SNMPv3 and HPE IMC 7.3: ArubaOS-Switch based switc...
07-04-2018 05:07 AM - edited 07-04-2018 05:09 AM
Hello, I'm a little bit at a loss with regard to SNMPv3 settings on ArubaOS-Switch 16.05 (actually I'm working with the Aruba 5400R zl2 switch series, but the switch family is a little bit irrelevant) and device discovery from HPE IMC 7.3 (E0605) using SNMP/SSH and Telnet templates.
Currently SNMPv3, SSH and Telnet are enabled on the switch side, and the switch is also pingable from the HPE IMC host.
I've hardened the SNMP service at switch level using the suggestions taken from the ArubaOS-Switch Hardening Guide for 16.04 manual (Revision 1, April 2018), "SNMPv1/2c vs. SNMPv3" chapter... so the Aruba 5400R zl2 currently has this SNMPv3 configuration (with no SNMP community, as you can see):
HPE5412Rzl2(config)# show snmpv3 enable

 Status and Counters - SNMP v3 Global Configuration Information

  SNMP v3 enabled : No

HPE5412Rzl2(config)# snmpv3 enable
SNMPv3 Initialization process.
Creating user 'initial'
Authentication Protocol: MD5
Enter authentication password: ***************
Privacy protocol is DES
Enter privacy password: *****************

User 'initial' has been created
Would you like to create a user that uses SHA? [y/n] y
Enter user name: my-snmpv3-user
Authentication Protocol: SHA
Enter authentication password: *****************
Privacy protocol is DES
Enter privacy password: ******************

User creation is done. SNMPv3 is now functional.
Would you like to restrict SNMPv1 and SNMPv2c messages to have read only access (you can set this later by the command 'snmpv3 restricted-access')? [y/n] y

HPE5412Rzl2(config)# show snmpv3 enable

 Status and Counters - SNMP v3 Global Configuration Information

  SNMP v3 enabled : Yes

HPE5412Rzl2(config)# show snmpv3 user

 Status and Counters - SNMP v3 Global Configuration Information

  User Name                        Auth. Protocol   Privacy Protocol
  -------------------------------- ---------------- ----------------
  my-snmpv3-user                   SHA              CBC DES
  initial                          MD5              CBC DES

HPE5412Rzl2(config)# snmpv3 only
HPE5412Rzl2(config)# no snmp-server community public
HPE5412Rzl2(config)# show snmpv3 group

 Status and Counters - SNMP v3 Global Configuration Information

  Security Name                 Security Model Group Name
  ----------------------------- -------------- --------------------------------
  CommunityManagerReadOnly      ver1           ComManagerR
  CommunityManagerReadWrite     ver1           ComManagerRW
  CommunityOperatorReadOnly     ver1           ComOperatorR
  CommunityOperatorReadWrite    ver1           ComOperatorRW
  CommunityManagerReadOnly      ver2c          ComManagerR
  CommunityManagerReadWrite     ver2c          ComManagerRW
  CommunityOperatorReadOnly     ver2c          ComOperatorR
  CommunityOperatorReadWrite    ver2c          ComOperatorRW

HPE5412Rzl2(config)# snmpv3 group managerpriv user my-snmpv3-user sec-model ver3
HPE5412Rzl2(config)# show snmpv3 group

 Status and Counters - SNMP v3 Global Configuration Information

  Security Name                 Security Model Group Name
  ----------------------------- -------------- --------------------------------
  CommunityManagerReadOnly      ver1           ComManagerR
  CommunityManagerReadWrite     ver1           ComManagerRW
  CommunityOperatorReadOnly     ver1           ComOperatorR
  CommunityOperatorReadWrite    ver1           ComOperatorRW
  CommunityManagerReadOnly      ver2c          ComManagerR
  CommunityManagerReadWrite     ver2c          ComManagerRW
  CommunityOperatorReadOnly     ver2c          ComOperatorR
  CommunityOperatorReadWrite    ver2c          ComOperatorRW
  my-snmpv3-user                ver3           ManagerPriv

HPE5412Rzl2(config)# no snmpv3 user initial
HPE5412Rzl2(config)# show snmpv3 user

