ERS 8600 Access Policy


Protecting your network switches from unauthorized access should be high on everyone's list these days. It's clear that an insecure switch is a liability in any network topology. In the vast majority of cases this means at least changing the default usernames and passwords along with the SNMP community strings. In environments where you need additional access security you can use the Ethernet Routing Switch 8600 Access Policy to restrict administrative access to the switch. This lets you easily define which networks should have access and which management services they should be able to reach.

In the example below I’m allowing access from the network 10.1.1.0/24 for FTP, HTTP, SNMP(v3), SSH, TELNET and TFTP.

ERS-8610:5# config sys access-policy policy 10 create
ERS-8610:5# config sys access-policy policy 10 network 10.1.1.0/24
ERS-8610:5# config sys access-policy policy 10 service ftp enable
ERS-8610:5# config sys access-policy policy 10 service http enable
ERS-8610:5# config sys access-policy policy 10 service snmpv3 enable
ERS-8610:5# config sys access-policy policy 10 service ssh enable
ERS-8610:5# config sys access-policy policy 10 service telnet enable
ERS-8610:5# config sys access-policy policy 10 service tftp enable
ERS-8610:5# config sys access-policy policy 10 snmp-group-add admin snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add admin snmpv2c
ERS-8610:5# config sys access-policy policy 10 snmp-group-add v1v2grp snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add v1v2grp snmpv2c
ERS-8610:5# config sys access-policy policy 10 snmp-group-add readgrp snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add readgrp snmpv2c
ERS-8610:5# config sys access-policy policy 10 enable

Just don't forget to enable access policies globally as well (enabling policy 10 above is not enough on its own):

ERS-8610:5# config sys access-policy enable true

You could also use host masks as opposed to network masks if you wish to allow only specific management stations access to the switch.
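The following Python model is an added illustration, not part of the original post and not the switch's own code; it shows how a source address, a requested service and (for SNMPv1/v2c) the community's group combine under a policy like policy 10 above, and why a /32 host mask narrows access to a single station. Everything about evaluation order is an assumption for the model: policies are tried lowest precedence number first, the first enabled policy that covers the source and permits the service wins, a request no policy permits is denied, policy 1 is modelled as the shipped default that covers every source, and the community-to-group mapping is a constructed sample. The model goes slightly beyond the post to cover the two questions raised in the comments below: allowing a couple of hosts does not by itself lock out everyone else while the default policy still permits them, and an SNMPv1/v2c request only gets through when the community's security name belongs to a group listed with snmp-group-add.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of how the ERS 8600 access policy gates management traffic.
# Assumption: an illustration of the CLI semantics used in the post, not the
# switch's own code. Policies are tried in precedence order (lowest number
# first, an assumption), the first enabled policy that covers the source and
# permits the requested service decides, and anything no policy permits is denied.

SNMP_V1V2_MODELS = ("snmpv1", "snmpv2c")
ALL_SERVICES = {"ftp", "http", "snmpv3", "ssh", "telnet", "tftp"}


@dataclass
class AccessPolicy:
    policy_id: int
    network: str                                   # "10.1.1.0/24", or a /32 host mask
    services: set = field(default_factory=set)     # from "service <name> enable"
    snmp_groups: set = field(default_factory=set)  # {(group, model)} from snmp-group-add
    precedence: int = 128                          # assumption: lower number checked first
    enabled: bool = True

    def covers(self, src_ip):
        net = ipaddress.ip_network(self.network, strict=False)
        return ipaddress.ip_address(src_ip) in net

    def permits(self, service, group):
        # SNMPv1/v2c is gated by the community's group, not by the service list
        if service in SNMP_V1V2_MODELS:
            return group is not None and (group, service) in self.snmp_groups
        return service in self.services


# Community string -> security name / group on the switch (constructed sample values).
COMMUNITY_GROUP = {"public": "readgrp", "private": "v1v2grp"}


def evaluate(policies, src_ip, service, community=None, globally_enabled=True):
    """Decide one management request. Returns (allowed, reason)."""
    if not globally_enabled:
        return True, "access-policy enable false: nothing is filtered"
    group = COMMUNITY_GROUP.get(community)
    for p in sorted(policies, key=lambda p: p.precedence):
        if p.enabled and p.covers(src_ip) and p.permits(service, group):
            return True, f"policy {p.policy_id} ({p.network}) permits {service}"
    return False, f"no enabled policy permits {service} from {src_ip}"


def policy_from_post():
    """Policy 10 as configured in the post: the 10.1.1.0/24 network, every service."""
    groups = {(g, m) for g in ("admin", "v1v2grp", "readgrp") for m in SNMP_V1V2_MODELS}
    return AccessPolicy(10, "10.1.1.0/24", set(ALL_SERVICES), groups, precedence=10)


def default_policy(enabled=True):
    """Policy 1 modelled as the shipped default: any source, every service (assumption)."""
    return AccessPolicy(1, "0.0.0.0/0", set(ALL_SERVICES), set(), precedence=128, enabled=enabled)


if __name__ == "__main__":
    pol = [policy_from_post()]
    for src, svc, comm in [("10.1.1.25", "ssh", None),          # inside /24: allowed
                           ("10.1.2.25", "ssh", None),          # outside /24: denied
                           ("10.1.1.25", "snmpv2c", "public"),  # readgrp listed: allowed
                           ("10.1.1.25", "snmpv2c", "renamed")]:  # unknown group: denied
        print(src, svc, comm, evaluate(pol, src, svc, comm))
```

Swap the /24 in `policy_from_post` for a `/32` entry per management station to see the host-mask variant, and note that adding such host policies while `default_policy()` stays enabled still admits every other source.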

Cheers!


  1. #1 by Victor Hill on April 27, 2009 - 3:52 pm

    Do you happen to have any examples of how to implement SNMPv3 on the 8600 and 4500s? I keep going through Nortel’s docs and configuration guide but can’t seem to find an operational example, just lists of commands and explainers.
    Thanks,
    Vic

  2. #2 by Michael McNamara on April 28, 2009 - 7:19 pm

    Hi Victor,

    Here are a few quick commands that you can use on the ERS 8600 to enable SNMP v3 access (assuming you don't have an access policy restricting access).

    You’ll need to substitute the variables in {} with your appropriate IP addressing and passwords, etc.

    config load-encryption-module 3DES /flash/p80c4182.img
    config load-encryption-module AES /flash/p80c4182.aes
    
    config snmp-v3 usm create Manager sha auth {auth_password} priv-prot aes priv {priv_password}
    config snmp-v3 group-access create admin "" usm authPriv
    config snmp-v3 group-access view admin "" usm authPriv read root write root notify root
    config snmp-v3 group-member create Manager usm admin
    config snmp-v3 target-addr delete TAddr1
    config snmp-v3 target-addr delete TAddr2
    config snmp-v3 target-addr create HP_OpenView {HP OPENVIEW OPENVIEW IP ADDRESS}:162 TparamV1 taglist trapTag
    
    config snmp-v3 usm delete initial
    
    config sys set snmp sender-ip {HP OPENVIEW IP ADDRESS} {CLIP INTERFACE}
    config sys set snmp force-trap-sender true
    config sys set snmp force-iphdr-sender true
    

    Hopefully that should get you going…

    Cheers!

  3. #3 by Justin Di Tomaso on September 22, 2009 - 5:37 am

    Thanks for the info Michael, which pretty much mirrors what I'm trying to set up, in allowing only access via 2 hosts. The problem I'm having is loss of Device Manager; how do these settings sit with the default policy? I mean I want to only allow any connectivity from 2 IP addresses and deny everything else. Will invoking the 2 policies for the two addresses automatically deny all other IPs? I can provide a config if you like.

  4. #4 by Justin Di Tomaso on September 22, 2009 - 10:00 am

    Ignore my last, I cracked it by some additional policy statements on my trusted IPs plus restricting the default policy, thanks

  5. #6 by dophilin on November 9, 2009 - 7:30 pm

    Hi Michael

    I have a question about access policy for SNMP. The configuration below is the access policy on an ERS8600 and I also changed the default community to a new one. But I still can't use SNMPv1/v2 to get data from the ERS8600. Could you please let me know what I might be missing?

    Thanks

    sys access-policy policy 2 create
    sys access-policy policy 2 accesslevel rwa
    sys access-policy policy 2 name "mgmt access"
    sys access-policy policy 2 precedence 1
    sys access-policy policy 2 network 172.16.0.0/16
    sys access-policy policy 2 service snmpv3 enable
    sys access-policy policy 2 service telnet enable
    sys access-policy policy 2 service tftp enable
    sys access-policy policy 2 snmp-group-add readgrp snmpv1
    sys access-policy policy 2 snmp-group-add readgrp snmpv2c
    sys access-policy policy 2 snmp-group-add v1v2grp snmpv1
    sys access-policy policy 2 snmp-group-add v1v2grp snmpv2c

    • #7 by Michael McNamara on November 9, 2009 - 8:20 pm

      Hi dophilin,

      If you disable the access policy can you access the switch via SNMP? This will help you determine if the problem is with the access policy or if the problem lies in your SNMP configuration.

      You might want to make sure that someone hasn’t disabled SNMP globally from the bootconfig flags. You can check that by issuing a “show config bootconfig flags” command.

      You might want to post the specific details of your problem over on the forums; http://forums.networkinfrastructure.info/nortel-ethernet-switching/

      Good Luck!

  6. #8 by dophilin on November 9, 2009 - 8:32 pm

    Hi Michael

    Thanks for your advice. I could access the ERS8600 when I disabled the access policy, and global SNMP access is enabled from the bootconfig flags. So I am wondering what else I should set up for SNMP access with the access policy.

    Regards

    • #9 by Michael McNamara on November 9, 2009 - 8:39 pm

      In your example you were configuring the second rule. What was the first access policy rule?

      That rule might be blocking you. I believe you can show the statistics of how many times each rule is fired or triggered, although I can't remember the command right now.

      Cheers!

  7. #10 by dophilin on November 10, 2009 - 1:39 am

    Hi Michael

    This is the first policy

    sys access-policy policy 1 disable
    sys access-policy policy 1 service ftp enable

    I finally got the root cause of this issue. Someone changed the security name of the community and that's why the original community strings couldn't match the default groups for SNMPv1/v2.

    Thanks for your kind help and advice.
