SNMPv3 Configuration for Dell PowerConnect 3500 Series

So apparently SNMP should be secured. Disable write access if you don’t need it, and use SNMPv3 instead of the other versions.

I setup some ProCurve switches recently, and evilrouters.net had a great writeup on configuring SNMPv3. So configured me some ProCurve and went on my way.

Then came my Dell PowerConnect 3548P. I bought it before I decided to go with ProCurve for all the switches, but since it ain’t broke, let’s secure it.

Ideally, I’d configure it similar to the ProCurve switches, so that I can monitor it the same with Cacti and Spiceworks. I was able to map the ProCurve commands to PowerConnect speak for most of it, but I run into a spot where the Dell documentation is painfully unclear:

auth-sha-key sha-des-keys — Indicates the HMAC-SHA-96 authentication level. The user should enter a concatenated hexadecimal string of the SHA key (MSB) and the privacy key
(LSB). If authentication is only required, 20 bytes should be entered; if authentication and
privacy are required, 36 bytes should be entered. Each byte in the hexadecimal character
string is two hexadecimal digits. Each byte can be separated by a period or colon. (20 or 36 bytes)

Dell PowerConnect 3500 Series CLI Reference Guide, p354

In ProCurve land, I enter in plaintext passwords for both authentication and privacy, and it hashes that out for me, but here in the Dell universe, I haven’t the slightest idea how to make a key.

After a few hours of head scratching, here’s what I did.

You’ll need:

  • CLI access to your switch
  • A linux machine. I’m using Ubuntu Server.

Log into your switch and type:


enable
show snmp engine id

It’ll spit out an engineID. Make note of that ID.

On your linux machine, you’ll need to install the snmpkey utility. I did it with the following:


sudo apt-get install libnet-snmp-perl libcrypt-des-perl libdigest-hmac-perl

Then, run the following command to generate the mysterious keys:


snmpkey sha <auth_password> <engine_id> des <priv_password>

It should return an authKey and a privKey.

Back on your switch, move up to the config mode (type enable and config), then create a SNMPv3 group:


snmp-server group operatorauth v3 priv 

Then create the user and assigned it to that group:

snmp-server user snmpuser operatorauth auth-sha-key <authKey><privKey>

Make sure there’s no space between the authKey and the privKey. This will create a user named snmpuser. And you’re done!

If you’ve got snmpwalk installed on your linux server, test the connection with:


snmpwalk -v 3 -a SHA -A <auth_password> -u snmpuser -l authPriv -x DES -X <priv_password> <ip_of_switch>

With any luck, you should see a stream of OIDs.

If anyone has a smarter way to generate the keys, please let me know in the comments!

This entry was posted in System Administration and tagged , , , , , , , . Bookmark the permalink. Post a comment or leave a trackback: Trackback URL.

4 Comments