manualshive.com logo in svg

Avaya VSP 4000, Technical Configuration Manual, Page: 115 / 137

Share
Download
Avaya VSP 4000 Technical Configuration Manual Download Page 115

 

 

Avaya Inc. 

– External Distribution 

115 

avaya.com 

March 2015 

8.14 SNMPv3 Configuration Example 

For this configuration example, we wish to accomplish the following: 

 

Add  User  1  to  USM  table  with  authentication  protocol  of  MD5  and  privacy  protocol  of  DES,  i.e. 
authPriv) 

o

 

Use a user name of 

user1

, a MD5 authentication password of 

user1234

, and a DES privacy 

password of 

userpriv

 

o

 

Allow User 1 full MIB views with full permission starting the existing view “org”  

 

Add User 2 to USM table authentication protocol of MD5 with no privacy protocol, i.e. authNoPriv 

o

 

Use a user name of 

user2 

with a MD5 authentication password of 

user2abcd

 

o

 

Allow User 2 full MIB read permission starting from the exiting “org” level, but exclude write 
permission from all Private Enterprise MIB’s 

To accomplish the above, please follow the steps below. 

8.14.1  Configuration 

Step 1 

– Make sure the DES file is loaded on the switch and then issue the following command – 

note this step is not required for VOSS release 4.2 or higher

 

VSPswitch:1(config)#

load-encryption-module DES 

Step  2 

–  Add SNMPv3 authPriv User. In this example, we will use a user name of 

user1

,  a  MD5 

password of 

user1234

, and a DES privacy password of 

userpriv

 

VSPswitch:1(config)#

snmp-server user user1 group group_1 md5 user1234 des userpriv 

Step 3 

– Add SNMPv3 authNoPriv User. In this example, we will use a user name of 

user2

 and a 

MD5 password of 

user2abcd

 

VSPswitch:1(config)#

snmp-server user user2 group group_1 md5 user2abcd 

Step  4 

– Add USM group using a name of 

group_1

 with an access level of authPriv and  read  & 

write view to 

org

. For the PPCLI, we will need to add the user name to the group; in our example, 

this is 

user1

 

VSPswitch:1(config)#

snmp-server group group_1 "" auth-priv read-view org write-view 

org 

Step 5 

– Using USM created above, 

group_1

,  add an access level of authNoPriv with read view to 

org

 and write to 

private

  where we will use this level to setup the MIB view in the next step. For 

the PPCLI, we will need to add the user name to the group; in our example, this is 

user2

 

VSPswitch:1(config)#

snmp-server group group_1 "" auth-no-priv read-view org write-view 

private 

Step 6 

– Create a new MIB view to exclude the private MIB for User 2

 

VSPswitch:1(config)#

snmp-server view p1 

Summary of Contents for VSP 4000

Page 1: ...Virtual Services Platform 4000 8000 9000 Engineering Management Access Security Technical Configuration Guide Avaya Networking Document Date April 2015 Document Number NN48500 650 Document Version 1 1...

Page 2: ...SING THE SOFTWARE OR AUTHORIZING OTHERS TO DO SO YOU ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING DOWNLOADING OR USING THE SOFTWARE HEREINAFTER REFERRED TO INTERCHANGEABLY AS YOU A...

Page 3: ...tch using Telnet HTTP SSL SSH and SNMP Revision Control Version Date Revised By Remarks Draft 1 3 16 2015 John Vant Erve Jeff Cox Initial Draft Draft 2 4 3 2015 Didier Ducarre Review Draft 3 4 9 2015...

Page 4: ...word prompt 21 3 7 Telnet Access Configuration Examples using Local Users with hsecure disabled 22 3 7 1 Local Password Configuration Password Security Disabled 22 3 7 2 Verify Operations 23 4 Passwor...

