Posts Tagged SNMP

How to configure SNMP v3 on Nortel Ethernet Routing Switches

Here’s a quick tutorial on how to configure SNMP v3 on the ERS8600, ERS1600 and ERS5500. Securing the network infrastructure matters more every year, and SNMP v3 is one step in that process: SNMP v1 and v2c send the community string and all management data in the clear, while an SNMP v3 user at the authPriv level gets both authentication (HMAC with MD5 or SHA) and encryption (DES, 3DES or AES) of the PDU. The commands documented below are fairly straightforward and, while the syntax differs between the switch models, the basic principles are the same.

Here are the values I’m going to be using below;

SNMP v1,v2 read-only string = readme123
SNMP v1,v2 read-write string = writeme123
SNMP v3 userID = Manager (yes I use the same username as the old BayRS software)
SNMP v3 SHA authentication = winnie2009
SNMP v3 AES encryption = poobear2009

Nortel Ethernet Routing Switch 8600

One word of caution with the ERS8600: early default switch configurations included an SNMPv3 user called initial that had full read-write access to the entire switch. I’m not sure if Nortel has changed this behavior, but I would strongly urge you to delete any default SNMP v3 users as well as change the default SNMP community strings.

Let’s set the SNMP community strings right away;

 ERS-8610:5# config snmp-v3 community commname first new-commname readme123
 ERS-8610:5# config snmp-v3 community commname second new-commname writeme123

Let’s load the 3DES and AES encryption modules (the file names below match my software release, so check /flash for the ones that match yours);

 ERS-8610:5# config load-encryption-module 3DES /flash/p80c5110.img
 ERS-8610:5# config load-encryption-module AES /flash/p80c5110.aes

Let’s create a new SNMP v3 user called Manager;

 config snmp-v3 usm create Manager sha auth winnie2009 priv-prot aes priv poobear2009

Let’s create a new SNMP v3 group called admin;

 config snmp-v3 group-access create admin "" usm authPriv

Let’s give this new group access to the root MIB;

 config snmp-v3 group-access view admin "" usm authPriv read root write root notify root

Let’s add the user Manager to the group admin;

 config snmp-v3 group-member create Manager usm admin

Let’s clear out any previous SNMP trap hosts;

 config snmp-v3 target-addr delete TAddr1
 config snmp-v3 target-addr delete TAddr2

Let’s configure two new SNMP trap hosts. I actually have two configured on all my switches, one being our HP OpenView Network Node Manager server (10.1.31.1) and the second being our Nortel Enterprise Network Management System server (10.1.31.2). Note that both targets reference the TparamV1 target parameters, so the notifications themselves still go out as SNMPv1 traps;

 config snmp-v3 target-addr create HPOpenView 10.1.31.1:162 TparamV1 taglist trapTag
 config snmp-v3 target-addr create NortelENMS 10.1.31.2:162 TparamV1 taglist trapTag

Let’s delete that default SNMP v3 user just in case it still exists;

 config snmp-v3 usm delete initial

Let’s set the source IP address used to communicate with the SNMP trap hosts. I want this to be the CLIP (Circuitless IP Interface) that I use for all management purposes which in this example is 10.1.50.1. I should mention that the commands below may not appear in switch software earlier than 4.7.1 or 4.6.3.

 config sys set snmp sender-ip 10.1.31.1 10.1.50.1
 config sys set snmp sender-ip 10.1.31.2 10.1.50.1
 config sys set snmp force-trap-sender true
 config sys set snmp force-iphdr-sender true

That should be everything for the Ethernet Routing Switch 8600.

Nortel Ethernet Routing Switch 1600

I’m not going to go into line-by-line detail here as I did above; the same explanation applies.

 ERS-1648T:1# config load-module DES /flash/p16c2160.des

 ERS-1648T:1# config snmp-v3 community commname first new-commname readme123
 ERS-1648T:1# config snmp-v3 community commname second new-commname writeme123

 ERS-1648T:1# config snmp-v3 usm create Manager sha auth winnie2009 priv poobear2009
 ERS-1648T:1# config snmp-v3 group-access create admin "" usm authPriv
 ERS-1648T:1# config snmp-v3 group-access view admin "" usm authPriv read root write root notify root
 ERS-1648T:1# config snmp-v3 group-member create Manager usm admin
 ERS-1648T:1# config snmp-v3 target-addr create HPOpenView 10.1.31.1:162 TparamV1 taglist trapTag
 ERS-1648T:1# config snmp-v3 target-addr create NortelNMS 10.1.31.2:162 TparamV1 taglist trapTag

 ERS-1648T:1# config snmp-v3 usm delete initial

That’s the ERS1600 series switch. Note that only the DES encryption module was loaded above, so AES privacy is not available for the Manager user on this switch until the AES module has been loaded as well.

Nortel Ethernet Routing Switch 4500, 5500, 5600 Series

First we need to create a MIB view covering the whole tree (the leading + includes the subtree 1.3, which is iso.org and everything under it); we’ll use the name snmpView;

 5520-48T-PWR(config)# snmp-server view snmpView +1.3

If you have the secure image loaded then you have access to SHA authentication, DES, 3DES and AES encryption.

 5520-48T-PWR(config)# snmp-server user Manager sha winnie2009 aes poobear2009 read-view snmpView write-view snmpView notify-view snmpView

If you receive an error like the one below when entering the command above, you may not have the secure software image loaded on the switch. SHA authentication and DES, 3DES or AES encryption all require the secure image. For example, SW:v6.1.0.006 will only allow MD5 authentication with no encryption, while SW:v6.1.0.007 allows both MD5 and SHA authentication along with DES, 3DES or AES encryption.

 5520-48T-PWR(config)#snmp-server user Manager sha winnie2009 aes poobear2009 read-view snmpView write-view snmpView notify-view snmpView
snmp-server user Manager sha winnie2009 aes poobear2009 read-view snmpView writ
                         ^
% Invalid input detected at '^' marker.

If you are stuck on the non-secure image you can use the following command to create the user with MD5 authentication and no encryption (authNoPriv). Requests are then authenticated, but the management data itself still crosses the wire in the clear, so treat this as a stopgap until the secure image is loaded;

 5520-48T-PWR(config)#snmp-server user Manager md5 winnie2009 read-view snmpView write-view snmpView notify-view snmpView

Java Device Manager

With all that done you can now use Nortel’s Java Device Manager to manage the switch using SNMP v3.


In this example I’m going to connect to the ERS8600 switch at the management IP address of 10.1.50.1.

We are going to use the SNMP v3 user of Manager which we configured above.

We will also use the Authentication Protocol of SHA-96 (HMAC-SHA-1 truncated to 96 bits) with the Authentication Password of winnie2009 which we configured above.

We will use the Privacy Protocol of AES which we configured above along with the Privacy Password of poobear2009.
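Where those two passwords actually go, as an added example that is not part of the original post and not Nortel or JDM code: neither JDM nor the switch ever sends winnie2009 or poobear2009 on the wire. Both sides run the RFC 3414 password-to-key algorithm and then localize the result with the switch’s snmpEngineID, so the same password yields a different key on every switch, which is why JDM asks for the password rather than a key and why a user has to be created on each switch. SHA-96 means HMAC-SHA-1 truncated to 12 octets, and per RFC 3826 the AES-128 privacy key is the first 16 octets of the localized privacy key. The engine ID below is constructed for illustration, not a real switch’s; the maplesyrup value is the RFC’s own test vector.

```python
import hashlib
import hmac

ONE_MEGABYTE = 1048576  # RFC 3414 A.2: the password is stretched to 1,048,576 octets

def password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """Ku = H(password repeated to fill 1 MiB): the intermediate key of RFC 3414 A.2."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key this particular agent stores for the user."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def localized_key(password: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)

def aes128_priv_key(priv_password: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3826 section 1.2: AES-128 uses the first 128 bits of the localized privacy key."""
    return localized_key(priv_password, engine_id, hash_name)[:16]

def hmac_sha_96(auth_key: bytes, whole_msg: bytes) -> bytes:
    """RFC 3414 section 6.3.1: msgAuthenticationParameters is the first 12 octets of
    HMAC-SHA-1 over the whole message, computed with the 12-octet field zeroed."""
    return hmac.new(auth_key, whole_msg, hashlib.sha1).digest()[:12]

def verify_hmac_sha_96(auth_key: bytes, whole_msg_zeroed: bytes, received: bytes) -> bool:
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(hmac_sha_96(auth_key, whole_msg_zeroed), received)

# Constructed engine ID in RFC 3411 form (0x80 | enterprise 2272, format 3 = MAC address).
# It is NOT a real switch's engine ID; read yours from the switch (or a JDM/snmpwalk session).
EXAMPLE_ENGINE_ID = bytes.fromhex("800008e003021122334455")

if __name__ == "__main__":
    k_auth = localized_key(b"winnie2009", EXAMPLE_ENGINE_ID)
    k_priv = aes128_priv_key(b"poobear2009", EXAMPLE_ENGINE_ID)
    print("Manager SHA auth key :", k_auth.hex())
    print("Manager AES-128 key  :", k_priv.hex())
    # same password, different switch (engine ID) -> different localized key
    other = localized_key(b"winnie2009", bytes.fromhex("800008e003021122334466"))
    print("on another switch    :", other.hex())
    # constructed stand-in for an SNMPv3 wholeMsg with its authParams field zeroed
    msg = b"\x30\x10" + b"\x00" * 12 + b"\x04\x00"
    print("msgAuthenticationParameters:", hmac_sha_96(k_auth, msg).hex())
```

The usable check here is the RFC 3414 appendix vector: password maplesyrup with engine ID 00…02 must localize to 526f5eed… (MD5) and 6695febc… (SHA); if your own implementation of either step disagrees, the switch will simply report the user as unknown or the message as unauthentic.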

Cheers


Tags: ERS5500, ERS8600, SNMP, SNMPv3


How to restrict SNMP community strings on the ERS8600

Here’s a guest post (re-posted from the discussion forums) from Forrequi detailing the steps he took to set up an SNMP community string that a third party could use to poll the temperature readings of the Nortel Ethernet Routing Switch 8600.

Today I have a little challenge on my network: configure permission for a specific IP to read the temperature of two ERS8600s. This specific host is not part of my management network, so I can’t use the same SNMP read community. I don’t like to open everything on the core to be read, so I started by opening only the specific OID (chassis temperature) on my two ERS8600s, and only for the specific IP of the host, with a new read community.

After some study of the Nortel documentation (2008_04_04_SNMP_on_ERS_8600_TCG_NN48500564.pdf) I present my little to-do for everyone that needs something similar, because this document is not the most objective guide in the world. My steps:

Step 1: Create a MIB view called “only_temp”, restricted to the temperature OID:

config snmp-v3 mib-view create only_temp 1.3.6.1.4.1.2272.1.100.1.2.0 type include

View the changes:

config snmp-v3 mib-view info

Step 2: Create an access group called “group_temp”, for snmpv1 and snmpv2c with no authentication, reading the “only_temp” mib-view:

config snmp-v3 group-access create group_temp "" snmpv1 noAuthNoPriv
config snmp-v3 group-access create group_temp "" snmpv2c noAuthNoPriv
config snmp-v3 group-access view group_temp "" snmpv1 noAuthNoPriv read only_temp write only_temp
config snmp-v3 group-access view group_temp "" snmpv2c noAuthNoPriv read only_temp write only_temp

View the changes:

config snmp-v3 group-access info

Step 3: Create the user “user_temp” inside the group:

config snmp-v3 group-member create user_temp snmpv1 group_temp
config snmp-v3 group-member create user_temp snmpv2c group_temp

View the changes:

config snmp-v3 group-member info

Step 4: Create a new community “ers8600” with index “third” (the first and second already exist; adapt to your scenario) for the user “user_temp”:

config snmp-v3 community create third ers8600 user_temp

View the changes:

config snmp-v3 community info

Step 5: Create a new access policy (policy 6 in my case) for the specific IP 10.10.10.1 (the host that monitors the temperature):

config sys access-policy policy 6 create
config sys access-policy policy 6 name policy6
config sys access-policy policy 6 accesslevel ro
config sys access-policy policy 6 network 10.10.10.1/255.255.255.255
config sys access-policy policy 6 snmp-group-add group_temp snmpv1
config sys access-policy policy 6 snmp-group-add group_temp snmpv2c
config sys access-policy policy 6 service telnet disable
config sys access-policy policy 6 service ssh disable
config sys access-policy policy 6 service tftp disable
config sys access-policy policy 6 service ftp disable
config sys access-policy policy 6 service snmpv3 enable

I hope this can help someone. Bye!

I think this was a great post and appreciate Forrequi sharing this with everyone!
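To see what the tables above actually decide, here is an added example (mine, not Forrequi’s and not Nortel code) that models the SNMPv3 VACM lookup of RFC 3415: community string to securityName, securityName and model to group, group and security level to MIB view, and then the longest matching view subtree deciding include or exclude. It also applies the source-address filter the access policy adds, using the names from this post plus the Manager/admin entries from the SNMP v3 tutorial above. It assumes the ERS evaluates an access policy as a source-network allow-list for the listed groups; the accesslevel ro setting and the per-service flags are switch-side controls not modelled here. The root_minus_usm view and the mgmt policy are constructed extras to show an exclude entry and a second policy. One thing the model makes visible: the group-access commands above name only_temp as the write view as well as the read view, so a write check on that OID passes too.

```python
import ipaddress

def oid(text):
    """'1.3.6.1.2.1.1.1.0' -> (1, 3, 6, 1, 2, 1, 1, 1, 0)."""
    return tuple(int(x) for x in text.strip(".").split("."))

MIB_VIEWS = {                 # config snmp-v3 mib-view create <name> <subtree> type include|exclude
    "only_temp":      [("1.3.6.1.4.1.2272.1.100.1.2.0", "include")],
    "root":           [("1", "include")],
    "root_minus_usm": [("1", "include"), ("1.3.6.1.6.3.15", "exclude")],  # constructed
}
COMMUNITIES = {"ers8600": "user_temp"}   # config snmp-v3 community create third ers8600 user_temp
GROUP_MEMBERS = {             # config snmp-v3 group-member create <user> <model> <group>
    ("user_temp", "snmpv1"):  "group_temp",
    ("user_temp", "snmpv2c"): "group_temp",
    ("Manager",   "usm"):     "admin",
}
GROUP_ACCESS = {              # config snmp-v3 group-access view <group> "" <model> <level> read .. write ..
    ("group_temp", "snmpv1",  "noAuthNoPriv"): {"read": "only_temp", "write": "only_temp"},
    ("group_temp", "snmpv2c", "noAuthNoPriv"): {"read": "only_temp", "write": "only_temp"},
    ("admin",      "usm",     "authPriv"):     {"read": "root", "write": "root", "notify": "root"},
}
ACCESS_POLICIES = [           # config sys access-policy policy 6 network / snmp-group-add ...
    {"name": "policy6", "network": "10.10.10.1/32",
     "groups": {("group_temp", "snmpv1"), ("group_temp", "snmpv2c")}},
    {"name": "mgmt", "network": "10.1.31.0/24", "groups": {("admin", "usm")}},  # constructed
]

def view_allows(view_name, target):
    """RFC 3415 4.2: the view entry whose subtree is the longest prefix of the target decides."""
    t = oid(target)
    best = None
    for subtree, kind in MIB_VIEWS.get(view_name, []):
        s = oid(subtree)
        if t[:len(s)] == s and (best is None or len(s) > len(best[0])):
            best = (s, kind)
    return best is not None and best[1] == "include"

def policy_allows(src_ip, group, model):
    """Assumed ERS semantics: the source must match a policy that lists this group/model."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(p["network"]) and (group, model) in p["groups"]
               for p in ACCESS_POLICIES)

def is_access_allowed(src_ip, security_name, model, level, target, op="read"):
    """True only if every stage grants access: community -> user -> group -> view -> policy."""
    if model in ("snmpv1", "snmpv2c"):
        # for v1/v2c the community string is the only credential; it maps to a securityName
        security_name = COMMUNITIES.get(security_name)
        level = "noAuthNoPriv"
        if security_name is None:
            return False
    group = GROUP_MEMBERS.get((security_name, model))
    if group is None:
        return False
    view_name = GROUP_ACCESS.get((group, model, level), {}).get(op)
    if view_name is None:
        return False
    return policy_allows(src_ip, group, model) and view_allows(view_name, target)

TEMP_OID = "1.3.6.1.4.1.2272.1.100.1.2.0"   # the chassis temperature object from the post
SYSDESCR = "1.3.6.1.2.1.1.1.0"

if __name__ == "__main__":
    for args in [("10.10.10.1", "ers8600", "snmpv1", None, TEMP_OID),
                 ("10.10.10.1", "ers8600", "snmpv2c", None, SYSDESCR),
                 ("10.10.10.2", "ers8600", "snmpv1", None, TEMP_OID),
                 ("10.1.31.1", "Manager", "usm", "authPriv", SYSDESCR)]:
        print(args, "->", is_access_allowed(*args))
```

Every stage has to say yes: the right community from the wrong address, the right address with the wrong OID, or the v3 user at a weaker security level than the group-access entry was created for are all refused, which is the behaviour to test for from the monitoring host after applying the configuration.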

Cheers!


Tags: ERS8600, SNMP


Changing SNMP Community Strings

In this day and age it’s not a very good idea to leave the default SNMP community strings configured on any network equipment. The usual defaults are public for read-only and private for read-write, and those defaults apply to the Nortel Ethernet Switch and the Nortel Ethernet Routing Switch. Remember that the community string is the only credential SNMP v1/v2c has, and the read-write string lets anyone who can reach the switch over SNMP reconfigure it.

You can certainly do this from Nortel’s Java Device Manager; however, you need to be careful that you don’t saw off the branch you’re standing on when you change the SNMP community string, since JDM is itself talking to the switch with the very string you are about to replace. It’s best to configure the SNMP community strings from the CLI to avoid any potential issues.

Here are the CLI commands to configure the SNMP community strings on the ERS 8600 and ERS 1600 switches. In the example below we’ll set the read-only string to open and the read-write string to lock (pick something considerably harder to guess in production).

ERS-8610:5# config snmp-v3 community commname first new-commname open
ERS-8610:5# config snmp-v3 community commname second new-commname lock

Here are the CLI commands to configure the SNMP community strings on the ERS 4500, ERS 5500 and ES 460/470 switches. In the example below we’ll again set the read-only string to open and the read-write string to lock.

5520-48T-PWR(config)# snmp-server community open ro
5520-48T-PWR(config)# snmp-server community lock rw

Cheers!


Tags: ERS4500, ERS5500, ERS8600, ES460, ES470, SNMP


Perl Script to poll ARP Table

I’ve written a lot of Perl scripts to help make managing the network easier and more efficient. One of them dumps the IP ARP table of the Nortel Ethernet Routing Switch 8600 to a file for later/additional processing. While the script was originally written for the ERS 8600 switch it will also work on just about any router (Layer 3 device) that supports the RFC 1213 ipNetToMediaTable (ipNetToMediaNetAddress and friends).

The script has been tested and works on Nortel’s BayRS routers (ARN, ASN, BLN, BCN). You just need to be careful about how the script interprets the ipNetToMediaIfIndex value, since the card/port decode depends on the device you are polling.

The script get8600arp.pl is very straightforward. It simply polls the ipNetToMediaTable columns via SNMP and appends the results to a file, doing this for every switch (FQDN/IP address) listed in the input file. Note that it uses SNMP v1 with a read-only community (to keep the BayRS routers happy), so the community string crosses the wire in the clear; restrict where that community is accepted from, as in the posts above.

#!/usr/bin/perl
#
# Filename: /root/get8600arp.pl
#
# Purpose:  Query Nortel Ethernet Routing Switch 8600 for the IP ARP
#           table via SNMP. This script will poll a list of devices
#           (input file) and dump the contents of the IP ARP table to
#           an output file.
#
# Author:   Michael McNamara
#
# Date:     December 5, 2002
#
# Support Switches:
#           - Nortel ERS 8600
#           - Nortel ERS 1600
#           - Nortel ERS 5500
#           - Nortel BayRS Routers
#
# Requirements:
#           - Net-SNMP
#           - Net-SNMP Perl Module
#           - SNMP-MIBS
#           - root privileges (Net::Ping in icmp mode needs a raw socket)
#
# Changes:
#
#           - May  5, 2007 (M.McNamara)
#           clean up code and documentation for release to public
#           - Oct 10, 2006 (M.McNamara)
#           went back to SNMP v1 to support BayRS legacy routers
#           - Sep 04, 2003 (M.McNamara)
#           migrated from vendor specific MIB to RFC1213 (ipNetToMediaNetAddress)
#

# Load Modules
use strict;
use warnings;
use SNMP;
use Net::Ping;

# Declare constants
use constant RETRIES    => 3;           # SNMP retries
use constant TIMEOUT    => 1000000;     # SNMP timeout, in microseconds
use constant SNMPVER    => 1;           # SNMP version (v1 for the BayRS routers;
                                        # the community string travels in the clear)

# SNMP Settings
$SNMP::verbose = 0;
$SNMP::use_enums = 1;
$SNMP::use_sprint_value = 0;            # raw octets, so PhysAddress can be unpacked below
&SNMP::initMib();
&SNMP::loadModules('RAPID-CITY');       # Nortel enterprise MIB (the RFC1213 objects
                                        # polled below do not actually need it)

# Declaration Variables
my ($sess, @vals);
my @devices;
my ($card, $port);
my $snmphost;
my $comm = "public";        # SNMP ReadOnly Community String -- replace with your own,
                            # see "Changing SNMP Community Strings" above
my %array;
my $switchfile;
my $datafile;

our $DEBUG;                     # DEBUG flag

# Program and help information
my $program = "get8600arp.pl";
my $version = "v1.3";
my $author = "Michael McNamara";
my $purpose = "This Perl script retrieves the IP ARP table from the ERS8600 Layer 3 switch/router and stores it in a file for later use.";
my $usage = "Usage: $program <input> <output> [debug]\n       $program -help\n    <input>  = filename listing each switch to poll (one per line, # comments allowed)\n    <output> = filename where to store output (appended to)\n    [debug]  = any third argument turns on debug output\n";

# Need at least the input and output filenames; the debug flag is optional
if (@ARGV < 2 || $ARGV[0] =~ /^-?help$/) {
 print "Program: $program \nVersion: $version \nWritten by: $author \n$purpose\n\n$usage\n";
 exit;
}

($switchfile, $datafile, $DEBUG) = @ARGV;

# Test to see if inputfile exists
if (!-e $switchfile) {
 die "ERROR: Unable to locate and/or open inputfile $switchfile...";
}

############################################################################
##### B E G I N   M A I N ##################################################
############################################################################

&load_switches;

&collect_arp;

exit 0;

############################################################################
#### E N D   M A I N #######################################################
############################################################################

############################################################################
# Subroutine collect_arp
#
# Purpose: collect ARP information from layer 3 switches/routers
############################################################################
sub collect_arp {

 # Open output datafile for appending
 open(DATAFILE, ">>$datafile") or die "ERROR: Unable to open outputfile $datafile: $!";

 # Loop over each Passport 8600 switch
 foreach $snmphost (@devices) {

    my $packet = Net::Ping->new('icmp');

    if ($packet->ping($snmphost)) {

       $sess = SNMP::Session->new(    DestHost   =>  $snmphost,
                                      Community  =>  $comm,
                                      Retries    =>  RETRIES,   # the option is Retries, not Retry
                                      Timeout    =>  TIMEOUT,
                                      Version    =>  SNMPVER );

       unless (defined $sess) {
          print "ERROR: Unable to open SNMP session to $snmphost skipping...\n";
          next;
       }

       # Walk the four ipNetToMediaTable columns in lock step
       my $vars = SNMP::VarList->new(
                              ['ipNetToMediaIfIndex', 0],
                              ['ipNetToMediaPhysAddress', 0],
                              ['ipNetToMediaNetAddress', 0],
                              ['ipNetToMediaType', 0] );

       while (1) {

          @vals = $sess->getnext($vars);  # retrieve the next row

          # On a timeout or a bad community the varbinds are not updated, so
          # without this check the tag test below would loop forever
          if ($sess->{ErrorNum}) {
             print "ERROR: $snmphost: $sess->{ErrorStr}\n";
             last;
          }

          # Stop once we walk past the end of the ifIndex column
          last unless ($vars->[0]->tag eq 'ipNetToMediaIfIndex');

          $vals[1] = uc unpack('H12', $vals[1]);   # 6 raw octets -> 12 hex digits

          # Decode the ERS8600 ifIndex into card (slot) and port; see the
          # explanation of the masks after the script
          $card = (($vals[0] & 62914560) / 4194304);
          $port = (($vals[0] & 4128768) / 65536) + 1;

          print "$snmphost, $vals[0], ($card/$port), $vals[1], $vals[2], $vals[3]\n" if ($DEBUG);
          print DATAFILE "$snmphost, $vals[0], $card, $port, $vals[1], $vals[2]\n";

          $array{$snmphost}[$card][$port] = $vals[2];

       } # end while

    } else {

       print ("ERROR: $snmphost not responding to ICMP ping skipping...\n");

    } #end if $packet

 } #end foreach

 close(DATAFILE);

} #end sub collect_arp

############################################################################
# Subroutine load_switches
#
# Purpose: load list of switches
############################################################################
sub load_switches {

 open(SWITCHLIST, "<$switchfile") or die "ERROR: Unable to open inputfile $switchfile: $!";

 # Walk through data file
 while (<SWITCHLIST>) {

    s/\s+$//;                  # strip the newline (and any CR / trailing blanks)
    # Skip blank lines
    next if (/^\s*$/);
    # Skip comments
    next if (/^#/);

    print "DEBUG: adding $_ to our list of devices\n" if ($DEBUG);

    push (@devices, $_);

 }

 close(SWITCHLIST);

 return 1;

} # end sub load_switches
############################################################################

The real magic that folks have always been searching for is the bit formula that turns the ipNetToMediaIfIndex into a location, the card and port where that specific device is connected. The masks are easier to read in hex: 62914560 is 0x3C00000 (bits 22 to 25 hold the card) and dividing by 4194304 (2^22) shifts them down; 4128768 is 0x3F0000 (bits 16 to 21 hold the port, zero-based, hence the + 1) and dividing by 65536 (2^16) shifts those down.

$card = (($vals[0] & 62914560) / 4194304);
$port = (($vals[0] & 4128768) / 65536) + 1;
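The same decode in Python, as an added example that is mine rather than part of the author’s script: the masks become shifts, the formula is inverted so a dump line can be checked against its own ifIndex, and the parser reads the comma-separated lines the script writes to its output file. The sample dumps are constructed, not real switch data, and also show the follow-on processing the flat file is meant for: diffing two polls to flag an IP whose MAC or switch port changed, which is what you look for when hunting an ARP spoof or a device that moved. The bit layout is the one the script uses for the ERS 8600; other devices encode ifIndex differently.

```python
import re

CARD_MASK = 0x3C00000    # 62914560: bits 22-25 hold the card (slot)
PORT_MASK = 0x3F0000     # 4128768:  bits 16-21 hold the port, zero based
CARD_SHIFT, PORT_SHIFT = 22, 16

def decode_ifindex(ifindex):
    """ipNetToMediaIfIndex -> (card, port); the same arithmetic as the Perl script."""
    card = (ifindex & CARD_MASK) >> CARD_SHIFT
    port = ((ifindex & PORT_MASK) >> PORT_SHIFT) + 1
    return card, port

def encode_ifindex(card, port):
    """Inverse of decode_ifindex; rejects values that do not fit the 4- and 6-bit fields."""
    if not (0 <= card <= 15 and 1 <= port <= 64):
        raise ValueError(f"card/port out of range: {card}/{port}")
    return (card << CARD_SHIFT) | ((port - 1) << PORT_SHIFT)

def format_mac(hex12):
    """'02000000AA05' -> '02:00:00:00:AA:05' (the script writes 12 bare hex digits)."""
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hex12):
        raise ValueError(f"bad MAC {hex12!r}")
    return ":".join(hex12[i:i + 2] for i in range(0, 12, 2)).upper()

def parse_arp_dump(text):
    """Parse the 'host, ifindex, card, port, mac, ip' lines get8600arp.pl appends to its output."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        host, ifindex, card, port, mac, ip = fields
        ifindex, card, port = int(ifindex), int(card), int(port)
        # the script stores both the raw ifIndex and its decode; make sure they agree
        if decode_ifindex(ifindex) != (card, port):
            raise ValueError(f"line {lineno}: card/port {card}/{port} do not match ifIndex {ifindex}")
        rows.append({"host": host, "ifindex": ifindex, "card": card, "port": port,
                     "mac": format_mac(mac), "ip": ip})
    return rows

def arp_changes(old_rows, new_rows):
    """IPs whose MAC or switch location (host/card/port) differs between two dumps."""
    where = lambda r: (r["mac"], r["host"], r["card"], r["port"])
    old = {r["ip"]: where(r) for r in old_rows}
    return [(r["ip"], old[r["ip"]], where(r))
            for r in new_rows if r["ip"] in old and old[r["ip"]] != where(r)]

# Constructed sample dumps (not real switch data): two polls of the same ERS8600
YESTERDAY = """\
# host, ifindex, card, port, mac, ip
10.1.50.1, 4325376, 1, 3, 02000000AA05, 10.1.1.5
10.1.50.1, 19857408, 4, 48, 02000000AA06, 10.1.1.6
"""
TODAY = """\
10.1.50.1, 4325376, 1, 3, 02000000AA05, 10.1.1.5
10.1.50.1, 4390912, 1, 4, 02000000BB06, 10.1.1.6
"""

if __name__ == "__main__":
    for ip, before, after in arp_changes(parse_arp_dump(YESTERDAY), parse_arp_dump(TODAY)):
        print(f"{ip}: was {before}, now {after}")
```

Run against two real output files from consecutive polls and every IP that answers from a new MAC or a new card/port is listed; a host that legitimately moved shows a new port with the same MAC, while the same IP claimed by a different MAC on a different port is the pattern worth investigating.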

While I still use flat files, you could certainly adapt this code to dump the output into a database. I just haven’t had the time, although I’ve been playing with MySQL quite a bit lately.

Cheers!


Tags: ARP, PERL, SNMP
