Configuration download only via SNMP

Mauro Furini
Frequent Advisor

Configuration download only via SNMP

Hi all,

In a customer network I have switches that are managed and reachable only via SNMP, not via Telnet or SSH. In your opinion, can I download the configuration anyway, or must IMC have Telnet/SSH reachability?

 

thanks

11 REPLIES
LindsayHill
Honored Contributor
Solution

Re: Configuration download only via SNMP

It depends on the device, and what it supports.

Some devices, such as Cisco, support the use of SNMP read-write to obtain the configuration. IMC uses snmpset to set some OIDs, to tell the switch to send its configuration via either FTP or TFTP to the IMC server.

If you have configured SNMP read-write, and set the file transfer mode for these switches to use TFTP/FTP, then IMC will automatically try this mode first, before falling back to CLI mode.

If IMC doesn't have an SNMP adapter for your device, but the device does support that concept of using SNMP read/write, then you can write your own adapter fairly easily.

Of course, this is all hopelessly insecure.

Mauro Furini
Frequent Advisor

Re: Configuration download only via SNMP

Thank you!

Mauro Furini
Frequent Advisor

Re: Configuration download only via SNMP

...but the problems have not ended...

I'm at the customer now. IMC can reach the switches (Procurve 5400, 2650 and 2910) only via SNMP, not Telnet or SSH.

The monitoring works fine, but when I try to download the config it tells me that Telnet is not working... of course, I know, but why does it use Telnet?

The SNMP version used is SNMPv3, but with the old PCM+ installation it also worked fine for downloading the configurations...

Any ideas?

Here is the SNMP conf:

 

snmp-server community "xxxx" operator
snmp-server community "xxxx2" operator unrestricted
snmp-server host 192.168.1.1 community "xxxx2" trap-level not-info    (old pCM)
snmp-server host 192.168.1.100 community "xxxx2" trap-level not-info   (new IMC)

snmpv3 enable
snmpv3 only
snmpv3 restricted-access
snmpv3 group managerpriv user "root" sec-model ver3
snmpv3 group operatorauth user "initial" sec-model ver3
snmpv3 targetaddress "traphost.root.192.168.1.100" params "traphost.root.192.168.1.100" 192.168.1.100 taglist "TrapHost"
snmpv3 params "traphost.root.192.168.1.100" user "root" sec-model ver3 message-processing ver3 priv
snmpv3 user "initial"
snmpv3 user "root"

 

 

Edit: I ran a test in my lab with a Cisco 3550 and HP 2610 and 2520, and everything works fine. I have no Telnet or SSH configuration and IMC correctly downloads the config, but I have tested only with SNMPv2, not v3. Could that be the problem?
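
The SNMP lines posted above can be checked mechanically for cleartext exposure. The following Python sketch is an added example, not part of the original post and not HP or IMC code; `audit` and its severity labels are hypothetical, and it assumes that `snmpv3 only` makes the switch refuse v1/v2c requests, that `snmpv3 restricted-access` makes them read-only, and that `unrestricted` on a community grants set access.

```python
import re

# Constructed sample: SNMP lines excerpted from the post above (strings redacted there).
SAMPLE = '''\
snmp-server community "xxxx" operator
snmp-server community "xxxx2" operator unrestricted
snmpv3 enable
snmpv3 only
snmpv3 restricted-access
snmpv3 group managerpriv user "root" sec-model ver3
snmpv3 group operatorauth user "initial" sec-model ver3
'''

COMMUNITY = re.compile(r'^snmp-server community "([^"]+)"(.*)$')
V3_GROUP = re.compile(r'^snmpv3 group (\S+) user "([^"]+)" sec-model ver3')

def audit(config):
    """Return (severity, message) findings for ProCurve-style SNMP config lines."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    v3_only = "snmpv3 only" in lines                 # assumed: v1/v2c requests refused
    legacy_ro = "snmpv3 restricted-access" in lines  # assumed: v1/v2c read-only
    findings = []
    for line in lines:
        m = COMMUNITY.match(line)
        if m:
            name, opts = m.group(1), m.group(2).split()
            if v3_only:
                findings.append(("info", f'community "{name}" unused: v1/v2c refused'))
            elif "unrestricted" in opts and not legacy_ro:
                findings.append(("high", f'community "{name}" permits cleartext set'))
            else:
                findings.append(("medium", f'community "{name}" permits cleartext read'))
            continue
        m = V3_GROUP.match(line)
        if m:
            group, user = m.groups()
            if not group.endswith("priv"):
                findings.append(("medium", f'user "{user}" ({group}): privacy not required'))
            if user == "initial":
                findings.append(("medium", 'default user "initial" still configured'))
    if not v3_only:
        findings.append(("high", "v1/v2c accepted: 'snmpv3 only' is missing"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"{severity:6} {message}")
```

The running configuration does not show the authentication or privacy algorithm of each SNMPv3 user, so the check can only report whether a group requires privacy at all.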

LindsayHill
Honored Contributor

Re: Configuration download only via SNMP

You've listed both v2 & v3 configuration there. You've also got two different v3 users. What are you using within IMC? What file transfer mode do you have set within IMC?

I haven't tried using SNMPv3 only to manage configs on Procurve, but I think it should work. What do the logs say? (imccfgbakdm*)

Of course, you could always just make your network more secure, and your life easier by using SSH + SFTP.

Mauro Furini
Frequent Advisor

Re: Configuration download only via SNMP

Thanks for the reply.

I can't use SSH and SFTP because I can't log in to the switch; this customer uses a token method to log in to the switch, making it impossible for IMC to log in.

"initial" is the default user; we have created another "root" user dedicated to IMC with MD5 and DES auth. The transfer mode is the default, TFTP.

In my pseudo-lab I had a similar problem with an HP 2650, whereas the Cisco works fine. Do you have experience with configuration download from other Procurve devices with Telnet disabled?

 

LindsayHill
Honored Contributor

Re: Configuration download only via SNMP

I thought you did have it working with 2610 & 2520 devices?

But I've just been looking through the IMC adapters, and it doesn't look like there are any SNMP adapters written for Procurve devices. I think that the devices support it, so it shouldn't be hard to write an adapter. Starting with the CiscoSNMP adapter and modifying the OIDs is probably all that's needed.

I haven't done a lot with SNMP read+write with Procurve before, mainly because few customers I work with use SNMP read-write (they use read-only), and I've mostly used SSH/SFTP (and haven't had your problem with token logins). It was mainly with Cisco devices I was using SNMP read-write for config mgmt.

If I get a chance, I'll see if I can get it working with the Procurve 2910 in my lab.

LindsayHill
Honored Contributor

Re: Configuration download only via SNMP

I've been doing some tests with this today, and it doesn't look great.

 

The hpicfDownloadInetTable looks like it contains the sorts of OIDs I need - the TFTP server, transfer type, file name, etc.

But I've been trying to manually set these OIDs, and can't figure out the way to do it. I keep getting "Wrong Value" or "Inconsistent Value" when I try to set the various values needed. I'm not sure if this is because I'm doing it wrong, or my switch doesn't support it. I can't find ANY other references anywhere that show people using these OIDs.

 

I have found some references to using SNMP to backup Procurve devices, where it uses snmpset to enable the TFTP server on the switch itself, then TFTPs the file off the switch, then disables the TFTP server again. Older references indicated that this was how PCM worked, but I don't know if it still does.

 

The problem with this method is that it's not how the IMC backup routines are designed. IMC can do backups these ways:

* Use SNMP read/write to instruct the switch to backup its configuration to a TFTP/FTP server (NB the switch is the client, IMC is the TFTP/FTP server).

* Use CLI (via Telnet or SSH) to connect to switch, and then run commands to backup config to TFTP/FTP server

* Use SCP/SFTP to copy config back to IMC. In this case the switch is the SCP/SFTP server, and IMC is the SCP/SFTP client (this is the other way around to the TFTP/FTP methods)

* Use CLI to do "show run" or equivalent, and capture & parse the output.

 

It might be possible to write an adapter that works by using SNMP read-write, and then acts as a TFTP client to pull the config. But that would be a bit more involved, and probably a consulting exercise.

 

Do you have a PCM system handy? Can you run a backup of a Procurve system, and use Wireshark to capture the snmp-set commands? I'd like to verify the OIDs it's using.

Mauro Furini
Frequent Advisor

Re: Configuration download only via SNMP

Thanks for the reply. Unfortunately I can't do more tests because this network belongs to a customer. I have opened a case with HP support and I'm waiting for an answer...

Mauro Furini
Frequent Advisor

Re: Configuration download only via SNMP

News from HP Support: to download the configuration from an HP Procurve, IMC MUST HAVE TELNET or SSH ACCESS...

IMC does not have this problem with Cisco.

I have no words...

LindsayHill
Honored Contributor

Re: Configuration download only via SNMP


Mauro Furini wrote:

 

I have no words...


I don't understand why you're so surprised by this? IMC tries to work with various vendors, and has numerous options for device config management, including SCP, SFTP, CLI, TFTP, FTP. But there's a limit to what they can do. This network has painted itself into a corner by limiting their options, and it's not realistic to expect HP to support that. Sure, HP could try and support every corner case, but the more you do that, the more cruft ends up in the supported codebase (look at IOS).

 

You could write your own adapter to handle it. Find another tool that does the backup using whatever method you want, figure out what steps it's doing, then write your own adapter to replicate that functionality.

 

(Random aside: So the network enforces token-based logins, but has no problems with cleartext configs going around the network?)

UnzenSekai
Occasional Visitor

Re: Configuration download only via SNMP

Hi, I have a question: I want to configure in SNMPv3 two groups that are already in use.

The first one is read-only with SHA1.
The second one is read/write with SHA1 and AES128.

Can you help me, please?