Users Guide
Implementation Information
The following describes SNMP implementation information.
• Dell Networking OS supports SNMP version 1 as dened by RFC 1155, 1157, and 1212, SNMP version 2c as dened by RFC 1901, and
SNMP version 3 as dened by RFC 2571.
• Dell Networking OS supports up to 16 trap receivers.
• Dell Networking OS implementation of the sFlow MIB supports sFlow conguration via SNMP sets.
• SNMP traps for the spanning tree protocol (STP) and multiple spanning tree protocol (MSTP) state changes are based on BRIDGE
MIB (RFC 1483) for STP and IEEE 802.1 draft ruzin-mstp-mib-02 for MSTP.
SNMPv3 Compliance With FIPS
SNMPv3 is compliant with the Federal information processing standard (FIPS) cryptography standard. The Advanced Encryption Standard
(AES) Cipher Feedback (CFB) 128-bit encryption algorithm is in compliance with RFC 3826. SNMPv3 provides multiple authentication and
privacy options for user conguration. A subset of these options are the FIPS-approved algorithms: HMAC-SHA1-96 for authentication and
AES128-CFB for privacy. The other options are not FIPS-approved algorithms because of known security weaknesses. The AES128-CFB
privacy option is supported and is compliant with RFC 3826.
The SNMPv3 feature also uses a FIPS-validated cryptographic module for all of its cryptographic operations when the system is congured
with the fips mode enable command in Global Conguration mode. When the FIPS mode is enabled on the system, SNMPv3
operates in a FIPS-compliant manner, and only the FIPS-approved algorithm options are available for SNMPv3 user conguration. When
the FIPS mode is disabled on the system, all options are available for SNMPv3 user conguration.
The following table describes the authentication and privacy options that can be congured when the FIPS mode is enabled or disabled:
Table 65. Authentication and Privacy Options
FIPS Mode Privacy Options Authentication Options
Disabled des56 (DES56-CBC)
aes128 (AES128-CFB)
md5 (HMAC-MD5-96)
sha (HMAC-SHA1-96)
Enabled aes128 (AES128-CFB) sha (HMAC-SHA1-96)
To enable security for SNMP packets transferred between the server and the client, you can use the snmp-server user username
group groupname 3 auth authentication-type auth-password priv aes128 priv-password command to specify
that AES-CFB 128 encryption algorithm needs to be used.
Dell(conf)#snmp-server user snmpguy snmpmon 3 auth sha AArt61wq priv aes128 jntRR59a
In this example, for a specied user and a group, the AES128-CFB algorithm, the authentication password to enable the server to receive
packets from the host, and the privacy password to encode the message contents are congured.
SHA authentication needs to be used with the AES-CFB128 privacy algorithm only when FIPS is enabled because SHA is then the only
available authentication level. If FIPS is disabled, you can use MD5 authentication in addition to SHA authentication with the AES-CFB128
privacy algorithm
You cannot modify the FIPS mode if SNMPv3 users are already congured and present in the system. An error message is displayed if you
attempt to change the FIPS mode by using the fips mode enable command in Global Conguration mode. You can enable or disable
FIPS mode only if SNMPv3 users are not previously set up. If previously congured users exist on the system, you must delete the existing
users before you change the FIPS mode.
Keep the following points in mind when you congure the AES128-CFB algorithm for SNMPv3:
712
Simple Network Management Protocol (SNMP)