So apparently SNMP should be secured. Disable write access if you don’t need it, and use SNMPv3 instead of the other versions.
I set up some ProCurve switches recently, and evilrouters.net had a great writeup on configuring SNMPv3. So configured me some ProCurve and went on my way.
Then came my Dell PowerConnect 3548P. I bought it before I decided to go with ProCurve for all the switches, but since it ain’t broke, let’s secure it.
Ideally, I’d configure it similar to the ProCurve switches, so that I can monitor it the same with Cacti and Spiceworks. I was able to map the ProCurve commands to PowerConnect speak for most of it, but I ran into a spot where the Dell documentation is painfully unclear:
auth-sha-key sha-des-keys — Indicates the HMAC-SHA-96 authentication level. The user should enter a concatenated hexadecimal string of the SHA key (MSB) and the privacy key (LSB). If authentication is only required, 20 bytes should be entered; if authentication and privacy are required, 36 bytes should be entered. Each byte in the hexadecimal character string is two hexadecimal digits. Each byte can be separated by a period or colon. (20 or 36 bytes)
In ProCurve land, I enter in plaintext passwords for both authentication and privacy, and it hashes that out for me, but here in the Dell universe, I haven’t the slightest idea how to make a key.
After a few hours of head scratching, here’s what I did.
You’ll need:
- CLI access to your switch
- A Linux machine. I’m using Ubuntu Server.
Log into your switch and type:
enable
show snmp engine id
It’ll spit out an engineID. Make note of that ID.
On your Linux machine, you’ll need to install the snmpkey utility. I did it with the following:
sudo apt-get install libnet-snmp-perl libcrypt-des-perl libdigest-hmac-perl
Then, run the following command to generate the mysterious keys:
snmpkey sha <auth_password> <engine_id> des <priv_password>
It should return an authKey and a privKey.
Back on your switch, move up to the config mode (type enable and config), then create an SNMPv3 group:
snmp-server group operatorauth v3 priv
Then create the user and assign it to that group:
snmp-server user snmpuser operatorauth auth-sha-key <authKey><privKey>
Make sure there’s no space between the authKey and the privKey. This will create a user named snmpuser. And you’re done!
If you’ve got snmpwalk installed on your Linux server, test the connection with:
snmpwalk -v 3 -a SHA -A <auth_password> -u snmpuser -l authPriv -x DES -X <priv_password> <ip_of_switch>
With any luck, you should see a stream of OIDs.
If anyone has a smarter way to generate the keys, please let me know in the comments!
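For reference, the key derivation behind the steps above can be reproduced with the RFC 3414 password-to-key algorithm. This is an added example, not code from the original post or from snmpkey; the function names are this example's own, the sample passwords and engine ID are constructed, and it assumes the switch wants the 20-byte localized SHA key followed by the first 16 bytes of the localized privacy key, matching the 36-byte description in the Dell documentation quoted above.

```python
import hashlib

def parse_engine_id(text):
    """Accept hex with an optional 0x prefix and ':', '.', '-' or space separators."""
    cleaned = text.strip().lower()
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    for sep in ":.- ":
        cleaned = cleaned.replace(sep, "")
    return bytes.fromhex(cleaned)

def localized_key(password, engine_id, algo="sha1"):
    """RFC 3414 A.2: stretch the password to 1 MiB, hash it, then localize."""
    pw = password.encode()
    if not pw:
        raise ValueError("password must not be empty")
    # The password is repeated end to end until exactly 1,048,576 bytes are hashed.
    reps, rem = divmod(1048576, len(pw))
    ku = hashlib.new(algo, pw * reps + pw[:rem]).digest()
    # Localization binds the key to one device: H(Ku || engineID || Ku)
    return hashlib.new(algo, ku + engine_id + ku).digest()

def sha_des_key_string(auth_password, priv_password, engine_id_text):
    """Concatenate the 20-byte SHA auth key and 16-byte DES privacy key as hex."""
    engine_id = parse_engine_id(engine_id_text)
    auth_key = localized_key(auth_password, engine_id)
    # The privacy key is localized with the auth hash; DES uses its first 16 bytes.
    priv_key = localized_key(priv_password, engine_id)[:16]
    return (auth_key + priv_key).hex()

if __name__ == "__main__":
    # Constructed sample values; substitute your own passwords and engine ID.
    print(sha_des_key_string("auth-pass-example", "priv-pass-example",
                             "80:00:02:a2:03:00:11:22:33:44:55"))
```

The resulting hex string is equivalent to the two passwords for that one engine ID, so treat it as a secret.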
4 replies on “SNMPv3 Configuration for Dell PowerConnect 3500 Series”
Thanks to your post, I figured out how I needed to configure SNMPv3 on my PowerConnect 6248.
Not sure if it works for your switch, but using the commands below I didn’t need to generate the keys up front, but I could make up my own keys.
Ramon Bruin
snmp-server engineID local default
snmp-server group v3 priv write Default
snmp-server user auth-sha priv-des
Seems the page deleted the fields enclosed by <
Correct syntax:
snmp-server engineID local default
snmp-server group *groupname* v3 priv write Default
snmp-server user *username* *groupname* auth-sha *auth pass* priv-des *priv pass*
Thanks for figuring that out! I’ll have to try it the next time I need to run through this config.
Please be advised that a PowerConnect 6200 and PowerConnect 3500 have very different CLIs – so what works on a 6200 will often not work in the same way on a PCT3500 / PCT5500.