Protecting your network switches from unauthorized access should be high on everyone’s list these days. An insecure switch is a liability in any network topology. In the vast majority of cases this means at least changing the default usernames and passwords along with the SNMP community strings. In environments where you need additional access security you can use the Ethernet Routing Switch 8600 Access Policy to restrict administrative access to the switch. This lets you define which networks should have access to the switch and which management services they may use.
In the example below I’m allowing access from the network 10.1.1.0/24 for FTP, HTTP, SNMP(v3), SSH, TELNET and TFTP.
ERS-8610:5# config sys access-policy policy 10 create
ERS-8610:5# config sys access-policy policy 10 network 10.1.1.0/24
ERS-8610:5# config sys access-policy policy 10 service ftp enable
ERS-8610:5# config sys access-policy policy 10 service http enable
ERS-8610:5# config sys access-policy policy 10 service snmpv3 enable
ERS-8610:5# config sys access-policy policy 10 service ssh enable
ERS-8610:5# config sys access-policy policy 10 service telnet enable
ERS-8610:5# config sys access-policy policy 10 service tftp enable
ERS-8610:5# config sys access-policy policy 10 snmp-group-add admin snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add admin snmpv2c
ERS-8610:5# config sys access-policy policy 10 snmp-group-add v1v2grp snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add v1v2grp snmpv2c
ERS-8610:5# config sys access-policy policy 10 snmp-group-add readgrp snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add readgrp snmpv2c
ERS-8610:5# config sys access-policy policy 10 enable
Just don’t forget to enable the access policy globally:
ERS-8610:5# config sys access-policy enable true
You can also use host masks instead of network masks if you want to allow only specific management stations to access the switch.
Cheers!
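Before turning the policy on it is worth checking, offline, which stations the policy set will actually let in and which SNMP communities will still resolve to a permitted group. The following Python model is an added example, not the switch's own code or anything from Nortel: it parses the policy syntax used above (create/enable/disable, network, host, service ... enable, snmp-group-add, and the global enable) and evaluates a request against it. The semantics are an assumption stated in the module docstring, and the community-to-security-name and security-name-to-group tables (readview, readgrp) are constructed placeholders, not defaults taken from the post.

```python
"""Simplified model of ERS 8600 access-policy evaluation (added example).

Assumed semantics, not stated by the post: when the global enable is true,
a request is allowed only if some enabled policy covers the source address
and lists the service; SNMPv1/v2c additionally needs the community string
to resolve, via its security name, to a (group, model) pair the policy added
with snmp-group-add. Keywords the model does not use (name, precedence,
accesslevel) are ignored.
"""
import ipaddress
import re
from dataclasses import dataclass, field

POLICY_RE = re.compile(r"^(?:config\s+)?sys access-policy policy (\d+)\s+(.+)$")
GLOBAL_RE = re.compile(r"^(?:config\s+)?sys access-policy enable (true|false)$")
PROMPT_RE = re.compile(r"^\S+#\s*")  # strips a pasted CLI prompt such as 'ERS-8610:5# '


@dataclass
class Policy:
    number: int
    enabled: bool = False
    networks: list = field(default_factory=list)   # ip_network objects (host mask = /32)
    services: set = field(default_factory=set)     # e.g. {"ssh", "snmpv3"}
    snmp_groups: set = field(default_factory=set)  # (group, model) pairs


def parse_config(text):
    """Return (global_enabled, {number: Policy}) from pasted config or CLI lines."""
    policies, global_enabled = {}, False
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        m = GLOBAL_RE.match(line)
        if m:
            global_enabled = m.group(1) == "true"
            continue
        m = POLICY_RE.match(line)
        if not m:
            continue
        pol = policies.setdefault(int(m.group(1)), Policy(int(m.group(1))))
        args = m.group(2).split()
        kw = args[0]
        if kw == "enable":
            pol.enabled = True
        elif kw == "disable":
            pol.enabled = False
        elif kw == "network":
            pol.networks.append(ipaddress.ip_network(args[1], strict=False))
        elif kw == "host":  # host mask: a single management station
            pol.networks.append(ipaddress.ip_network(args[1] + "/32"))
        elif kw == "service" and len(args) == 3 and args[2] == "enable":
            pol.services.add(args[1])
        elif kw == "snmp-group-add" and len(args) == 3:
            pol.snmp_groups.add((args[1], args[2]))
    return global_enabled, policies


def check_access(global_enabled, policies, src_ip, service, snmp_group=None):
    """Return (allowed, reason); snmp_group is the (group, model) an SNMP request maps to."""
    if not global_enabled:
        return True, "access-policy enable is false: nothing is enforced"
    ip = ipaddress.ip_address(src_ip)
    for pol in sorted(policies.values(), key=lambda p: p.number):
        if not pol.enabled or not any(ip in net for net in pol.networks):
            continue
        if service not in pol.services:
            continue
        if snmp_group is not None and snmp_group not in pol.snmp_groups:
            continue
        return True, f"policy {pol.number}"
    return False, f"no enabled policy allows {service} from {src_ip}"


def check_snmp(global_enabled, policies, src_ip, community, model, communities, sec_to_group):
    """SNMPv1/v2c: community -> security name -> group, then the policy check.
    communities and sec_to_group are constructed tables standing in for the
    switch's community and security-to-group configuration."""
    sec_name = communities.get(community)
    group = sec_to_group.get((model, sec_name)) if sec_name else None
    if group is None:
        return False, f"community {community!r} does not resolve to a {model} group"
    return check_access(global_enabled, policies, src_ip, "snmpv3", (group, model))


# Constructed sample: a cut-down copy of the post's policy 10 plus a disabled policy 1.
SAMPLE_CONFIG = """
ERS-8610:5# config sys access-policy policy 1 create
ERS-8610:5# config sys access-policy policy 1 disable
ERS-8610:5# config sys access-policy policy 1 service ftp enable
ERS-8610:5# config sys access-policy policy 10 create
ERS-8610:5# config sys access-policy policy 10 network 10.1.1.0/24
ERS-8610:5# config sys access-policy policy 10 service snmpv3 enable
ERS-8610:5# config sys access-policy policy 10 service ssh enable
ERS-8610:5# config sys access-policy policy 10 snmp-group-add readgrp snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add readgrp snmpv2c
ERS-8610:5# config sys access-policy policy 10 enable
ERS-8610:5# config sys access-policy enable true
"""
COMMUNITIES = {"public": "readview"}                 # constructed: community -> security name
SEC_TO_GROUP = {("snmpv1", "readview"): "readgrp",   # constructed: (model, security name) -> group
                ("snmpv2c", "readview"): "readgrp"}

if __name__ == "__main__":
    on, pols = parse_config(SAMPLE_CONFIG)
    print(check_access(on, pols, "10.1.1.5", "ssh"))   # allowed by policy 10
    print(check_access(on, pols, "10.2.2.5", "ssh"))   # denied: outside 10.1.1.0/24
    print(check_snmp(on, pols, "10.1.1.5", "public", "snmpv2c", COMMUNITIES, SEC_TO_GROUP))
    # A renamed security name breaks the community -> group chain even though
    # the policy itself is correct, which is the failure mode seen in the comments.
    print(check_snmp(on, pols, "10.1.1.5", "public", "snmpv2c", {"public": "renamed"}, SEC_TO_GROUP))
```

Run it against a pasted `show config` before setting `access-policy enable true`; a denied result for the station you are sitting at is the lock-out you want to catch before, not after, the change.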
Victor Hill says
Do you happen to have any examples of how to implement SNMPv3 on the 8600 and 4500s? I keep going through Nortel’s docs and configuration guide but can’t seem to find an operational example, just lists of commands and explainers.
Thanks,
Vic
Michael McNamara says
Hi Victor,
Here are a few quick commands that you can use on the ERS 8600 to enable SNMP v3 access (assuming you don’t have an access policy restricting access).
You’ll need to substitute the variables in {} with your appropriate IP addressing and passwords, etc.
Hopefully that should get you going…
Cheers!
Justin Di Tomaso says
Thanks for the info Michael, which pretty much mirrors what I’m trying to set up, in allowing only access via two hosts. The problem I’m having is loss of Device Manager; how do these settings sit with the default policy? I mean I want to only allow any connectivity from two IP addresses and deny everything else – will invoking the two policies for the two addresses automatically deny all other IPs? I can provide a config if you like.
Justin Di Tomaso says
Ignore my last, I cracked it by some additional policy statements on my trusted IPs plus restricting the default policy, thanks.
Michael McNamara says
Hi Justin,
Glad to hear you figured it out!
Cheers!
dophilin says
Hi Michael
I have a question about access policy for SNMP. The configuration below is the access policy on an ERS8600 and I also changed the default community to a new one. But I still can’t use SNMPv1/v2 to get data from the ERS8600. Could you please let me know what I might have missed?
Thanks
sys access-policy policy 2 create
sys access-policy policy 2 accesslevel rwa
sys access-policy policy 2 name "mgmt access"
sys access-policy policy 2 precedence 1
sys access-policy policy 2 network 172.16.0.0/16
sys access-policy policy 2 service snmpv3 enable
sys access-policy policy 2 service telnet enable
sys access-policy policy 2 service tftp enable
sys access-policy policy 2 snmp-group-add readgrp snmpv1
sys access-policy policy 2 snmp-group-add readgrp snmpv2c
sys access-policy policy 2 snmp-group-add v1v2grp snmpv1
sys access-policy policy 2 snmp-group-add v1v2grp snmpv2c
Michael McNamara says
Hi dophilin,
If you disable the access policy can you access the switch via SNMP? This will help you determine if the problem is with the access policy or if the problem lies in your SNMP configuration.
You might want to make sure that someone hasn’t disabled SNMP globally from the bootconfig flags. You can check that by issuing a “show config bootconfig flags” command.
You might want to post the specific details of your problem over on the forums; http://forums.networkinfrastructure.info/nortel-ethernet-switching/
Good Luck!
dophilin says
Hi Michael
Thanks for your advice. I could access the ERS8600 when I disabled the access policy, and global SNMP access is enabled in the bootconfig flags. So, I am wondering what else I should set up for SNMP access with the access policy.
Regards
Michael McNamara says
In your example you were configuring the second rule. What was the first access policy rule?
That rule might be blocking you. I believe you can show the statistics of how many times each rule is fired or triggered, although I can’t remember the command right now.
Cheers!
dophilin says
Hi Michael
This is the first policy
sys access-policy policy 1 disable
sys access-policy policy 1 service ftp enable
I finally got the root cause of this issue. Someone changed the security name of the community, and that’s why the original community strings couldn’t match the default groups for SNMPv1/v2.
Thanks for your kind help and advice.
marc says
Hello
Will you help me?
I’ve got a problem with the module on a passport 3DES 8010.
My image p80c37170.img, unable to load the software.
I can not load module 3DES.
In my logs I get the message:
SW ERROR Dynamic loading of 3DES encryption module failed, Module IS Already loaded.
I do not see the module load when I type the command “config info”, and when I run the SSH command it replies “no matching cipher found”.
All this worked well on other passport with the same software.
Do you have an answer to this problem?
Regards.
Michael McNamara says
Hi Marc,
Well something needs to be wrong somewhere. Have you tried restarting the switch? You might have a corrupt file, so you might need to delete the file p80c3717.img and then re-upload it to the switch.
You should see the 3DES file loaded in a ‘config info’ like so (this was run on 5.1.2.0 software):
Good Luck!
Sourabh says
Hi,
In the ERS 8600 can we create any access list/policy so that we can block certain multicast group addresses (229.x.x.x) from being sent/flooded? DVMRP has been implemented for multicast routing.
Michael McNamara says
I never tried it myself, so I don’t really know. Sorry.
Sourabh says
Hi,
Thanks for your reply. It would be really helpful if you could guide me on the following issue.
I am recently looking after a customer network for a stock broker, so multicast routing is obvious. Now the customer had a previous experience that when they tried to do multicast routing in their core 8300, the CPU and memory utilisation peaked up to 100%, causing the network to get choked.
So they are doing multicast routing on a Cisco router and other features are implemented in the core ERS 8300 only.
I think this was caused by a virus. I had seen this virus issue causing the IGMP sender list to fill up and causing 100% CPU utilisation on an 8600 in a different network. After implementing proper antivirus in the network it’s working fine now.
Now I want to reconfigure the core 8300 and do the multicast routing in the core only. Maybe it can shoot CPU and memory utilisation up, but still I want to check. PIM-SM is the only option. The core is running software version 4.2.
I need your help in this regard as to whether it’s possible to upgrade the DRAM of the 839rsf module, which has the default 128 MB of DRAM.
abi says
Hi
I am not able to register my switch on the server; it is due to SNMPv3.
Can you help me?
sys access-policy policy 25 name "HPNNMI"
sys access-policy policy 25 host 10.208.224.16
sys access-policy policy 25 service snmpv3 enable
sys access-policy policy 25 snmp-group-add readgrp snmpv1
sys access-policy policy 25 snmp-group-add readgrp snmpv2c
sys access-policy policy 25 snmp-group-add nortel1 usm
Michael McNamara says
Are you able to get SNMPv2 to work? I would start there, that will let you know if you’ve got at least some piece working.
Cheers!