SevOne


How to automate performing an SNMP community string audit

By Tim Greenside posted 3 hours ago

  

From time to time, network administrators need to audit the network devices under their management to validate that they are all using the proper community strings, and that no old or "unauthorized" strings (public, private) are being used anywhere on the network. In most environments there are hundreds or thousands of devices that need to be checked, making this task a prime target for automation!

IBM's Rapid Network Automation solution is a "no-code/low-code" automation platform that allows you to easily create automation workflows using its graphical drag-and-drop interface.  You simply define a few variables, then drag "action blocks" onto the workflow canvas in order to design your desired workflow.  

Let's take a look at how we can audit our devices for their SNMP community string settings. 

The method we are going to use is as follows: 

  1. We will create a list of devices (array) to query with SNMP.
  2. We will create a list of SNMP community strings to query the devices with.
  3. We will attempt to query the device using an SNMP Get action block, retrieving the SNMP host name of the device.
  4. For each device, we will try each of the SNMP community strings to determine the first one in the list that works.
  5. If a community string successfully returns a value, we will write the device IP address, community string, and SNMP host name to a "responders" list.
  6. We will iterate through all devices until the processing is complete. 
  7. We will print the resulting "responders" list to the log window for viewing.

Step 1:  Create an Authentication defining SNMP credentials and settings that a device might respond to.

Authentications are used by action blocks, such as the "GetSNMP" action block, allowing for secure communication from within the workflow.

We want to make sure we check the boxes for the "overridable" fields we want to change later, since we will need to try multiple different read-only community strings.

Step 2:  Define your "Start Block" variables that you will use in your workflow.

We want to define three arrays (lists of values):

  • strings_to_test - which contains our SNMP community string values;
  • snmp_host_ips - which contains one or more host IP addresses;
  • responders - which will contain the results of our successful queries.

Step 3: We will want to use "ForEach" blocks to iterate through our array values.

We will start by adding a "ForEach" block to iterate through the list of $snmp_host_ips.

Within that ForEach block, we will add another ForEach block to iterate through the list of $strings_to_test.

We will be looping through the results until we have tried all $snmp_host_ips.

Step 4: Generate authentication keys for each attempt

Before we can issue any SNMPGet requests, we need to generate an authentication key using the "AuthOverride_1" block.

Step 5: Update SNMPGet block with uniquely generated authorization authKey value

Once that is complete, we can use the result of the AuthOverride ($AuthOverride_1.result) within our SNMPGet action block in order to check whether the device will respond to our request.

We also populate the host value using the $ForEach_hosts.item value.

Finally, we populate the "oid" array with the following OID (MIB2: hostname):  ["1.3.6.1.2.1.1.5.0"]

Note: we are placing the SNMPGet block within a "Try/Catch" block so we can detect errors and handle them if found. In this case, an error indicates that the device did not respond to SNMP. If it does respond, then we have found a working community string.

Step 6: Check for success or failure of SNMPGet request, logging successful attempts.

We use an "If" action block to check whether our SNMPGet request was successful or not. If successful, the $Try_1 block should provide an "undefined" value, since the SNMPGet returned a valid value. If unsuccessful, the $Try_1 block will return a value containing the error message, indicating that the SNMP community string did not work for the device.

If successful, we can update the $responders array with information about this device and its working SNMP community string value, so we can display it later.

Step 7:  Run the workflow and view our results.

Finally, we can run our workflow and then view the results in the log window.
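
The same audit loop as a script, added here as an example that is not part of the original post or of IBM's product: it mirrors the nested ForEach and Try/Catch blocks, and goes one step further with an option to keep testing after the first hit, because a device that accepts the approved string may also still accept "public". Assumptions: SNMPv2c, net-snmp's `snmpget` on the PATH for live use, and the names `audit`, `violations`, `fake_get`, `corp-ro-EXAMPLE` and the 192.0.2.x sample devices, all constructed for illustration.

```python
import subprocess

SYSNAME_OID = "1.3.6.1.2.1.1.5.0"  # the OID the workflow's SNMPGet block queries

def snmpget_sysname(host, community, timeout=1):
    """Live probe via net-snmp's snmpget CLI (assumed installed; SNMPv2c assumed)."""
    cmd = ["snmpget", "-v2c", "-c", community, "-t", str(timeout), "-r", "0",
           "-Oqv", host, SYSNAME_OID]
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 2)
    if out.returncode != 0:
        raise RuntimeError(out.stderr.strip() or "no response")
    return out.stdout.strip()

def audit(snmp_host_ips, strings_to_test, get=snmpget_sysname, first_only=True):
    """Nested ForEach + Try/Catch from the workflow; returns the 'responders' list."""
    responders = []
    for host in snmp_host_ips:
        for community in strings_to_test:
            try:
                name = get(host, community)
            except (RuntimeError, subprocess.TimeoutExpired):
                continue  # this string did not work; try the next one
            responders.append({"ip": host, "community": community, "sysname": name})
            if first_only:
                break  # the workflow stops at the first string that works
    return responders

def violations(responders, approved):
    """Responders that answered to a string outside the approved set."""
    return [r for r in responders if r["community"] not in approved]

# Constructed sample data: documentation addresses and made-up device names.
FAKE_DEVICES = {
    ("192.0.2.10", "public"): "lab-sw1",
    ("192.0.2.10", "corp-ro-EXAMPLE"): "lab-sw1",
    ("192.0.2.11", "corp-ro-EXAMPLE"): "core-rtr1",
}

def fake_get(host, community):
    """Offline stand-in for snmpget_sysname, backed by FAKE_DEVICES."""
    if (host, community) not in FAKE_DEVICES:
        raise RuntimeError("Timeout: No Response from " + host)
    return FAKE_DEVICES[(host, community)]

if __name__ == "__main__":
    hosts = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    strings = ["corp-ro-EXAMPLE", "public", "private"]
    found = audit(hosts, strings, get=fake_get, first_only=False)
    for r in violations(found, {"corp-ro-EXAMPLE"}): print("UNAUTHORIZED", r)
```

With the approved string listed first and `first_only=True`, 192.0.2.10 is recorded only under the approved string and its leftover "public" access goes unreported; either list the unauthorized strings first or run with `first_only=False`.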
