{"id":368,"date":"2013-08-01T13:52:44","date_gmt":"2013-08-01T21:52:44","guid":{"rendered":"https:\/\/digitalcardboard.com\/blog\/?p=368"},"modified":"2013-08-01T14:22:42","modified_gmt":"2013-08-01T22:22:42","slug":"snmpv3-configuration-for-dell-powerconnect-3500-series","status":"publish","type":"post","link":"https:\/\/digitalcardboard.com\/blog\/2013\/08\/01\/snmpv3-configuration-for-dell-powerconnect-3500-series\/","title":{"rendered":"SNMPv3 Configuration for Dell PowerConnect 3500 Series"},"content":{"rendered":"<p>So apparently <a href=\"http:\/\/www.google.com\/search?q=secure+SNMP\" target=\"_blank\">SNMP should be secured<\/a>. Disable write access if you don\u2019t need it, and use SNMPv3 instead of the other versions.<\/p>\n<p>I set up some ProCurve switches recently, and <a href=\"http:\/\/evilrouters.net\/2008\/12\/22\/snmpv3-configuration-for-procurve-5400s\/\" target=\"_blank\">evilrouters.net had a great writeup on configuring SNMPv3<\/a>. So configured me some ProCurve and went on my way.<\/p>\n<p>Then came my Dell PowerConnect 3548P. I bought it before I decided to go with ProCurve for all the switches, but since it ain\u2019t broke, let\u2019s secure it.<\/p>\n<p>Ideally, I\u2019d configure it similar to the ProCurve switches, so that I can monitor it the same way with <a href=\"http:\/\/www.cacti.net\/\" target=\"_blank\">Cacti<\/a> and <a href=\"http:\/\/www.spiceworks.com\/\" target=\"_blank\">Spiceworks<\/a>. I was able to map the ProCurve commands to PowerConnect speak for most of it, but I ran into a spot where the Dell documentation is <em>painfully<\/em> unclear:<\/p>\n<blockquote><p><strong>auth-sha-key<\/strong> <em>sha-des-keys<\/em> \u2014 Indicates the HMAC-SHA-96 authentication level. The user should enter a concatenated hexadecimal string of the SHA key (MSB) and the privacy key<br \/>\n(LSB). If authentication is only required, 20 bytes should be entered; if authentication and<br \/>\nprivacy are required, 36 bytes should be entered. 
Each byte in the hexadecimal character<br \/>\nstring is two hexadecimal digits. Each byte can be separated by a period or colon. (20 or 36 bytes)<\/p>\n<p><em><a href=\"ftp:\/\/ftp.dell.com\/Manuals\/Common\/powerconnect-3524_Reference%20Guide_en-us.pdf\" target=\"_blank\">Dell PowerConnect 3500 Series CLI Reference Guide<\/a>, p354<\/em><\/p><\/blockquote>\n<p>In ProCurve land, I enter in plaintext passwords for both authentication and privacy, and it hashes that out for me, but here in the Dell universe, I haven\u2019t the slightest idea how to make a key.<\/p>\n<p>After a few hours of head scratching, here\u2019s what I did.<\/p>\n<p>You\u2019ll need:<\/p>\n<ul>\n<li>CLI access to your switch<\/li>\n<li>A Linux machine. I\u2019m using Ubuntu Server.<\/li>\n<\/ul>\n<p>Log into your switch and type:<\/p>\n<pre><code>\r\nenable\r\nshow snmp engine id<\/code><\/pre>\n<p>It\u2019ll spit out an <em>engineID<\/em>. Make note of that ID.<\/p>\n<p>On your Linux machine, you\u2019ll need to install the <em>snmpkey<\/em> utility. I did it with the following:<\/p>\n<pre><code>\r\nsudo apt-get install libnet-snmp-perl libcrypt-des-perl libdigest-hmac-perl<\/code><\/pre>\n<p>Then, run the following command to generate the mysterious keys:<\/p>\n<pre><code>\r\nsnmpkey sha <em>&lt;auth_password&gt; &lt;engine_id&gt;<\/em> des <em>&lt;priv_password&gt;<\/em><\/code><\/pre>\n<p>It should return an <em>authKey<\/em> and a <em>privKey<\/em>.<\/p>\n<p>Back on your switch, move up to the config mode (type <strong>enable<\/strong> and <strong>config<\/strong>), then create an SNMPv3 group:<\/p>\n<pre><code>\r\nsnmp-server group operatorauth v3 priv <\/code><\/pre>\n<p>Then create the user and assign it to that group:<\/p>\n<pre><code>snmp-server user snmpuser operatorauth auth-sha-key <em>&lt;authKey&gt;&lt;privKey&gt;<\/em><\/code><\/pre>\n<p>Make sure there\u2019s no space between the <em>authKey<\/em> and the <em>privKey<\/em>. This will create a user named <em>snmpuser<\/em>. 
And you\u2019re done!<\/p>\n<p>If you\u2019ve got <em>snmpwalk<\/em> installed on your Linux server, test the connection with:<\/p>\n<pre><code>\r\nsnmpwalk -v 3 -a SHA -A <em>&lt;auth_password&gt;<\/em> -u snmpuser -l authPriv -x DES -X <em>&lt;priv_password&gt; &lt;ip_of_switch&gt;<\/em><\/code><\/pre>\n<p>With any luck, you should see a stream of OIDs.<\/p>\n<p>If anyone has a smarter way to generate the keys, please let me know in the comments!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So apparently SNMP should be secured. Disable write access if you don\u2019t need it, and use SNMPv3 instead of the other versions. I set up some ProCurve switches recently, and evilrouters.net had a great writeup on configuring SNMPv3. So configured me some ProCurve and went on my way. Then came my Dell PowerConnect 3548P. I bought [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[29],"tags":[109,111,106,110,112,107,108,105],"class_list":["post-368","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-dell","tag-hp","tag-networking","tag-powerconnect","tag-procurve","tag-switch","tag-switches","tag-troubleshooting"],"_links":{"self":[{"href":"https:\/\/digitalcardboard.com\/blog\/wp-json\/wp\/v2\/posts\/368","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/digitalcardboard.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/digitalcardboard.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/digitalcardboard.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/digitalcardboard.com\/blog\/wp-json\/wp\/v2\/comments?post=368
"}],"version-history":[{"count":5,"href":"https:\/\/digitalcardboard.com\/blog\/wp-json\/wp\/v2\/posts\/368\/revisions"}],"predecessor-version":[{"id":380,"href":"https:\/\/digitalcardboard.com\/blog\/wp-json\/wp\/v2\/posts\/368\/revisions\/380"}],"wp:attachment":[{"href":"https:\/\/digitalcardboard.com\/blog\/wp-json\/wp\/v2\/media?parent=368"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/digitalcardboard.com\/blog\/wp-json\/wp\/v2\/categories?post=368"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/digitalcardboard.com\/blog\/wp-json\/wp\/v2\/tags?post=368"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}