Ethernet Routing Switch 8600
Engineering
Technical Configuration Guide for SNMP
Enterprise Network Engineering
Document Date: December 15, 2006
Document Version: 2.0

Technical Configuration Guide for SNMP v2.0 December 2006

Nortel is a recognized leader in delivering communications capabilities that enhance the human experience, ignite and power global commerce, and secure and protect the world’s most critical information. Serving both service provider and enterprise customers, Nortel delivers innovative technology solutions encompassing end-to-end broadband, Voice over IP, multimedia services and applications, and wireless broad

Abstract

This document provides an overview of how to configure SNMP on the Nortel Ethernet Routing Switch (ERS) 8600.

NORTEL External Distribution

Table of Contents

1. SNMPV3 OVERVIEW
2. SNMP UPGRADE CONSIDERATIONS
2.1 HIDDEN FILE DETAILS
3. BLOCKING SNMP

List of Figures

Figure 1: SNMPv3 USM
Figure 2: MIB Structure

List of Tables

Table 1: New Default Password Settings

1. SNMPv3 Overview

SNMPv3 is the third version of the Internet-Standard Management Framework and is derived from and builds upon both the original Internet-Standard Management Framework (SNMPv1) and the second Internet-Standard Management Framework (SNMPv2). SNMPv3 is not a stand-alone replacement for SNMPv1 and/or SNMPv2. It defines security capabilities to be used in conjunction with SNMPv2 (preferred) or

2. SNMP Upgrade Considerations

Please note the following when upgrading software on the ERS8600. Starting in software release 3.7 and continuing through software release 4.1.x, the CLI command save config creates a hidden and encrypted file that contains the SNMP community table information. For security purposes, the save config command also removes reference to the existing SNMP community strings in the newly cr

3. Blocking SNMP

By default, SNMP access is enabled. You can disable SNMP access to the ERS 8600, which includes SNMPv1/v2 and SNMPv3, by using the following commands:
• ERS-8610:5# config bootconfig flags block-snmp true
• ERS-8610:5# save boot
• ERS-8610:5# boot -y

To re-enable SNMP access, type in the following command:
• ERS-8610:5# config bootconfig flags block-snmp false

3.1 Blocking SNMPv1/2 only

If y

To add an access policy, you must first enable the access policy feature globally by entering the following command:
• ERS-8606:5# config sys access-policy enable

After the access policy feature has been enabled globally, to add a new access policy, enter the following command:

a) Add a new policy
• ERS-8606:5# config sys access-policy policy <1..65535>

b) After entering the above command, ent

3.2.1 Configuration Example: Blocking SNMP via an Access Policy

In this example, we will create an access policy that does not allow SNMP for any user coming from network 172.30.x.y/16.

a) Enable access policy globally:
• ERS-8606:5# config sys access-policy enable true

b) Add a new policy. In this example, since it is the first policy, we will simply create policy 2 and name it policy2:
• ERS-8606:5# config sys

Sub-Context: service
Current Context:
    accesslevel
    access-strict
    create
    delete
    disable
    enable
    host
    info
    mode
    name
    network
    precedence
    snmp-group-add
    snmp-group-del
    snmp-group-info
    username
ERS-8610:5# config sys

• ERS-8610:5# config sys access-policy policy 2 snmp-group-add group_example usm

e) Enable access strict:
• ERS-8610:5# config sys access-policy policy 2 access-strict true

f) Enable telnet and SNMPv3 service:
• ERS-8610:5# config sys access-policy policy 2 service telnet enable
• ERS-8610:5# config sys access-policy policy 2 service snmpv3 enable

g) Enable policy 2:
• ERS-8610:5# config sys access-p

Group Prefix Model Level ReadV WriteV NotifyV
-------------------------------------------------------------------------
initial usm noAuthNoPriv root root root
initial usm authPriv root root root
readgrp snmpv1 noAuthNoPriv v1v2only org
readgrp snmpv2c noAuthNoPriv v1v2only org
v1v2gr

TrustedHostUserName: none
AccessLevel: readWriteAll
AccessStrict: false
Usage: 385

• ERS-8610:5# show sys access-policy snmp-group-info
snmpv3-groups :
Policy 1 snmpv3-groups:
Group Name Snmp-Model
Policy 2 snmpv3-groups:
Group Name Snmp-Model
readgrp snmpv1

3.3.3.1 Setting the SNMP Community String and Trap Receivers with Software Release 3.3

In the ERS 8000 Series Switch Release 3.3, SNMP community strings and traps are added by using the two commands shown below. In the 3.3 release, these commands appear in the configuration file.
• ERS-8606:5# config sys set snmp community < ro|rw|l2|l3|rwa>
• ERS-8606:5# config sys set snmp trap-recv
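
An added example, not part of the Nortel guide: a small Python check a reviewer could run over a saved configuration to flag the conditions sections 3 through 3.3.3.1 describe, namely SNMP left unblocked with the access-policy feature off, and release 3.3 community commands sitting in the configuration file. The sample configuration is constructed, and the position of the community string after the access keyword is an assumption, since the parameter placeholder is missing from this page.

```python
import re

# Constructed sample of a saved configuration file; not taken from a real switch.
SAMPLE_CONFIG = """\
config bootconfig flags block-snmp false
config sys access-policy enable true
config sys access-policy policy 2 access-strict true
config sys access-policy policy 2 service snmpv3 enable
config sys set snmp community ro public
config sys set snmp community rwa Str0ngerValue
"""

DEFAULT_COMMUNITIES = {"public", "private"}  # defaults named in section 3.3.4

FLAG_RE = re.compile(r"config bootconfig flags block-snmp\s+(true|false)")
# The guide shows the global enable both with and without a trailing "true".
GLOBAL_POLICY_RE = re.compile(r"config sys access-policy enable(\s+true)?\s*$")
# Assumption: the community string follows the access keyword on the same line.
COMMUNITY_RE = re.compile(
    r"config sys set snmp community\s+(ro|rw|l2|l3|rwa)\s+(\S+)")


def audit(config_text):
    """Return (finding, detail) tuples for SNMP-related lines in a config."""
    blocked = False         # the guide states SNMP access is enabled by default
    policy_feature = False  # access-policy feature is off until enabled globally
    findings = []
    for line in config_text.splitlines():
        if m := FLAG_RE.search(line):
            blocked = m.group(1) == "true"
        elif GLOBAL_POLICY_RE.search(line):
            policy_feature = True
        elif m := COMMUNITY_RE.search(line):
            level, value = m.groups()
            # Report the access level only, never the community string itself.
            kind = ("default-community" if value.lower() in DEFAULT_COMMUNITIES
                    else "cleartext-community")
            findings.append((kind, level))
    if not blocked and not policy_feature:
        findings.append(("snmp-unrestricted",
                         "block-snmp not set and access-policy feature off"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The check uses `search`, so lines copied with the `ERS-8606:5#` prompt still match.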

3.3.4 Modifying and/or adding community strings

Initially, there are 4 communities: first, second, index1 and index2. first represents the default read-only access (public) and second represents the default read-write access (private) created by the SNMPv3 engine. The access rights are determined by the Security Name from the VACM table. Previously existing default communities prior to software upgrade to re

For example, assuming we have upgraded to release 3.7 and now wish to delete communities index1 and index2:
• ERS-8606:5# config snmp-v3 community delete index1
• ERS-8606:5# config snmp-v3 community delete index2

A new SNMP community can be added by using the following command:
• ERS-8606:5# config snmp-v3 community create [tag ]

where:
Parameter Description
Comm Idx

3.3.5 Creating or deleting trap receivers with Software release 3.7 or 4.1

With software release 3.7 or 4.1, you create trap receivers by creating SNMP-v3 trap notifications and then specifying the target address where you wish to send the notifications along with specific target parameters. By default, the ERS8600 has a default trap notification of “trapTag”. You can use this default notification when setti

For example, to add an SNMPv1 trap-receiver, enter the following, assuming the Target Name is TAddr1 and assuming you are using the default trap notify of trapTag and the default target-param of TparamV1 for SNMPv1 traps:
• ERS-8606:5# config snmp-v3 target-addr create TAddr1 X.X.X.X:162 TparamV1 timeout 1500 retry 3 taglist trapTag mask 0xff:ff:00:00:00:00 mms 484

Where X.X.X.X is the IP-Address of your trap-r

3.4 New Default Community Strings in High Secure (hsecure) Mode

If the ERS 8600 has been configured for high security mode (config bootconfig flags hsecure true) after a factory default setting, the software will change the default password and SNMP communities. All new passwords must be at least 8 characters and in release 4.1, all new passwords must be at least 10 characters. All old passwords less than 8 o