Ethernet Routing Switch 8600
Engineering
> Technical Configuration Guide for SNMP
Enterprise Network Engineering
Document Date: December 15, 2006
Document Version: 2.
Technical Configuration Guide for SNMP v2.0 December 2006
Abstract
This document provides an overview of how to configure SNMP on the Nortel Ethernet Routing Switch (ERS) 8600.
Table of Contents
1. SNMPV3 OVERVIEW
2. SNMP UPGRADE CONSIDERATIONS
2.1 HIDDEN FILE DETAILS
3. BLOCKING SNMP
List of Figures
Figure 1: SNMPv3 USM
Figure 2: MIB Structure
List of Tables
Table 1: New Default Password Settings
1. SNMPv3 Overview
SNMPv3 is the third version of the Internet-Standard Management Framework and is derived from and builds upon both the original Internet-Standard Management Framework (SNMPv1) and the second Internet-Standard Management Framework (SNMPv2). SNMPv3 is not a stand-alone replacement for SNMPv1 and/or SNMPv2. It defines security capabilities to be used in conjunction with SNMPv2 (preferred) or SNMPv1.
2. SNMP Upgrade Considerations
Please note the following when upgrading software on the ERS8600. Starting in software release 3.7 and continuing through software release 4.1.x, the CLI command save config creates a hidden and encrypted file that contains the SNMP community table information. For security purposes, the save config command also removes references to the existing SNMP community strings from the newly created configuration file.
3. Blocking SNMP
By default, SNMP access is enabled. You can disable all SNMP access to the ERS 8600, including SNMPv1/v2 and SNMPv3, by using the following commands:
• ERS-8610:5# config bootconfig flags block-snmp true
• ERS-8610:5# save boot
• ERS-8610:5# boot -y
To re-enable SNMP access, enter the following command:
• ERS-8610:5# config bootconfig flags block-snmp false
3.
To add an access policy, you must first enable the access policy feature globally by entering the following command:
• ERS-8606:5# config sys access-policy enable
After the access policy feature has been enabled globally, to add a new access policy, enter the following command:
a) Add a new policy
• ERS-8606:5# config sys access-policy policy <1..
3.2.1 Configuration Example: Blocking SNMP via an Access Policy
In this example, we will create an access policy that blocks SNMP for any user coming from network 172.30.x.y/16.
TrustedHostUserName: none
AccessLevel: readWriteAll
AccessStrict: false
Usage: 385

• ERS-8610:5# show sys access-policy snmp-group-info
snmpv3-groups :
Policy 1 snmpv3-groups:
Group Name    Snmp-Model
readgrp       snmpv1
readgrp       snmpv2c
v1v2grp       snmpv1
v1v2grp       snmpv2c
Policy 2 snmpv3-groups:
3.3.
3.3.3.1 Setting the SNMP Community String and Trap Receivers with Software Release 3.3
In the ERS 8000 Series Switch Release 3.3, SNMP community strings and traps are added by using the two commands shown below. In the 3.3 release, these commands appear in the configuration file.
3.3.4 Modifying and/or adding community strings
Initially, there are 4 communities: first, second, index1 and index2. first represents the default read-only access (public) and second represents the default read-write access (private) created by the SNMPv3 engine. The access rights are determined by the Security Name from the VACM table. Previously existing default communities prior to software upgrade to release 3.
For example, assuming we have upgraded to release 3.
3.3.5 Creating or deleting trap receivers with Software release 3.7 or 4.1
With software release 3.7 or 4.1, you create trap receivers by creating SNMP-v3 trap notifications and then specifying the target address where you wish to send the notifications along with specific target parameters. By default, the ERS8600 has a default trap notification of “trapTag”.
For example, to add an SNMPv1 trap receiver, enter the following, assuming the Target Name is TAddr1 and that you are using the default trap notify of trapTag and the default targetparam of TparamV1 for SNMPv1 traps:
• ERS-8606:5# config snmp-v3 target-addr create TAddr1 X.X.X.X:162 TparamV1 timeout 1500 retry 3 taglist trapTag mask 0xff:ff:00:00:00:00 mms 484
Where X.X.X.X is the IP address of your trap receiver.
3.4 New Default Community Strings in High Secure (hsecure) Mode
If the ERS 8600 has been configured for high security mode (config bootconfig flags hsecure true) after a factory default setting, the software will change the default password and SNMP communities. All new passwords must be at least 8 characters and in release 4.1, all new passwords must be at least 10 characters. All old passwords less than 8 or 10 (for release 4.
4.
After the ERS 8600 has been configured, the trap receiver should display traps from the ERS 8600 with a source IP address of 1.1.1.1 as shown below using Enterprise Switch Manager.
5. SNMP with RADIUS Authentication and Accounting
Radius-SNMP authentication and accounting is supported in release 3.5 for SNMPv1 and SNMPv2. Radius-SNMP authentication operates by passing the community string to a RADIUS server. The RADIUS server will in return send an integer value indicating the level of access allowed or no access at all. Please note that software releases 3.7 and 4.1.x do not support this feature.
6. Configuring SNMPv3
The following are the configuration steps required to enable SNMPv3:
• Load the DES or AES (release 4.1 only) Encryption Module
• Add an SNMP User USM
• Assign the USM as a member to an SNMPv3 USM group
• Assign the USM group an access level of either authPriv, authNoPriv, or noAuthNoPriv
• Assign a MIB view to the USM group
6.
For release 3.7, the command will be:
• ERS-8610:5# config snmp-v3 usm create user1 md5 auth user1234 priv userpriv
For release 4.
6.4 Assigning the USM Group Access Level
The next step is to assign the access level to the USM Group. One of the following three USM access levels must be configured:
• NoAuthNoPriv: Communication without authentication and privacy
• AuthNoPriv: Communication with authentication (MD5 or SHA) and without privacy
• AuthPriv: Communication with authentication (MD5 or SHA) and privacy (DES or AES in release 4.
6.5 Assigning the MIB View to the USM Group
We can either assign the USM group to an existing MIB view, or create a new MIB view first (next step) and then assign it to the USM group. The next section describes how to add a new MIB view.
6.6 Creating a MIB View
As mentioned in the previous step, the ERS 8600 has a number of default MIB views. The MIB view configures the branches of the SNMP MIB tree that are permitted or not permitted for a particular user or group. The ERS 8600 MIB tree follows the ASN.1 hierarchical structure for both private and enterprise (private) MIBs.
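The include/exclude decision a MIB view makes for a given OID, as an added example that is not from this guide or the ERS 8600 software: it applies the standard VACM view rule from RFC 3415, where the longest matching subtree decides. The "org" and "snmp" rows follow the mib-view output shown in this guide; the "private_restrict" rows and the helper names are assumptions made for illustration.

```python
# Added example: VACM view check per RFC 3415 (not ERS 8600 source code).
from typing import NamedTuple

class ViewEntry(NamedTuple):
    view: str        # view name, e.g. "org"
    subtree: tuple   # OID prefix as a tuple of ints
    mask: str        # hex bit mask; "" means every sub-identifier must match
    included: bool   # True for "include", False for "exclude"

def oid(text):
    return tuple(int(p) for p in text.strip(".").split("."))

def entry(view, subtree, kind, mask=""):
    return ViewEntry(view, oid(subtree), mask, kind == "include")

def _mask_bit(mask, i):
    """Bit i of the mask, MSB first; missing bits count as 1 (exact match)."""
    bits = bytes.fromhex(mask.replace(":", ""))
    if i // 8 >= len(bits):
        return 1
    return (bits[i // 8] >> (7 - i % 8)) & 1

def _covers(e, target):
    """True when target lies under e.subtree, honouring mask wildcards."""
    if len(target) < len(e.subtree):
        return False
    return all(s == t or not _mask_bit(e.mask, i)
               for i, (s, t) in enumerate(zip(e.subtree, target)))

def in_view(entries, view, target_oid):
    """True when target_oid is permitted through the named view."""
    target = oid(target_oid)
    matches = [e for e in entries if e.view == view and _covers(e, target)]
    if not matches:
        return False  # no covering subtree: the OID is not in the view
    # Longest subtree wins; ties go to the lexicographically greater subtree.
    best = max(matches, key=lambda e: (len(e.subtree), e.subtree))
    return best.included

# Constructed sample rows; "private_restrict" is an assumed definition
# (everything under 1.3 except the private branch 1.3.6.1.4).
VIEWS = [
    entry("org", "1.3", "include"),
    entry("snmp", "1.3.6.1.6.3", "include"),
    entry("snmp", "1.3.6.1.2.1.1", "include"),
    entry("private_restrict", "1.3", "include"),
    entry("private_restrict", "1.3.6.1.4", "exclude"),
]
```

Calling in_view(VIEWS, "private_restrict", "1.3.6.1.4.1.1") returns False while the same OID through "org" returns True, which is the effect of pairing a broad include with a narrower exclude.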
7. Configuration Example: Changing SNMP Communities
7.1 Configuration Example: SNMP Communities with Release 3.5
[Figure labels: PP8600, CLIP = 1.1.1.1/32; Core Network; SNMP NMS Server 10.1.30.]
7.2 Configuration Example: Changing the Default SNMP Community Name with Release 3.7 or 4.1
By default, the ERS 8600 public and private communities are configured using the names first and second respectively. You can view the SNMP community table by using the following command. Notice that the community names, public and private by default, are masked with asterisks.
• ERS-8610-C:5# config snmp-v3 mib-view info
================================================================================
MIB View
================================================================================
View Name    Subtree             Mask    Type
--------------------------------------------------------------------------------
org          1.3                         include
root         1                           include
snmp         1.3.6.1.6.3                 include
snmp         1.3.6.1.2.1.1               include
layer1       1.3                         exclude
layer1       1.3.6.1.2.1.2.2.1.
7.4 Testing SNMP Using Device Manager
Now that you have changed the read and write communities, you can test the configuration by using Device Manager. The window shown below displays the parameters entered for the read and write communities.
• Enter ro567pp8600 for the Read Community
• Enter rwa123pp8600 for the Write Community
7.5 Configuration Example: Changing the MIB View for an SNMPv1/2 Community
In software release 3.7 or 4.
• ERS-8610:5# config snmp-v3 group-access create no_private "" snmpv2 noAuthNoPriv
• ERS-8610-C:5# config snmp-v3 group-access view no_private "" snmpv2 noAuthNoPriv read org write private_restrict notify org
C) Create a new SNMP group member named “private” for SNMPv1/2 and add group access “no_private” created in step 2 above
1.
8. Configuration Example Using SNMPv3
[Figure labels: User 1; User 2; SNMPv3 Access]
For this configuration example, we wish to accomplish the following:
• Add User 1 to the USM table with an authentication protocol of MD5 and a privacy protocol of DES (i.e. authPriv)
• Allow User 1 full MIB views with full permission starting at the existing view “org”
• Add User 2 to the USM table with an authentication protocol of MD5 and no privacy protocol, i.e.
• ERS-8610:5# config snmp-v3 group-access view group_1 "" usm authPriv read org write org
F) Add User 2 to the USM table. In this example, we will use a user name of ‘user2’ and an MD5 password of ‘user2abcd’.
• ERS-8610:5# config snmp-v3 usm create user2 md5 auth user2abcd
G) Add User 2 to the USM group. We will add User 2 to the group named ‘group_1’ created above.
1.
9. Software Baseline
All configuration examples are based on the ERS 8600 3.7 release, with updated information related to AES support for release 4.1.
10. Reference Documentation
(Identify reference documentation such as Technical Pubs and Engineering Guidelines).
11. Appendix A: Configuration Files
11.1 From Configuration Example 7.
snmp-v3 mib-view create private 1.3.6.1.4 type exclude
#
# SNMP V3 NOTIFY CONFIGURATION
#
#
# SNMP V3 TARGET ADDRESS CONFIGURATION
#
snmp-v3 target-addr create OpsQosPolicyUser 47.133.56.