Page 5: ...anager 95 7 1 EDM configuration Example 96 7 1 1 Configuration 96 7 1 2 Verify Operations 100 8 SNMP 101 8 1 SNMPv3 Overview 101 8 2 Blocking SNMP 102 8 3 Blocking SNMPv1 2 only 102 8 4 Community Stri...

Page 6: ...fy Operations 116 8 15 SNMP Traps 119 8 15 1 Trap Receivers 119 8 16 SNMPv1 Trap Configuration Example 120 8 16 1 Configuration 120 8 16 2 Verify Operations 120 9 Access Policy 123 9 1 Enable Access P...

Page 7: ...Avaya Inc External Distribution 7 avaya com March 2015 Figures Figure 1 SNMPv3 USM 101 Figure 2 MIB Structure 110...

Page 8: ...tributes 24 Table 5 Enhanced Security RADIUS Attributes 25 Table 6 RADIUS Events Logged 25 Table 7 TACACS Access Levels 56 Table 8 Enhanced Security TACACS Attributes 56 Table 9 SSH clients 78 Table 1...

Page 9: ...dicates text the user must enter or select in a menu item button or command ERS5520 48T show running config Output examples from Avaya devices are displayed in a Lucida Console font ERS5520 48T show s...

Page 10: ...1 config boot config flags block snmp VSPswitch 1 config no boot config flags block snmp VSPswitch 1 config boot config flags ftpd VSPswitch 1 config no boot config flags ftpd VSPswitch 1 config boot...

Page 11: ...e switch supports the following authentication access levels for local authentication Remote Authentication Dial In User Service RADIUS and Terminal Access Controller Access Control System Plus TACACS...

Page 12: ...ase character from the range ABCDEFGHIJKLMNOPQRSTUVWXYZ Two lowercase character from the range abcdefghijklmnopqrstuvwxyz Two numeric character from the range 1234567890 Two special character from the...

Page 13: ...Re enter the New password Admin Jvelab123 8202 1 en 8202 1 show cli password change interval 24 min passwd len 8 password history 3 password rule 1 1 1 1 pre expiry notification interval 1 7 30 post...

Page 14: ...e the same user name or password as that temporarily configured Login user1 Password This is an initial attempt using the default user name and password Please change the user name and password to con...

Page 15: ...ages explaining when the password will expire The administrator can define the pre and post notification interfaces between 1 and 99 days If you do not change the password before the expiry date the s...

Page 16: ...return the system back to the factory default defaults and delete all the configured user accounts VSPswitch 1 config sys system default WARNING Executing this command returns the system to factory d...

Page 17: ...nd status information and change physical port settings l1 l1 Layer 2 read write View and change configuration and status information for Layer 2 bridging and switching functions l2 l2 Layer 3 read wr...

Page 18: ...ssword followed by the entering and verifying the new password VSPswitch 1 config cli password rwa read write all Enter the old password rwa Enter the New password Re enter the New password 3 1 2 Enab...

Page 19: ...The following command confirms the change VSPswitch 1 show cli password access level aging 90 min passwd len 8 password history 3 ACCESS LOGIN STATE rwa rwa NA rw rw ena l3 l3 ena l2 l2 ena l1 l1 ena...

Page 20: ...must re enable SNMP using the command no boot config flag block snmp After you enable the hsecure flag you can configure a duration after which you must change your password You configure the duration...

Page 21: ...t CLI prompt VSPswitch 1 config default prompt 3 6 Login message and password prompt To change the default CLI login prompt first you must disable the default login prompt no login message and then en...

Page 22: ...nly user name from rw to user2 o For user2 use the password readwrite Change the default login and password prompt from Login and Password to Enter username and Enter your password Step 1 Add new user...

Page 23: ...na Default Lockout Time 60 Lockout Time IP Time Step 2 Verify the login prompt VSPswitch 1 config show cli info cli configuration more true screen lines 23 telnet sessions 8 rlogin sessions 8 timeout...

