Posts tagged SNMP
Cisco Nexus Switch Backups with Perl SNMP
Sep 1st
I’ve spent some time over the past few days trying to get our home-grown Perl script, designed to back up all our network switches, to work with the Cisco Nexus 7010 and 5010 switches.
With previous Cisco switches such as the 6509, 3750, 2960, etc., we know that the following commands (when sent via a Perl script using the Net-SNMP Perl module) would instruct the switch to copy its running-config to a TFTP server.
snmpset -v1 -c$COMMUNITY $HOST ccCopyProtocol.$RANDOM i 1
snmpset -v1 -c$COMMUNITY $HOST ccCopySourceFileType.$RANDOM i 4
snmpset -v1 -c$COMMUNITY $HOST ccCopyDestFileType.$RANDOM i 1
snmpset -v1 -c$COMMUNITY $HOST ccCopyServerAddress.$RANDOM a "10.1.1.50"
snmpset -v1 -c$COMMUNITY $HOST ccCopyFileName.$RANDOM s "sw-train-acme.cfg"
snmpset -v1 -c$COMMUNITY $HOST ccCopyEntryRowStatus.$RANDOM i 1
sleep 5
snmpget -v1 -c$COMMUNITY $HOST ccCopyState.$RANDOM
# if not successful, sleep 3 and re-check ccCopyState; else continue and destroy the table entry
snmpset -v1 -c$COMMUNITY $HOST ccCopyEntryRowStatus.$RANDOM i 6
I know that both the Cisco Nexus 7010 and 5010 balk at the SNMP OIDs/MIBs used above. So I’m searching for a set of SNMP OIDs/MIBs for NX-OS equivalent to those in CISCO-CONFIG-COPY-MIB. I’m not sure that such an OID/MIB even exists for NX-OS, but it doesn’t hurt to search and ask.
I’m curious whether anyone else has come across this issue. I know that there is an XML interface available, but I would prefer to keep using the Perl/SNMP script that I’ve already developed. In the interim I’ll probably write an Expect script (or add some Expect code to my existing Perl script) to remotely connect to the switches and issue the appropriate copy commands.
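For readers who want to see the whole CISCO-CONFIG-COPY-MIB sequence as one routine rather than a list of snmpset calls, here is an added Python example. It is not the author’s Perl script and not Cisco code: the numeric OIDs are the standard ccCopyEntry columns behind the names used above, the NetSnmpCli transport shells out to net-snmp’s snmpset/snmpget exactly as the script does, and FakeAgent is a constructed stand-in for a switch so the sequence can be run offline. The index, TFTP server and file name are assumptions. The point worth noticing is the finally block: the row is destroyed whether the copy succeeds, fails or times out, so a stale entry holding the server address and file name is never left behind in the table.

```python
import random
import subprocess
import time

# Column sub-identifiers of ccCopyEntry (CISCO-CONFIG-COPY-MIB, 1.3.6.1.4.1.9.9.96.1.1.1.1),
# i.e. the numeric form of the names the post's snmpset calls use.
CC_COPY_ENTRY = "1.3.6.1.4.1.9.9.96.1.1.1.1"
COLUMN = {
    "ccCopyProtocol": 2, "ccCopySourceFileType": 3, "ccCopyDestFileType": 4,
    "ccCopyServerAddress": 5, "ccCopyFileName": 6, "ccCopyState": 10,
    "ccCopyFailCause": 13, "ccCopyEntryRowStatus": 14,
}
PROTO_TFTP, SRC_RUNNING_CONFIG, DST_NETWORK_FILE = 1, 4, 1   # enum values used by the post
STATE_SUCCESSFUL, STATE_FAILED = 3, 4                         # ccCopyState
ROW_ACTIVE, ROW_DESTROY = 1, 6                                # RowStatus


def oid(column, index):
    """Instance OID for one column of the ccCopyTable row we create."""
    return f"{CC_COPY_ENTRY}.{COLUMN[column]}.{index}"


class NetSnmpCli:
    """Transport that shells out to net-snmp's snmpset/snmpget, as the post's script does.
    -Oqve makes snmpget print only the value, with enums as plain numbers."""

    def __init__(self, host, community, version="1"):
        self.base = ["-v", version, "-c", community, host]

    def set(self, oid_, type_code, value):
        subprocess.run(["snmpset", *self.base, oid_, type_code, str(value)],
                       check=True, capture_output=True)

    def get(self, oid_):
        out = subprocess.run(["snmpget", "-Oqve", *self.base, oid_],
                             check=True, capture_output=True, text=True)
        return out.stdout.strip()


class FakeAgent:
    """Constructed stand-in for a switch, so the sequence can be exercised offline.
    `states` is the series of ccCopyState values it will report, the last one repeating."""

    def __init__(self, states):
        self.states, self.sets = list(states), []

    def set(self, oid_, type_code, value):
        self.sets.append((oid_, type_code, value))

    def get(self, oid_):
        column = int(oid_.split(".")[-2])
        if column == COLUMN["ccCopyState"]:
            return str(self.states.pop(0) if len(self.states) > 1 else self.states[0])
        return "1"   # ccCopyFailCause unknown(1) for anything else that is read


def backup_running_config(snmp, tftp_server, filename, index=None, timeout=60.0, poll=3.0):
    """Copy running-config to a TFTP server via CISCO-CONFIG-COPY-MIB and return True.
    Raises RuntimeError on a failed copy or TimeoutError if the agent never finishes;
    the table row is destroyed in every case so a stale entry cannot linger."""
    index = index if index is not None else random.randint(1, 2**31 - 1)
    try:
        snmp.set(oid("ccCopyProtocol", index), "i", PROTO_TFTP)
        snmp.set(oid("ccCopySourceFileType", index), "i", SRC_RUNNING_CONFIG)
        snmp.set(oid("ccCopyDestFileType", index), "i", DST_NETWORK_FILE)
        snmp.set(oid("ccCopyServerAddress", index), "a", tftp_server)
        snmp.set(oid("ccCopyFileName", index), "s", filename)
        snmp.set(oid("ccCopyEntryRowStatus", index), "i", ROW_ACTIVE)   # kicks off the copy
        deadline = time.monotonic() + timeout
        while True:
            state = int(snmp.get(oid("ccCopyState", index)))
            if state == STATE_SUCCESSFUL:
                return True
            if state == STATE_FAILED:
                cause = snmp.get(oid("ccCopyFailCause", index))
                raise RuntimeError(f"config copy failed, ccCopyFailCause={cause}")
            if time.monotonic() > deadline:
                raise TimeoutError("config copy did not finish in time")
            time.sleep(poll)
    finally:
        snmp.set(oid("ccCopyEntryRowStatus", index), "i", ROW_DESTROY)


if __name__ == "__main__":
    # Against a real IOS switch, pass NetSnmpCli("10.1.1.1", "COMMUNITY") instead of FakeAgent.
    print(backup_running_config(FakeAgent([2, 2, 3]), "10.1.1.50", "sw-train-acme.cfg", poll=0))
```

With a real switch the polling loop replaces the fixed sleep 5 / sleep 3 pair above; ccCopyFailCause is read only on failure so the reason (bad file name, timeout, and so on) ends up in the exception text rather than being lost.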
Cheers!
How to configure SNMP v3 on Nortel Ethernet Routing Switches
Oct 24th
Here are the values I’m going to be using below;
SNMP v1,v2 read-only string = readme123
SNMP v1,v2 read-write string = writeme123
SNMP v3 userID = Manager (yes I use the same username as the old BayRS software)
SNMP v3 SHA authentication = winnie2009
SNMP v3 AES encryption = poobear2009
Nortel Ethernet Routing Switch 8600
One word of caution with the ERS8600: early default switch configurations included an SNMPv3 user called initial that had full read-write access to the entire switch. I’m not sure if Nortel has changed this behavior, but I would strongly urge you to delete any default SNMP v3 users as well as change the default SNMP community strings.
Let’s set the SNMP community strings right away;
ERS-8610:5# config snmp-v3 community commname first new-commname readme123
ERS-8610:5# config snmp-v3 community commname second new-commname writeme123
Let’s load the proper AES, 3DES and DES encryption files;
ERS-8610:5# config load-encryption-module 3DES /flash/p80c5110.img
ERS-8610:5# config load-encryption-module AES /flash/p80c5110.aes
Let’s create a new SNMP v3 user called Manager;
config snmp-v3 usm create Manager sha auth winnie priv-prot aes priv poo
Let’s create a new SNMP v3 group called admin;
config snmp-v3 group-access create admin "" usm authPriv
Let’s give this new group access to the root MIB;
config snmp-v3 group-access view admin "" usm authPriv read root write root notify root
Let’s add the user Manager to the group admin;
config snmp-v3 group-member create Manager usm admin
Let’s clear out any previous SNMP trap hosts;
config snmp-v3 target-addr delete TAddr1
config snmp-v3 target-addr delete TAddr2
Let’s configure two new SNMP trap hosts. I actually have two configured on all my switches, with one being our HP OpenView Network Node Manager server (10.1.31.1) and the second being our Nortel Enterprise Network Management System server (10.1.31.2);
config snmp-v3 target-addr create HPOpenView 10.1.31.1:162 TparamV1 taglist trapTag
config snmp-v3 target-addr create NortelENMS 10.1.31.2:162 TparamV1 taglist trapTag
Let’s delete that default SNMP v3 user just in case it still exists;
config snmp-v3 usm delete initial
Let’s set the source IP address used to communicate with the SNMP trap hosts. I want this to be the CLIP (Circuitless IP Interface) that I use for all management purposes, which in this example is 10.1.50.1. I should mention that the commands below may not appear in switch software earlier than 4.7.1 or 4.6.3.
config sys set snmp sender-ip 10.1.31.1 10.1.50.1
config sys set snmp sender-ip 10.1.31.2 10.1.50.1
config sys set snmp force-trap-sender true
config sys set snmp force-iphdr-sender true
That should be everything for the Ethernet Routing Switch 8600.
Nortel Ethernet Routing Switch 1600
I’m not going to go into line-by-line detail here as I did above; you should be able to follow the explanation provided above.
ERS-1648T:1# config load-module DES /flash/p16c2160.des
ERS-1648T:1# config snmp-v3 community commname first new-commname readme123
ERS-1648T:1# config snmp-v3 community commname second new-commname writeme123
ERS-1648T:1# config snmp-v3 usm create Manager sha auth winnie2009 priv poobear2009
ERS-1648T:1# config snmp-v3 group-access create admin "" usm authPriv
ERS-1648T:1# config snmp-v3 group-access view admin "" usm authPriv read root write root notify root
ERS-1648T:1# config snmp-v3 group-member create Manager usm admin
ERS-1648T:1# config snmp-v3 target-addr create HPOpenView 10.1.31.1:162 TparamV1 taglist trapTag
ERS-1648T:1# config snmp-v3 target-addr create NortelNMS 10.1.31.2:162 TparamV1 taglist trapTag
ERS-1648T:1# config snmp-v3 usm delete initial
That’s the ERS1600 series switch.
Nortel Ethernet Routing Switch 4500, 5500, 5600 Series
We need to create a new view, so we’ll use the name snmpView;
5520-48T-PWR(config)# snmp-server view snmpView +1.3
If you have the secure image loaded then you have access to SHA authentication, DES, 3DES and AES encryption.
5520-48T-PWR(config)# snmp-server user Manager sha winnie2009 aes poobear2009 read-view snmpView write-view snmpView notify-view snmpView
If you receive an error using the command above (see below), you may not have the secure software image loaded on the switch. If you want to use SHA authentication or DES, 3DES or AES encryption, you’ll need to load the secure image. For example, SW:v6.1.0.006 will only allow you to use MD5 authentication with no encryption, while SW:v6.1.0.007 will allow both MD5 and SHA authentication along with DES, 3DES or AES encryption.
5520-48T-PWR(config)#snmp-server user Manager sha winnie2009 aes poobear2009 read-view snmpView write-view snmpView notify-view snmpView
snmp-server user Manager sha winnie2009 aes poobear2009 read-view snmpView writ
^
% Invalid input detected at '^' marker.
You can use the following command to just use MD5 authentication with no encryption;
5520-48T-PWR(config)#snmp-server user Manager md5 winnie2009 read-view snmpView write-view snmpView notify-view snmpView
Java Device Manager
With all that done you can now use Nortel’s Java Device Manager to manage the switch using SNMP v3.
In the example to the left I’m going to connect to the ERS8600 switch at the management IP address of 10.1.50.1.
We are going to use the SNMP v3 user of Manager which we configured above.
We will also use the Authentication Protocol of SHA-96 with the Authentication Password of winnie2009 which we configured above.
We will use the Privacy Protocol of AES which we configured above, along with the Privacy Password of poobear2009.
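The SHA-96 and AES settings Device Manager asks for above are the RFC 3414 / RFC 3826 USM mechanisms, and it helps to see what the switch and the manager actually do with the two passwords. Here is an added Python example (not code from this post, from Nortel or from Device Manager) that derives the keys the way RFC 3414 Appendix A describes, checks the derivation against the RFC’s own test vector, and shows the 96-bit HMAC tag and the 16-byte AES-128 key. The two switch engine IDs are constructed values, not anything from the post.

```python
import hashlib
import hmac

ONE_MIB = 1048576   # RFC 3414 A.2: the password is stretched to exactly 1 MiB before hashing


def password_to_key(password, engine_id, algo="sha1"):
    """RFC 3414 A.2 password-to-key plus key localization:
    Ku  = H(password repeated cyclically to 1,048,576 bytes)
    Kul = H(Ku || engineID || Ku)   -- the key a given switch actually stores."""
    pw = password.encode()
    stretched = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    ku = hashlib.new(algo, stretched).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_tag_sha96(kul, whole_msg):
    """usmHMACSHAAuthProtocol: HMAC-SHA-1 truncated to 96 bits (12 bytes), the
    'SHA-96' Device Manager shows. Computed over the whole message with the
    msgAuthenticationParameters field zeroed, then placed into that field."""
    return hmac.new(kul, whole_msg, hashlib.sha1).digest()[:12]


def aes128_priv_key(priv_password, engine_id):
    """RFC 3826: AES-128 uses the first 16 bytes of the localized privacy key."""
    return password_to_key(priv_password, engine_id, "sha1")[:16]


# RFC 3414 Appendix A test vector, used to confirm the derivation is right.
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC_PASSWORD = "maplesyrup"

# Constructed engine IDs (RFC 3411 format, enterprise 2272, MAC-based) standing in
# for two switches; not values taken from the post.
SWITCH_A = bytes.fromhex("800008e003000102030405")
SWITCH_B = bytes.fromhex("800008e0030a0b0c0d0e0f")


def localized_keys(password, engine_ids):
    """Same password, one distinct localized key per engine ID: the key stored on
    one switch is not the key stored on the next, even with a shared password."""
    return {eid.hex(): password_to_key(password, eid).hex() for eid in engine_ids}


if __name__ == "__main__":
    print(password_to_key(RFC_PASSWORD, RFC_ENGINE_ID).hex())  # 6695febc9288e36282235fc7151f128497b38f3f
    for eid, key in localized_keys("winnie2009", [SWITCH_A, SWITCH_B]).items():
        print(eid, key)
    print(aes128_priv_key("poobear2009", SWITCH_A).hex())
```

Two things follow from the derivation that matter when rolling this out across many switches: the manager must learn each switch’s engine ID before it can authenticate (Device Manager does this with an unauthenticated discovery exchange), and because the stored key is localized, reading the USM table from one switch does not yield the key that another switch holds for the same user.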
Cheers
How to restrict SNMP community strings on the ERS8600
Oct 24th
Today I have a little challenge on my network: configuring permission for a specific IP to read the temperature of two ERS8600s. This specific host isn’t part of my management network, so I can’t use the same SNMP read community. I don’t like to open everything on the core up to be read, so I started by opening only the specific OID (chassis temperature) on my two ERS8600s, and only for the specific IP of the host, with a new read community.
After some study of the Nortel documentation (2008_04_04_SNMP_on_ERS_8600_TCG_NN48500564.pdf) I present my little to-do list for everyone that needs something similar, because this document is not the most objective guide in the world. My steps:
Step 1: Create a MIB view, called “only_temp”, restricted to the temperature OID:
config snmp-v3 mib-view create only_temp 1.3.6.1.4.1.2272.1.100.1.2.0 type include
View the changes:
config snmp-v3 mib-view info
Step 2: Create an access group called “group_temp”, with SNMPv1 and v2c, no authentication, reading the “only_temp” mib-view:
config snmp-v3 group-access create group_temp "" snmpv1 noAuthNoPriv
config snmp-v3 group-access create group_temp "" snmpv2c noAuthNoPriv
config snmp-v3 group-access view group_temp "" snmpv1 noAuthNoPriv read only_temp write only_temp
config snmp-v3 group-access view group_temp "" snmpv2c noAuthNoPriv read only_temp write only_temp
View the changes:
config snmp-v3 group-access info
Step 3: Create the user “user_temp” inside the group:
config snmp-v3 group-member create user_temp snmpv1 group_temp
config snmp-v3 group-member create user_temp snmpv2c group_temp
View the changes:
config snmp-v3 group-member info
Step 4: Create a new community “ers8600”, index “third” (the first and second already exist; adapt for your scenario), for the user “user_temp”:
config snmp-v3 community create third ers8600 user_temp
View the changes:
config snmp-v3 community info
Step 5: Create a new access-policy (policy 6 in my case) for the specific IP 10.10.10.1 (from where the temperature is monitored):
config sys access-policy policy 6 create
config sys access-policy policy 6 name policy6
config sys access-policy policy 6 accesslevel ro
config sys access-policy policy 6 network 10.10.10.1/255.255.255.255
config sys access-policy policy 6 snmp-group-add group_temp snmpv1
config sys access-policy policy 6 snmp-group-add group_temp snmpv2c
config sys access-policy policy 6 service telnet disable
config sys access-policy policy 6 service ssh disable
config sys access-policy policy 6 service tftp disable
config sys access-policy policy 6 service ftp disable
config sys access-policy policy 6 service snmpv3 enable
I hope this can help someone. Bye!
I think this was a great post and appreciate Forrequi sharing this with everyone!
Cheers!
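To make it easier to reason about what Forrequi’s five steps actually grant, here is an added Python example (not Forrequi’s or Nortel’s code) that models the pieces the ERS8600 evaluates for a v1/v2c request: community to user and group, group to MIB view, and the access-policy keyed on source address and access level. The view matching follows the RFC 3415 VACM rule that the longest matching subtree decides; the OID, community, group and policy values are the ones from the post, and the switch model itself is an assumption built for the check.

```python
import ipaddress

# The post's values assembled into a small model of what the ERS8600 evaluates:
# community -> (user, group), group -> MIB view, and an access-policy keyed by source IP.


class MibView:
    """VACM-style view (RFC 3415): (subtree, include|exclude) entries; the longest
    matching subtree decides. A view holding one instance OID exposes only that instance."""

    def __init__(self, name):
        self.name, self.entries = name, []

    def add(self, subtree, kind="include"):
        self.entries.append((tuple(int(x) for x in subtree.split(".")), kind))
        return self

    def permits(self, oid):
        o = tuple(int(x) for x in oid.split("."))
        best = None
        for subtree, kind in self.entries:
            if o[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
                best = (subtree, kind)
        return best is not None and best[1] == "include"


class AccessPolicy:
    """'config sys access-policy': which source network may use which groups, and ro/rw."""

    def __init__(self, network, mask, level, groups):
        self.network = ipaddress.ip_network(f"{network}/{mask}")
        self.level, self.groups = level, set(groups)

    def matches(self, src_ip):
        return ipaddress.ip_address(src_ip) in self.network


class Switch:
    def __init__(self):
        self.views, self.communities, self.groups, self.policies = {}, {}, {}, []

    def authorize(self, src_ip, community, oid, op):
        """Return (allowed, reason) for a v1/v2c request. An unknown community, no
        matching policy, a set under an ro policy, or an OID outside the view all deny."""
        if community not in self.communities:
            return False, "unknown community"
        user, group = self.communities[community]
        policy = next((p for p in self.policies if p.matches(src_ip) and group in p.groups), None)
        if policy is None:
            return False, f"no access-policy for {src_ip} and group {group}"
        if op == "set" and policy.level != "rw":
            return False, "policy accesslevel is ro"
        view = self.views[self.groups[group]]
        if not view.permits(oid):
            return False, f"{oid} is outside view {view.name}"
        return True, f"{user} via {group}/{view.name}"


def build_from_post():
    """The five steps of the post expressed as data (temperature OID as given there)."""
    sw = Switch()
    sw.views["only_temp"] = MibView("only_temp").add("1.3.6.1.4.1.2272.1.100.1.2.0")
    sw.groups["group_temp"] = "only_temp"                 # group-access view ... read only_temp
    sw.communities["ers8600"] = ("user_temp", "group_temp")
    sw.policies.append(AccessPolicy("10.10.10.1", "255.255.255.255", "ro", ["group_temp"]))
    return sw


if __name__ == "__main__":
    sw = build_from_post()
    for src, oid in [("10.10.10.1", "1.3.6.1.4.1.2272.1.100.1.2.0"),
                     ("10.10.10.1", "1.3.6.1.2.1.1.1.0"),       # sysDescr, outside the view
                     ("10.10.10.2", "1.3.6.1.4.1.2272.1.100.1.2.0")]:
        print(src, oid, sw.authorize(src, "ers8600", oid, "get"))
```

Running the three cases in the usage block shows the intent of the post holding up: the monitoring host reads the temperature instance, the same host is refused sysDescr because it is outside only_temp, and a neighbouring address is refused outright because no access-policy covers it. The reason string is what you would want in a log when verifying a policy like this after a software upgrade.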
Changing SNMP Community Strings
Oct 20th
In this day and age it’s not a very good idea to leave the default SNMP community strings configured in any network electronics. The general default configuration uses public for read-only and private for read-write; these defaults apply to the Nortel Ethernet Switch and the Nortel Ethernet Routing Switch.
You can certainly do this from Nortel’s Java Device Manager, however, you need to be careful that you don’t saw off the branch you’re standing on when you change the SNMP community string. It’s best to configure the SNMP community strings from the CLI interface to avoid any potential issues.
Here are the CLI commands to configure the SNMP community strings on the ERS 8600 and 1600 switch. In the example below we’ll set the read-only string to open and the read-write string to lock.
ERS-8610:5# config snmp-v3 community commname first new-commname open
ERS-8610:5# config snmp-v3 community commname second new-commname lock
Here are the CLI commands to configure the SNMP community strings on the ERS 4500, ERS 5500 and ES460/470 switches. In the example below we’ll set the read-only string to open and the read-write string to lock.
5520-48T-PWR (config)# snmp-server community open ro
5520-48T-PWR (config)# snmp-server community lock rw
Cheers!