Nortel Networks 8600 User Manual 2

Ethernet Routing Switch
8600
Engineering
Technical Configuration Guide for SNMP v2.0 December 2006
Nortel is a recognized leader in delivering communications capabilities that enhance the human experience, ignite and power global commerce, and secure and protect the world’s most critical information. Serving both service provider and enterprise customers, Nortel delivers innovative technology solutions encompassing end-to-end broadband, Voice over IP, multimedia services and applications, and wireless broadband designed to help people solve the world’s greatest challenges. Nortel does business in more than 150 countries. For more information, visit Nortel on the Web at nortel.com.
NORTEL NETWORKS CONFIDENTIAL: This document contains material considered to be proprietary to Nortel. No part of it shall be disclosed to a third party for any reason except after receiving express written permission from Nortel and only after securing agreement from the third party not to disclose any part of this document. Receipt of this document does not confer any type of license to make, sell or use any device based upon the teachings of the document. Receipt of the document does not constitute a publication of any part hereof and Nortel explicitly retains exclusive ownership rights to all proprietary material contained herein. This restriction does not limit the right to use information contained herein if it is obtained from any other source without restriction.
Nortel Business Made Simple, Nortel, the Nortel logo, and the Globemark are trademarks of Nortel Networks.
All other trademarks are the property of their owners. Copyright © 2006
Nortel Networks. All rights reserved. Information in this document is subject to change without notice. Nortel assumes no responsibility for any errors that may appear in this document.
Disclaimer
This engineering document contains the best information available at the time of publication in terms of supporting the application and engineering of Nortel products in the customer environment. It is solely for use by Nortel customers and is meant as a guide for network engineers and planners from a network engineering perspective. All information is subject to interpretation based on internal Nortel test methodologies, which were used to derive the various capacity and equipment performance criteria, and should be reviewed with Nortel engineering primes prior to implementation in a live environment.
______________________________________________________________________________________________________ NORTEL External Distribution
Abstract
This document provides an overview on how to configure SNMP on the Nortel Ethernet Routing Switch (ERS) 8600.
Table of Contents
1. SNMPv3 Overview .... 5
2. SNMP Upgrade Considerations .... 6
2.1 Hidden File Details .... 6
3. Blocking SNMP .... 7
3.1 Blocking SNMPv1/2 Only .... 7
3.2 Blocking SNMP via an Access Policy Prior to Software Release 3.7.9 or 4.1 .... 7
3.3 SNMP Group Access Policy Release 3.7.9, 4.1 or Higher .... 9
3.4 New Default Community Strings in High Secure (hsecure) Mode .... 19
4. SNMP Settings .... 20
5. SNMP with RADIUS Authentication and Accounting .... 22
6. Configuring SNMPv3 .... 23
6.1 Loading the DES or AES Encryption Module .... 23
6.2 Adding a New SNMPv3 User to USM Table .... 23
6.3 Assign USM User to USM Group .... 24
6.4 Assigning the USM Group Access Level .... 25
6.5 Assigning the MIB View to the USM Group .... 26
6.6 Creating a MIB View .... 27
7. Configuration Example: Changing SNMP Communities .... 28
7.1 Configuration Example: SNMP Communities with Release 3.5 .... 28
7.2 Configuration Example: Changing the Default SNMP Community Name with Release 3.7 or 4.1 .... 29
7.3 Configuration Example: Adding a New SNMP Community to an Existing SNMP Group Member .... 29
7.4 Testing SNMP Using Device Manager .... 32
7.5 Configuration Example: Changing the MIB View for an SNMPv1/2 Community .... 32
8. Configuration Example Using SNMPv3 .... 34
8.1 Testing SNMPv3 Using Device Manager .... 35
9. Software Baseline .... 36
10. Reference Documentation .... 37
11. Appendix A: Configuration Files .... 38
11.1 From Configuration Example 7.5 .... 38
11.2 From Configuration Example 8 .... 38
List of Figures
Figure 1: SNMPv3 USM................................................................................................................... 5
Figure 2: MIB Structure.................................................................................................................. 27
List of Tables
Table 1: New Default Password Settings ......................................................................................19
Table 2: New Default Community Settings....................................................................................19
1. SNMPv3 Overview
SNMPv3 is the third version of the Internet-Standard Management Framework and is derived from and builds upon both the original Internet-Standard Management Framework (SNMPv1) and the second Internet-Standard Management Framework (SNMPv2). SNMPv3 is not a stand-alone replacement for SNMPv1 and/or SNMPv2. It defines security capabilities to be used in conjunction with SNMPv2 (preferred) or SNMPv1. As shown in Figure 1 below, SNMPv3 specifies a User Security Model (USM) that uses a payload of either an SNMPv1 or an SNMPv2 protocol data unit (PDU).
[Figure 1 (image not reproduced): message layering of SNMPv3 USM. PDU Processing (SNMPv1 or SNMPv2) sits above Message Processing (SNMPv3 USM), which is carried over UDP and IP. On the wire the packet is IP-H | UDP-H | V3-MH | SNMP PDU. PDU = Protocol Data Unit; USM = User-based Security Model; IP-H = IP header; UDP-H = UDP header; V3-MH = SNMPv3 message header.]
Figure 1: SNMPv3 USM
Authentication within the User-based Security Model (USM) allows the recipient of a message to verify whom the message is from and whether the message has been altered. As per RFC 2574, if authentication is used, the entire message is checked for integrity. Authentication uses a secret key to produce a fingerprint of the message, which is included in the message. The receiving entity uses the same secret key to validate the fingerprint. Currently there are two authentication protocols defined for use with USM, HMAC-MD5 and HMAC-SHA-96.
While the USM provides the user-name/password authentication and privacy services, access control to management information (the MIB) must be defined separately. The View-based Access Control Model (VACM) defines a set of services that an application can use for checking access rights (read, write, notify) to a particular object. VACM uses the ASN.1 notation (3.6.1.4) or the name of the SNMP MIB branch, i.e. Org.Dod.Internet.Private. The administrator can define a MIB group view for a user to allow access to an appropriate portion of the MIB matched to an approved security level. The three security levels are:
NoAuthNoPriv-Communication without authentication and privacy
AuthNoPriv-Communication with authentication (MD5 or SHA) and without privacy
AuthPriv-Communication with authentication (MD5 or SHA) and privacy (DES or AES)
NOTE: Please refer to the Ethernet Routing Switch 8600 4.1 release notes (Part number 317177-D Rev 01) for important information regarding SNMPv3. Special considerations apply to the hidden and encrypted file that contains the community table information.
2. SNMP Upgrade Considerations
Please note the following when upgrading software on the ERS 8600. Starting in software release 3.7 and continuing through software release 4.1.x, the CLI command save config creates a hidden and encrypted file that contains the SNMP community table information. For security purposes, the save config command also removes reference to the existing SNMP community strings in the newly created configuration file. Please note that if you only have one CPU and you swap the CPU, you must back up all hidden files or else all the password and SNMP references will be lost. If you do not back up the hidden files, you must reconfigure your trap receivers and community strings every time you change the CPU.
The commands to change the SNMP community strings and trap receivers in software release 3.3 have changed in software releases 3.5, 3.7, 4.0, and 4.1.x. However, even though software releases 3.5, 3.7, 4.0, and 4.1.x use the same commands, in software releases 3.7 and 4.1.x only, the SNMP community strings and trap receivers are stored in a hidden and encrypted file and are not found in the configuration file. This is similar for software releases 3.5 and 4.0; however, there the information is stored in a hidden, non-encrypted file. On upgrades from 3.7 to 4.1.x, all files are translated as-is. Please see section 3.3.3 for more details.
2.1 Hidden File Details
Back up the following hidden configuration files via FTP, to a TFTP server, or to a PCMCIA card:
shadov.txt
snmp_usm.txt
snmp_comm.txt
password.txt
3. Blocking SNMP
By default, SNMP access is enabled. You can disable all SNMP access (SNMPv1/v2 and SNMPv3) to the ERS 8600 by using the following commands:
ERS-8610:5# config bootconfig flags block-snmp true
ERS-8610:5# save boot
ERS-8610:5# boot -y
To re-enable SNMP access, type in the following command:
ERS-8610:5# config bootconfig flags block-snmp false
3.1 Blocking SNMPv1/2 only
If you wish to allow only SNMPv3 access, you can disable SNMPv1/2 by configuring the SNMPv3 MIB view. Portions of the MIB can be configured to either include or exclude access at a MIB OID level. This is explained in section 5.5. For SNMPv3, this can be done on a per-user basis. For SNMPv1/v2, it can be done on a global/community basis. By default, SNMPv1/v2 is permitted access to all MIB OIDs under 1.3 in the MIB OID tree, with the exception of the sections related to the SNMP USM, VACM, and Community MIBs. This default cannot be altered, but if an additional exclusion statement is added, the entire usable MIB can be disabled through SNMPv1/v2. Specifically, if the entire MIB tree under 1.3.6 (iso.org.dod) is excluded, none of the switch's public or private MIBs will be accessible.
To disable SNMPv1/v2 only, enter the following command:
PP8600-B:6# config snmp-v3 mib-view create v1v2only 1.3.6 type exclude
At this point, SNMPv1/v2 will be disabled and only SNMPv3 will be allowed.
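The view behaviour described above (the blanket exclusion of 1.3.6 hiding every public and private object, while the default USM/VACM/Community exclusions already sit inside the 1.3 include) follows from the RFC 3415 view-matching rule. The following is an added example, not code from the Nortel guide: it models that rule so the effect of the v1v2only exclude can be checked offline, and it also shows the general case the guide does not discuss, that a longer, more specific include entry wins over a shorter exclude. The view entries, view name and sample OIDs are assumptions constructed from the guide's description, not the switch's real tables.

```python
"""Added example (not from the Nortel guide): a minimal model of the VACM
view-matching rule (RFC 3415) to show why adding 'exclude 1.3.6' to the
SNMPv1/v2 view hides the whole usable MIB, and how a longer, more specific
'include' entry would win over it. View names and default entries are
assumptions based on the guide's description, not the switch's real tables."""

from typing import Dict, List, Tuple

# A view entry is (subtree OID, "include" | "exclude"); family masks are
# omitted because the guide only uses whole subtrees.
ViewEntry = Tuple[str, str]


def _oid(dotted: str) -> Tuple[int, ...]:
    """Parse '1.3.6.1' into a tuple of sub-identifiers."""
    return tuple(int(p) for p in dotted.strip(".").split("."))


def vacm_view_allows(view: List[ViewEntry], oid: str) -> bool:
    """Return True if `oid` is visible through `view`.

    RFC 3415 rule: among entries whose subtree is a prefix of the OID, the
    entry with the longest subtree decides (ties go to the lexicographically
    greater subtree). 'include' makes the OID visible, 'exclude' hides it;
    with no matching entry at all the OID is not visible.
    """
    target = _oid(oid)
    best = None  # (subtree tuple, type) of the most specific match so far
    for subtree, vtype in view:
        st = _oid(subtree)
        if target[: len(st)] != st:
            continue  # this entry's subtree does not cover the OID
        if best is None or (len(st), st) > (len(best[0]), best[0]):
            best = (st, vtype)
    return best is not None and best[1] == "include"


# Default SNMPv1/v2 view as the guide describes it: everything under 1.3
# except the USM, VACM and community MIBs (standard OIDs from RFC 3414,
# RFC 3415 and RFC 3584).
DEFAULT_V1V2_VIEW: List[ViewEntry] = [
    ("1.3", "include"),
    ("1.3.6.1.6.3.15", "exclude"),  # snmpUsmMIB
    ("1.3.6.1.6.3.16", "exclude"),  # snmpVacmMIB
    ("1.3.6.1.6.3.18", "exclude"),  # snmpCommunityMIB
]


def view_after_blocking_v1v2() -> List[ViewEntry]:
    """View after 'config snmp-v3 mib-view create v1v2only 1.3.6 type exclude'."""
    return DEFAULT_V1V2_VIEW + [("1.3.6", "exclude")]


# Constructed sample OIDs: two standard MIB-II objects, one USM object and a
# made-up private-enterprise object (enterprise 99999 is a placeholder).
SAMPLE_OIDS = {
    "sysDescr.0": "1.3.6.1.2.1.1.1.0",
    "ifNumber.0": "1.3.6.1.2.1.2.1.0",
    "usmUserSpinLock.0": "1.3.6.1.6.3.15.1.2.1.0",
    "private object (placeholder)": "1.3.6.1.4.1.99999.1.0",
}


def check_oids(view: List[ViewEntry], oids: Dict[str, str]) -> Dict[str, bool]:
    """Evaluate every sample OID against a view; True means visible."""
    return {name: vacm_view_allows(view, oid) for name, oid in oids.items()}


if __name__ == "__main__":
    for label, view in (("default v1/v2 view", DEFAULT_V1V2_VIEW),
                        ("after exclude 1.3.6", view_after_blocking_v1v2())):
        print(label)
        for name, visible in check_oids(view, SAMPLE_OIDS).items():
            print(f"  {name:32} {'visible' if visible else 'hidden'}")
```

Appending a more specific entry such as ("1.3.6.1.2.1.1", "include") to the blocked view makes only the system group visible again, which is the same mechanism the guide uses in the other direction.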
3.2 Blocking SNMP via an Access Policy – prior to software release 3.7.9 or 4.1
You can also enable or disable SNMP via an Access Policy. Overall, the Access Policy feature on the ERS 8600 supports the following parameters:
Access level: Specifies the access level of the trusted host as readOnly (ro), readWrite (rw), or readWriteAll (rwa).
Mode: Indicates whether a packet having a source IP address that matches this entry should be permitted to enter the device or denied access.
Service: Indicates the protocol to which this entry should be applied. Choices are telnet, snmp, tftp, ftp, http, rlogin, and/or ssh.
Precedence: Indicates the precedence of the policy. The lower the number, the higher the precedence (1 to 128).
Network Address and Network Mask: Indicates the source network IP address and mask. An address of 0.0.0.0 specifies any address on the network.
Host: Indicates the trusted IP address of the host performing rlogin or rsh into the device. Applies only to rlogin and rsh.
Access-strict: Sets the access level strictly.
To add an access policy, you must first enable the access policy feature globally by entering the following command:
ERS-8606:5# config sys access-policy enable <true/false>
After the access policy feature has been enabled globally, to add a new access policy, enter the following commands:
a) Add a new policy
ERS-8606:5# config sys access-policy policy <1..65535>
b) After entering the above command, enter the appropriate parameters:
ERS-8606:5# config sys access-policy policy <1..65535> ?
Sub-Context: service
Current Context:
accesslevel <ro|rw|rwa>
access-strict <true|false>
create
delete
disable
enable
host <ipaddr>
info
mode <allow|deny>
name <name>
network <addr/mask>
precedence <precedence>
username <string>
c) Add the services to the newly created access policy:
ERS-8606:5# config sys access-policy policy <1..65535> service ?
Sub-Context:
Current Context:
ftp <enable|disable>
http <enable|disable>
info
rlogin <enable|disable>
snmp <enable|disable>
ssh <enable|disable>
telnet <enable|disable>
tftp <enable|disable>
Please refer to publication number 314997-C titled Important Security Information for the 8000 Series Switch for more details on Access Policies.
3.2.1 Configuration Example: Blocking SNMP via an Access Policy
In this example, we will create an access policy that does not allow SNMP for any user coming from network 172.30.x.y/16.
a) Enable access policy globally:
ERS-8606:5# config sys access-policy enable true
b) Add a new policy; in this example, since it is the first policy, we will simply create policy 2 and name it policy2:
ERS-8606:5# config sys access-policy policy 2 create
ERS-8606:5# config sys access-policy policy 2 name policy2
c) Add network 172.30.0.0/16 to policy 2:
ERS-8606:5# config sys access-policy policy 2 network 172.30.0.0/16
d) Add read/write/all access level to policy 2:
ERS-8606:5# config sys access-policy policy 2 accesslevel rwa
e) Disable SNMP service for policy 2:
ERS-8606:5# config sys access-policy policy 2 service snmp disable
After the policy has been created, enter the following command to view policy 2:
ERS-8606:5# show sys access-policy info policy2
AccessPolicyEnable: on
Id: 2
Name: policy2
PolicyEnable: true
Mode: allow
Service: http|telnet|ssh
Precedence: 128
NetAddr: 172.30.0.0
NetMask: 255.255.0.0
TrustedHostAddr: 0.0.0.0
TrustedHostUserName: none
AccessLevel: readWriteAll
AccessStrict: false
Usage: 337
3.3 SNMP Group Access Policy – Release 3.7.9, 4.1 or higher
In release 3.7.9 or 4.1, a new policy enhancement was added that allows the administrator to specify a group or groups for SNMPv3 access. With SNMPv3, the community name is not mapped to an access level, but determined only through VACM. This allows the administrator to create separate policies for SNMP users based on USM or community and associate them to groups.
The following items were added (highlighted in red in the original; the new items are the snmp-group-add, snmp-group-del and snmp-group-info options and the snmpv3 service):
ERS-8610:5# config sys access-policy policy 1 ?
Sub-Context: service
Current Context:
accesslevel <level>
access-strict <true|false>
create
delete
disable
enable
host <ipaddr>
info
mode <mode>
name <name>
network <addr/mask>
precedence <precedence>
snmp-group-add <group name> <model>
snmp-group-del <group name> <model>
snmp-group-info
username <string>
ERS-8610:5# config sys access-policy policy 1 service ?
Sub-Context:
Current Context:
ftp <enable|disable>
http <enable|disable>
info
rlogin <enable|disable>
snmpv3 <enable|disable>
ssh <enable|disable>
telnet <enable|disable>
tftp <enable|disable>
3.3.1 SNMPv3 Group Access Policy: Configuration Example
For this example, we wish to create a policy for read-write-all access that allows only telnet and SNMPv3 access, and only for the SNMPv3 USM group named group_example. Please see Section 5 in regards to how to configure SNMPv3.
a) Enable access policies globally
ERS-8606:5# config sys access-policy enable true
b) Assuming no access policies have been created, we can start with policy 2 and name the policy policy2.
ERS-8606:5# config sys access-policy policy 2 create
ERS-8606:5# config sys access-policy policy 2 name policy2
c) Add read/write/all access level to policy 2:
ERS-8606:5# config sys access-policy policy 2 accesslevel rwa
d) Add the usm group ‘group_example’ to policy 2:
ERS-8610:5# config sys access-policy policy 2 snmp-group-add group_example usm
e) Enable access-strict:
ERS-8610:5# config sys access-policy policy 2 access-strict true
f) Enable telnet and SNMPv3 service:
ERS-8610:5# config sys access-policy policy 2 service telnet enable
ERS-8610:5# config sys access-policy policy 2 service snmpv3 enable
g) Enable policy 2:
ERS-8610:5# config sys access-policy policy 2 enable
h) After the policy has been created, enter the following command to view policy 2:
ERS-8606:5# show sys access-policy info policy2
AccessPolicyEnable: on
Id: 2
Name: policy2
PolicyEnable: true
Mode: allow
Service: telnet|snmpv3
Precedence: 10
NetAddr: 0.0.0.0
NetMask: 0.0.0.0
TrustedHostAddr: 0.0.0.0
TrustedHostUserName: none
AccessLevel: readWriteAll
AccessStrict: true
Usage: 3777
ERS-8610:5# show sys access-policy snmp-group-info
snmpv3-groups :
Policy 1 snmpv3-groups :
Group Name       Snmp-Model
Policy 2 snmpv3-groups :
Group Name       Snmp-Model
group_example    usm
3.3.2 SNMPv1/2 Group Access Policy: Configuration Example
As releases 3.7 and 4.1 are based on SNMPv3, you must add the SNMPv3 group name and model for both SNMPv1 and SNMPv2 when setting up an access policy. To view the SNMPv3 group name and model, use the command shown below. Note that the group name and model items (highlighted in red in the original) need to be added when setting up the access policy.
ERS8610-B:5# show snmp-v3 group-access
=========================================================================
                     VACM Group Access Configuration
=========================================================================
Group      Prefix  Model    Level         ReadV       WriteV      NotifyV
-------------------------------------------------------------------------
initial            usm      noAuthNoPriv  root        root        root
initial            usm      authPriv      root        root        root
readgrp            snmpv1   noAuthNoPriv  v1v2only    org
readgrp            snmpv2c  noAuthNoPriv  v1v2only    org
v1v2grp            snmpv1   noAuthNoPriv  v1v2only    v1v2only    v1v2only
v1v2grp            snmpv2c  noAuthNoPriv  v1v2only    v1v2only    v1v2only
esegroup           usm      authPriv      org         org
sBladeGrp          snmpv1   noAuthNoPriv  sBladeView  sBladeView  sBladeView
sBladeGrp          snmpv2c  noAuthNoPriv  sBladeView  sBladeView  sBladeView
9 out of 9 Total entries displayed
-------------------------------------------------------------------------
The following example will add a new access policy that will allow SNMPv1/2 and telnet.
a) Enable access policies globally
ERS-8606:5# config sys access-policy enable true
b) Assuming no access policies have been created, we can start with policy 2 and name the policy policy2.
ERS-8606:5# config sys access-policy policy 2 create
ERS-8606:5# config sys access-policy policy 2 name policy2
c) Add read/write/all access level to policy 2:
ERS-8606:5# config sys access-policy policy 2 accesslevel rwa
d) Add the SNMPv1/2 group name and models to policy 2:
ERS-8610:5# config sys access-policy policy 2 snmp-group-add readgrp snmpv1
ERS-8610:5# config sys access-policy policy 2 snmp-group-add readgrp snmpv2c
ERS-8610:5# config sys access-policy policy 2 snmp-group-add v1v2grp snmpv1
ERS-8610:5# config sys access-policy policy 2 snmp-group-add v1v2grp snmpv2c
e) Enable telnet and SNMPv3 service:
ERS-8610:5# config sys access-policy policy 2 service telnet enable
ERS-8610:5# config sys access-policy policy 2 service snmpv3 enable
f) Enable policy 2:
ERS-8610:5# config sys access-policy policy 2 enable
g) After the policy has been created, enter the following command to view policy 2:
ERS-8606:5# show sys access-policy info policy2
AccessPolicyEnable: on
Id: 2
Name: policy2
PolicyEnable: true
Mode: allow
Service: telnet|snmpv3
Precedence: 10
NetAddrType: ipv4
NetAddr: 0.0.0.0
NetMask: 0.0.0.0
TrustedHostAddr: 47.133.58.69