Page 24: ...erver authenticates the user name and assigns one of the existing access priorities to that name Unauthenticated user names are denied access to the device User names ro L1 L2 L3 rw and rwa must be ad...

Page 25: ...deny CLI commands for a user This is done using RADIUS vendor identifier 1584 attribute types 194 and 195 Attribute type 194 needs to be set to a value of 0 while attribute 195 lists the command you...

Page 26: ...the source IP address If you do not specify the source IP the VSP switch will use the source IP address of the out going interface Depending on the number of out going interfaces you may have to add t...

Page 27: ...e default CLI command attribute value to another value other than 195 enter the following command VSPswitch 1 config radius cli commands attribute 192 240 4 4 Enabling RADIUS accounting globally To us...

Page 28: ...hen adding a RADIUS server no additional configuration steps are required to enable CLI RADIUS authentication Step 1 Add RADIUS server enable RADIUS enable RADIUS accounting and enable RADIUS accounti...

Page 29: ...d count 5 radius sourceip flag Step 2 Verify that RADIUS has been enabled globally VSPswitch 1 show radius Sub Context clear config dump monitor mplsping mplstrace peer show switchover test trace Curr...

Page 30: ...rch 2015 Step 3 Verify that RADIUS Server Configuration VSPswitch 1 show radius server Radius Server Entries ACCT ACCT SOURCE NAME USEDBY SECRET PORT PRIO RETRY TIMEOUT ENABLED PORT ENABLED IP 10 12 1...

Page 31: ...und attribute values required by the VSP switch for each access level for RADIUS vendor identifier 1584 Bay Networks attribute type 192 For this example we will configure IDE with attribute values of...

Page 32: ...rity Values for Read Only and Read Write All Access IDE Step 1 IDE already has the vendor specific attributes defined Bay Networks vendor code 1584 using attribute type 192 for the VSP switch which ca...

Page 33: ...ing Outbound Attributes New IDE Step 3 Via the Outbound Attribute window type in a name for the attribute to be used for access priority i e VSP Access Priority as used in this example click the VSA r...

Page 34: ...Avaya Inc External Distribution 34 avaya com March 2015 IDE Step 4 Go to Site Configuration Provisioning RADIUS Outbound Values New...

Page 35: ...entering a name via the Outbound Value Name window i e vsp ro as used in this example and click on New IDE Step 6 Select the Outbound Attributes name created in Step 3 i e VSP Access Priority as used...

Page 36: ...dd an attribute value of 6 for read write all access Start by entering a name via the Outbound Value Name window i e vsp rwa as used in this example and click on New IDE Step 8 Select the Outbound Att...

Page 37: ...e to be used to list the CLI command click the VSA radio button select Bay Networks vendor code 1584 via Vendor and ERS8xxx CLI Commands attribute 195 via VSA Click on OK when done IDE Step 3 Set the...

Page 38: ...3 3 Add Users For this configuration example we will add the following users User Name Access Level user1 Read Only Access user6 Read Write All Access IDE Step 1 Start by going to Site Configuration...

Page 39: ...or read only access via User Name i e user1 as used in this example and enter the password for this user via Password and Confirm Password Click on OK when done If you wish you can also change the exp...

Page 40: ...ll access user Enter the user name for read write all access via User Name i e user6 as used in this example and enter the password for this user via Password and Confirm Password Click on OK when don...

Page 41: ...ya com March 2015 4 6 3 4 Add an Access Policy IDE Step 1 Go to Site Configuration Access Policies RADIUS Right click RADIUS and select New Access Policy Enter a policy name i e VSP Access as used in...

Page 42: ...2 avaya com March 2015 IDE Step 2 Click on the policy we just created i e ERS8000 Access and click on Edit via the Authentication Policy tab IDE Step 3 Under Edit Authentication Policy window select N...

Page 43: ...Avaya Inc External Distribution 43 avaya com March 2015 IDE Step 4 Go to the Identity Routing tab and click on Edit IDE Step 5 Check off the Enable Default Directory Set and click on OK when done...

