Writable SNMP

Christopher Morrow morrowc.lists at gmail.com
Tue Dec 6 19:57:54 UTC 2011

On Tue, Dec 6, 2011 at 12:15 PM, Jared Mauch <jared at puck.nether.net> wrote:
> On Dec 6, 2011, at 11:28 AM, Christopher Morrow wrote:
>> long ago, in a network far away (not on the interwebs) we used snmp
>> write to trigger a tftp config load. It worked nicely... I'm fairly
>> certain I'd not do this on an internet connected network today though.
> Many vendors have poor TFTP implementations, such that any additional
> latency creates very slow transfer rates.  This is why things like the
> RCPD were done, and others use FTP/HTTP even.  I am not sure if you can
> tell it to trigger some protocol other than TFTP in IOS.

agreed, I did say 'long time ago' :) (like before 2000 long time ago)
I get the impression we could have said copy http:// instead of tftp
though. (if it were supported at the time, http I mean)

> As someone who has moved large configs around in the past (1-16MB in cases)
> transfer speeds do matter.


>> Also, who tests snmp WRITE in their code? at scale? for daily
>> operations tasks? ... (didn't the snmp incident in 2002 teach us
>> something?)
> This is also a whole other interesting problem.  Part of it is lack of
> exposure to it.  Part of it is ease of operation.  Many people still
> telnet over when they should use ssh.  (feedback is more immediate if
> you are not in the VTY ACL for example).  People revert to what they
> are comfortable with.  Some it's scripts, others its typing configure
> or conf t and hitting ? a lot.
> There's no reason one can't program a device with SNMP, the main issue IMHO
> has always been what I dubbed "config drift".  You have your desired
> configuration and variances that happen over time.  If you don't force
> a 'wr mem' or similar event after you trigger a 'copy tftp run' operation,
> you may have troubles that are not apparent if there is a power failure
> or other lossage.  The boot-time parser doesn't interpret SNMP, it parses
> text.  This and other reasons have made people fail-safe to using the language
> most easily interpreted by the device.

Yup, I think the OP was maybe getting at:
  "Why can't I snmp configure my cisco/juniper/alteon device?"

I took that to mean (probably naively?) that they also would validate
configs and update drift out of the configuration. You CAN force a 'wr
mem' via snmp as well, of course (in cisco world).

More information about the NANOG mailing list