
SNMP Configuration on HPE 2920

Occasional Advisor

SNMP Configuration on HPE 2920


By default, the following line is in the config:

snmp-server community "public" unrestricted

This means, in my eyes, that everyone has read/write access to all MIBs if he knows that there is a community "public", right?


Index Name                Community Name            Security Name
------------------------- ------------------------- -------------------------
1                         public                    CommunityManagerReadWrite

SNMP Communities

Community Name       MIB View Write Access
-------------------- -------- ------------
public               Manager  Unrestricted


So I guess configuring SNMPv2 like below would be much more secure:

snmp-server contact "it@xxx.local" location "ServerRoom"
snmp-server community public operator restricted
snmp-server community snmp-private-data operator unrestricted
snmp-server host community snmp-private-data (Monitoring Server)
snmp-server trap-source (Switch IP)

Complete config looks like this:

ServerRoom(config)# show snmp-server

 SNMP Communities

  Community Name       MIB View Write Access
  -------------------- -------- ------------
  public               Operator Restricted
  snmp-private-data    Operator Unrestricted

 Trap Receivers

  Link-Change Traps Enabled on Ports [All] : All

  Traps Category                          Current Status
  _____________________________________   __________________
  SNMP Authentication                   : Extended
  Stacking                              : Enabled
  Password change                       : Enabled
  Login failures                        : Enabled
  Port-Security                         : Enabled
  Authorization Server Contact          : Enabled
  DHCP-Snooping                         : Enabled
  DHCPv6-Snooping Out of Resource       : Enabled
  DHCPv6-Snooping Errant Replies        : Enabled
  Dynamic ARP Protection                : Enabled
  Dynamic IP Lockdown                   : Enabled
  Dynamic IPv6 Lockdown Out of Resource : Enabled
  Dynamic IPv6 Lockdown Violations      : Enabled
  Startup Config change                 : Disabled
  Running Config Change                 : Disabled
  MAC address table changes             : Disabled

  DHCP-Server                           : Enabled

  Address                Community              Events   Type   Retry   Timeout
  ---------------------- ---------------------- -------- ------ ------- -------
                         snmp-private-data      None     trap   3       15

 Excluded MIBs

 Snmp Response Pdu Source-IP Information

  Selection Policy   : rfc1517

 Trap Pdu Source-IP Information

  Selection Policy   : configuredIP
  IP Address         :

Am I missing anything, or can I configure SNMP this way?




Respected Contributor

Re: SNMP Configuration on HPE 2920

Looks OK. If you haven't already, I would recommend having the switches in a separate management VLAN so you can restrict SNMP access through firewall rules.

Occasional Advisor

Re: SNMP Configuration on HPE 2920

Thanks for your confirmation!

Yes, the switches are in a separate VLAN and protected by an ACL.



Frequent Advisor

Re: SNMP Configuration on HPE 2920

With the firewall/ACL this looks fine. 

I would recommend using SNMPv3, which isn't much more trouble, if your monitoring tool supports it.
It uses encryption and authentication for the different views.
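
An added example, not part of any post in this thread and not HPE code: a Python check that parses the "SNMP Communities" table of `show snmp-server` output, in the layout posted above, and flags well-known or writable communities. The two sample outputs are constructed from the tables in the thread, and the WELL_KNOWN list is an assumption.

```python
import re

# Constructed samples in the layout of the `show snmp-server` output above.
SAMPLE_DEFAULT = """\
 SNMP Communities

  Community Name       MIB View Write Access
  -------------------- -------- ------------
  public               Manager  Unrestricted
"""
SAMPLE_HARDENED = """\
 SNMP Communities

  Community Name       MIB View Write Access
  -------------------- -------- ------------
  public               Operator Restricted
  snmp-private-data    Operator Unrestricted

 Trap Receivers
"""

WELL_KNOWN = {"public", "private"}  # assumption: commonly guessed names

def parse_communities(text):
    """Return (name, view, write) rows; assumes names contain no spaces."""
    rows, in_table = [], False
    for line in text.splitlines():
        # The communities table is the one with exactly three dash columns.
        if re.match(r"\s*-{5,}\s+-+\s+-+\s*$", line):
            in_table = True
            continue
        if in_table:
            fields = line.split()
            if len(fields) != 3:   # blank line or next section ends the table
                break
            rows.append(tuple(fields))
    return rows

def audit(text):
    findings = []
    for name, view, write in parse_communities(text):
        writable = write.lower() == "unrestricted"
        if name.lower() in WELL_KNOWN and writable:
            findings.append((name, "well-known community with write access"))
        elif name.lower() in WELL_KNOWN:
            findings.append((name, "well-known community still enabled (read-only)"))
        elif writable:
            findings.append((name, "write access enabled; limit by ACL or use SNMPv3"))
    return findings
```

Running `audit()` on saved switch output gives one finding per community worth reviewing; an empty list means no well-known or writable community was listed.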