Page 44: ...on Edit IDE Step 7 Once the Edit Authorization Policy window pops up click on Add Add a rule for read only access When the New Rule window pops up for this example name the rule read only access Add...

Page 45: ...raint For the read only access rule we configure the rule to look for a user id of user1 o Attribute Category User Attribute user id Static Value user1 For the read only access rule we configure the r...

Page 46: ...ernal Distribution 46 avaya com March 2015 Select the read write all rule and add the following constraint usig the user id s we configured in above Select the read write all rule and add the followin...

Page 47: ...alues window select the output attribute we created previously named vsp ro and click on the less than arrow key to move the attribute to the Provision With window Click on the rule named read write a...

Page 48: ...Avaya Inc External Distribution 48 avaya com March 2015...

Page 49: ...Avaya Inc External Distribution 49 avaya com March 2015 IDE Step 10 When completed you can view the complete policy by clicking on the Access Policy Summary button...

Page 50: ...2015 4 6 3 5 Add the Avaya VSP switch as an RADIUS Authenticator For Ignition Server to process the Avaya switch RADIUS requests each switch must be added as an Authenticator IDE Step 1 Go to Site Con...

Page 51: ...a com March 2015 IDE Step 2 Enter the settings as shown below making sure you select the policy we created previously named ERS8000 Access via Access Policy Leave Enable Authenticator and Enable RADIU...

Page 52: ...gnition Server click on the Troubleshoot tab go to Directory Service Debugger and select the Auth User tab Make you select Internal User Store and PAP and the enter a valid user name and password conf...

Page 53: ...r user IDE Step 1 In Dashboard select the IP address of the Ignition Server and click on the Monitor tab go to Log Viewer and select the Access tab Via the message of a valid user right click the mess...

Page 54: ...Avaya Inc External Distribution 54 avaya com March 2015...

Page 55: ...ous step and if this also fails verify the Ignition Server configuration User Id Displays the name of the user id in this example a user id of user6 was used for the user with read write all access ri...

Page 56: ...rt to ensure reliable delivery of packets TACACS provides security by encrypting all traffic between the switch which acts as the Network Access Server and the TACACS server The VSP switch supports le...

Page 57: ...assword authentication PAP CHAP MSCHAP authentication methods The FOLLOW response of a TACACS server in which the AAA services are redirected to another server The response is interpreted as an authen...

Page 58: ...connenction the switch uses the default connection type which is per session or multi connection mode Enabling TACACS authentication VSPswitch 1 config tacacs authentication all cli web Enabling TACA...

Page 59: ...interface VSPswitch 1 config interface loopback 1 VSPswitch config if ip address 1 10 1 1 81 255 255 255 255 VSPswitch config if exit Step 2 Add TACACS server enable TACACS and enable TACACS accountin...

Page 60: ...ion enabled for cli accounting enabled for cli authorization disabled User privilege levels set for command authorization None Server create Prio Status Key Port IP address Timeout Single Source Sourc...

Page 61: ...e expiry date via Password Expires if you do not wish to use the default setting of one year Repeat again by clicking on New to add user6 IDE Step 3 Add a new TACACS policy by going to Configuration S...

Page 62: ...l down and select user id Select Equal To with Format of None check Static Value and enter the read only access user id of user6 Click on OK when done Via Action select Allow Click on the Session Valu...

Page 63: ...ct ers switches avaya via Device Template and remove the default check via Enable RADIUS Access Under the RADIUS Setting tab uncheck the Enable RADIUS Access setting to disable RADIUS this is the defa...

Page 64: ...March 2015 IDE Step 6 Go to Configuration Site Configuration Access Policies TACACS VSP Policy Name of policy we created in Step 3 above Go to the Identity Routing tab and click on Edit Check the Enab...

