HPE Aruba Networking & ProVision-based
SNMPv3 Restricted-Access NOT

 
dmesser-hhs
Frequent Advisor

I was just looking at one of my 5400 switches and I noticed from the web interface that the "public" community string had write access. I said to myself, impossible. I double-checked the config on a couple of switches. Yep, right there in the config:

snmpv3 restricted-access. This is supposed to restrict SNMP v1/2 to read-only. However, when I issue the command:

show snmp-server... sure enough, it shows that my "public" community has unrestricted (write) access.

This is only the case on the 5400 switches (16 of them). All of my 2900 and 8200 switches show my public community as "restricted" when I issue the show snmp-server command.

Now I can fix this by simply issuing snmp-server community public restricted, but what is the purpose of the snmpv3 restricted-access command? Flaky....

Config cut:

snmp-server community "public"
snmp-server host 172.16.1.33 community "public" trap-level all
snmp-server host 172.16.1.33 community "public"
snmp-server enable traps startup-config-change
snmp-server enable traps running-config-change
snmp-server contact "Dominic Messer" location "Dunn, NC"
snmpv3 enable
snmpv3 restricted-access


show snmp-server output:

SNMP Communities

Community Name                   MIB View Write Access
-------------------------------- -------- ------------
public                           Manager  Unrestricted
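As an added example (not from this thread and not HPE code), a small Python audit that parses the SNMP Communities table of show snmp-server, as in the output above, and flags every v1/v2c community that still has Unrestricted write access, noting whether snmpv3 restricted-access is present in the config and printing the per-community fix used in this thread. The sample show output and config cut are constructed, not captured from a switch.

```python
import re

# Constructed sample of "show snmp-server" output, modelled on the table in the post.
SAMPLE_SHOW = """\
SNMP Communities

Community Name                   MIB View Write Access
-------------------------------- -------- ------------
public                           Manager  Unrestricted
monitoring                       Operator Restricted
"""

# Constructed config cut; "snmpv3 restricted-access" is present, as in the post.
SAMPLE_CONFIG = """\
snmp-server community "public"
snmp-server community "monitoring" operator restricted
snmpv3 enable
snmpv3 restricted-access
"""

def parse_communities(show_output):
    """Return {community: (mib_view, write_access)} from the SNMP Communities table.
    Rows are read after the dashed separator; names are assumed to be one token."""
    rows = {}
    in_table = False
    for line in show_output.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        if len(parts) >= 3:
            rows[parts[0]] = (parts[1], parts[2])
    return rows

def audit(show_output, config):
    """Flag v1/v2c communities that keep write access; each finding is
    (community, reason, fix_command), the fix being the command used in the thread."""
    has_restricted = re.search(r"^snmpv3 restricted-access\s*$", config, re.M) is not None
    findings = []
    for name, (_view, write) in parse_communities(show_output).items():
        if write.lower() != "unrestricted":
            continue
        reason = ("write access despite snmpv3 restricted-access" if has_restricted
                  else "write access; snmpv3 restricted-access not configured")
        findings.append((name, reason, f"snmp-server community {name} restricted"))
    return findings
```

Feed it the saved show snmp-server output and running-config of each switch to find the ones where the global command did not take effect, as the poster found on the 5400s.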

Peter_Debruyne
Honored Contributor

Re: SNMPv3 Restricted-Access NOT

I assume that the show output remains stable, independent of the "restricted" command. So if you removed the restricted command, public would be full RW; with the restricted command, public would be RO.

It is best practice to get rid of that default public unrestricted command for obvious reasons :) (public could be used to reset the manager password, for instance).


dmesser-hhs
Frequent Advisor

Re: SNMPv3 Restricted-Access NOT

That is what snmpv3 restricted-access is supposed to do according to the manual. It makes it so that no SNMPv1/2 community has write access. The only way to write is from the SNMPv3 r/w account that I set up. All of my switches are using SNMPv3 for write access, but I was just lost as to why this command did not work. I ended up going back through each one of my switches and entering:

snmp-server community public restricted

Again, I thought that snmpv3 restricted-access would cover me, but it did not.

paulgear
Esteemed Contributor

Re: SNMPv3 Restricted-Access NOT

Obviously, manually setting the community to read-only is a workaround, but that sounds like a bug to me. Check that you're running the latest firmware version, and if so, I would suggest logging a bug with HP.
Regards,
Paul