
SNMPv3 Configuration for ProCurve Switches

by Jeremy L. Gaddis on December 22, 2008 · 7 comments

in Networking

I found myself recently setting up new HP ProCurve 5400 switches in production. Because I’m a network guy, I like to keep an eye on them (interface counters, traps, etc.), thus setting up SNMPv3 was necessary. In addition, these devices come (“out of the box”) with a default read-write community string set to — you guessed it — “public”, open to anywhere. That had to be taken care of first.

Setting up SNMPv3:

First, let’s set some basic information so we can track this device amongst all the others:

SWITCH1# conf
SWITCH1(config)# snmp-server location S123
SWITCH1(config)# snmp-server contact jlgaddis

Next, we’ll enable SNMPv3 which, on these 5400s, also has the effect of creating an “initial” user:

SWITCH1(config)# snmpv3 enable
SNMPv3 Initialization process.
Creating user 'initial'
Authentication Protocol: MD5
Enter authentication password: ******
Privacy protocol is DES
Enter privacy password: ******

User 'initial' is created
Would you like to create a user that uses SHA? n

User creation is done.  SNMPv3 is now functional.
Would you like to restrict SNMPv1 and SNMPv2c messages to have read only
access (you can set this later by the command 'snmp restrict-access'): y

What happened here is that an SNMPv3 user (with username “initial”) was automatically created for us. We were prompted for the authentication password and privacy password (note that the protocols were chosen automatically). At this point, I just entered “123456” as I have plans to delete that user anyway. I went ahead and answered “y” to the last question, but I’ll be turning off SNMPv1 and SNMPv2c in a moment regardless.

Let’s configure our switch to only run SNMPv3 and go ahead and create a new SNMPv3 user as well:

SWITCH1(config)# snmpv3 only
SWITCH1(config)# snmpv3 restricted-access
SWITCH1(config)# snmpv3 user cacti auth sha AUTHPASS priv aes PRIVPASS

Here I was setting up a user so that my “graphing application” of choice, cacti, can communicate with the switch to retrieve interface statistics. Substitute your own authentication and privacy passwords above (“AUTHPASS” and “PRIVPASS”). You can change the protocols as well, if you’d like, to MD5 and DES, respectively. I prefer to go the “high security” route whenever possible, however, so that’s what I opted for here. Be sure your management software is compatible with these settings!

Now, we need to assign our “cacti” user to a group that’s appropriate for the level of access we want it to have. I won’t describe all of the ones available (see Chapter 14 of the Management and Configuration Guide for that), but the one I want (in this case) is “operatorauth”. This group provides for “operator” level access (a.k.a. “unprivileged”) and requires authentication. We’ll also specify “sec-model ver3” as an SNMPv3 access group should only use the ver3 security model:

SWITCH1(config)# snmpv3 group operatorauth user cacti sec-model ver3

Okay, almost there! Now we just need to allow SNMP access to the switch from the host that cacti is running on. In my case, it’s 172.30.144.17:

SWITCH1(config)# ip authorized-managers 172.30.144.17 255.255.255.255 access operator access-method snmp

You can change that, of course, to your own IP address (or whole networks — be sure to change the netmask, however). (Note: see comment below from “Newbie” as well.)

At this point, we should be good to go. We could add the device into cacti’s web interface and within a few polling cycles we’ll start to see interface traffic statistics, such as this (from another device):

Finally, there’s one more step that might be necessary, depending upon your switch’s configuration. Because my switch has a loopback address assigned to it, that’s the IP address I want to tell cacti to poll. This method will still allow the switch to be reachable if one (or more) of its interfaces go down (there are multiple routes to it). By default, the ProCurve 5400 will respond to SNMP requests with a source IP address of the interface that the requests were received on, and NOT a source IP matching the original destination of the requests:

SWITCH1(config)# snmp-server response-source dst-ip-of-request

…and that’s it! We can now “speak” SNMPv3 (and ONLY SNMPv3) to our switch. In addition, only the “cacti” user can access it, and only from 172.30.144.17.

That’s a helluva lot better than the default read-write “public” community string that’s accessible from anywhere, huh!?

UPDATE: I forgot the part where I deleted the “initial” user that was created automatically for us. Here’s how that’s done:

SWITCH1(config)# no snmpv3 user initial

Easy enough!
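The whole procedure above boils down to a handful of configuration lines that are easy to get subtly wrong (SNMPv1/v2c left enabled, the “initial” user left behind, a user never assigned to a group, or an “ip authorized-managers” entry that permits SNMP but nothing else, which is exactly the lockout “Newbie” describes in the comments). The following audit script is an added example and is not part of the original post or any HP tool: it parses a configuration written in the command syntax used in this post and reports each hardening step that is missing. Both sample configurations are constructed here, the regular expressions are written against the post’s command syntax rather than verified “show running-config” output, and the script assumes that an authorized-managers entry with no access-method (or “all”) covers every management protocol while one naming a method covers only that method.

```python
"""Audit a ProCurve-style config for the SNMPv3 hardening steps in this post."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the end state reached by following the post, plus the
# ssh/web authorized-managers entries from the "Newbie" comment.
HARDENED_CONFIG = """
snmp-server location S123
snmp-server contact jlgaddis
snmpv3 enable
snmpv3 only
snmpv3 restricted-access
snmpv3 user cacti auth sha AUTHPASS priv aes PRIVPASS
snmpv3 group operatorauth user cacti sec-model ver3
ip authorized-managers 172.30.144.17 255.255.255.255 access operator access-method snmp
ip authorized-managers 10.22.3.0 255.255.255.0 access manager access-method ssh
ip authorized-managers 10.22.3.0 255.255.255.0 access manager access-method web
snmp-server response-source dst-ip-of-request
"""

# Constructed sample: the default "public" community left in place, v1/v2c still
# accepted, the auto-created "initial" user kept, "cacti" never put in a group,
# and an authorized-managers entry that only permits SNMP (lockout risk).
WEAK_CONFIG = """
snmp-server community public unrestricted
snmpv3 enable
snmpv3 user initial auth md5 123456 priv des 123456
snmpv3 user cacti auth sha AUTHPASS priv aes PRIVPASS
ip authorized-managers 172.30.144.17 255.255.255.255 access operator access-method snmp
"""

# Patterns follow the command syntax used in the post; quotes around names are optional.
_COMMUNITY_RE = re.compile(r'^snmp-server community "?(?P<name>[^"\s]+)"?(?P<rest>.*)$')
_USER_RE = re.compile(
    r'^snmpv3 user "?(?P<name>[^"\s]+)"?'
    r'(?:\s+auth\s+(?P<auth>md5|sha)\s+\S+)?'
    r'(?:\s+priv\s+(?P<priv>des|aes)\s+\S+)?\s*$'
)
_GROUP_RE = re.compile(
    r'^snmpv3 group (?P<group>\S+) user "?(?P<name>[^"\s]+)"?(?:\s+sec-model\s+(?P<model>\S+))?'
)
_MGR_RE = re.compile(
    r'^ip authorized-managers (?P<ip>\S+) (?P<mask>\S+)'
    r'(?:\s+access\s+(?P<level>\S+))?(?:\s+access-method\s+(?P<method>\S+))?'
)


def audit_snmp_config(config: str) -> List[str]:
    """Return a list of findings; an empty list means every step in the post is present."""
    findings: List[str] = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    users: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    grouped: Dict[str, Tuple[str, Optional[str]]] = {}
    manager_methods: List[str] = []

    for line in lines:
        if m := _COMMUNITY_RE.match(line):
            if m.group("name") == "public":
                findings.append("default community 'public' is still configured")
            if "unrestricted" in m.group("rest").split():
                findings.append(f"community '{m.group('name')}' has read-write (unrestricted) access")
        elif m := _USER_RE.match(line):
            users[m.group("name")] = (m.group("auth"), m.group("priv"))
        elif m := _GROUP_RE.match(line):
            grouped[m.group("name")] = (m.group("group"), m.group("model"))
        elif m := _MGR_RE.match(line):
            # Assumption: no access-method means the entry covers all methods.
            manager_methods.append(m.group("method") or "all")

    if "snmpv3 only" not in lines:
        findings.append("'snmpv3 only' not set: SNMPv1/v2c messages are still accepted")
    if "snmpv3 restricted-access" not in lines:
        findings.append("'snmpv3 restricted-access' not set")

    for name, (auth, priv) in users.items():
        if name == "initial":
            findings.append("auto-created user 'initial' still exists; remove with 'no snmpv3 user initial'")
        if auth != "sha":
            findings.append(f"user '{name}' uses {auth or 'no'} authentication; prefer sha")
        if priv != "aes":
            findings.append(f"user '{name}' uses {priv or 'no'} privacy; prefer aes")
        if name not in grouped:
            findings.append(f"user '{name}' is not assigned to any snmpv3 group")
    for name, (group, model) in grouped.items():
        if model != "ver3":
            findings.append(f"group '{group}' for user '{name}' uses sec-model {model or '(default)'}, expected ver3")

    # Lockout check from the comments: once authorized-managers is in use, every
    # management protocol you rely on needs its own permitting entry.
    if manager_methods and "all" not in manager_methods:
        for needed in ("ssh", "web"):
            if needed not in manager_methods:
                findings.append(f"ip authorized-managers is in use but no entry permits {needed}: lockout risk")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{label}: {audit_snmp_config(cfg) or ['no findings']}")
```

Run it against a copy of your own configuration (pasted into a string, or read from a file) before cutting over to SNMPv3-only; the “lockout risk” finding is the one to clear before you issue the authorized-managers command over the very session it might cut off.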


mrflash January 20, 2010 at 5:11 am

Superb guide, I’ve been using SNMP and have decided to get my 5412ZL’s set up also. Very useful


Matt Jacobs June 28, 2010 at 3:12 pm

I have a 5412zl that I have added into cacti also. Cacti is only reading my A and B switch modules. I also have switch modules in slots K and L, but cacti does not see them. Any ideas or thoughts on adding a 5412 in cacti correctly would be much appreciated.

Thanks


Newbie June 9, 2011 at 4:00 pm

ummm I just got locked out of switches.. Just a note that adding the ip authorized-managers code disables ssh and web access to the switch. You need to add additional lines to enable those like
ip authorized-managers 10.22.3.0 255.255.255.0 access manager access-method ssh
ip authorized-managers 10.22.3.0 255.255.255.0 access manager access-method web

Also a typo in article. should be
snmpv3 group operatorauth user cacti sec-model ver3

Worked other than that. Thanks


Jeremy L. Gaddis July 14, 2011 at 2:42 am

@Newbie,

You’re correct and I apologize for leaving that out. If you use “ip authorized-managers”, you’ll need separate entries permitting telnet/SSH/web access or you will get locked out. I fixed the typo as well.

-Jeremy


Ric December 12, 2011 at 12:15 pm

You should really put that at the top :-

(Thank God for the serial console!)