Page 65: ...ation level 1 6 User privilege level all Enable tacacs command authorization for all privilege levels none Disable tacacs command authorization for all levels For this configuration example we will us...

Page 66: ...ration TACACS CONFIGURATION tacacs server host 10 12 120 120 key source 10 1 1 81 source ip interface enable tacacs protocol enable tacacs accounting enable cli tacacs authorization enable tacacs auth...

Page 67: ...00 to 2299 IDE Step 1 Go to Configuration Site name Services TACACS Ensure that TACACS is enabled if not click the Edit box and enable TACACS The default port TCP 49 should be left as is IDE Step 2 Ad...

Page 68: ...level5_set1 as used in this example and click on Add for each ACLI command set For all the normal commands via the Device Command window select Simple Command using Keywords and Arguments and Allow Fo...

Page 69: ...to the Authorization Policy tab and click on Edit o Once the Edit Authorization Policy window pops up click on Add in the Rules window Add two Rules simply named level6 and level5_cmd o For the rule n...

Page 70: ...Avaya Inc External Distribution 70 avaya com March 2015...

Page 71: ...n and select user id Select Equal To with Format of None check Static Value and enter the read only access user id of userabc Click on OK when done Via Action select Allow Click on the Session Values...

Page 72: ...Avaya Inc External Distribution 72 avaya com March 2015 o When completed you can view the complete policy by clicking on the Access Policy Summary button...

Page 73: ...ticator Type select Avaya via Vendor select ers switches avaya via Device Template and remove the default check via Enable RADIUS Access Under the RADIUS Setting tab uncheck the Enable RADIUS Access s...

Page 74: ...Avaya Inc External Distribution 74 avaya com March 2015 Click on OK when done The configuration should look something like the following...

Page 75: ...March 2015 IDE Step 6 Go to Configuration Site Configuration Access Policies TACACS VSP Policy Name of policy we created in Step 3 above Go to the Identity Routing tab and click on Edit Check the Enab...

Page 76: ...y NotConn 49 10 12 120 120 10 false 10 1 1 81 true Step 2 Verify TACACS users i e assuming a TACACS using a user name of user6 via privilege level 6 has successfully been authenticated VSPswitch 1 con...

Page 77: ...rnal Distribution 77 avaya com March 2015 Permission denied VSPswitch 1 config vlan create 2000 type port mstprstp 0 VSPswitch 1 config vlan members 2000 1 18 8201 1 config vlan members 1900 1 19 Perm...

Page 78: ...ssh aead aes 256 gcm ssh hmac sha1 96 hmac md5 96 o VOSS 4 2 or higher hmac md5 hmac sha1 hmac sha1 96 hmac md5 96 Secure Copy SCP and or Secure File Transfer SFTP are off by default and enabled when...

Page 79: ...n you enable the SSHv2 server To authenticate an SSHv2 client using DSA the administrator must copy the public part of the client DSA key to intflash ssh directory on the VSP switch that is acting as...

Page 80: ...y_rwa RW intflash ssh dsa_key_rw RO intflash ssh dsa_key_ro L3 intflash ssh dsa_key_rwl3 L2 intflash ssh dsa_key_rwl2 L1 intflash ssh dsa_key_rwl Client key with enhanced secure mode enabled Administr...

Page 81: ...H client authentication information using RSA Table 11 RSA authentication access level and file name Client key format Access level File name Client key in IETF format with enhanced secure mode disabl...

Page 82: ...configuration If you are using RADIUS or TACACS for password authentication please setup the RADIUS or TACACS server referring to the sections titled Password Protection using RADIUS Authentication an...

Page 83: ...ion Host Name or IP address enter the IP address of the switch select SSH and click on Open when done Step 6 Click on Yes when prompted with the public key fingerprint You will only be prompted with t...

