SNMPv3 Configuration for Dell PowerConnect 3500 Series

So apparently SNMP should be secured. Disable write access if you don’t need it, and use SNMPv3 instead of the other versions.

I set up some ProCurve switches recently, and evilrouters.net had a great writeup on configuring SNMPv3. So configured me some ProCurve and went on my way.

Then came my Dell PowerConnect 3548P. I bought it before I decided to go with ProCurve for all the switches, but since it ain’t broke, let’s secure it.

Ideally, I’d configure it similar to the ProCurve switches, so that I can monitor it the same with Cacti and Spiceworks. I was able to map the ProCurve commands to PowerConnect speak for most of it, but I ran into a spot where the Dell documentation is painfully unclear:

auth-sha-key sha-des-keys — Indicates the HMAC-SHA-96 authentication level. The user should enter a concatenated hexadecimal string of the SHA key (MSB) and the privacy key (LSB). If authentication is only required, 20 bytes should be entered; if authentication and privacy are required, 36 bytes should be entered. Each byte in the hexadecimal character string is two hexadecimal digits. Each byte can be separated by a period or colon. (20 or 36 bytes)

Dell PowerConnect 3500 Series CLI Reference Guide, p354

In ProCurve land, I enter in plaintext passwords for both authentication and privacy, and it hashes that out for me, but here in the Dell universe, I haven’t the slightest idea how to make a key.

After a few hours of head scratching, here’s what I did.

You’ll need:

  • CLI access to your switch
  • A Linux machine. I’m using Ubuntu Server.

Log into your switch and type:


enable
show snmp engine id

It’ll spit out an engineID. Make note of that ID.

On your Linux machine, you’ll need to install the snmpkey utility. I did it with the following:


sudo apt-get install libnet-snmp-perl libcrypt-des-perl libdigest-hmac-perl

Then, run the following command to generate the mysterious keys:


snmpkey sha <auth_password> <engine_id> des <priv_password>

It should return an authKey and a privKey.

Back on your switch, move up to the config mode (type enable and config), then create an SNMPv3 group:


snmp-server group operatorauth v3 priv 

Then create the user and assign it to that group:

snmp-server user snmpuser operatorauth auth-sha-key <authKey><privKey>

Make sure there’s no space between the authKey and the privKey. This will create a user named snmpuser. And you’re done!

If you’ve got snmpwalk installed on your Linux server, test the connection with:


snmpwalk -v 3 -a SHA -A <auth_password> -u snmpuser -l authPriv -x DES -X <priv_password> <ip_of_switch>

With any luck, you should see a stream of OIDs.
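
The 36-byte string the Dell guide asks for can also be derived directly with the RFC 3414 password-to-key algorithm (SHA-1 over the passphrase repeated to 1 MiB, then localized with the engine ID), which is the same derivation snmpkey performs. This Python version is an added example, not code from the original post or from Dell; the function names are hypothetical and the sample passphrase and engine ID are the RFC 3414 A.3.2 test vector, not real credentials.

```python
import hashlib

def parse_engine_id(text: str) -> bytes:
    """Engine ID as hex; optional 0x prefix and ':' or '.' separators allowed."""
    cleaned = text.strip().lower()
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    return bytes.fromhex(cleaned.replace(":", "").replace(".", ""))

def localized_key(password: str, engine_id: bytes) -> bytes:
    """RFC 3414 A.2.2 password-to-key with SHA-1, localized to one engine ID."""
    pw = password.encode()
    if len(pw) < 8:
        # net-snmp tools such as snmpwalk reject shorter passphrases
        raise ValueError("passphrase must be at least 8 characters")
    # Ku: SHA-1 over the passphrase repeated cyclically to exactly 1,048,576 bytes
    reps, rem = divmod(1048576, len(pw))
    ku = hashlib.sha1(pw * reps + pw[:rem]).digest()
    # Kul: bind the user key to this switch so it is useless on another engine
    return hashlib.sha1(ku + engine_id + ku).digest()

def dell_auth_priv_key(auth_password: str, priv_password: str,
                       engine_id_hex: str) -> str:
    """Concatenated authKey (20 bytes) + DES privKey (16 bytes) as 72 hex digits."""
    engine_id = parse_engine_id(engine_id_hex)
    auth_key = localized_key(auth_password, engine_id)
    # The DES privacy key is the first 16 bytes of the localized key
    # (8 bytes of DES key followed by 8 bytes of pre-IV).
    priv_key = localized_key(priv_password, engine_id)[:16]
    return (auth_key + priv_key).hex()

if __name__ == "__main__":
    # Constructed sample input: RFC 3414 A.3.2 test vector, not a real switch.
    sample_engine = "00:00:00:00:00:00:00:00:00:00:00:02"
    key = dell_auth_priv_key("maplesyrup", "maplesyrup", sample_engine)
    print("auth-sha-key argument:", key)
```

For real use, read the two passphrases with getpass.getpass() rather than passing them as arguments, so they do not end up in shell history or the process list.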

If anyone has a smarter way to generate the keys, please let me know in the comments!