Dell PowerSwitch S4112F-ON SmartFabric OS10 Security Best Practices Guide July - Page 16


OS10(config-ipv4-acl)# exit
OS10(config)# snmp-server community public ro acl snmp-read-only-acl
OS10(config)# exit
OS10# write memory

Configure SNMP v3

Rationale: SNMP v2c does not support encryption or authentication; its only credential is the community string, which is sent in cleartext with every request. Dell EMC Networking strongly recommends that you use SNMP v3, which supports authenticated and encrypted access to SNMP resources. If a v2c community must be kept for legacy tooling, keep it read-only and bound to an ACL, as in the example above.

Configuration:

• Configure the SNMP engine ID.
  OS10(config)# snmp-server engineID [local engineID] [remote ip-address {[udp-port port-number] remote-engineID}]
  ○ local engineID—Enter the engine ID that identifies the local SNMP agent on the switch, as colon-separated octets. A maximum of 27 characters.
  ○ remote ip-address—Enter the IPv4 or IPv6 address of a remote SNMP device that accesses the local SNMP agent.
  ○ udp-port port-number—Enter the UDP port number on the remote device, from 0 to 65535.
  ○ remote-engineID—Enter the engine ID that identifies the SNMP agent on the remote device, as 0x followed by a hexadecimal string.
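The engine ID is more than a label. In the SNMPv3 User-based Security Model (RFC 3414) a user's password is first hashed into a key (Ku) and then localized with the agent's snmpEngineID; the localized key (Kul) is what the agent stores and what authenticates or encrypts every message, so the same password produces a different key on every engine. The following added example, written for this guide and not taken from Dell or OS10, performs that derivation with the RFC 3414 Appendix A test vector (password "maplesyrup", engine ID 0x000000000000000000000002). It accepts both engine ID spellings used on this page, 0x plus hex and colon-separated octets. How OS10 itself interprets the localized keyword of the snmp-server user command later on this page is not defined here, so the example shows the RFC derivation rather than an OS10 input format.

```python
"""RFC 3414 USM key derivation: password -> Ku -> key localized to one snmpEngineID.

Added example for this guide, not Dell code. The only inputs used are the RFC 3414
Appendix A test vector; no real device keys appear here.
"""
import hashlib

PASSWORD_STREAM_LEN = 1_048_576  # RFC 3414 A.2: exactly 1 MiB of repeated password is hashed


def parse_engine_id(text: str) -> bytes:
    """Accept both spellings used on this page: '0x' plus a hex string
    (remote-engineID) or colon-separated octets (local engineID)."""
    s = text.strip().lower()
    if s.startswith("0x"):
        return bytes.fromhex(s[2:])
    return bytes(int(octet, 16) for octet in s.split(":"))


def password_to_key(password: str, algorithm: str = "sha1") -> bytes:
    """Ku: digest of the password repeated until PASSWORD_STREAM_LEN bytes were hashed.
    The 1 MiB expansion is the RFC's (modest) work factor against brute force."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("password must not be empty")
    reps, rem = divmod(PASSWORD_STREAM_LEN, len(pw))
    return hashlib.new(algorithm, pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). This is the key the agent stores and
    checks, so one password yields a different key for every engine ID."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def usm_localized_keys(auth_password: str, priv_password: str, engine_id: str,
                       algorithm: str = "sha1") -> dict:
    """Hex keys for a 'sha' / 'aes' user on the agent with the given engine ID.
    AES-128 uses the first 16 bytes of the localized privacy key (RFC 3826),
    which is why a 20-byte SHA-1 Kul is truncated."""
    eid = parse_engine_id(engine_id)
    auth_kul = localize_key(password_to_key(auth_password, algorithm), eid, algorithm)
    priv_kul = localize_key(password_to_key(priv_password, algorithm), eid, algorithm)
    return {"auth_key": auth_kul.hex(), "aes128_priv_key": priv_kul[:16].hex()}


if __name__ == "__main__":
    # RFC 3414 Appendix A vector; both passwords equal only because the RFC gives one.
    keys = usm_localized_keys("maplesyrup", "maplesyrup", "0x000000000000000000000002")
    print(keys["auth_key"])         # 6695febc9288e36282235fc7151f128497b38f3f
    print(keys["aes128_priv_key"])  # 6695febc9288e36282235fc7151f1284
```

Use distinct authentication and privacy passwords in practice; the test vector reuses one only because the RFC supplies a single password. Because localization binds the key to the engine ID, a manager must know each switch's engine ID before it can compute the key it will present, and a key captured from one agent's configuration does not authenticate to another agent.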
• Configure SNMP views.
  OS10(config)# snmp-server view view-name oid-tree [included | excluded]
  ○ view-name—Enter the name of a read-only, read/write, or notify view. A maximum of 32 characters.
  ○ oid-tree—Enter the SNMP object ID at which the view starts, in 12-octet dotted-decimal format.
  ○ included—(Optional) Include the MIB family in the view.
  ○ excluded—(Optional) Exclude the MIB family from the view.

• Configure SNMP groups.
  OS10(config)# snmp-server group group-name v3 security-level [access acl-name] [read view-name] [write view-name] [notify view-name]
  ○ group-name—Enter the name of the group. A maximum of 32 alphanumeric characters.
  ○ v3 security-level—SNMPv3 provides optional user authentication and encryption for SNMP messages; the keys are configured with the snmp-server user command.
  ○ security-level—(SNMPv3 only) Configure the security level for SNMPv3 users in the group:
    ▪ auth—Authenticate users in SNMP messages.
    ▪ noauth—Do not authenticate users or encrypt SNMP messages; send messages in plain text.
    ▪ priv—Authenticate users and encrypt or decrypt SNMP messages. Use priv for production groups: noauth sends everything in plain text, and auth leaves the MIB contents readable on the wire.
  ○ access acl-name—(Optional) Enter the name of an IPv4 or IPv6 access list to filter SNMP requests received on the switch. A maximum of 16 characters.
  ○ read view-name—(Optional) Enter the name of a read-only view. A maximum of 32 characters.
  ○ write view-name—(Optional) Enter the name of a read/write view. A maximum of 32 characters.
  ○ notify view-name—(Optional) Enter the name of a notification view. A maximum of 32 characters.

• Configure SNMP users.
  OS10(config)# snmp-server user user-name group-name security-model localized auth sha auth-password priv aes priv-password
  OS10(config)# exit
  OS10# write memory
  ○ user-name—Enter the name of the user. A maximum of 32 alphanumeric characters.
  ○ group-name—Enter the name of the group to which the user belongs. A maximum of 32 alphanumeric characters.
  ○ security-model—Enter the SNMP version that sets the security level for SNMP messages:
    ▪ 3—SNMPv3 provides user authentication and encryption for SNMP messages.
  ○ auth—(SNMPv3 only) Include a user authentication key for SNMPv3 messages sent to the user:
    ▪ sha—Generate an authentication key using the SHA algorithm.
    ▪ auth-password—Enter the encrypted string.
  ○ priv—Configure encryption for SNMPv3 messages sent to the user:
    ▪ aes—Encrypt messages using the AES 128-bit algorithm.
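To check a switch against the steps above, the following added example (written for this guide, not Dell's code) parses the snmp-server lines of an OS10 running configuration and flags what contradicts this page: any SNMPv1/v2c community, and more severely a read/write one, one without an ACL, or the well-known names public and private; v3 groups below priv; write views granted below priv; and v3 users with no privacy key, with algorithms other than sha and aes, or placed in a group that admits weaker requests than the user's keys would provide. The configuration text, the group, user, view and ACL names in it, and the 0x key strings are all constructed for the example; only the command syntax comes from this page.

```python
"""Audit the snmp-server lines of an OS10 running configuration against this page.

Added example, not Dell code. SAMPLE_CONFIG is constructed for illustration and
its 0x.... key strings are dummies, not real localized keys.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

WELL_KNOWN_COMMUNITIES = {"public", "private"}

# Constructed sample: the hardened lines this page recommends plus several weak ones.
SAMPLE_CONFIG = """\
snmp-server community public ro acl snmp-read-only-acl
snmp-server community private rw
snmp-server community netops ro
snmp-server engineID local 80:00:02:a9:03:e8:8b:11:22
snmp-server view mgmt-view 1.3.6.1 included
snmp-server group mgmt-ro v3 priv access snmp-read-only-acl read mgmt-view
snmp-server group legacy-ro v3 noauth read mgmt-view
snmp-server group ops-rw v3 auth read mgmt-view write mgmt-view
snmp-server user monitor mgmt-ro 3 localized auth sha 0x1111 priv aes 0x2222
snmp-server user legacy legacy-ro 3 localized auth sha 0x3333 priv aes 0x4444
snmp-server user ops ops-rw 3 localized auth sha 0x5555
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    line: str      # offending configuration line, verbatim
    message: str


def _value_after(tokens: list, keyword: str) -> Optional[str]:
    """Token following `keyword`, or None when the keyword is absent or last."""
    if keyword in tokens:
        i = tokens.index(keyword)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def audit_snmp_config(config: str) -> list:
    lines = [ln.strip() for ln in config.splitlines()]
    lines = [ln for ln in lines if ln.startswith("snmp-server ")]
    tokens = [ln.split() for ln in lines]
    # Pass 1: each v3 group's security level, so user checks do not depend on line order.
    groups = {t[2]: t[4] for t in tokens if len(t) >= 5 and t[1] == "group" and t[3] == "v3"}
    findings = []
    for line, t in zip(lines, tokens):
        kind = t[1]
        if kind == "community" and len(t) >= 3:
            name = t[2]
            findings.append(Finding("medium", line,
                "SNMPv1/v2c community: the string is sent in cleartext with no authentication or encryption"))
            if len(t) > 3 and t[3] == "rw":
                findings.append(Finding("high", line, "read/write community"))
            if "acl" not in t:
                findings.append(Finding("high", line, "community not restricted by an ACL"))
            if name in WELL_KNOWN_COMMUNITIES:
                findings.append(Finding("high", line, f"well-known community name {name!r}"))
        elif kind == "group" and len(t) >= 5 and t[3] == "v3":
            level = t[4]
            if level == "noauth":
                findings.append(Finding("high", line, "v3 group accepts unauthenticated plaintext requests"))
            elif level == "auth":
                findings.append(Finding("medium", line, "v3 group authenticates but does not encrypt (use priv)"))
            if "write" in t and level != "priv":
                findings.append(Finding("high", line, "write view granted below security level priv"))
        elif kind == "user" and len(t) >= 5 and t[4] == "3":
            group = t[3]
            level = groups.get(group)
            if level is None:
                findings.append(Finding("medium", line, f"group {group!r} is not a configured v3 group"))
            elif level != "priv":
                sev = "high" if level == "noauth" else "medium"
                findings.append(Finding(sev, line,
                    f"group {group!r} admits {level} requests, so this user's keys are not enforced"))
            auth_alg = _value_after(t, "auth")
            priv_alg = _value_after(t, "priv")
            if auth_alg is None:
                findings.append(Finding("high", line, "no authentication key"))
            elif auth_alg != "sha":
                findings.append(Finding("medium", line, f"authentication algorithm {auth_alg!r}; this guide uses sha"))
            if priv_alg is None:
                findings.append(Finding("high", line, "no privacy key: messages for this user are never encrypted"))
            elif priv_alg != "aes":
                findings.append(Finding("medium", line, f"privacy algorithm {priv_alg!r}; this guide uses aes"))
    return findings


def severity_counts(findings) -> dict:
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.line}\n        {f.message}")
```

The group-level check matters more than it looks: a user configured with sha and aes keys but assigned to a noauth group can still be queried at noauth, because the group's security level is what the agent enforces, so fixing the user line alone does not close the gap.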
16 OS10 security best practices