basti23
Occasional Advisor

SNMP Configuration on HPE 2920

Hello

By default, the following line is in the config:

snmp-server community "public" unrestricted

This means, in my eyes, that everyone has read/write access to all MIBs if they know that there is a community "public", right?

 

Index Name   Community Name         Security Name
------------ ---------------------- -------------------------
1            public                 CommunityManagerReadWrite

SNMP Communities

Community Name       MIB View Write Access
-------------------- -------- ------------
public               Manager  Unrestricted

 

So I guess configuring SNMPv2 like below would be much more secure:

snmp-server contact "it@xxx.local" location "ServerRoom"
snmp-server community public operator restricted
snmp-server community snmp-private-data operator unrestricted
snmp-server host 192.168.1.10 community snmp-private-data (Monitoring Server)
snmp-server trap-source 10.254.254.2 (Switch IP)

Complete config looks like this:

ServerRoom(config)# show snmp-server

 SNMP Communities

  Community Name       MIB View Write Access
  -------------------- -------- ------------
  public               Operator Restricted
  snmp-private-data    Operator Unrestricted

 Trap Receivers

  Link-Change Traps Enabled on Ports [All] : All

  Traps Category                          Current Status
  _____________________________________   __________________
  SNMP Authentication                   : Extended
  Stacking                              : Enabled
  Password change                       : Enabled
  Login failures                        : Enabled
  Port-Security                         : Enabled
  Authorization Server Contact          : Enabled
  DHCP-Snooping                         : Enabled
  DHCPv6-Snooping Out of Resource       : Enabled
  DHCPv6-Snooping Errant Replies        : Enabled
  Dynamic ARP Protection                : Enabled
  Dynamic IP Lockdown                   : Enabled
  Dynamic IPv6 Lockdown Out of Resource : Enabled
  Dynamic IPv6 Lockdown Violations      : Enabled
  Startup Config change                 : Disabled
  Running Config Change                 : Disabled
  MAC address table changes             : Disabled

  DHCP-Server                           : Enabled

  Address                Community              Events   Type   Retry   Timeout
  ---------------------- ---------------------- -------- ------ ------- -------
  192.168.1.10           snmp-private-data      None     trap   3       15


 Excluded MIBs


 Snmp Response Pdu Source-IP Information

  Selection Policy   : rfc1517

 Trap Pdu Source-IP Information

  Selection Policy   : configuredIP
  IP Address         : 10.254.254.2

Am I missing anything, or can I configure SNMP this way?

Thanks

 

 

TerjeAFK
Respected Contributor
Solution

Re: SNMP Configuration on HPE 2920

Looks OK. If you haven't already, I would recommend having the switches in a separate management VLAN so you can restrict SNMP access through firewall rules.

basti23
Occasional Advisor

Re: SNMP Configuration on HPE 2920

Thanks for your confirmation!

Yes, the switches are in a separate VLAN and protected by an ACL.

Thanks

Linkk
Frequent Advisor

Re: SNMP Configuration on HPE 2920

With the firewall/ACL this looks fine.

I would recommend using SNMPv3, which isn't much more trouble, if your monitoring tool supports it.
It uses encryption and authentication for the different views.
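
For the community settings compared at the top of this thread, the following is an added example (not part of any post and not HPE code) that parses the "SNMP Communities" table from `show snmp-server` output and lists the settings worth reviewing. The function names, the finding labels and the set of well-known community names are assumptions made for illustration.

```python
import re

# Sample input: the two "SNMP Communities" tables re-typed from this thread.
DEFAULT_OUTPUT = """\
 SNMP Communities

  Community Name       MIB View Write Access
  -------------------- -------- ------------
  public               Manager  Unrestricted
"""
HARDENED_OUTPUT = """\
 SNMP Communities

  Community Name       MIB View Write Access
  -------------------- -------- ------------
  public               Operator Restricted
  snmp-private-data    Operator Unrestricted

 Trap Receivers
"""

WELL_KNOWN = {"public", "private"}  # assumption: names treated as guessable
ROW = re.compile(r"^\s*(\S+)\s+(Manager|Operator)\s+(Unrestricted|Restricted)\s*$")

def parse_communities(show_output):
    """Return [(name, mib_view, write_access)] from the SNMP Communities table."""
    rows, in_table = [], False
    for line in show_output.splitlines():
        if line.strip() == "SNMP Communities":
            in_table = True
        elif in_table and (m := ROW.match(line)):
            rows.append(m.groups())
        elif in_table and rows and not line.strip():
            break  # blank line after the rows ends the table
    return rows

def audit(show_output):
    """Return {community: [findings]} for settings worth reviewing."""
    report = {}
    for name, view, write in parse_communities(show_output):
        checks = [(name.lower() in WELL_KNOWN, "well-known name"),
                  (view == "Manager", "manager view"),
                  (write == "Unrestricted", "write access")]
        findings = [label for hit, label in checks if hit]
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    print(audit(DEFAULT_OUTPUT), audit(HARDENED_OUTPUT))
```

A finding is a prompt for review, not a verdict: a writable community can be intended, and the ACL and management VLAN mentioned in the replies are not visible in this output.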