
Aruba CX Switches - Disable SNMP v1 and v2

  • 1.  Aruba CX Switches - Disable SNMP v1 and v2

    Posted Jul 16, 2021 10:38 AM

    Hello everyone,

    We have Aruba 8360 Switches that are running Aruba CX version 10.06. We want to use SNMP v3 for monitoring.

    Is there any option to disable SNMP v1 and v2, so only SNMP v3 is running?

    I know that this is possible for Aruba Switches running the Aruba-OSS operating system (e.g. Aruba 2530 Switches). There is the option >snmpv3 only< which disables v1 and v2.

    Thank you very much,
    Martin



    ------------------------------
    Martin Huschenbett
    ------------------------------


  • 2.  RE: Aruba CX Switches - Disable SNMP v1 and v2

    Posted Jul 21, 2021 11:38 AM
    I believe SNMP is disabled by default on the CX series.

    So if you only enable SNMPv3 you should be good.

    ------------------------------
    Peter Storgaard
    ------------------------------



  • 3.  RE: Aruba CX Switches - Disable SNMP v1 and v2

    Posted Jul 22, 2021 03:05 AM

    Hi Peter,

    Thank you for your reply!

    The problem is that we cannot "only enable SNMPv3"; at least there is no command/option on the switch. AFAIK we only have the possibility to either completely enable SNMP (including SNMPv1 and SNMPv2), or completely disable SNMP.

    But we only want SNMPv3 enabled.

    Thanks again!



    ------------------------------
    Martin Huschenbett
    ------------------------------



  • 4.  RE: Aruba CX Switches - Disable SNMP v1 and v2

    Posted Jul 22, 2021 05:35 AM
    I use the command
    snmp-server snmpv3-only
    on my cx 6100 switch to make sure older snmp are disabled.

    ------------------------------
    Lauri Änäkkälä
    ------------------------------



  • 5.  RE: Aruba CX Switches - Disable SNMP v1 and v2

    Posted Jul 22, 2021 06:25 AM
    Hi Lauri,

    Thank you for your response.
    Unfortunately, on our Aruba 8360 Switches, the command snmp-server snmpv3-only does not exist...

    aruba-8360(config)# show version
    -----------------------------------------------------------------------------
    ArubaOS-CX
    (c) Copyright 2017-2020 Hewlett Packard Enterprise Development LP
    -----------------------------------------------------------------------------
    Version      : LL.10.06.0001
    Build Date   : 2020-11-10 10:32:03 PST
    Build ID     : ArubaOS-CX:LL.10.06.0001:55dffa340d0f:202011101711
    Build SHA    : 55dffa340d0fe49fb9088928e34b71a48e32f80e
    Active Image : primary
    
    Service OS Version : LL.01.07.0003
    BIOS Version       : LL.01.0001
    aruba-8360(config)# snmp-server
      agent-port                   Configure UDP port to reach SNMP Master Agent
      community                    The name of the community string (Default:
                                   public)
      historical-counters-monitor  Monitor historical interface counters
      host                         Configure SNMP trap or inform
      system-contact               Configure system contact
      system-description           Configure system description
      system-location              Configure system location
      trap-source                  Configure the IP address of the source interface
                                   for sending SNMP traps
      vrf                          Specify VRF to run SNMP on
    aruba-8360(config)#


    Thanks again!



    ------------------------------
    Martin Huschenbett
    ------------------------------



  • 6.  RE: Aruba CX Switches - Disable SNMP v1 and v2

    Posted Sep 09, 2021 08:48 AM

    I'm also interested in a solution to disable SNMP v1 and v2c and use only v3 on my aruba-cx Switches (83xx and 6200F).

    vsf-vw-2og-01(config)# no snmp-server community public
    The community is not configured

    vsf-vw-2og-01(config)# do sh snmp community
    ---------------------
    SNMP communities

    ---------------------
    public

    I cannot remove the community, but the community still works.

    I can change the community, but I don't want to have SNMP v1 and v2c enabled...

    Deleting a custom community leads to the default public community...


    Other question.... is it possible to add an ACL for SNMP traffic?

    Thanks and Kind Regards

    Robert



  • 7.  RE: Aruba CX Switches - Disable SNMP v1 and v2

    Posted Sep 09, 2021 09:35 AM

    Hi Lauri,

    Which software do you use? We also have several 6100 for management purposes, and I do not have an option for snmpv3-only...

    kaba-bu-r02# sh system
    Vendor : Aruba
    Product Name : JL679A 6100 12G CL4 2SFP+ 139W Swch
    ArubaOS-CX Version : PL.10.06.0120

    kaba-bu-r02(config)# snmp
      snmp-server Configure SNMP
      snmpv3 Configure SNMP version 3

    kaba-bu-r02(config)# snmp-server
      agent-port Configure UDP port to reach SNMP Master Agent
      community The name of the community string (Default: public)
      historical-counters-monitor Monitor historical interface counters
      host Configure SNMP trap or inform
      system-contact Configure system contact
      system-description Configure system description
      system-location Configure system location
      trap-source Configure the IP address of the source interface for sending SNMP traps
      vrf Specify VRF to run SNMP on

    kaba-bu-r02(config)# snmp-server snmpv3-only
      Invalid input: snmpv3-only

    Perhaps the option is software dependent?



    ------------------------------
    Robert Großmann
    ------------------------------



  • 8.  RE: Aruba CX Switches - Disable SNMP v1 and v2

    Posted Sep 10, 2021 01:23 AM
    I'm on version PL.10.07.0010. Maybe they added it in 10.07.

    ------------------------------
    Lauri Änäkkälä
    ------------------------------



  • 9.  RE: Aruba CX Switches - Disable SNMP v1 and v2

    Posted Sep 10, 2021 08:05 AM

    Yeah. I do not see that point in the release notes, but yes, with 10.07 there is the option snmpv3-only

    6200-TEST(config)# snmp-server
      agent-port                   Configure UDP port to reach SNMP Master Agent
      community                    The name of the community string (Default:
                                   public)
      historical-counters-monitor  Monitor historical interface counters
      host                         Configure SNMP trap or inform
      response-source              Configure the IP address of the source interface
                                   for SNMP Responses
      snmpv3-only                  Accepts SNMPv3 messages only, SNMPv1 and SNMPv2c
                                   will be disabled
      system-contact               Configure system contact
      system-description           Configure system description
      system-location              Configure system location
      trap                         Enable an SNMP trap
      trap-source                  Configure the IP address of the source interface
                                   for sending SNMP traps
      vrf                          Specify VRF to run SNMP on
    

    Then I have to update some switches...



    ------------------------------
    Robert Großmann
    ------------------------------
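
Added example, not part of any post in this thread and not Aruba's code: a small audit over saved `show version` and `show running-config` text that tells apart switches needing only `snmp-server snmpv3-only` from those that first need a firmware upgrade. Assumptions: the 10.07 threshold is taken from the posts above, an `snmp-server vrf` line is treated as "agent enabled", and the sample hostnames and the community `nms-ro` are constructed.

```python
import re

# Release line as printed by "show version" / "show system" in the posts above.
VERSION_RE = re.compile(
    r"^\s*(?:ArubaOS-CX )?Version\s*:\s*[A-Z]{2}\.(\d+)\.(\d+)\.", re.M)
# Assumption from the thread: snmpv3-only was seen on 10.07, not on 10.06.
FIRST_RELEASE_WITH_V3_ONLY = (10, 7)


def parse_release(show_version):
    """Return (major, minor) of the AOS-CX release, or None if not found."""
    m = VERSION_RE.search(show_version)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit(show_version, running_config):
    """Classify one switch as OK, FIX (config change) or UPGRADE (firmware)."""
    lines = [l.strip() for l in running_config.splitlines()]
    # Assumption: the agent runs only when a VRF is assigned to it.
    if not any(l.startswith("snmp-server vrf ") for l in lines):
        return "OK", "SNMP agent not enabled"
    if "snmp-server snmpv3-only" in lines:
        return "OK", "SNMPv1/v2c disabled by snmpv3-only"
    # With no community configured, the default "public" still answers.
    names = [l.split()[2] for l in lines
             if l.startswith("snmp-server community ")]
    exposed = ", ".join(names) or "public (default)"
    release = parse_release(show_version)
    if release is None or release < FIRST_RELEASE_WITH_V3_ONLY:
        return "UPGRADE", f"v1/v2c answer for {exposed}; snmpv3-only not available"
    return "FIX", f"v1/v2c answer for {exposed}; add 'snmp-server snmpv3-only'"


# Constructed samples (abbreviated, not from a real device).
SAMPLES = {
    "sw-1006": ("Version : LL.10.06.0001",
                "hostname sw-1006\nsnmp-server vrf mgmt"),
    "sw-1007": ("ArubaOS-CX Version : PL.10.07.0010",
                "snmp-server vrf mgmt\nsnmp-server community nms-ro"),
    "sw-done": ("ArubaOS-CX Version : PL.10.07.0010",
                "snmp-server vrf mgmt\nsnmp-server snmpv3-only"),
}

if __name__ == "__main__":
    for name, (ver, cfg) in SAMPLES.items():
        print(name, *audit(ver, cfg))
```

After applying the fix, confirm from the monitoring host that a v1 or v2c query to the switch times out while the v3 query still succeeds.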