How to configure SNMPv3 securely on Extreme Networks XOS
July 11, 2014
In two of the last posts I wrote about configuring SNMPv3 securely for Linux and Mikrotik RouterOS. This time I’ll show the configuration for Extreme Networks XOS. Its quite easy and supports more encryption algorithm and options than e.g. Mikrotiks RouterOS. To allow SNMPv3 access we only need these commands – as I use SNMP only for reading, I’ll create a readonly user:
config snmpv3 add user snmpv3ro authentication sha XXXXXXXXXX privacy aes XXXXXXXXXX
config snmpv3 add group snmpv3group user snmpv3ro sec-model usm
configure snmpv3 add access snmpv3group sec-model usm sec-level priv read-view defaultAdminView write-view None notify-view None
If we want to disable a previously configured SNMPv1 or v2c access type following:
disable snmp access snmp-v1v2c
If you want also SNMPv3 traps you need this command:
configure snmpv3 add target-addr snmpv3Target param snmpv3Params ipaddress transport-port 162 tag-list defaultNotify
Hint: You can/should also add from or vr entries depending on your switch config
Some addition ways so secure your SNMP:
- You can specify in which virtual router instance the SNMP is reachable with following commands:
disable snmp access vr all
enable snmp access vr vrMgmt - And you can also configure ACLs which defines from which IP addresses it is possible to access the SNMP service with following command:
configure snmp access-profile snmpACL readwrite
You need to create following file first with
vi snmpACL.pol
:entry allow_subnet_1 {
if match all {
source-address 10.x.x.0/24;
}
then {
permit;
}
entry allow_subnet_2 {
if match all {
source-address 10.y.y.0/24;
}
then {
permit;
}
3 Comments »
RSS feed for comments on this post. TrackBack URI
Leave a comment
Powered by WordPress
Entries and comments feeds.
Valid XHTML and CSS.
37 queries. 0.096 seconds.
Hi There, The Syntax of your policy is not quite correct. it should be :-
entry allow_subnet_1 {
if match all {
source-address 10.x.x.0/24;
}
then {
permit;
}
}
entry allow_subnet_2 {
if match all {
source-address 10.y.y.0/24;
}
then {
permit;
}
}
You are missing the closing bracket at the end of each “entry” statement. Thought you might like to know.
Comment by Matthew — November 24, 2014 #
[…] configured our own SNMPv3 users and we thoughed we’re save. But that is not true even if […]
Pingback by Beware: Extreme Networks EXOS ships with hidden SNMPv3 default admin user | Robert Penz Blog — July 28, 2015 #
Nice post, I’m just now learning XOS. This is a big help. – JG
Comment by Jeremy — March 16, 2016 #