Page 84: ...com March 2015 Step 4 Enter login credentials Step 5 Using SSH to connect to another switch VSPswitch config 1 1 exit VSPswitch 1 ssh 10 136 56 82 l rwa Trying 10 136 56 82 Are you sure you want to co...

Page 85: ...max sessions 4 timeout 60 action rsa keygen rsa keysize 2048 action dsa keygen dsa keysize 2048 rsa auth true dsa auth true pass auth true enable secure Step 3 Verify SSH session via log file VSPswit...

Page 86: ...e enable both or either of these features again Putty will be used as the SSH Client while Puttygen will be used to generate the DSA key pairs We will use the DSA key names of dsa_key_rwa and vsppriv...

Page 87: ...com March 2015 Step 4 Run Puttygen and select SSH 2 DSA key with 2048 bits and click on Generate to create both a public and private key The public key will be uploaded to the switch You will be promp...

Page 88: ...d twice once for each CPU card In this example the PSCP and SFTP program is located via the directory c putty Please note the file name must use the file naming as shown in table 10 above The file nam...

Page 89: ...assuming the remote switch is a VSP 8200 psftp open rwa 10 136 56 81 Using username rwa rwa 10 136 56 81 s password Remote working directory is intflash psftp cd ssh Remote directory is now intflash s...

Page 90: ...Distribution 90 avaya com March 2015 b Once connected to the switch copy the public key to the intflash ssh directory on the VSP switch Select file from local site and drag to remote switch under the...

Page 91: ...Avaya Inc External Distribution 91 avaya com March 2015 Step 7 Open up Putty scroll down to SSH Auth and select the private key generated above by clicking on the Browse icon and then click on Open...

Page 92: ...Avaya Inc External Distribution 92 avaya com March 2015 Step 8 Go to Session Host Name or IP address enter the IP address of the switch select SSH and click on Open when done...

Page 93: ...Avaya Inc External Distribution 93 avaya com March 2015 Step 9 Enter any user name you like when prompted with the login as prompt and enter the DSA Key passphrase from the DSA key you generated above...

Page 94: ...48 rsa auth true dsa auth true pass auth true enable true Step 3 Verify DSA download public key VSPswitch 1 config ls intflash ssh drwxr xr x 2 0 0 4096 Mar 26 13 34 drwxr xr x 20 0 0 4096 Mar 24 13 2...

Page 95: ...26 Microsoft Internet Explorer version 8 0 You cannot open two HTTP sessions from the same IP address to the same switch using the same browser To open two simultaneous sessions to the same switch yo...

Page 96: ...ord ro wr rwa user name password VSPswitch 1 config web server password rwa admin AdminUser 1234 By default the Web server is configured with the secure only option that requires you to use https ip a...

Page 97: ...Avaya Inc External Distribution 97 avaya com March 2015 Step 3 Login using the credential from step 1...

Page 98: ...e Device menu to refresh and update device information or enable polling Preference Setting Enable polling or hot swap detection Configure the frequency to poll the device Refresh Status Use this opti...

Page 99: ...earning Global MAC Filtering SMLT and SLPP IS IS Use the IS IS menu to view and configure IS IS and Shortest Path Bridging MAC SPBM IP Use the IP menu to view and configure IP routing functions for th...

Page 100: ...server Web Server Info Status on Secure only enabled RWA Username admin RWA Password Def display rows 30 Inactivity timeout 900 sec Html help tftp source dir 10 136 61 50 help VOSSv420_HELP_EDM HttpP...

Page 101: ...alidate the fingerprint VSP9000 and VOSS versions prior to 4 2 support two authentication protocols HMAC MD5 and HMAC SHA 96 for use with USM VOSS 4 2 and later versions support MD5 SHA 1 and SHA 2 Wh...

Page 102: ...ve boot To re enable SNMP access type in the following command VSPswitch config no boot config flags block snmp 8 3 Blocking SNMPv1 2 only If you wish to allow only SNMPv3 access you can disable SNMPv...

