Message Processing; Snmpv3 Security - Extreme Networks ExtremeWare XOS Guide Manual

Concepts guide
Managing the Switch
The access control subsystem provides the ability to configure whether access to a managed object in a
local MIB is allowed for a remote principal. The access control scheme allows you to define access
policies based on MIB views, groups, and multiple security levels.
In addition, the SNMPv3 target and notification MIBs provide a more procedural approach to
generating and filtering notifications.
SNMPv3 objects are stored in non-volatile memory unless specifically assigned to volatile storage.
Objects defined as permanent cannot be deleted.
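The access control scheme described above (users mapped to groups, groups granted MIB views at a given security level) is the View-based Access Control Model of RFC 3415. The following is an added illustration, not code from the ExtremeWare XOS guide or from the switch, of how such an access decision is evaluated. The user names, group names, view names and OID subtrees are constructed sample data; view masks are left out for brevity, and the security-level names follow the sec-level keywords used on this page.

```python
"""Added example: a minimal model of RFC 3415 VACM access checks.
Lookup order: (security model, user) -> group; (group, model, level) -> view;
view -> included/excluded OID subtrees, longest matching subtree wins."""

# Ordering of the sec-level keywords used by the switch CLI.
LEVELS = {"noauth": 0, "authnopriv": 1, "priv": 2}


def oid_tuple(oid):
    """'1.3.6.1.2.1.1.5.0' -> (1, 3, 6, 1, 2, 1, 1, 5, 0)."""
    return tuple(int(x) for x in oid.strip(".").split("."))


class Vacm:
    def __init__(self):
        self.groups = {}   # (sec_model, user_name) -> group name
        self.access = []   # (group, sec_model, level, read_view, write_view)
        self.views = {}    # view name -> [(subtree tuple, included)]

    def add_group(self, sec_model, user, group):
        self.groups[(sec_model, user)] = group

    def add_access(self, group, sec_model, level, read_view, write_view=None):
        self.access.append((group, sec_model, level, read_view, write_view))

    def add_view(self, name, subtree, included=True):
        self.views.setdefault(name, []).append((oid_tuple(subtree), included))

    def _view_includes(self, view, oid):
        """The most specific subtree entry that covers the OID decides."""
        best = None
        for subtree, included in self.views.get(view, []):
            if oid[: len(subtree)] != subtree:
                continue
            if best is None or len(subtree) > len(best[0]):
                best = (subtree, included)
        return best is not None and best[1]

    def is_allowed(self, sec_model, user, level, oid, write=False):
        """True if the principal may read (or write) the given OID."""
        group = self.groups.get((sec_model, user))
        if group is None:
            return False
        msg_level = LEVELS[level]
        # Only entries whose required level is at or below the message's
        # level apply; among those, the strongest entry is used.
        candidates = [a for a in self.access
                      if a[0] == group and a[1] == sec_model
                      and LEVELS[a[2]] <= msg_level]
        if not candidates:
            return False
        entry = max(candidates, key=lambda a: LEVELS[a[2]])
        view = entry[4] if write else entry[3]
        if view is None:
            return False
        return self._view_includes(view, oid_tuple(oid))


def build_sample_vacm():
    """Constructed policy: a read-only monitor confined to the system group,
    and an admin with full access except the USM user table."""
    v = Vacm()
    v.add_view("system-only", "1.3.6.1.2.1.1")              # system group
    v.add_view("all-but-usm", "1.3.6.1")
    v.add_view("all-but-usm", "1.3.6.1.6.3.15", included=False)  # snmpUsmMIB
    v.add_group("usm", "monitor", "readonly")
    v.add_group("usm", "admin", "admins")
    v.add_access("readonly", "usm", "authnopriv", "system-only")
    v.add_access("admins", "usm", "priv", "all-but-usm", "all-but-usm")
    return v


if __name__ == "__main__":
    vacm = build_sample_vacm()
    for who, lvl, oid, wr in [("monitor", "authnopriv", "1.3.6.1.2.1.1.5.0", False),
                              ("monitor", "noauth", "1.3.6.1.2.1.1.5.0", False),
                              ("admin", "priv", "1.3.6.1.6.3.15.1.2.2.1.3.0", False),
                              ("admin", "priv", "1.3.6.1.2.1.1.5.0", True)]:
        print(who, lvl, oid, "write" if wr else "read",
              vacm.is_allowed("usm", who, lvl, oid, write=wr))
```

The two failure paths worth noticing are a user authenticating at a lower security level than the access entry requires (the monitor sending noauth requests gets nothing, even for sysName) and an OID that falls under an excluded subtree of an otherwise broad view (the admin cannot read the USM user table even at priv).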
NOTE
In SNMPv3, many objects can be identified by a human-readable string or by a string of hexadecimal octets. In
many commands, you can use either a character string, or a colon-separated string of hexadecimal octets to specify
objects. To indicate hexadecimal octets, use the keyword hex in the command.

Message Processing

A particular network manager may require messages that conform to a particular version of SNMP. The
choice of the SNMPv1, SNMPv2c, or SNMPv3 MP model can be configured for each network manager
as its target address is configured. The selection of the MP model is configured with the mp-model
keyword in the following command:

    configure snmpv3 add target-params [[hex <hex_param_name>] | <param_name>]
        user [[hex <hex_user_name>] | <user_name>]
        mp-model [snmpv1 | snmpv2c | snmpv3]
        sec-model [snmpv1 | snmpv2c | usm]
        {sec-level [noauth | authnopriv | priv]} {volatile}

SNMPv3 Security

SNMPv3 introduced the User-Based Security Model (USM) for SNMP. USM deals with security-related
aspects such as authentication, encryption of SNMP messages, and defining users and their various
access security levels. This standard also encompasses protection against message delay and message
replay.
USM Timeliness Mechanisms
An Extreme Networks switch has one SNMPv3 engine, identified by its snmpEngineID. The first four
octets are fixed to 80:00:07:7C, which represents the Extreme Networks vendor ID. By default, the
additional octets for the snmpEngineID are generated from the device MAC address.
Every SNMPv3 engine necessarily maintains two objects: snmpEngineBoots, which is the number of
reboots the agent has experienced, and snmpEngineTime, which is the local time since the engine reboot.
The engine has a local copy of these objects, and the latestReceivedEngineTime for every authoritative
engine it wants to communicate with. Comparing these objects with the values received in messages
and then applying certain rules to decide upon the message validity accomplishes protection against
message delay or message replay.
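The comparison rules the paragraph refers to are fixed by RFC 3414 section 3.2.7: an authoritative engine (the switch, answering a manager's request) accepts a message only if it carries the engine's current snmpEngineBoots and a time within 150 seconds of its snmpEngineTime, while a non-authoritative engine rejects anything older than what it last saw from that peer. The following is an added example, not code from the ExtremeWare XOS guide or the switch, that models both checks together with a decoder for the fixed 80:00:07:7C prefix of the snmpEngineID. The engine IDs, boot counters and timestamps are constructed; the format octet 0x03 before the MAC address is the RFC 3411 MAC-address format indicator and is an assumption about the page's "generated from the device MAC address".

```python
"""Added example: SNMPv3 USM timeliness checks (RFC 3414 3.2.7) and
snmpEngineID prefix decoding (RFC 3411). Sample values are constructed."""

from dataclasses import dataclass

# First four octets of every Extreme Networks snmpEngineID (from the guide).
EXTREME_ENGINE_ID_PREFIX = bytes.fromhex("8000077C")
TIME_WINDOW_SECONDS = 150       # fixed window from RFC 3414
MAX_ENGINE_BOOTS = 2147483647   # 2^31 - 1: engine stops accepting at this value


def parse_engine_id(text):
    """Decode a colon-separated hex snmpEngineID (the CLI 'hex' form).

    Returns (enterprise_number, remaining_octets). The high bit of the first
    octet marks the RFC 3411 enterprise format; the other 31 bits carry the
    IANA enterprise number (0x00077C == 1916 for Extreme Networks)."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) < 5 or not raw[0] & 0x80:
        raise ValueError("not an RFC 3411 enterprise-format snmpEngineID")
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    return enterprise, raw[4:]


def is_extreme_engine(text):
    """True if the ID starts with the fixed Extreme Networks prefix."""
    return bytes.fromhex(text.replace(":", "")).startswith(EXTREME_ENGINE_ID_PREFIX)


@dataclass
class AuthoritativeEngine:
    """The switch's own clock: snmpEngineBoots and snmpEngineTime."""
    boots: int
    time: int

    def accepts(self, msg_boots, msg_time):
        """A replay of a message captured before the last reboot fails the
        boots test; a delayed message fails the +/-150 s window test."""
        if self.boots == MAX_ENGINE_BOOTS:
            return False
        if msg_boots != self.boots:
            return False
        return abs(self.time - msg_time) <= TIME_WINDOW_SECONDS


@dataclass
class PeerState:
    """A non-authoritative engine's stored latestReceivedEngineBoots/Time
    for one authoritative peer (starts at 0/0 before discovery)."""
    boots: int = 0
    time: int = 0

    def accepts(self, msg_boots, msg_time):
        """Reject messages from an earlier boot of the peer, or more than
        150 s behind the newest time already seen; remember newer values."""
        if msg_boots == MAX_ENGINE_BOOTS:
            return False
        if msg_boots < self.boots:
            return False
        if msg_boots == self.boots and msg_time < self.time - TIME_WINDOW_SECONDS:
            return False
        if msg_boots > self.boots or (msg_boots == self.boots and msg_time > self.time):
            self.boots, self.time = msg_boots, msg_time
        return True


if __name__ == "__main__":
    # Constructed ID: Extreme prefix, MAC format octet, locally administered MAC.
    engine_id = "80:00:07:7C:03:02:00:00:00:00:01"
    print(is_extreme_engine(engine_id), parse_engine_id(engine_id))
    switch = AuthoritativeEngine(boots=3, time=1000)
    print("fresh:", switch.accepts(3, 1100))      # True
    print("old boot:", switch.accepts(2, 1000))   # False
    print("delayed:", switch.accepts(3, 800))     # False
```

The practical consequence for the switch is the one the guide goes on to describe: a manager must learn the agent's current boots/time (via the discovery exchange) before authenticated requests are accepted, and anything recorded from a previous boot cycle is rejected by the boots comparison alone.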
In a chassis, the snmpEngineID is generated using the MAC address of the MSM with which the switch
boots first.
The snmpEngineID can be configured from the command line, but once the snmpEngineID is changed,
default users will be reverted back to their original passwords/keys, and non-default users will be reset
ExtremeWare XOS 11.3 Concepts Guide, page 86
