.
>
> And I'd strongly suggest that you restrict which hosts the router
> allows tftp to/from.  See the
> snmp-server tftp-server-list command.
>
> Regards,
> Lee
>
>
> >
> >> persio.pucci at tacacs:/tftpboot$ snmpwalk -v2c -c COMUNITY 10.20.30.1 .1.3.6.1.4.1.9.9.96.1.1.1.1
> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.2.200 = INTEGER: 1
> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.3.200 = INTEGER: 1
> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.4.200 = INTEGER: 4
> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.5.200 = IpAddress: 10.10.10.1
> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.6.200 = STRING: "user"
> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.9.200 = INTEGER: 2
> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.10.200 = INTEGER: 4
> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.11.200 = Timeticks: (1836298009) 212 days, 12:49:40.09
> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.12.200 = Timeticks: (1836302109) 212 days, 12:50:21.09
> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.13.200 = INTEGER: 3
> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.14.200 = INTEGER: 1
> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.15.200 = INTEGER: 1
> >> SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.16.200 = STRING: "10.10.10.1"
> >> persio.pucci at tacacs:/tftpboot$
> >
> >
> > On Fri, Sep 9, 2011 at 10:12 PM, Lee <ler762 at gmail.com> wrote:
> >
> >> On 9/9/11, Persio Pucci <persio at gmail.com> wrote:
> >> > Would anybody have a working recipe for routers, especially the 7200? I've
> >> > been trying the ones posted at Cisco (especially the one where you need
> >> > several commands) but the final "activate" command gets an error
> >> > response...
> >>
> >> echo "processing $DEV"
> >> echo "     delete row 3"
> >> $SNMPSET $community -m CISCO-CONFIG-COPY-MIB $DEV ccCopyEntryRowStatus.3 i 6
> >> echo "     create row 3 & wait"
> >> $SNMPSET $community -m CISCO-CONFIG-COPY-MIB $DEV ccCopyEntryRowStatus.3 i 5
> >>
> >> $SNMPSET $community -m CISCO-CONFIG-COPY-MIB $DEV ccCopyProtocol.3 i 1
> >> #   use tftp
> >> $SNMPSET $community -m CISCO-CONFIG-COPY-MIB $DEV ccCopySourceFileType.3 i 1
> >> #   1=networkFile  3=startupConfig   4=runningConfig
> >> $SNMPSET $community -m CISCO-CONFIG-COPY-MIB $DEV ccCopyDestFileType.3 i 4
> >> #   1=networkFile  3=startupConfig   4=runningConfig
> >> $SNMPSET $community -m CISCO-CONFIG-COPY-MIB $DEV ccCopyServerAddress.3 a $TFTPHOST
> >> $SNMPSET $community -m CISCO-CONFIG-COPY-MIB $DEV ccCopyFileName.3 s $FILE
> >> $SNMPSET $community -m CISCO-CONFIG-COPY-MIB $DEV ccCopyNotificationOnCompletion.3 i 1
> >> #  1: true  2: false
> >> $SNMPSET $community -m CISCO-CONFIG-COPY-MIB $DEV ccCopyEntryRowStatus.3 i 1
> >> #  make it active
> >> echo "Done!"
> >>
> >>
> >> Regards,
> >> Lee
> >>
> >>
> >>
> >>
> >> > On 08/09/2011, at 18:44, Mike <mike-cisconsplist at tiedyenetworks.com>
> >> > wrote:
> >> >
> >> >> Hello,
> >> >>
> >> >>    I am sure this can be done and am calling on my fellows to help light
> >> >> the way!
> >> >>
> >> >>    I have a cisco 2970 switch newly installed in a remote, inaccessible
> >> >> location that presently lacks OOB serial access. Due to a config error, I
> >> >> cannot telnet into the unit due to missing config elements:
> >> >>
> >> >> Escape character is '^]'.
> >> >>
> >> >>
> >> >> Password required, but none set
> >> >> Connection closed by foreign host.
> >> >>
> >> >>
> >> >>    I do have, however, a writable snmp community string. So I am wondering
> >> >> if it would be possible to update the running config using snmp in order
> >> >> to give me telnet access to this unit? It would beat a trip back out there
> >> >> and would serve my cisco education well too. So how about it, any takers?
> >> >>
> >> >> Mike-
> >> >> _______________________________________________
> >> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >> >
> >> >
> >>
> >
>
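
Lee's advice to restrict which TFTP hosts the router will use can also be checked after the fact by reading ccCopyTable back. The Python below is an added example, not code from the thread or from any poster: it decodes a numeric snmpwalk of the table, like the one quoted above, and lists copy requests that involve a file server outside an allow-list. The function names, the allow-list and the row 7 sample lines are assumptions made for illustration.

```python
import re

# Columns of ccCopyEntry (.1.3.6.1.4.1.9.9.96.1.1.1.1) as named in the thread's
# script and walk; enum labels follow CISCO-CONFIG-COPY-MIB.
COLUMNS = {2: "protocol", 3: "source", 4: "dest", 5: "server",
           6: "file", 10: "state"}
FILE_TYPE = {1: "networkFile", 3: "startupConfig", 4: "runningConfig"}
ENUMS = {"protocol": {1: "tftp"}, "source": FILE_TYPE, "dest": FILE_TYPE,
         "state": {1: "waiting", 2: "running", 3: "successful", 4: "failed"}}
LINE = re.compile(r"\.9\.9\.96\.1\.1\.1\.1\.(\d+)\.(\d+) = (\w+): (.*)")

# Row 200 is copied from the snmpwalk in the thread; row 7 is constructed.
SAMPLE_WALK = """\
SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.2.200 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.3.200 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.4.200 = INTEGER: 4
SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.5.200 = IpAddress: 10.10.10.1
SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.6.200 = STRING: "user"
SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.10.200 = INTEGER: 4
SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.3.7 = INTEGER: 4
SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.4.7 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.5.7 = IpAddress: 192.0.2.50
SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.10.7 = INTEGER: 3
"""

def parse_walk(text):
    """Group walk lines into {row_index: {column_name: decoded_value}}."""
    rows = {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m or int(m.group(1)) not in COLUMNS:
            continue  # wrapped Timeticks lines and columns not audited here
        name, value = COLUMNS[int(m.group(1))], m.group(4).strip().strip('"')
        if m.group(3) == "INTEGER":
            number = int(value)
            value = ENUMS.get(name, {}).get(number, number)
        rows.setdefault(int(m.group(2)), {})[name] = value
    return rows

def audit(rows, allowed_servers):
    """List copy rows that move a config to or from a server not on the allow-list."""
    findings = []
    for index, row in sorted(rows.items()):
        if "networkFile" not in (row.get("source"), row.get("dest")):
            continue  # local copy, no file server involved
        if row.get("server") not in allowed_servers:
            direction = "load" if row.get("source") == "networkFile" else "export"
            findings.append((index, direction, row.get("server"), row.get("state")))
    return findings
```

With `{"10.10.10.1"}` as the allow-list, `audit(parse_walk(SAMPLE_WALK), {"10.10.10.1"})` reports only the constructed row 7; with an empty allow-list it also reports the thread's row 200 as a failed load into the running config.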

