How do you change the default SNMP Community string on an Enterasys C3?

  • 0
  • 1
  • Question
  • Updated 2 years ago
  • Answered
  • (Edited)
How do you change the default SNMP Community string on an Enterasys C3?
Photo of Robert Lawrence

Robert Lawrence

  • 182 Points 100 badge 2x thumb

Posted 2 years ago

  • 0
  • 1
Photo of Daniel Coughlin

Daniel Coughlin, Employee

  • 2,618 Points 2k badge 2x thumb
Photo of Daniel Coughlin

Daniel Coughlin, Employee

  • 2,618 Points 2k badge 2x thumb
this article is geared towards the modular products but is similar to the stacks.  If I run across the stack version I will attach it.

 How to configure SNMP v3 on S/N/K/7100 Series
Photo of Daniel Coughlin

Daniel Coughlin, Employee

  • 2,618 Points 2k badge 2x thumb
Photo of Robert Lawrence

Robert Lawrence

  • 182 Points 100 badge 2x thumb
I forgot to add a description so here is some more information on what is going on.

I've been asked to change the default SNMP (public by default) community strings on my Enterasys C2/C3 switches.  When I type "clear snmp community public", I can' no longer see the switch in my management software (which is to be expected).  However, when i type "set snmp community whatever" and try to reattach with my management software, it will not allow me.

Now,  if I go back and "set snmp community public", I can connect via my management software using either the public string or the whatever string.

I've also noticed if I do "show config snmp" after running "clear snmp community public", I see that exact command in the config.  Normally if I run show config after running a clear command, I don't see the clear command listed in the config.  Not sure if this has anything to do with it, just trying to give as much information as I can.

Any assistance would be greatly appreciated.
Photo of Daniel Coughlin

Daniel Coughlin, Employee

  • 2,608 Points 2k badge 2x thumb
The cli normally shows only non default settings.  Snmp has some basic settings that are visible as a clue that they should be changed.  So  "clear snmp community public" would be non default.

What management software are you using and is it configured with the "whatever" in place of public?
Photo of Robert Lawrence

Robert Lawrence

  • 182 Points 100 badge 2x thumb
I'm using Spiceworks Network Monitoring for testing purposes at the moment.  I have configured to use the "whatever" in place of public. 
Photo of Erik Auerswald

Erik Auerswald, Embassador

  • 12,782 Points 10k badge 2x thumb
Hi Robert,

you can use
show snmp access
to check the configured SNMP access methods.

Erik
Photo of Daniel Coughlin

Daniel Coughlin, Employee

  • 2,618 Points 2k badge 2x thumb
I found the securestack article for using the USM / snmp v3.

How to configure SNMP version 3 on Securestack switches
Photo of Paulo Silva

Paulo Silva

  • 480 Points 250 badge 2x thumb
Hi Robert.

I use this "script" and test by snmpwalk.

Clear snmp default
clear snmp access ro security-model v1

clear snmp access ro security-model v2c

clear snmp access public security-model v1

clear snmp access public security-model v2c

clear snmp access public security-model usm

clear snmp community public

clear snmp group ro ro secu v1

clear snmp group public public sec v1

clear snmp group ro ro security-model v2c

clear snmp group public public security-model v2c

clear snmp group public public security-model usm 

clear snmp user public



Configure snmpv3

set snmp group <group_name> user <user> security-model usm

set snmp user <user> authentication sha <secret> encryption des privacy <secret> nonvolatile

set snmp access <access_name> security-model usm privacy exact read All notify All write All nonvolatile

 Test snmpwalk

snmpwalk -v 3 -a SHA -A <secret> -u <user> -x des -X <secret> -l authPriv <host>
Photo of Rich Upshaw

Rich Upshaw

  • 1,140 Points 1k badge 2x thumb
ABC Series are a bit different than the others in terms of clearing out default snmp configuration and I've found that the little nuances are tricky as well.  Normally, when I start working with the C's, I clear out everything and then put in my own snmp v3 config:
clear snmp access ro security-model v1
clear snmp access ro security-model v2c 
clear snmp access public security-model v1 
clear snmp access public security-model v2c
clear snmp access public security-model usm
clear snmp group ro ro security-model v1
clear snmp group ro ro security-model v2c
clear snmp group public public security-model v1
clear snmp group public public security-model v2c
clear snmp user public

Then:
set snmp group <groupname> user <username> security-model usm
set snmp access <groupname> security-model usm privacy exact read All write All notify All nonvolatile set snmp user <username> authentication md5 <authpassword> encryption des privacy <privacypassword>
That's it in a nutshell.  You can change around your authentication algorithm and privacy encryption to match your nms.
Photo of Rich Upshaw

Rich Upshaw

  • 1,140 Points 1k badge 2x thumb
One more thing:  You need to specify an interface to communicate over via snmp for the C series such as a loopback or an interface VLAN.


set snmp interface vlan 510
Photo of Jason Parker

Jason Parker, Employee

  • 2,908 Points 2k badge 2x thumb
On the securestacks you will have 2 SNMP community lines by default
1. Set snmp community public
2. set snmp community :3fb03022e4966512343b511c263dcf1240739359ec6cad7d8c6277007e7e0657521e0641967b150156 ( which is also public)
After you cleared them and want to set one it back
To basically return to the default setting for community name public
Set snmp community public
Or You want a new community name then:use
Set snmp community abc123
Your done

Now basically use the commands after "then" by Rich, but there is one gotcha and that is the last command with the set
Snmp user abc123 Authentication md5 xxx
It will give you an error every time

That is because you need to know the encryption of your md5 and des password and most likely do not know it so use the command
set snmp user abc123 authentication md5 Sneakernet privacy Sneakernet it will encypt both Sneakernet passwords for you
This can be seen with the command
Show config snmp
****
A note of interest for SNMPV3 configuration
You will not need a snmp community if you are using USM which is actually SNMpv3
Jason
Photo of Erik Auerswald

Erik Auerswald, Embassador

  • 12,782 Points 10k badge 2x thumb
Hi,

C3 (and the other EOS devices) need an SNMP user and group for SNMPv1/v2c as well, not just for SNMPv3. Thus it is not sufficient to configure only a new community string. If you really want to use SNMPv1 (with community WHATEVER), you could do it as follows:
set snmp access WHATEVER security-model v1 exact read All write All notify All nonvolatile
set snmp group WHATEVER user WHATEVER security-model v1
set snmp community WHATEVER
You can replace v1 with v2c to use SNMP version 2 with community string.

I recommend to always use SNMPv3 instead of v1 or v2c.

Erik
Photo of Robert Lawrence

Robert Lawrence

  • 182 Points 100 badge 2x thumb
First off, thanks all for the advice and help.  I think I have it figured out because of all of the above responses.  One thing I'm confused about when using v1 and v2:  Does the group and user name have to match the community string?  If so, why does the EOS hash the community string in the "show config snmp" output, but leaves the group name and user name plain text?