2 Replies Latest reply on Jan 23, 2014 2:54 PM by taylor.whitt

    Nortel/Avaya switches with snmpv3?

    spatterson

      We've been using NPM to monitor our nortel and avaya ers switches using snmp v1&2 for some time now with no problems... As part of our increased security initiatives we're planning to move to snmp v3.  Has anyone had any success doing this?  Our lab tests so far have been complete failures having used all the available documentation from both Avaya, Avaya communities and Solarwinds.  Syslog entries if they show anything at all just show an "unauthorized SNMP" attempt from the NPM server.

       

      Switches are ERS 5xxx and NPM 10.4.1

       

      Any help or suggestions would be greatly appreciated, trying to avoid bashing my head against the wall with tech support from either company!

        • Re: Nortel/Avaya switches with snmpv3?
          taylor.whitt

          I'm using SNMPv3 on 8610s and 4500 series and monitoring successfully with NPM 10.3.  Maybe I could help?  Are you still having problems?  I got a 5500 laying around that I could attempt to get working and write down everything I do.

            • Re: Nortel/Avaya switches with snmpv3?
              taylor.whitt

              Remember to do this is a TEST enviornment first.  I am not giving 5500 commands-but I believe they are very similar.

               

              I'm going to go over the 4500 configuration because I believe it is closer to what a 5500 is-- and I don't want to go to the warehouse right now.  We use MD5 and DES for encryption.

               

              I would start of by getting rid of any snmp configurations by typing the following.  Assume you are in the configuration prompt/(config#)

               

              snmp-server enable

              snmp-server bootstrap very-secure      ------- this removes snmp information and prepares your switch for new credentials

              show password security

               

              -- If it's disabled:

              snmp-server user (username) md5 (snmp-string/password) des (snmp-string/password) read-view (view) write-view (view) notify-view (view)

              snmp-server view (view) +1

              no snmp-server community

              snmp-server host (IP of Solarwinds) v3 auth-priv (username)

              exit

              save config

               

              -if it is enabled

               

              snmp-server user (username) md5 des read-view (view) write-view (view) notify-view (view)

              (MD5 string)

              (MD5 string)

              (DES string)

              (DES string)

              snmp-server view (view) +1

              no snmp-server community

              snmp-server host (Solarwinds IP address) v3 auth-priv (username)

              exit

              save config

               

              There are default views such as root, or nncli.  If you want to use those you can but don't type the "snmp-server view (view) +1" command.

               

              The password security in the 4500 changes how the MD5/DES strings must be entered (in some versions) and also is used to change the number of password attempts, acceptable protocols, etc.  Something to note, if you entered the "ssh secure" command, it disables Web, SNMP, and Telnet management permanently.  Type "no ssh secure" and then "snmp-server enable" to enable snmp.

               

              Username, MD5 string, and DES string is what you use in SolarWinds when you are adding a node.  Port is 161.  Only check the "Allow 64 bit counters" checkbox -just type those in and hit test/submit.

               

              I have noticed the software on the switches is a little buggy on the 5.1 code (on 4500s).  Sometimes we had to restart the switch or type the commands in again for it to take effect.  *We have since moved on to newer code.

               

              Of course this is not 100% accurate because I am on a totally different switch and don't know your code version or any details.  If you're willing to share (please don't share specific configurations of your network that could compromise it) I am willing to help.  Let me know.

              1 of 1 people found this helpful