Page 103: ...fault VACM group tables provide either read only or read write Read only members can view configuration and performance information Read write members can view configuration and performance informatio...

Page 104: ...ned by the Security Name from the VACM table VSPswitch show snmp server community Community Table Index Name Security Name Transport Tag first readview second initialview To view the SNMP security nam...

Page 105: ...ew Community String To add a new community strings enter the following command VSPswitch config snmp server community name index Comm Idx secname security name Where Parameter Description Comm Idx The...

Page 106: ...ss is controlled via community strings The default read community string is public x while the default read write community string is private x where x equals the VRF instance a number from 1 to 255 T...

Page 107: ...all we have to do is change the VACM table security name from initialview to readview for the SNMP Community security name of second The end result if a user attempts to connect to an VSP switch using...

Page 108: ...first secname readview Step 2 Change the write right access default community string from private to private1234 You must first delete the default read write community string and then add the new comm...

Page 109: ...read only VACM security name of readview VSPswitch 1 config snmp server community readonly index third secname readview Step 2 Create the new read write community using an index name of forth add the...

Page 110: ...both private and enterprise private MIBs Figure 2 MIB Structure To create a new MIB view enter the following command VSPswitch config snmp server view view name subtree oid Enterprise MIBS Standard MI...

Page 111: ...B view named ro_private to exclude the Private branch enter the following Step 1 Create the new MIB view named ro_private VSPswitch 1 config snmp server view ro_private 1 3 6 1 4 8 12 2 Verify Operati...

Page 112: ...zations to protect sensitive information It is also becoming a global standard for commercial software and hardware that uses encryption or other security features Once the DES or AES encryption modul...

Page 113: ...unication with authentication MD5 or SHA and privacy DES or AES We can assign the USM group to either an existing MIB view or we could create a new MIB view and then assign it to the USM group The nex...

Page 114: ...v1v2only v1v2only VACM Group Membership Configuration Sec Model Security Name Group Name snmpv1 readview readgrp snmpv1 sBladeUser sBladeGrp snmpv1 initialview v1v2grp snmpv2c readview readgrp snmpv2...

Page 115: ...ig load encryption module DES Step 2 Add SNMPv3 authPriv User In this example we will use a user name of user1 a MD5 password of user1234 and a DES privacy password of userpriv VSPswitch 1 config snmp...

Page 116: ...20 00 HMAC_MD5 DES PRIVACY user2 0x80 00 08 E0 03 00 80 2D BE 20 00 HMAC_MD5 NO PRIVACY initial 0x80 00 08 E0 03 00 80 2D BE 20 00 NO AUTH NO PRIVACY Step 2 Verify SNMP VACM group and access configura...

Page 117: ...Priv v1v2only org readgrp snmpv2c noAuthNoPriv v1v2only org v1v2grp snmpv1 noAuthNoPriv v1v2only v1v2only v1v2only v1v2grp snmpv2c noAuthNoPriv v1v2only v1v2only v1v2only sBladeGrp snmpv1 noAuthNoPriv...

Page 118: ...Avaya Inc External Distribution 118 avaya com March 2015 v1v2only 1 3 6 1 6 3 16 v1v2only 1 3 6 1 6 3 18...

Page 119: ...m timeout value retries value mms value filter filter profile name Where Variable Value ipv4 ipv6 addr Specifies either an IPv4 or IPv6 address security name security name 1 32 specifies the security...

Page 120: ...p receiver with an target address of 192 168 50 100 using the default notification tag trapTag for SNMPv1 traps VSPswitch 1 config snmp server host 192 168 50 100 v1 readview VSPswitch 1 config snmp s...

Page 121: ...v3 authNoPriv operator Step 2 Verify SNMP trap receiver VSPswitch 1 config show snmp server host Target Address Configuration Target Name TDomain TAddress TMask 4f99cb74d471bada1dc572fa85a1fe51 ipv4 1...