 Status and Counters - SNMP v3 Global Configuration Information

  User Name                        Auth. Protocol   Privacy Protocol
  -------------------------------- ---------------- ----------------
  my-snmpv3-user                   SHA              CBC DES

HPE5412Rzl2(config)# snmpv3 user my-snmpv3-user auth sha 17-chars-long-password priv aes 18-chars-long-password
HPE5412Rzl2(config)# show snmpv3 user

 Status and Counters - SNMP v3 Global Configuration Information

  User Name                        Auth. Protocol   Privacy Protocol
  -------------------------------- ---------------- ----------------
  my-snmpv3-user                   SHA              CFB AES-128

HPE5412Rzl2(config)# snmpv3 restricted-access
HPE5412Rzl2(config)# show snmpv3 restricted-access

 Status and Counters - SNMP v3 Global Configuration Information

  SNMP v1 and SNMP v2c messages restricted to read only : Yes
Also note that SNMPv3 user my-snmpv3-user's authentication and privacy passwords are, respectively, 17 and 18 characters long.
Under IMC -> System -> Resource Management -> Access Parameters Template I have added, from scratch, three templates (SNMP, Telnet and SSH) customized with the access parameters valid for the Aruba 5400R zl2 I deployed, i.e. using its SNMP, SSH and Telnet credentials. Note that I didn't remove the default templates already present for SNMP and Telnet; SSH had no default template.
Now the issue:
- If I test (concurrently or singly) SNMP, SSH and Telnet access to the Aruba 5400R zl2 by creating a batch operation (via IMC -> Resource -> Batch Operation -> Check Access Settings) and running it immediately, I always end up with failure(s).
- If, instead, I test SSH and Telnet singly by selecting the switch and performing "Test" under Configure -> Modify SSH Settings and Modify Telnet Settings, the SSH and Telnet tests do pass.
- If I test singly by selecting the switch and performing "Test" under Configure -> Modify SNMP Settings, the SNMP test doesn't pass.
So now questions:
- How can I check if the SNMPv3 settings configured above are correct?
- Do I need an SNMP community after all, i.e. snmp-server community public?
- Should I revert by issuing no snmpv3 restricted-access (which would be a little bit counter-intuitive since we need hardened SNMPv3), given that the Initial ArubaOS Switch Configuration explicitly advises that "restricting access to only SNMPv3 messages makes the community named “public” inaccessible to network management applications (such as autodiscovery, traffic monitoring, SNMP trap generation, and threshold setting) from operating in the ArubaOS switch. For that reason, Aruba recommends answering no to Step 8" (which is the last step of the snmpv3 enable command listed above)?
- Do batch operations use the default templates? Or, better said, how can I check which templates are used when verifying SNMP, SSH and Telnet access credentials via Batch Operations?
I'm not an HPE Employee
07-05-2018 04:40 AM
My experience with SNMPv3 is that it works, but if your device has various IPs and the IP of the device in IMC is different from the route to the server, IMC doesn't recognize the device.
Example:
Device IP in IMC: 192.168.0.1
But the default route on the switch is
0.0.0.0 0.0.0.0 192.168.1.1
The switch responds with the IP in the 192.168.1.0 subnet, which IMC doesn't recognize.
You can change the response IP on the Aruba switch with
snmp-server response-source dst-ip-of-request
HTH
Alex
07-05-2018 11:27 AM
Re: SNMPv3 and HPE IMC 7.3: ArubaOS-Switch based switches discovery by using SNMP/SSH/Telnet templat
That's really interesting... indeed our HPE IMC is hosted on a (routed) VLAN - I mean that that VLAN is routed by our routing switch, which has no default gateway/route at all, and, AFAIK, IP routing between the VLAN hosting the IMC host and any of the IP addresses associated with VLAN subnets on the routing switch works as expected (ping between these hosts is OK in either direction) - and I insisted on testing SNMPv3 connectivity from the HPE IMC host (VLAN Id n) to a switch IP address (VLAN Id m)... as soon as I tested SNMPv3 access through another switch IP address (VLAN Id n), communication succeeded.
Your command (snmp-server response-source dst-ip-of-request) was the solution to make it work between different subnets (so between VLAN Ids).
I'm not an HPE Employee