SNMPv3 is more secure but, as pointed out, can be accessed by anyone who has the credentials. To help tighten this up, you can use the "ip authorized-managers" command to lock things down. You can tighten it up to a single IP address or list of addresses, or can allow a management subnet's users to all log
CORE(config)# ip authorized-managers 172.26.81.0 255.255.255.0 access manage
This allows all users in my management subnet to log in - this is also where my AirWave server lives. If I wanted to limit it to the AirWave server, I'd set the IP address to "172.26.81.110 255.255.255.255" and retain the rest.
AOS-CX is a bit more challenging, as it requires a control plane ACL:
access-list ip AUTHORIZED-MANAGERS
10 comment JUMP STATION
10 permit any 172.26.81.10/32 any
20 comment IT MANAGER
20 permit any 172.26.81.11/32 any
30 comment NETWORK ADMIN
30 permit any 172.26.81.12/32 any
40 comment AIRWAVE SERVER
40 permit any 172.26.81.110/32 any
Apply it to the control plane with these commands:
apply access-list ip AUTHORIZED-MANAGERS control-plane vrf default
apply access-list ip AUTHORIZED-MANAGERS control-plane vrf mgmt
------------------------------
Timothy Leadbetter
ACMP, ACSP, ACCA
CWNA, CWDP
ECSE-Design
Owner/Consultant
The WiFi Fixer
CA
------------------------------
Original Message:
Sent: Apr 04, 2021 12:21 PM
From: Shawn Southern
Subject: Aruba Switch 2920 SNMP 161 Problem
You'll need to refer to the Management & Configuration Guide for your switch model & OS version.
Here's an SNMPv3 example, since SNMP v1 & v2c have practically no security ("snmpv3 enable" will start a bit of a wizard and create a user using old/weak encryption, so we'll delete that):
snmp-server contact "email of admin contact" location "Location of device"
snmpv3 enable
no snmpv3 user "initial"
snmpv3 only
snmpv3 restricted-access
snmpv3 group managerpriv user "snmpusername" sec-model ver3
snmpv3 user "snmpusername" plaintext auth sha PutAuthPassphraseHere priv aes PutPrivPassphraseHere
Be sure to replace "email of admin contact", "Location of device", "snmpusername", "PutAuthPassphraseHere" and "PutPrivPassphraseHere" with the appropriate information.
Keep in mind as well that this configuration does not restrict the source of SNMP connections.
------------------------------
Shawn Southern
Original Message:
Sent: Mar 04, 2021 01:05 PM
From: JAVIER AGUILAR
Subject: Aruba Switch 2920 SNMP 161 Problem
Hello community,
I'm trying to monitor Aruba 2920 switches and only get snmptrap on port 162, but snmpget on port 161 is disabled. Is it possible to enable it on port 161, and what are the commands?
Hoping for your comments.
Regards.
------------------------------
JAVIER AGUILAR
------------------------------
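
An added example, not part of the original posts and not Aruba's own code: a Python check of a saved ArubaOS-Switch config for the SNMPv3 settings discussed in this thread, including the missing source restriction noted in the Apr 04 reply. The sample config is constructed from the commands quoted above, and the parser assumes every "ip authorized-managers" line gives an address followed by a contiguous mask, as in the line posted in the first reply.

```python
import ipaddress

# Constructed sample config built from commands quoted in this thread;
# it is not output captured from a real switch.
SAMPLE_CONFIG = """\
snmpv3 enable
snmpv3 only
snmpv3 restricted-access
snmpv3 group managerpriv user "snmpusername" sec-model ver3
ip authorized-managers 172.26.81.0 255.255.255.0 access manage
"""

def authorized_networks(config):
    """Return the networks named by 'ip authorized-managers' lines."""
    nets = []
    for line in config.splitlines():
        tok = line.split()
        # Assumed form: ip authorized-managers <address> <mask> ...
        if tok[:2] == ["ip", "authorized-managers"] and len(tok) >= 4:
            nets.append(ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False))
    return nets

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    if "snmpv3 only" not in lines:
        findings.append("SNMPv1/v2c not disabled: 'snmpv3 only' missing")
    if "snmpv3 restricted-access" not in lines:
        findings.append("'snmpv3 restricted-access' missing")
    if any(l.startswith("snmpv3 ") and '"initial"' in l for l in lines):
        findings.append('default SNMPv3 user "initial" still referenced')
    nets = authorized_networks(config)
    if not nets:
        findings.append("no 'ip authorized-managers': source is unrestricted")
    for n in nets:
        if n.num_addresses > 1:  # a subnet-wide entry, worth a second look
            findings.append(f"authorized-managers {n} admits {n.num_addresses} addresses")
    return findings

def source_allowed(config, src):
    """True if src matches an entry, or if no entries exist (no filtering)."""
    nets = authorized_networks(config)
    return not nets or any(ipaddress.ip_address(src) in n for n in nets)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```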