Dell Z9000 Configuration Manual page 781
10/25/40/50/100gbe throughput
Hide thumbs
Also See for Z9000:
- Configuration manual (932 pages) ,
- Installing (52 pages) ,
- Manual (48 pages)
Table of Contents
Advertisement
The SNMPv3 feature also uses a FIPS-validated cryptographic module for all of its cryptographic
operations when the system is configured with the fips mode enable command in Global
Configuration mode. When the FIPS mode is enabled on the system, SNMPv3 operates in a FIPS-
compliant manner, and only the FIPS-approved algorithm options are available for SNMPv3 user
configuration. When the FIPS mode is disabled on the system, all options are available for SNMPv3 user
configuration.
The following table describes the authentication and privacy options that can be configured when the
FIPS mode is enabled or disabled:
FIPS Mode
Disabled
Enabled
To enable security for SNMP packets transferred between the server and the client, you can use the
snmp-server user username group groupname 3 auth authentication-type auth-
password priv aes128 priv-password command to specify that AES-CFB 128 encryption
algorithm needs to be used.
Dell(conf)#snmp-server user snmpguy snmpmon 3 auth sha AArt61wq priv aes128
jntRR59a
In this example, for a specified user and a group, the AES128-CFB algorithm, the authentication password
to enable the server to receive packets from the host, and the privacy password to encode the message
contents are configured.
SHA authentication needs to be used with the AES-CFB128 privacy algorithm only when FIPS is enabled
because SHA is then the only available authentication level. If FIPS is disabled, you can use MD5
authentication in addition to SHA authentication with the AES-CFB128 privacy algorithm
You cannot modify the FIPS mode if SNMPv3 users are already configured and present in the system. An
error message is displayed if you attempt to change the FIPS mode by using the fips mode enable
command in Global Configuration mode. You can enable or disable FIPS mode only if SNMPv3 users are
not previously set up. If previously configured users exist on the system, you must delete the existing
users before you change the FIPS mode.
Keep the following points in mind when you configure the AES128-CFB algorithm for SNMPv3:
1.
SNMPv3 authentication provides only the sha option when the FIPS mode is enabled.
2.
SNMPv3 privacy provides only the aes128 privacy option when the FIPS mode is enabled.
3.
If you attempt to enable or disable FIPS mode and if any SNMPv3 users are previously configured, an
error message is displayed stating you must delete all of the SNMP users before changing the FIPS
mode.
4.
A message is logged indicating whether FIPS mode is enabled for SNMPv3. This message is
generated only when the first SNMPv3 user is configured because you can modify the FIPS mode
only when users are not previously configured. This log message is provided to assist your system
security auditing procedures.
Simple Network Management Protocol (SNMP)
Privacy Options
des56
(DES56-CBC)
aes128 (AES128-CFB)
aes128 (AES128-CFB)
Authentication Options
md5 (HMAC-MD5-96)
sha (HMAC-SHA1-96)
sha (HMAC-SHA1-96)
781
Advertisement
Table of Contents
Troubleshooting
