Writable SNMP

Christopher Morrow morrowc.lists at gmail.com
Tue Dec 6 13:57:54 CST 2011


On Tue, Dec 6, 2011 at 12:15 PM, Jared Mauch <jared at puck.nether.net> wrote:
>
> On Dec 6, 2011, at 11:28 AM, Christopher Morrow wrote:
>
>> long ago, in a network far away (not on the interwebs) we used snmp
>> write to trigger a tftp config load. It worked nicely... I'm fairly
>> certain I'd not do this on an internet connected network today though.
>
> Many vendors have poor TFTP implementations, such that any additional
> latency creates very slow transfer rates.  This is why things like the
> RCPD were done, and others use FTP/HTTP even.  I am not sure if you can
> tell it to trigger some protocol other than TFTP in IOS.

agreed, I did say 'long time ago' :) (like before 2000 long time ago)
I get the impression we could have said copy http:// instead of tftp
though. (if it were supported at the time, http I mean)

> As someone who has moved large configs around in the past (1-16MB in cases)
> transfer speeds do matter.

agreed

>> Also, who tests snmp WRITE in their code? at scale? for daily
>> operations tasks? ... (didn't the snmp incident in 2002 teach us
>> something?)
>
> This is also a whole other interesting problem.  Part of it is lack of
> exposure to it.  Part of it is ease of operation.  Many people still
> telnet over when they should use ssh.  (feedback is more immediate if
> you are not in the VTY ACL for example).  People revert to what they
> are comfortable with.  Some it's scripts, others it's typing configure
> or conf t and hitting ? a lot.
>
> There's no reason one can't program a device with SNMP, the main issue IMHO
> has always been what I dubbed "config drift".  You have your desired
> configuration and variances that happen over time.  If you don't force
> a 'wr mem' or similar event after you trigger a 'copy tftp run' operation,
> you may have troubles that are not apparent if there is a power failure
> or other lossage.  The boot-time parser doesn't interpret SNMP, it parses
> text.  This and other reasons have made people fail-safe to using the language
> most easily interpreted by the device.

Yup, I think the OP was maybe getting at:
  "Why can't I snmp configure my cisco/juniper/alteon device?"

I took that to mean (probably naively?) that they also would validate
configs and update drift out of the configuration. You CAN force a 'wr
mem' via snmp as well, of course (in cisco world).
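The "config drift" problem raised above (a change loaded into the running configuration, whether by an SNMP-triggered `copy tftp run` or by hand, that is never committed with `wr mem` and so vanishes on reload) is something an operator can check for from the outside. The script below is an added illustration, not code from either poster: it diffs a saved startup-config against the running-config and also reports any read-write SNMP community, since an RW community is what makes a device configurable over SNMP at all. The two configurations, the hostname, the community strings and the IOS-style `snmp-server community` syntax it parses are all constructed sample data.

```python
# Added example (not from the thread): a defender-side config-drift check.
# It diffs a device's saved startup-config against its running-config so that
# an uncommitted change is visible before a reload silently reverts it, and it
# flags read-write SNMP communities, the riskier ones being those without an
# access list.  All configuration text below is constructed sample data.
import difflib
import re

# Constructed sample: what the device would boot from.
STARTUP_CONFIG = """\
!
hostname edge-rtr-1
snmp-server community public RO 10
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
"""

# Constructed sample: what the device runs now, after an uncommitted load.
RUNNING_CONFIG = """\
!
hostname edge-rtr-1
snmp-server community public RO 10
snmp-server community s3cret RW
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
"""

# Assumed IOS-style line: snmp-server community <string> [view <name>] RO|RW [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)? (?P<mode>RO|RW)(?: (?P<acl>\S+))?\s*$"
)


def normalize(cfg):
    """Drop separator/comment lines ('!') and blank lines and strip trailing
    whitespace, so the diff reports real changes rather than layout noise."""
    return [
        line.rstrip()
        for line in cfg.splitlines()
        if line.strip() and not line.lstrip().startswith("!")
    ]


def config_drift(startup, running):
    """Return drifted lines: '+' lines exist only in running-config,
    '-' lines exist only in startup-config.  An empty list means no drift."""
    diff = difflib.unified_diff(
        normalize(startup), normalize(running),
        fromfile="startup-config", tofile="running-config",
        lineterm="", n=0,
    )
    return [
        line for line in diff
        if line[:1] in ("+", "-") and not line.startswith(("+++", "---"))
    ]


def writable_communities(cfg):
    """Return (community, acl) for every RW community; acl is None when no
    access list restricts who may use it."""
    found = []
    for line in normalize(cfg):
        m = COMMUNITY_RE.match(line)
        if m and m.group("mode") == "RW":
            found.append((m.group("name"), m.group("acl")))
    return found


def report(startup, running):
    """Plain-text summary suitable for a nightly audit job or an operator."""
    lines = []
    drift = config_drift(startup, running)
    lines.append(f"drift lines: {len(drift)}")
    lines.extend(f"  {d}" for d in drift)
    for name, acl in writable_communities(running):
        guard = f"restricted by ACL {acl}" if acl else "NO ACL (unrestricted)"
        lines.append(f"RW community present: {name!r}, {guard}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(STARTUP_CONFIG, RUNNING_CONFIG))
```

In practice the two inputs would be pulled from the device (for example the output of `show startup-config` and `show running-config`) by whatever collection method the operator already trusts; the diff is deliberately run with zero context lines so only the changed statements are listed.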
