How to restrict SNMP community strings on the ERS8600


Here’s a guest post (re-posted from the discussion forums) from Forrequi detailing the steps he took to set up an SNMP community string that a third party could use to poll the temperature readings of the Nortel Ethernet Routing Switch 8600.

Today I have a little challenge on my network: configure a permission for a specific IP to read the temperature of two ERS8600. This specific host is not part of my management network, so I can’t use the same SNMP read community. I don’t like to open everything on the core to be read, so I started to allow only the specific OID (chassis temperature) on my two ERS8600, and only for the specific IP of the host, with a new read community.

After some study of the Nortel documentation (2008_04_04_SNMP_on_ERS_8600_TCG_NN48500564.pdf) I present my little to-do for everyone that needs something similar, because this document is not the most objective guide in the world. My steps:

Step 1: Create a MIB view called “only_temp”, restricted to the temperature OID:

config snmp-v3 mib-view create only_temp 1.3.6.1.4.1.2272.1.100.1.2.0 type include

View the changes:

config snmp-v3 mib-view info

Step 2: Create an access group called “group_temp”, with SNMPv1 and v2c, no authentication, reading the “only_temp” MIB view:

config snmp-v3 group-access create group_temp "" snmpv1 noAuthNoPriv
config snmp-v3 group-access create group_temp "" snmpv2c noAuthNoPriv
config snmp-v3 group-access view group_temp "" snmpv1 noAuthNoPriv read only_temp write only_temp
config snmp-v3 group-access view group_temp "" snmpv2c noAuthNoPriv read only_temp write only_temp

View the changes:

config snmp-v3 group-access info

Step 3: Create the user “user_temp” inside the group:

config snmp-v3 group-member create user_temp snmpv1 group_temp
config snmp-v3 group-member create user_temp snmpv2c group_temp

View the changes:

config snmp-v3 group-member info

Step 4: Create a new community “ers8600”, index “third” (the first and second already exist; adapt to your scenario), for the user “user_temp”:

config snmp-v3 community create third ers8600 user_temp

View the changes:

config snmp-v3 community info

Step 5: Create a new access policy (policy 6 in my case) for the specific IP 10.10.10.1 (from which the temperature is monitored):

config sys access-policy policy 6 create
config sys access-policy policy 6 name policy6
config sys access-policy policy 6 accesslevel ro
config sys access-policy policy 6 network 10.10.10.1/255.255.255.255
config sys access-policy policy 6 snmp-group-add group_temp snmpv1
config sys access-policy policy 6 snmp-group-add group_temp snmpv2c
config sys access-policy policy 6 service telnet disable
config sys access-policy policy 6 service ssh disable
config sys access-policy policy 6 service tftp disable
config sys access-policy policy 6 service ftp disable
config sys access-policy policy 6 service snmpv3 enable

I hope this can help someone. Bye!
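As an added example (not from Forrequi's post or from Nortel), here is a small Python audit that parses the CLI lines from the steps above, resolves the community string through user, group and MIB view to the access policy, and flags anything wider than a single-host, read-only poller. It assumes the exact token positions of the command syntax shown in the post; the embedded config dump is constructed from those lines.

```python
import ipaddress
# Constructed sample: the relevant CLI lines from the post, as a config dump to audit.
SAMPLE_CONFIG = """\
config snmp-v3 mib-view create only_temp 1.3.6.1.4.1.2272.1.100.1.2.0 type include
config snmp-v3 group-access view group_temp "" snmpv2c noAuthNoPriv read only_temp write only_temp
config snmp-v3 group-member create user_temp snmpv2c group_temp
config snmp-v3 community create third ers8600 user_temp
config sys access-policy policy 6 accesslevel ro
config sys access-policy policy 6 network 10.10.10.1/255.255.255.255
config sys access-policy policy 6 snmp-group-add group_temp snmpv2c
"""

def parse_config(text):
    """Index the CLI lines: views, (group, model) views, members, communities, policies."""
    cfg = {"view": {}, "group_view": {}, "member": {}, "community": {}, "policy": {}}
    for line in text.splitlines():
        p = line.split()
        if p[1:4] == ["snmp-v3", "mib-view", "create"]:        # view -> [(subtree, include|exclude)]
            cfg["view"].setdefault(p[4], []).append((p[5], p[7]))
        elif p[1:4] == ["snmp-v3", "group-access", "view"]:   # (group, model) -> (read view, write view)
            cfg["group_view"][(p[4], p[6])] = (p[9], p[11])
        elif p[1:4] == ["snmp-v3", "group-member", "create"]: # (user, model) -> group
            cfg["member"][(p[4], p[5])] = p[6]
        elif p[1:4] == ["snmp-v3", "community", "create"]:    # community string -> user
            cfg["community"][p[5]] = p[6]
        elif p[1:3] == ["sys", "access-policy"]:              # policy id -> {attribute: [values]}
            cfg["policy"].setdefault(p[4], {}).setdefault(p[5], []).extend(p[6:])
    return cfg

def oid_in_view(cfg, view, oid):
    """VACM rule: the longest subtree that is a prefix of the OID decides include/exclude."""
    matches = [(s, k) for s, k in cfg["view"].get(view, []) if (oid + ".").startswith(s + ".")]
    return bool(matches) and max(matches, key=lambda m: len(m[0]))[1] == "include"

def audit_community(cfg, community, model="snmpv2c"):
    """Resolve community -> user -> group -> views/policies; return what it exposes and to whom."""
    user = cfg["community"][community]
    group = cfg["member"][(user, model)]
    read_view, write_view = cfg["group_view"][(group, model)]
    hosts, findings = [], []
    for pid, attrs in cfg["policy"].items():
        if group in attrs.get("snmp-group-add", []):
            addr, mask = attrs["network"][0].split("/")
            net = ipaddress.IPv4Network((addr, mask))
            hosts.append(str(net))
            if net.prefixlen < 32:    # a poller is one host; a wider mask widens exposure
                findings.append(f"policy {pid} admits {net}, not a single host")
    if write_view not in ('""', ""):  # least privilege: a poller needs read only
        findings.append(f"group {group} also grants write view {write_view}")
    return {"user": user, "group": group, "read_view": read_view, "hosts": hosts, "findings": findings}
```

Running `audit_community(parse_config(SAMPLE_CONFIG), "ers8600")` on the post's configuration confirms the /32 host restriction and reports the write view granted to the read-only group as the one finding.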

I think this was a great post and appreciate Forrequi sharing this with everyone!

Cheers!
