Re: (usr-tc) Ah...what the heck...
The NMC DOES have an Authorized Stations list, in which you can limit SNMP access to a given set of IP addresses. It would probably be a good idea to use it. Within TCM it's under Security | Authorized Stations.

Steve

Jeff Mcadams <jeffm@iglou.com> on 10/14/99 01:50:26 PM
Please respond to usr-tc@lists.xmission.com
Sent by: Jeff Mcadams <jeffm@iglou.com>
To: usr-tc@lists.xmission.com
cc: (Steve Valiunas/MW/US/3Com)
Subject: (usr-tc) Ah...what the heck...

*grab stick, stir some more* ;)

Well...just got a response back from the individual within 3Com that I reported the latest SNMP security bug to...his response to my request for a status report? Call tech support and give them your contract number to ask about it. Ayiyi!

So...here we go...the latest, greatest way to screw up your competitor's Total Control gear. ;)

As most of you are, no doubt, aware from previous discussions on the list, and indeed, from my previous SNMP security bug report, the NMC card is capable of acting as a "relay" agent for other cards in the chassis. Basically, you send your SNMP request to the NMC card, with the NMC's community string, with "@xxxx" appended on the end of the community string (xxxx is the entity number for the card, 16000 for the card in slot 16, 5000 for the card in slot 5, etc.).

Here's the trick though...the NMC doesn't check the access of the community string that it's sent if it's relayed. It checks to make sure that the community string *exists*, but not what its access level is. So...you send the NMC's read-only community string to the NMC, with the relay information attached to send it on to the Arc with an SNMP set operation. The set is taken without complaint.
So...if you have the read-only community string for the NMC, you can make whatever changes you want to any other SNMP-capable card in the rack (note, you can't muck with DSPs or quads or anything like that as they don't actually do SNMP, they use the NMC's agent directly, but Arcs, and any other gateway-type card...basically anything that runs the Pilgrim code base...is able to be set).

Unfortunately, the NMC doesn't have any (that I could find) internal access controls on where it will accept SNMP ops from, so about the only thing I can say is filter on the next-hop, and make sure *all* of your community strings are secret.

--
Jeff McAdams                    Email: jeffm@iglou.com
Head Network Administrator      Voice: (502) 966-3848
IgLou Internet Services                (800) 436-4456

-
To unsubscribe to usr-tc, send an email to "majordomo@xmission.com" with "unsubscribe usr-tc" in the body of the message. For information on digests or retrieving files and old messages send "help" to the same address. Do not use quotes in your message.
Thus spake Steve Valiunas
The NMC DOES have an Authorized Stations list, in which you can limit SNMP access to a given set of IP addresses. It would probably be a good idea to use it. Within TCM it's under Security | Authorized Stations.
Hrmm...learn something new every day... Was looking through the MIB for it and didn't see any reference to it...did find it though. nmcAuthAccTable is the table that controls it apparently... An nmcAuthAccEntry consists of nmcAuthAccIpAddr, nmcAuthAccNetMask, and nmcAuthAccDescr; with the obvious values for each. (For the rest of you who don't use TCM ;)

--
Jeff McAdams                    Email: jeffm@iglou.com
Head Network Administrator      Voice: (502) 966-3848
IgLou Internet Services                (800) 436-4456

-
To unsubscribe to usr-tc, send an email to "majordomo@xmission.com" with "unsubscribe usr-tc" in the body of the message. For information on digests or retrieving files and old messages send "help" to the same address. Do not use quotes in your message.
The NMC DOES have an Authorized Stations list, in which you can limit SNMP access to a given set of IP addresses. It would probably be a good idea to use it. Within TCM it's under Security | Authorized Stations.

Steve
Is it possible to restrict access to a subnet or subnets such that any machine on that subnet can access TCM?

*********************************************************
Michelle M. Mogil
Network and Computing Systems
721 Rhodes Hall, Cornell University, Ithaca, NY 14853
vox: (607) 255-0516, fax: (607) 255-8420
email: mmm3@cornell.edu
*********************************************************

-
To unsubscribe to usr-tc, send an email to "majordomo@xmission.com" with "unsubscribe usr-tc" in the body of the message. For information on digests or retrieving files and old messages send "help" to the same address. Do not use quotes in your message.
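The two access checks the thread discusses, modelled side by side as an added example (this is not code from the thread, from TCM or from the NMC firmware): the relay check as Jeff describes it, which only verifies that the base community string exists, and a corrected check that also honours the community's access level and the Authorized Stations table (nmcAuthAccIpAddr / nmcAuthAccNetMask / nmcAuthAccDescr). The community strings, addresses and table rows are constructed sample data, and the "ro"/"rw" access model is an assumption for illustration.

```python
"""Model of NMC-style SNMP relay authorization: flawed vs. corrected.

Constructed sample data throughout; the access-level model is assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed community table: community string -> access level.
COMMUNITIES = {"public-ro": "ro", "secret-rw": "rw"}


@dataclass(frozen=True)
class AuthAccEntry:
    """One constructed Authorized Stations row, mirroring the MIB columns named in the thread."""
    ip_addr: str   # nmcAuthAccIpAddr
    net_mask: str  # nmcAuthAccNetMask
    descr: str     # nmcAuthAccDescr


AUTH_STATIONS = [
    AuthAccEntry("192.0.2.0", "255.255.255.0", "NOC management subnet"),
    AuthAccEntry("198.51.100.7", "255.255.255.255", "single TCM workstation"),
]


def split_community(community: str) -> Tuple[str, Optional[int]]:
    """Split 'secret-rw@16000' into ('secret-rw', 16000); no '@' targets the NMC itself."""
    base, sep, entity = community.rpartition("@")
    if not sep:
        return community, None
    if not entity.isdigit():
        raise ValueError("relay entity number must be numeric")
    return base, int(entity)


def station_authorized(src_ip: str, table=AUTH_STATIONS) -> bool:
    """True if src_ip falls inside any (address, netmask) row; a /32 mask pins one host."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network((e.ip_addr, e.net_mask), strict=False) for e in table)


def flawed_accepts(src_ip: str, community: str, op: str) -> bool:
    """Behaviour described in the thread: a relayed request passes if the community merely exists."""
    base, entity = split_community(community)
    if base not in COMMUNITIES:
        return False
    if entity is not None:          # relayed: access level never consulted
        return True
    return op != "set" or COMMUNITIES[base] == "rw"


def hardened_accepts(src_ip: str, community: str, op: str) -> bool:
    """Corrected check: source must be an authorized station, and SET needs an rw community."""
    base, _entity = split_community(community)
    if not station_authorized(src_ip) or base not in COMMUNITIES:
        return False
    return op != "set" or COMMUNITIES[base] == "rw"   # same rule whether relayed or not
```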