In this day and age it’s not a very good idea to leave the default SNMP community strings configured in any network electronics. The general default configuration uses public for read-only and private for read-write; these defaults apply to the Nortel Ethernet Switch and the Nortel Ethernet Routing Switch.
You can certainly change them from Nortel’s Java Device Manager; however, you need to be careful that you don’t saw off the branch you’re standing on, since Device Manager itself talks to the switch over SNMP. It’s best to configure the SNMP community strings from the CLI to avoid any potential issues.
Here are the CLI commands to configure the SNMP community strings on the ERS 8600 and 1600 switches. In the example below we’ll set the read-only string to open and the read-write string to lock.
ERS-8610:5# config snmp-v3 community commname first new-commname open
ERS-8610:5# config snmp-v3 community commname second new-commname lock
Here are the CLI commands to configure the SNMP community strings on the ERS 4500, ERS 5500 and ES460/470 switches. In the example below we’ll set the read-only string to open and the read-write string to lock.
5520-48T-PWR (config)# snmp-server community open ro
5520-48T-PWR (config)# snmp-server community lock rw
Cheers!
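An added example, not part of the original post and not Nortel code: a small Python helper that turns a device inventory into the two command forms shown above and refuses the factory defaults, useful when many switches have to be changed. The inventory format, hostnames, the character whitelist and the function names are assumptions for illustration.

```python
import re

DEFAULTS = {"public", "private"}        # factory defaults named in the post
SAFE = re.compile(r"[A-Za-z0-9_.-]+")   # assumption: keep strings CLI-safe
# Command templates copied from the post, keyed by CLI family.
TEMPLATES = {
    "ers8600": ("config snmp-v3 community commname first new-commname {ro}",
                "config snmp-v3 community commname second new-commname {rw}"),
    "stackable": ("snmp-server community {ro} ro",
                  "snmp-server community {rw} rw"),
}
# Model series -> CLI family, limited to the platforms the post lists.
FAMILY = {"8600": "ers8600", "1600": "ers8600", "4500": "stackable",
          "5500": "stackable", "460": "stackable", "470": "stackable"}

def validate(ro, rw):
    """Reject strings that would leave the switch as exposed as before."""
    for name, value in (("read-only", ro), ("read-write", rw)):
        if value.lower() in DEFAULTS:
            raise ValueError(f"{name} string is a factory default")
        if not SAFE.fullmatch(value):
            raise ValueError(f"{name} string has characters unsafe for the CLI")
    if ro == rw:
        raise ValueError("read-only and read-write strings must differ")

def build_plan(inventory, ro, rw):
    """Return ({host: [commands]}, [skipped lines]) for 'host model' lines."""
    validate(ro, rw)
    plan, skipped = {}, []
    for line in inventory.strip().splitlines():
        parts = line.split()
        m = re.search(r"\d+", parts[1]) if len(parts) == 2 else None
        family = FAMILY.get(m.group()) if m else None
        if family is None:
            skipped.append(line.strip())  # never guess a syntax for unknown kit
            continue
        plan[parts[0]] = [t.format(ro=ro, rw=rw) for t in TEMPLATES[family]]
    return plan, skipped

# Constructed sample inventory (hostnames are made up).
SAMPLE = "core-a ERS8600\ncloset-1 ES470\nedge-9 ERS2500\n"

if __name__ == "__main__":
    plan, skipped = build_plan(SAMPLE, "open", "lock")
    for host, cmds in plan.items():
        print(host, *cmds, sep="\n  ")
    print("skipped:", skipped)
```

Devices whose model is not one of the series named in the post end up in the skipped list for manual review instead of receiving a guessed command.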
Tom says
A suggestion that folks consider moving to SNMP v3. It’s not that hard to set up and will provide end-to-end encryption between DM and the device.
Michael McNamara says
Hi Tom,
While I won’t disagree with you, I’m not sure there’s an absolute need for SNMP v3 within a private corporate network. It’s roughly akin to using SSH as opposed to telnet for remote CLI access. I’d be happy with people just changing the default SNMP community strings.
In any case I hope to cover how to configure SNMP v3 in the next post and then SSH in subsequent posts.
Thanks for the comment!
Gbenga says
Hi Michael,
Very informative blog you have…. I’d like to be able to change snmp strings for quite a number of ES470s and ERS8600s. Do you have a script or tool you have used in the past to accomplish the same?
Thank you for your time.
Michael McNamara says
Hi Gbenga,
I’ve written a few Expect scripts that essentially telnet into the switches and then issue the appropriate CLI commands.
If you are familiar with Linux I could provide you a few examples.
Cheers!
IanNorm says
Have you used CLImanager (freebie from Nortel – https://app23.nortelnetworks.com/climanager/)? It is easy to connect to multiple devices and issue the commands to all connected devices. Or put the commands in a script and run it against a list of devices.
Let me know if you need any more info.
Ian
Michael McNamara says
Hi IanNorm,
You’ve stumbled onto a gem with CLImanager. When we had Nortel Passport 6480/7480 ATM switches we used CLImanager to help manage them. I haven’t used CLImanager recently but it could certainly accomplish the task (I’m not sure how many switches it could configure at once). I’ve personally just become accustomed to writing Expect scripts on a CentOS Linux server. For anyone that’s not familiar with Expect, then CLImanager might be a nice alternative. You actually don’t need to even script anything. CLImanager will literally login to multiple switches at one time, you issue a single command and it will pass that command on to every switch that you are logged into, pretty neat stuff. I know the author of CLImanager, Brett Sinclair, and he’s a very sharp fellow.
Cheers!
IanNorm says
I know Brett as well – I worked at Nortel for 10 years working on management solutions for MSS (aka Passport) 6K, 7K, 15K switches. If anyone ever needs any help with MDM give me a shout! So, yes, I’ve been using CLImanager extensively for many years – batch files, CLI*Script files, Java plugins, etc. If anyone needs any help with CLImanager let me know.
Gbenga says
Hi Michael,
Thank you for your response. I am not familiar with Linux but I can always figure it out… It’s the least I can do. I will be glad to have the examples you talk about using Expect. I presume this will work with ssh too because all these devices have telnet disabled.
Regards,
Michael McNamara says
Let me dig up a sample Expect script and post it here…
Here’s an Expect script that will configure the Daylight Saving Time on the Nortel 460,470,2500,4500,5500,5600 switches. You can easily adapt this script to reset the SNMP community strings as opposed to reconfiguring the date/time.
Expect Script: set-nortel-timezone.exp.txt
Bash Script that calls Expect script: set-nortel-timezone.sh.txt.
You can read more about it in this post; http://blog.michaelfmcnamara.com/2008/07/expect-script-daylight-saving-time.
Cheers!
Gbenga says
Thank you so much for all the input. CLImanager definitely dummies it up. I tested okay with telnet, however I seem to be running into issues with ssh enabled switches. It logs in okay but then I am not at the proper prompt. When I attempt to type anything it comes back with an “invalid timeout value” error.
Nvinh says
Hi Michel/IanNorm
I’m using CLImanager and trying to write a script to login to UNIX machine. I’ve input the username/passwd via script but not lucky.
cmd ("telnet 10.10.10.10");
waitfor("login: ")
send("test");
waitfor("Password: ")
send("test");
The CLImanager hangs at the login prompt and does nothing.
Please let me know how I can use this way to connect to my machine.
Thanks and Regards,
Nvinh
Nvinh says
Hi IanNorm,
Could you please share with me some script or document of CLIManager?
I would like to catch the result from a command but I don’t know how to do that.
my mail: ngocvinh1906@yahoo.com
Thanks and regards,
Nvinh
Ryan Kruger says
Hi Mike,
We are currently running Nortel 8600s 5.1 with VRFs implemented. I have a few questions in regards to the SNMP configurations in regards to VRFs. I was hoping you might have an idea or two.
I am wanting to configure different SNMP communities for the different VRFs.
1st I have noticed, I can not view the existing snmp community names, they’re all “asterisked” out. How can I view the current snmp communities?
2nd Is it possible to assign different SNMP communities for different VRFs?
The thing is : I can only see what SNMP config. for the whole 8600, and not for the different VRFs.
I have gone over various Nortel docs, but they really only refer to SNMPv3.
Any advice would be most welcome.
Thank you
Kind Regards
Ryan
Mikail says
Hello Mike,
We have an ERS8600. I can use JDM only on the management port, but I want to use JDM in VLAN 1 or 5.
How can I use JDM, and which IP do I use?
For example,
vlan 1 10.0.0.1/255.255.0.0
vlan 5 15.0.0.1/255.255.0.0
but I can’t use for management IP 10.0.1.1 or 15.0.1.1.
What can I do?
Michael McNamara says
Hi Mikail,
As long as you don’t have an access policy or ACL you can enable SNMP and you should be good to go.
Cheers!
Mikail says
Hi ,
I’ll do that link commands, but which IP address use for on JDM?
http://blog.michaelfmcnamara.com/2008/01/ers-8600-access-policy/
thanks for your help
Michael McNamara says
You can use any IP address that’s configured on the ERS 8600, assuming you can ping it.
The management port on the CPU/SF is really meant as an out-of-band interface. You can manage the switch (in-band) using any IP interface configured on it.
Cheers!
Daniel says
We changed the default SNMP string to something else in the lab on an 8600 running version 3.7 and now when you open device manager the CLI displays this alert below every time an SNMP poll goes from DM to the Passport:
================================================================================
Community Table
================================================================================
Index                Name                 Security Name        Transport Tag
--------------------------------------------------------------------------------
first                ********             readview
ronly                ********             readview
rwonly               ********             readwrite
second               ********             initialview
4 out of 4 Total entries displayed
--------------------------------------------------------------------------------
WR:5# no ack on data: dev 28 datac 0 nbytes 0 off 0 csr 0x8
no ack on data: dev 28 datac 0 nbytes 0 off 0 csr 0x8
no ack on data: dev 28 datac 0 nbytes 0 off 0 csr 0x8
no ack on data: dev 29 datac 0 nbytes 0 off 0 csr 0x8
no ack on data: dev 29 datac 0 nbytes 0 off 0 csr 0x8
no ack on data: dev 29 datac 0 nbytes 0 off 0 csr 0x8
no ack on data: dev 28 datac 0 nbytes 0 off 0 csr 0x8
no ack on data: dev 28 datac 0 nbytes 0 off 0 csr 0x8
no ack on data: dev 28 datac 0 nbytes 0 off 0 csr 0x8
no ack on data: dev 29 datac 0 nbytes 0 off 0 csr 0x8
no ack on data: dev 29 datac 0 nbytes 0 off 0 csr 0x8
no ack on data: dev 29 datac 0 nbytes 0 off 0 csr 0x8
any ideas? Avaya support can’t figure it out. Our code is too old.
Dan