Appendix
Configuration Commands for Cisco
The following is a sample configuration for linkup/linkdown/MAC notification traps for SNMP v2c. In the configuration below, the SNMP server is the IPS, which receives the SNMP traps.
You must execute the following commands in configuration mode.
Execute the following commands to globally enable linkup, linkdown, and MAC notification traps.
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification
Execute the following commands to configure the IPS as the snmp-server host that receives SNMP notifications, enable MAC address table notifications, and define the read-only and read-write community strings.
snmp-server host <IPS IP Address> trap version 2c public snmp mac-notification
mac-address-table notification interval 0
mac-address-table notification
mac-address-table aging-time 3600
snmp-server community string ro
snmp-server community string rw
Cisco SNMP v3 configuration
The following commands show a sample configuration of SNMP v3 on a Cisco switch. In the configuration below, the SNMP server is the IPS, which receives the SNMP traps.
You must execute the following commands in configuration mode.
snmp-server view <Read-View Name> iso included
snmp-server view <Write-View Name> iso included
The configuration below applies when the SNMP v3 Security Level setting on the IPS is "Auth, Priv".
snmp-server group <snmpv3 group name> v3 priv context vlan- match prefix
snmp-server group <snmpv3 group name> v3 priv read <Read-View Name> write <Write-View Name>
snmp-server user <snmpv3 username> <snmpv3 group name> v3 auth sha/md5 <auth password> priv aes/des <128> <password>
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server host <IPS IP Address> version 3 priv <snmpv3 username> snmp
The configuration below applies when the SNMP v3 Security Level setting on the IPS is "Auth, NoPriv".
snmp-server group <snmpv3 group name> v3 auth read <Read-View Name> write <Write-View Name>
snmp-server group <snmpv3 group name> v3 auth context vlan- match prefix
snmp-server user <snmpv3 username> <snmpv3 group name> v3 auth sha/md5 <auth password>
snmp-server host <IPS IP Address> version 3 auth <snmpv3 username>
The following sample shows the commands that are executed at the interface level.
switchport mode access
switchport access vlan 4
snmp trap mac-notification added
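As an added example that is not part of the original appendix, the following Python script audits IOS-style snmp-server lines such as the Cisco v2c and v3 snippets above and reports which trap hosts end up with cleartext communities or unencrypted v3 traps, and which users rely on MD5 or DES or have no privacy password. The sample configuration is constructed from those snippets with the placeholders filled in with made-up values (10.0.0.5 and 10.0.0.6 stand in for the IPS).

```python
import re

# Constructed sample: the Cisco v2c and v3 snippets from this appendix with the
# <placeholders> filled in with made-up values (10.0.0.5 stands in for the IPS).
SAMPLE_CONFIG = """
snmp-server community public ro
snmp-server community private rw
snmp-server host 10.0.0.5 trap version 2c public snmp mac-notification
snmp-server group IPSGRP v3 priv read IPSVIEW write IPSVIEW
snmp-server user ipsuser IPSGRP v3 auth sha AuthPass1 priv aes 128 PrivPass1
snmp-server host 10.0.0.5 version 3 priv ipsuser snmp
snmp-server host 10.0.0.6 version 3 auth ipsuser
"""

DEFAULT_NAMES = {"public", "private"}
USER_RE = re.compile(r"\bauth (sha|md5) \S+(?: priv (aes|des)\b)?")

def audit_snmp(config):
    """Return one finding string per weak setting in IOS-style snmp-server lines."""
    findings = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 3 or t[0] != "snmp-server":
            continue
        if t[1] == "community":
            if t[2] in DEFAULT_NAMES:
                findings.append(f"community '{t[2]}' is a well-known default name")
            if "rw" in t[3:]:
                findings.append(f"community '{t[2]}' grants write access (rw)")
        elif t[1] == "user" and "v3" in t:
            m = USER_RE.search(line)
            if m and m.group(1) == "md5":
                findings.append(f"user '{t[2]}' authenticates with MD5 (prefer SHA)")
            if m and m.group(2) == "des":
                findings.append(f"user '{t[2]}' encrypts with DES (prefer AES)")
            if m and m.group(2) is None:
                findings.append(f"user '{t[2]}' has no privacy password (auth only)")
        elif t[1] == "host":
            i = t.index("version") if "version" in t else -1
            ver = t[i + 1] if i >= 0 else "1"  # no 'version' keyword means v1
            if ver in ("1", "2c"):
                findings.append(f"host {t[2]}: v{ver} traps carry the community in cleartext")
            elif ver == "3" and t[i + 2] != "priv":
                findings.append(f"host {t[2]}: v3 level '{t[i + 2]}' sends traps unencrypted")
    return findings

if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(finding)
```

On the sample, the v3 host at "priv" with the SHA/AES user produces no finding, while the v2c host, the default community names, the rw community and the "auth"-only host each produce one.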
Configuring Port Security Traps
The following sample shows the commands that are executed at the global configuration level to configure port security traps.
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.1.5 version 2c public port-security
The following sample shows the commands that are executed at the interface level.
switchport access vlan <default vlan>
switchport port-security
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security violation restrict
switchport port-security mac-address <dummy mac address>
Configuring Cisco ACL
The following sample shows the commands for the default ACL.
#show ip access-lists snmp-default-acl
Extended IP access list snmp-default-acl
10 deny ip any any
#show run int gi 1/0/7
interface GigabitEthernet1/0/7
The default ACL is pushed from the IPS.
ip access-group <Default-ACL>
end
The following sample shows the commands for the Restrict ACL.
#show ip access-lists snmp-restrict-acl
Extended IP access list snmp-restrict-acl
10 permit tcp any host <IPS-IP Address>
20 permit tcp any host <IPS-IP Address> eq 443
30 permit tcp any host <IPS-IP Address> eq www
100 deny ip any any
#show run int gi 1/0/7
interface GigabitEthernet1/0/7
The Restrict ACL name is pushed from the IPS.
ip access-group <restrict-ACL name>
end
The following sample shows the commands for the Full Access ACL.
#show ip access-lists snmp-full-access-acl
Extended IP access list snmp-full-access-acl
10 permit ip any any
#do sh runn int gi 1/0/7
interface GigabitEthernet1/0/7
The Full Access ACL is pushed from the IPS.
ip access-group <Full-Access-ACL name>
end
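As an added example that is not part of the original appendix, the following Python code parses the Cisco extended ACL entries above as "show ip access-lists" prints them, evaluates a flow against them with first-match semantics and the implicit deny, and lists entries that an earlier entry already covers. The sample is the Restrict ACL with <IPS-IP Address> filled in as the made-up value 10.0.0.5; only the destination fields are modelled because the source is always "any" in these ACLs.

```python
from collections import namedtuple

# Constructed sample: the Restrict ACL from this appendix as 'show ip access-lists'
# prints it, with <IPS-IP Address> filled in as the made-up value 10.0.0.5.
RESTRICT_ACL = """
10 permit tcp any host 10.0.0.5
20 permit tcp any host 10.0.0.5 eq 443
30 permit tcp any host 10.0.0.5 eq www
100 deny ip any any
"""
PORT_NAMES = {"www": 80, "bootps": 67, "bootpc": 68}
# dst is "any" or one host address; port is the destination port or None
Entry = namedtuple("Entry", "seq action proto dst port")

def parse_acl(text):
    """Parse '<seq> permit|deny <proto> any {any|host <ip>} [eq <port>]' lines.
    The source is always 'any' in this appendix's ACLs, so it is not modelled."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        dst = t[5] if t[4] == "host" else "any"
        port = None
        if "eq" in t:
            p = t[t.index("eq") + 1]
            port = int(p) if p.isdigit() else PORT_NAMES[p]
        entries.append(Entry(int(t[0]), t[1], t[2], dst, port))
    return sorted(entries, key=lambda e: e.seq)

def covers(e, proto, dst_ip, dst_port):
    """True when entry e matches every packet with these destination fields."""
    return (e.proto in ("ip", proto) and e.dst in ("any", dst_ip)
            and (e.port is None or e.port == dst_port))

def evaluate(entries, proto, dst_ip, dst_port=None):
    """First matching entry wins; the implicit deny at the end reports seq None."""
    for e in entries:
        if covers(e, proto, dst_ip, dst_port):
            return e.action, e.seq
    return "deny", None

def shadowed(entries):
    """Sequence numbers that can never match because an earlier entry already
    covers every packet they describe (a port-specific line after a line that
    permits all TCP to the same host, as in the Restrict ACL above)."""
    return [e.seq for i, e in enumerate(entries)
            if any(covers(f, e.proto, e.dst, e.port) for f in entries[:i])]
```

Run against the Restrict ACL, evaluate() shows that entry 10 already permits all TCP to the IPS, so entries 20 and 30 never match and the IPS is reachable on every TCP port, not only 443 and www.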
Configuration Commands for Juniper
Juniper SNMP v2 Configuration
set snmp client-list listnew <IPS-IP>
set snmp community public authorization read-write
set snmp community public client-list-name listnew
set snmp trap-group global
set groups global snmp trap-group managers version v2
set groups global snmp trap-group managers targets <IPS-IP>
Juniper SNMP v3 Configuration
set snmp v3 usm local-engine user <user-name> authentication-sha authentication-key <key>
set snmp v3 usm local-engine user <user-name> privacy-aes128 privacy-key <key>
set snmp v3 vacm security-to-group security-model usm security-name <user-name> group <group name>
set snmp v3 vacm access group <group name> default-context-prefix security-model any security-level privacy read-view view-all
set snmp v3 target-address tarallow address <IPS-IP>
set snmp v3 target-address tarallow tag-list MYTAG
set snmp v3 target-address tarallow address-mask 255.255.255.255
set snmp v3 target-address tarallow target-parameters tp1
set snmp v3 target-parameters tp1 parameters message-processing-model v3
set snmp v3 target-parameters tp1 parameters security-model usm
set snmp v3 target-parameters tp1 parameters security-level privacy
set snmp v3 target-parameters tp1 parameters security-name <user-name>
set snmp v3 target-parameters tp1 notify-filter NF1
set snmp v3 notify N1 type trap
set snmp v3 notify N1 tag MYTAG
set snmp v3 notify-filter NF1 oid 1.3.6.1.6.3.1.1.5.3 include
set snmp v3 notify-filter NF1 oid 1.3.6.1.6.3.1.1.5.4 include
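As an added example that is not part of the original appendix, the following Python code models how the notify-filter NF1 above decides which traps reach the IPS: of the filter subtrees that contain a notification's OID, the longest one decides include or exclude, and an OID under no subtree is filtered out (RFC 3413 notify-filter semantics). The trap names are the standard snmpTraps identifiers; subtree matching is by sub-identifier, so 1.3.6.1.6.3.1.1.50 is not under 1.3.6.1.6.3.1.1.5.

```python
# Constructed sample: notify-filter NF1 from the Juniper section above (the
# linkDown and linkUp subtrees are included); TRAP_OIDS lists the standard
# snmpTraps identifiers so the result reads as trap names.
TRAP_OIDS = {
    "1.3.6.1.6.3.1.1.5.1": "coldStart",
    "1.3.6.1.6.3.1.1.5.2": "warmStart",
    "1.3.6.1.6.3.1.1.5.3": "linkDown",
    "1.3.6.1.6.3.1.1.5.4": "linkUp",
    "1.3.6.1.6.3.1.1.5.5": "authenticationFailure",
}
NF1 = [("1.3.6.1.6.3.1.1.5.3", "include"), ("1.3.6.1.6.3.1.1.5.4", "include")]

def in_subtree(subtree, oid):
    """True when oid equals subtree or lies beneath it (sub-identifier prefix,
    not string prefix, so ...1.1.50 is not under ...1.1.5)."""
    s, o = subtree.split("."), oid.split(".")
    return o[:len(s)] == s

def filter_passes(filter_entries, oid):
    """Of the filter subtrees that contain the notification OID, the longest
    (most specific) one decides include/exclude; an OID under no subtree at all
    is filtered out, so an empty filter sends nothing."""
    best = None
    for subtree, kind in filter_entries:
        if in_subtree(subtree, oid) and (best is None or subtree.count(".") > best[0].count(".")):
            best = (subtree, kind)
    return best is not None and best[1] == "include"

def delivered_traps(filter_entries):
    """Names of the standard traps that the filter lets through to the IPS."""
    return [name for oid, name in TRAP_OIDS.items() if filter_passes(filter_entries, oid)]
```

A filter that includes the whole snmpTraps subtree 1.3.6.1.6.3.1.1.5 and excludes 1.3.6.1.6.3.1.1.5.5 delivers everything except authenticationFailure, because the longer exclude subtree wins for that one OID.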
Configuration Commands for Dell
SNMP v2 Configuration
snmp-server view <SNMP label> iso included
snmp-server community "public" rw
snmp-server host <IPS-IP> traps version 2 "public"
SNMP V3 Configuration
snmp-server view "profiler" iso included
snmp-server filter "profiler" iso included
snmp-server group <group name> v3 auth read "profiler" write "profiler"
snmp-server group <group name> v3 priv notify "profiler" read "profiler" write "profiler"
snmp-server user <user-name> <group name> auth-md5-key <key> priv-des-key <key>
snmp-server v3-host <IPS-IP> <user name> traps priv
Configuration Commands for HP 3Com
HP 3Com SNMP v2 Configuration
snmp-agent community read public
snmp-agent sys-info version v2c
snmp-agent target-host trap address udp-domain <IPS-IP> params securityname public v2c
HP 3Com SNMP v3 Configuration
snmp-agent community read public
snmp-agent sys-info version all
snmp-agent group v3 <Group name>
snmp-agent target-host trap address udp-domain <IPS-IP> params securityname public v3 privacy
snmp-agent usm-user v3 <user name> <Group name> cipher authentication-mode md5 <key> privacy-mode des56 <key>
snmp-agent trap enable default-route
Configuration Commands for HP
HP SNMPv2 Commands
The following is a sample configuration for MAC notification traps for SNMP v2c. In the configuration below, the SNMP server is the IPS, which receives the SNMP traps. Execute the following commands.
snmp-server community "public"
snmp-server community "private" unrestricted
snmp-server host 10.204.89.131 community "public" trap-level all
The following commands show an example of configuring linkup, linkdown, and MAC notification traps.
--Execute the following commands to enable linkup and linkdown traps.
snmp-server enable traps link-change 5
--Execute the following command to enable MAC notification traps.
snmp-server enable traps mac-notify
HP SNMPv3 Commands
The following commands show a sample configuration of SNMP v3 on the switch. In the configuration below, the SNMP server is the IPS, which receives the SNMP traps.
Execute the following commands in configuration mode.
snmpv3 enable
snmpv3 only
snmpv3 restricted-access
snmpv3 group managerpriv user <user-name> sec-model ver3
snmpv3 notify "procurve" tagvalue "procurve"
snmpv3 targetaddress "procurve" params "procurve" 10.204.xx.xxx filter all taglist "procurve"
snmpv3 params "procurve" user <user-name> sec-model ver3 message-processing ver3 priv
snmpv3 community index "20" name "public" sec-name <user-name> tag "procurve"
snmpv3 user <user-name> auth sha <auth password> priv aes <priv password>
no snmpv3 user initial
The following command shows an example of configuring the port security trap.
snmp-server enable traps port-security
ACL Configuration for Default, Restricted, and Full Access Role
The Restricted ACL gives access to the DHCP server and the IPS.
ip access-list extended <"Remediation-ACL">
10 permit udp <Source-Address><wildcard/mask> eq <port number> <Destination-Address> <wildcard/mask> eq <port number>
20 permit tcp 0.0.0.0 255.255.255.255 10.204.xx.x 0.0.0.0 eq 443
30 permit tcp 0.0.0.0 255.255.255.255 10.204.xx.x 0.0.0.0 eq 80
exit
ip access-list extended <"Default-ACL-Name">
10 deny ip any any
exit
ip access-list extended <"Full-Access-ACL">
10 permit ip any any
exit
Configuration Commands for Alcatel-Lucent
Alcatel-Lucent SNMP V2 Configuration
The following is a sample configuration for MAC notification traps for SNMP v2c. In the configuration below, the SNMP server is the IPS, which receives the SNMP traps.
user snmp-user password juniper123 read-only all no auth
snmp community map public user snmp-user
user secure password juniper123 read-write all no auth
snmp community map private user secure
snmp security no security
snmp station 10.96.xx.x secure v2 enable
Alcatel-Lucent SNMP V3 Configuration
aaa authentication snmp local
user snmpv3user password juniper123 md5+des read-write all priv-password fjf
snmp community map "public" user "snmpv2user" on
snmp security authentication set
snmp station 10.10.10.10 162 "snmpv3user" v3 enable
Configuration Commands for Arista
Arista SNMP V2 Configuration
snmp-server community public rw
snmp-server host 10.96.xx.xx version 2c public
snmp-server enable traps snmp authentication
snmp-server enable traps snmp link-down
snmp-server enable traps snmp link-up
Arista SNMP V3 Configuration
SNMP V3: AuthNoPriv: Arista
Command for configuring the switch:
tacacs-switch(config)#snmp-server user authnoprivsha TEST_GROUP v3 auth sha Psec
tacacs-switch(config)#show running-config | include snmp
snmp-server engineID local xxxxx
snmp-server local-interface Management1
snmp-server view all-items iso included
snmp-server group TEST_GROUP v3 auth write all-items
snmp-server user <user-name>authnoprivsha TEST_GROUP v3 localized xxxx auth sha 6dasda
snmp-server host 10.96.xx.xx version 3 auth <user-name>authnoprivsha
snmp-server enable traps snmp authentication
snmp-server enable traps snmp link-down
snmp-server enable traps snmp link-up
SNMP V3: AuthPriv: Arista
tacacs-switch#sho running-config | include snmp
snmp-server engineID local xxxxxx
snmp-server local-interface Management1
snmp-server view all-items iso included
snmp-server group TEST_GROUP v3 priv write all-items
snmp-server user <user-name>md5 TEST_GROUP v3 localized xxxxx auth md5 cxc priv des 3adada
snmp-server user <user-name>md5aes TEST_GROUP v3 localized xxxxx auth md5 7dada priv aes c4dsdf
snmp-server user <user-name>shaaes TEST_GROUP v3 localized xxxxx auth sha 49da priv aes 3dasd
snmp-server user <user-name>shades TEST_GROUP v3 localized xxxx auth sha 6das priv des af95
snmp-server host 10.96.xx.xx version 3 priv md5
snmp-server enable traps snmp authentication
snmp-server enable traps snmp link-down
snmp-server enable traps snmp link-up
Configuring ACL
ACL Configuration for Default, Restricted, and Full Access Role
#show running-config
ip access-list <FullAccess_ACL>
1 permit ip any host 10.x.x.x
3 permit icmp any host 10.100.x.x
4 deny ip any host 0.0.0.0
!
ip access-list <RestrictedAccess_ACL>
1 permit ip any host 10.200.200.200
2 permit ip any host 10.100.100.100
3 permit icmp any host x.x.x.x
4 deny ip any host 0.0.0.0
!
ip access-list <BlockAllTraffic_ACL>
1 deny ip any host 0.0.0.0
Configuration Commands for Huawei
Huawei SNMP V2 Configuration
snmp-agent
snmp-agent local-engineid casdasd
snmp-agent community read cipher xxxx
snmp-agent community write cipher xxxx
snmp-agent community complexity-check disable
snmp-agent sys-info version all
snmp-agent target-host trap address udp-domain 192.168.xx.xx params securityname cipher xxx
snmp-agent mib-view included allexthgmp iso
snmp-agent mib-view excluded allextrmon rmon
snmp-agent notification-log enable
snmp-agent notification-log global-ageout 12
snmp-agent trap enable
Huawei SNMP V3 Configuration
[Huawei]display current-configuration | include snmp
snmp-agent
snmp-agent local-engineid xxxx
snmp-agent sys-info version v3
snmp-agent group v3 snmpv3group authentication
snmp-agent group v3 snmpv3group privacy read-view isoview write-view isoview notify-view isoview
snmp-agent target-host trap address udp-domain 192.168.xx.xx params securityname snmpv3user v3 privacy
snmp-agent mib-view included isoview iso
snmp-agent mib-view excluded allextrmon rmon
snmp-agent usm-user v3 snmpv3user
snmp-agent usm-user v3 snmpv3user group snmpv3group
snmp-agent usm-user v3 snmpv3user authentication-mode md5 cipher xxx
snmp-agent usm-user v3 snmpv3user privacy-mode aes128 cipher xxx
snmp-agent notification-log enable
snmp-agent notification-log global-ageout 12
snmp-agent trap enable
Configuring ACL
ACL Configuration for Default, Restricted, and Full Access Role
----------------------------------------------------------------
display acl all
(In Restricted ACL, give access to DHCP server and IPS)
Advanced ACL restrictedAccess 3997, 3 rules
rule 1 permit tcp destination <IPS_IP> <wildcard> destination-port eq 443
rule 2 permit udp destination-port eq bootpc
rule 3 permit udp destination-port eq 80
Advanced ACL fullAccess 3998, 1 rule
rule 1 permit ip destination 0.0.0.0 <wildcard>
Advanced ACL defaultAccess 3996, 1 rule
rule 1 deny ip destination 0.0.0.0 <wildcard>