Page 122: ...me MP Model Security Name Sec Level 4f99cb74d471bada1dc572fa85a1fe51 usm operator authNoPriv TparamV1 snmpv1 readview noAuthNoPriv TparamV2 snmpv2c readview noAuthNoPriv c0c5053151fc2c2528f09ef8dea9ae...

Page 123: ...that matches this entry should be permitted to enter the device or denied access Service Indicates the protocol to which this entry should be applied Choices are telnet snmp tftp ftp http rlogin and o...

Page 124: ...r netmask precedence Set access policy precedence rlogin Enable rlogin snmp group Add snmpV3 group under this access policy snmpv3 Enable snmp ssh Enable ssh telnet Enable telnet tftp Enable tftp user...

Page 125: ...ies the access level of the trusted host as one of the following ro readOnly rw readWrite rwa readWriteAll accessstrict Enables or disables strict access criteria for remote users If unchecked a user...

Page 126: ...s policy 1 65535 snmpv3 In regards to the SNMP group name use the following command to display the SNMP VACM group access configuration The default SNMPv1 and SNMPv2c read group name is readgrp while...

Page 127: ...nd HTTP The default SNMPv1 and SNMPv2c VACM read group name is readgrp while the default read write group is v1v2grp For this example we will simple use these VACM groups This can be verified using AC...

Page 128: ...s policy 3 snmp group readgrp snmpv1 VSPswitch 1 config access policy 3 snmp group readgrp snmpv2c Step 4 Setup policy 4 to allow for read write to network 172 30 20 0 24 for telnet and HTTP services...

Page 129: ...snmpv3 access policy 2 snmp group v1v2grp snmpv1 access policy 2 snmp group v1v2grp snmpv2c access policy 3 access policy 3 name policy3 network 172 0 0 0 8 access policy 3 snmpv3 access policy 3 snmp...

Page 130: ...cyEnable true Mode allow Service snmpv3 Precedence 10 NetAddrType ipv4 NetAddr 0 0 0 0 NetMask 0 0 0 0 TrustedHostAddr 172 30 20 21 TrustedHostUserName none AccessLevel readOnly AccessStrict false Usa...

Page 131: ...TrustedHostUserName none AccessLevel readWriteAll AccessStrict true Usage 7597 Step 3 Verify Access Policy Configuration VSPswitch 1 show access policy snmp group snmpv3 groups Policy 1 snmpv3 groups...

Page 132: ...cess policy 3 o Limit Telnet access only to network 172 30 0 0 16 Step 1 Add SNMPv3 user VSPswitch 1 config load encryption module DES VSPswitch 1 config snmp server user user1 group group_1 md5 user1...

Page 133: ...wa VSPswitch 1 config access policy 3 access strict VSPswitch 1 config access policy 3 ssh telnet Step 4 Enable access policies globally VSPswitch 1 config access policy If SNMPv3 access is denied eve...

Page 134: ...cess policy 2 access strict access policy 2 snmpv3 access policy 2 snmp group group_1 usm access policy 3 access policy 3 name policy3 network 172 30 0 0 16 accesslevel rwa access policy 3 access stri...

Page 135: ...0 0 0 0 NetMask 0 0 0 0 TrustedHostAddr 172 30 20 21 TrustedHostUserName none AccessLevel readWriteAll AccessStrict true Usage 0 Id 3 Name policy3 PolicyEnable true Mode allow Service telnet ssh Prece...

Page 136: ...com March 2015 Step 3 Add SNMPv3 user VSPswitch 1 show access policy snmp group snmpv3 groups Policy 1 snmpv3 groups Group Name Snmp Model Policy 2 snmpv3 groups Group Name Snmp Model group_1 usm Pol...

Page 137: ...ya Inc and are registered in the United States and other countries All trademarks identified by TM or SM are registered marks trademarks and service marks respectively of Avaya Inc All other trademark...

Reviews:

No comments