ERS 8600 Access Policy
Protecting your network switches from unauthorized access should be high on everyone’s list these days. It’s clear that an insecure switch is a liability in any network topology. In the vast majority of cases this means at least changing the default usernames and passwords along with the SNMP community strings. In environments where you need additional access security you can use the Ethernet Routing Switch 8600 Access Policy to restrict administrative access to the switch. This lets you easily define which networks should have access and which services they should have access to.
In the example below I’m allowing access from the network 10.1.1.0/24 for FTP, HTTP, SNMP(v3), SSH, TELNET and TFTP.
ERS-8610:5# config sys access-policy policy 10 create
ERS-8610:5# config sys access-policy policy 10 network 10.1.1.0/24
ERS-8610:5# config sys access-policy policy 10 service ftp enable
ERS-8610:5# config sys access-policy policy 10 service http enable
ERS-8610:5# config sys access-policy policy 10 service snmpv3 enable
ERS-8610:5# config sys access-policy policy 10 service ssh enable
ERS-8610:5# config sys access-policy policy 10 service telnet enable
ERS-8610:5# config sys access-policy policy 10 service tftp enable
ERS-8610:5# config sys access-policy policy 10 snmp-group-add admin snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add admin snmpv2c
ERS-8610:5# config sys access-policy policy 10 snmp-group-add v1v2grp snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add v1v2grp snmpv2c
ERS-8610:5# config sys access-policy policy 10 snmp-group-add readgrp snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add readgrp snmpv2c
ERS-8610:5# config sys access-policy policy 10 enable
Just don’t forget to enable the access policy feature globally:
ERS-8610:5# config sys access-policy enable true
You could also use host masks as opposed to network masks if you wish to allow only specific management stations access to the switch.
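As an added, offline illustration (not the author’s or Nortel’s code): a small Python model that parses the “config sys access-policy” lines above and answers whether a given management station may reach a given service. It assumes the simplified semantics the post describes: once the feature is enabled, a host reaches a service only if an enabled policy whose network (a /24 here, or a /32 host mask) covers its address has that service enabled; the switch’s built-in default policy and the SNMP group mappings are not modelled, and the sample config and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample (not from the post): policy 10 mirrors the post's /24
# network, policy 20 uses a /32 host mask for one management station.
SAMPLE_CONFIG = """
ERS-8610:5# config sys access-policy policy 10 create
ERS-8610:5# config sys access-policy policy 10 network 10.1.1.0/24
ERS-8610:5# config sys access-policy policy 10 service ssh enable
ERS-8610:5# config sys access-policy policy 10 service snmpv3 enable
ERS-8610:5# config sys access-policy policy 10 enable
ERS-8610:5# config sys access-policy policy 20 create
ERS-8610:5# config sys access-policy policy 20 network 192.0.2.7/32
ERS-8610:5# config sys access-policy policy 20 service ssh enable
ERS-8610:5# config sys access-policy policy 20 enable
ERS-8610:5# config sys access-policy enable true
"""
# Matches the command with or without a leading "ERS-8610:5# " prompt.
LINE_RE = re.compile(r"^(?:\S+# )?config sys access-policy (.+)$")

def parse_access_policy(text):
    """Return (feature_enabled, {policy_id: policy}) from the CLI lines."""
    policies, feature_enabled = {}, False
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        tok = m.group(1).split()
        if tok[0] == "enable":            # global "access-policy enable true|false"
            feature_enabled = tok[1] == "true"
            continue
        if tok[0] != "policy":
            continue
        pol = policies.setdefault(
            int(tok[1]), {"network": None, "services": {}, "enabled": False})
        if tok[2] == "network":
            pol["network"] = ipaddress.ip_network(tok[3], strict=False)
        elif tok[2] == "service":         # "service <name> enable|disable"
            pol["services"][tok[3]] = tok[4] == "enable"
        elif tok[2] in ("enable", "disable"):
            pol["enabled"] = tok[2] == "enable"
    return feature_enabled, policies

def is_allowed(feature_enabled, policies, src_ip, service):
    """Feature on: allowed only if an enabled policy covers src_ip and the service."""
    if not feature_enabled:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(p["enabled"] and p["network"] is not None and ip in p["network"]
               and p["services"].get(service, False) for p in policies.values())
```

A host outside every policy’s network, or inside one that has the service disabled or left unset, is denied, which is the behaviour to confirm before you turn the feature on from a station that might lock itself out.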
Cheers!
This entry was posted by Michael McNamara on January 12, 2008 at 9:00 am, and is filed under EthernetRtngSwitch.
about 1 year ago
Do you happen to have any examples of how to implement SNMPv3 on the 8600 and 4500s? I keep going through Nortel’s docs and configuration guide but can’t seem to find an operational example, just lists of commands and explainers.
Thanks,
Vic
about 1 year ago
Hi Victor,
Here’s a few quick commands that you can use on the ERS 8600 to enable SNMP v3 access (assuming you don’t have an access policy restricting access).
You’ll need to substitute the variables in {} with your appropriate IP addressing and passwords, etc.
config load-encryption-module 3DES /flash/p80c4182.img
config load-encryption-module AES /flash/p80c4182.aes
config snmp-v3 usm create Manager sha auth {auth_password} priv-prot aes priv {priv_password}
config snmp-v3 group-access create admin "" usm authPriv
config snmp-v3 group-access view admin "" usm authPriv read root write root notify root
config snmp-v3 group-member create Manager usm admin
config snmp-v3 target-addr delete TAddr1
config snmp-v3 target-addr delete TAddr2
config snmp-v3 target-addr create HP_OpenView {HP OPENVIEW IP ADDRESS}:162 TparamV1 taglist trapTag
config snmp-v3 usm delete initial
config sys set snmp sender-ip {HP OPENVIEW IP ADDRESS} {CLIP INTERFACE}
config sys set snmp force-trap-sender true
config sys set snmp force-iphdr-sender true
Hopefully that should get you going…
Cheers!
about 11 months ago
Thanks for the info Michael, which pretty much mirrors what I’m trying to set up, in allowing access only via 2 hosts. The problem I’m having is loss of Device Manager; how do these settings sit with the default policy? I mean I want to only allow any connectivity from 2 IP addresses and deny everything else – will invoking the 2 policies for the two addresses automatically deny all other IPs? I can provide a config if you like.
about 11 months ago
Ignore my last, I cracked it with some additional policy statements on my trusted IPs plus restricting the default policy, thanks.
about 11 months ago
Hi Justin,
Glad to hear you figured it out!
Cheers!
about 9 months ago
Hi Michael
I have a question about the access policy for SNMP. The configuration below is the access policy on an ERS8600, and I also changed the default community to a new one. But I still can’t use SNMPv1/v2 to get data from the ERS8600. Could you please let me know what I might be missing?
Thanks
sys access-policy policy 2 create
sys access-policy policy 2 accesslevel rwa
sys access-policy policy 2 name “mgmt access”
sys access-policy policy 2 precedence 1
sys access-policy policy 2 network 172.16.0.0/16
sys access-policy policy 2 service snmpv3 enable
sys access-policy policy 2 service telnet enable
sys access-policy policy 2 service tftp enable
sys access-policy policy 2 snmp-group-add readgrp snmpv1
sys access-policy policy 2 snmp-group-add readgrp snmpv2c
sys access-policy policy 2 snmp-group-add v1v2grp snmpv1
sys access-policy policy 2 snmp-group-add v1v2grp snmpv2c
about 9 months ago
Hi dophilin,
If you disable the access policy can you access the switch via SNMP? This will help you determine if the problem is with the access policy or if the problem lies in your SNMP configuration.
You might want to make sure that someone hasn’t disabled SNMP globally from the bootconfig flags. You can check that by issuing a “show config bootconfig flags” command.
You might want to post the specific details of your problem over on the forums; http://forums.networkinfrastructure.info/nortel-ethernet-switching/
Good Luck!
about 9 months ago
Hi Michael
Thanks for your advice. I could access the ERS8600 when I disabled the access policy, and global SNMP access is enabled in the bootconfig flags. So I am wondering what else I should set up for SNMP access with the access policy.
Regards
about 9 months ago
In your example you were configuring the second rule. What was the first access policy rule?
That rule might be blocking you. I believe you can show statistics of how many times each rule is fired or triggered, although I can’t remember the command right now.
Cheers!
about 9 months ago
Hi Michael
This is the first policy
sys access-policy policy 1 disable
sys access-policy policy 1 service ftp enable
I finally got the root cause of this issue. Someone changed the security name of community and that’s why the original community strings couldn’t match default groups for SNMPv1/v2.
Thanks for your kind help and advice.
about 1 month ago
Hello
Will you help me?
I’ve got a problem with the 3DES module on a Passport 8010.
With my image p80c37170.img, I am unable to load the software.
I cannot load the 3DES module.
In my logs I get the message:
SW ERROR Dynamic loading of 3DES encryption module failed, Module IS Already loaded.
I do not see the module loaded when I type the command “config info”, and when I run the SSH command it replies “no matching cipher found”.
All this worked well on another Passport with the same software.
Do you have an answer to this problem?
Regards.
about 1 month ago
Hi Marc,
Well something needs to be wrong somewhere. Have you tried restarting the switch? You might have a corrupt file, so you might need to delete the file p80c3717.img and then re-upload it to the switch.
You should see the 3DES file loaded from a ‘config info’ like so (this was run on 5.1.2.0 software):
ERS-8610:6# config info
Sub-Context: clear config dump monitor mplsping mplstrace peer show switchover test trace wsm asfm sam
Current Context:
load-encryption-module : 3DES File p80c5120.img
setdate : N/A
mac-flap-time-limit : 500
auto-recover-delay : 30
Good Luck!