Enable SNMPv3 with enhanced security

  • Question
  • Updated 1 month ago
  • Answered
We are setting up some x460G2 and x440G2 units and we chose the initial option to use "enhanced security", which disables SNMP. We only use SNMPv3 in our environment. We followed the steps in the following link, but that isn't enough: https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-set-up-SNMPv3-on-EXOS

Our config currently looks like this, but we clearly need something else added to get SNMPv3 working:

configure snmpv3 add user "v3admin" engine-id <ID here> authentication md5 auth-encrypted localized-key <auth PW here> privacy privacy-encrypted localized-key <priv PW here>
configure snmpv3 add group "v3group" user "v3admin" sec-model usm
configure snmpv3 add access "v3group" sec-model usm sec-level priv read-view "defaultAdminView" write-view "defaultAdminView" notify-view "defaultAdminView"
disable snmpv3 default-group

Stephen Stormont

Posted 1 month ago


SH

Hello Stephen,

you have to add "enable snmp access" (if needed followed by snmpv3).

Best regards
Stephan

SH

Stephen,

you can check these settings with "show management". In the answer you will find an entry like "SNMP access".

Best regards
Stephan

Stephen Stormont

Well that was easy and somewhat embarrassing. Just to confirm, none of these other settings that this user refers to are needed, correct? https://www.virtualizationhowto.com/2015/09/enable-snmpv3-on-summit-xos-switch-configured-with-enhan...

SH

For a first step your settings are enough, I think.

You should use AES and SHA (not md5) because it's more secure.
You do not need the settings the user did in your post.

If you want a clean system you can delete all initial users and the two groups public and private like in the small black window in your last link.

You added a new user "v3admin" and a new group in your config (your first post) and this user and group are enough for the snmpv3 communication.

Best regards
Stephan

SH

Here is what you can do to clean up the config:

configure snmpv3 delete user "initial" 
configure snmpv3 delete user "initialmd5" 
configure snmpv3 delete user "initialsha" 
configure snmpv3 delete user "initialmd5Priv" 
configure snmpv3 delete user admin
configure snmpv3 delete user initialshaPriv
configure snmpv3 delete community "private"
configure snmpv3 delete community "public"

Stephen Stormont

Is AES256 supported by Extreme Management Center? Devices were reporting in when I had it set to 128, but then Management Center lost contact when I upped it to AES256.

Stephen Stormont

Strange that the switch still lets you configure it even though it isn't supported. Thanks for all of the help!
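
An added example, not written by anyone in the thread and not Extreme's own tooling: a small Python check that runs the thread's advice (enable SNMP access, SHA and AES instead of MD5, disable the default group, delete the default users and communities) over a planned command set. The function name, the finding strings and the `aes` keyword after `privacy` are assumptions; the sample input is the first post's configuration with its placeholders kept.

```python
# Added example: audits a planned EXOS SNMPv3 command set against the thread's advice.
DEFAULT_USERS = ["initial", "initialmd5", "initialsha", "initialmd5Priv",
                 "initialshaPriv", "admin"]          # names from the cleanup post
DEFAULT_COMMUNITIES = ["private", "public"]          # names from the cleanup post

def _after(tokens, key):
    """Token following `key`, or None if `key` is absent or is the last token."""
    return tokens[tokens.index(key) + 1] if key in tokens[:-1] else None

def audit_snmpv3(commands):
    """Return a list of findings (strings); an empty list means every check passed."""
    seen, deleted, findings = set(), set(), []
    for line in commands.splitlines():
        t = line.replace('"', "").split()            # drop quotes, split on spaces
        head = " ".join(t[:4])
        if t[:3] == ["enable", "snmp", "access"]:
            seen.add("access")
        elif t[:3] == ["disable", "snmpv3", "default-group"]:
            seen.add("no-default-group")
        elif head in ("configure snmpv3 delete user",
                      "configure snmpv3 delete community") and len(t) > 4:
            deleted.add((t[3], t[4]))
        elif head == "configure snmpv3 add user" and len(t) > 4:
            if _after(t, "authentication") != "sha":
                findings.append(f"user {t[4]}: authentication is not SHA")
            # Assumption: AES is selected by an `aes` keyword after `privacy`.
            if _after(t, "privacy") != "aes":
                findings.append(f"user {t[4]}: privacy is not AES")
    if "access" not in seen:
        findings.append("SNMP access still disabled: 'enable snmp access' missing")
    if "no-default-group" not in seen:
        findings.append("default group still enabled")
    findings += [f"default user {u} not deleted" for u in DEFAULT_USERS
                 if ("user", u) not in deleted]
    findings += [f"default community {c} not deleted" for c in DEFAULT_COMMUNITIES
                 if ("community", c) not in deleted]
    return findings

# Constructed input: the command set from the first post, placeholders kept.
THREAD_CONFIG = """\
configure snmpv3 add user "v3admin" engine-id <ID here> authentication md5 auth-encrypted localized-key <auth PW here> privacy privacy-encrypted localized-key <priv PW here>
configure snmpv3 add group "v3group" user "v3admin" sec-model usm
configure snmpv3 add access "v3group" sec-model usm sec-level priv read-view "defaultAdminView" write-view "defaultAdminView" notify-view "defaultAdminView"
disable snmpv3 default-group
"""

if __name__ == "__main__":
    for finding in audit_snmpv3(THREAD_CONFIG):
        print("-", finding)
```

The check reads a list of commands you intend to apply, not the switch's running state, so confirm the result on the device with "show management" as described in the thread.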