We will now continue where we left off in Part 1 of this guide.
C. SNMPv3 with level AuthPriv
Configure the HP Comware network device with SNMP group V3authPriv and username snmp3user, authentication password snmpauthpass and privacy password snmpprivpass, using hash mode MD5 and encryption mode AES128
snmp-agent group v3 V3authPriv privacy
snmp-agent usm-user v3 snmp3user V3authPriv authentication-mode md5 snmpauthpass privacy-mode aes128 snmpprivpass
Verify configuration with these display commands
# display snmp-agent group
Group name: V3authPriv
Security model: v3 AuthPriv
Readview: ViewDefault
Writeview: <no specified>
Notifyview: <no specified>
Storage-type: nonVolatile
# display snmp-agent usm-user
User name: snmp3user
Group name: V3authPriv
Engine ID: 8000000B0320FDF1EB0ED9
Storage-type: nonVolatile
UserStatus: active
Test the configuration using the snmpwalk tool
# snmpwalk -v 3 -u snmp3user -l authPriv -a MD5 -A snmpauthpass -x AES -X snmpprivpass 192.168.200.11 system
SNMPv2-MIB::sysDescr.0 = STRING: HP A5120-24G SI Switch Software Version 5.20, Release 1513P86
Copyright(c) 2010-2014 Hewlett-Packard Development Company, L.P.
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.25506.11.1.12
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (750582438) 86 days, 20:57:04.38
SNMPv2-MIB::sysContact.0 = STRING: ([email protected] / 04xxxxxxx)
SNMPv2-MIB::sysName.0 = STRING: HP-TEST-SWITCH-5120
SNMPv2-MIB::sysLocation.0 = STRING: HP-TEST-SWITCH-5120
SNMPv2-MIB::sysServices.0 = INTEGER: 78
If you get a response similar to the one above, this confirms SNMP version 3 with AuthPriv is working.
Restricting access to the SNMP agent
Define the ACL (Access Control List)
acl number 2000 name SNMP-Management-ACL
rule 10 remark # Network Monitoring Server #
rule 10 permit source <monitoring_server_ip> 0
!# additional rules if needed
quit
Apply the ACL to the SNMP group; in this example it's V3authPriv
snmp-agent group v3 V3authPriv privacy acl 2000
Testing the SNMP configuration from an unauthorized host should give a response similar to the one below
# snmpwalk -v 3 -u snmp3user -l authPriv -a MD5 -A snmpauthpass -x AES -X snmpprivpass 192.168.200.11 system
Timeout: No Response from 192.168.200.11
Debugging SNMP connections
Enable console to display debugging logs
# terminal monitor
# terminal debugging
Enable SNMP debugging, below are the recommended ones
# debugging snmp agent packet header
# debugging snmp agent process txrx
Check debugging status
# display debugging
SNMP agent packet header debugging switch is on
SNMP agent process TXRX info debugging switch is on
SNMP agent process TXRX warning debugging switch is on
SNMP agent process TXRX error debugging switch is on
Sample console debugging logs
*Jan 21 08:35:20:542 2015 HP-TEST-SWITCH-5120 SNMP/7/TXRX_INFO:
receive PDU through IPv4 socket at 08:35:20 (PDU size: 64)
*Jan 21 08:35:20:544 2015 HP-TEST-SWITCH-5120 SNMP/7/HEADER:
incoming SNMPv3 packet
security model: v3
security level: noAuthNoPriv
user name:
snmpEngineID:
snmpEngineBoots: 0
snmpEngineTime: 0
*Jan 21 08:35:20:546 2015 HP-TEST-SWITCH-5120 SNMP/7/TXRX_INFO:
send PDU through IPv4 socket at 08:35:20 (PDU size: 113)
*Jan 21 08:35:20:547 2015 HP-TEST-SWITCH-5120 SNMP/7/TXRX_WARNING:
failed to read queue while receiving PDU
*Jan 21 08:35:20:559 2015 HP-TEST-SWITCH-5120 SNMP/7/TXRX_INFO:
receive PDU through IPv4 socket at 08:35:20 (PDU size: 132)
*Jan 21 08:35:20:560 2015 HP-TEST-SWITCH-5120 SNMP/7/HEADER:
incoming SNMPv3 packet
security model: v3
security level: authPriv
user name: snmp3user
snmpEngineID: 8000000B0320FDF1EB0ED9
snmpEngineBoots: 5
snmpEngineTime: 63352
*Jan 21 08:35:20:561 2015 HP-TEST-SWITCH-5120 SNMP/7/TXRX_WARNING:
failed to read queue while receiving PDU
*Jan 21 08:35:20:562 2015 HP-TEST-SWITCH-5120 SNMP/7/TXRX_INFO:
send PDU through IPv4 socket at 08:35:20 (PDU size: 273)
*Jan 21 08:35:20:573 2015 HP-TEST-SWITCH-5120 SNMP/7/TXRX_INFO:
receive PDU through IPv4 socket at 08:35:20 (PDU size: 134)
*Jan 21 08:35:20:574 2015 HP-TEST-SWITCH-5120 SNMP/7/HEADER:
incoming SNMPv3 packet
security model: v3
security level: authPriv
user name: snmp3user
snmpEngineID: 8000000B0320FDF1EB0ED9
snmpEngineBoots: 5
snmpEngineTime: 63352
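The HEADER records in this debug output can be summarized offline to confirm that only the expected user and security level reach the agent. The Python below is an added example, not part of the original guide or of HP's tooling; it assumes the log layout shown above, and the third sample record (user name guest) is constructed. The first noAuthNoPriv packet with an empty user name and engine ID is the normal SNMPv3 engine ID discovery probe, so it is labelled separately rather than flagged.

```python
import re

ALLOWED_USERS = {"snmp3user"}   # from the usm-user line on this page
REQUIRED_LEVEL = "authPriv"     # the group was created with "privacy"
STAMP = re.compile(r"^\*(\w{3} +\d+ [\d:]+ \d{4}) \S+ SNMP/7/(\w+):")
FIELD = re.compile(r"^\s*(security level|user name|snmpEngineID):\s*(.*)$")

def parse_headers(log_text):
    """Return one dict per SNMP/7/HEADER record in the debug output."""
    records, current = [], None
    for line in log_text.splitlines():
        m = STAMP.match(line)
        if m:  # any new timestamped record ends the previous HEADER block
            current = {"time": m.group(1)} if m.group(2) == "HEADER" else None
            if current is not None:
                records.append(current)
            continue
        f = FIELD.match(line)
        if current is not None and f:
            current[f.group(1)] = f.group(2).strip()
    return records

def classify(rec):
    """Label a record: discovery, ok, or the reason it deserves a look."""
    level, user = rec.get("security level", ""), rec.get("user name", "")
    if level == "noAuthNoPriv" and not user and not rec.get("snmpEngineID"):
        return "discovery"   # RFC 3414 engine ID discovery probe
    if user not in ALLOWED_USERS:
        return "unknown-user"
    return "ok" if level == REQUIRED_LEVEL else "weak-level"

# Records 1 and 2 are copied from the page's log; record 3 is constructed.
SAMPLE = """\
*Jan 21 08:35:20:544 2015 HP-TEST-SWITCH-5120 SNMP/7/HEADER:
security level: noAuthNoPriv
user name:
snmpEngineID:
*Jan 21 08:35:20:560 2015 HP-TEST-SWITCH-5120 SNMP/7/HEADER:
security level: authPriv
user name: snmp3user
snmpEngineID: 8000000B0320FDF1EB0ED9
*Jan 21 08:35:21:001 2015 HP-TEST-SWITCH-5120 SNMP/7/HEADER:
security level: authNoPriv
user name: guest
snmpEngineID: 8000000B0320FDF1EB0ED9
"""

if __name__ == "__main__":
    print([(r["time"], classify(r)) for r in parse_headers(SAMPLE)])
```

Records labelled unknown-user or weak-level are the ones to compare against the ACL and group settings configured earlier.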
I hope this guide will assist anyone working with SNMPv3 with HP Comware 5.2.