Network Management

Hello, I'm little bit at lost with regard to SNMPv3 settings on ArubaOS-Switch 16.05 (actually I'm working with Aruba 5400R zl2 switch series but switches family is a little bit irrelevant) and device discovery from the HPE IMC 7.3 (E0605) using SNMP/SSH and Telnet templates.

Actually SNMPv3, SSH and Telnet are enabled switch side, Switch is also pingable from HPE IMC host.

I've hardened SNMP service at Switch level using suggestion taken from ArubaOS-Switch Hardening Guide for 16.04 manual (Revision 1 April 2018) at SNMPv1/2c vs. SNMPv3 chapter...so actually the Aruba 5400R zl2 owns this SNMPv3 configuration (with no SNMP Community, as you can see):

HPE5412Rzl2(config)# show snmpv3 enable

 Status and Counters - SNMP v3 Global Configuration Information

  SNMP v3 enabled : No

HPE5412Rzl2(config)# snmpv3 enable
SNMPv3 Initialization process.
Creating user 'initial'
Authentication Protocol: MD5
Enter authentication password: ***************
Privacy protocol is DES
Enter privacy password: *****************

User 'initial' has been created
Would you like to create a user that uses SHA? [y/n] y
Enter user name: my-snmpv3-user
Authentication Protocol: SHA
Enter authentication password: *****************
Privacy protocol is DES
Enter privacy password: ******************

User creation is done.  SNMPv3 is now functional.
Would you like to restrict SNMPv1 and SNMPv2c messages to have read only
access (you can set this later by the command 'snmpv3 restricted-access')? [y/n] y

HPE5412Rzl2(config)# show snmpv3 enable

 Status and Counters - SNMP v3 Global Configuration Information

  SNMP v3 enabled : Yes

HPE5412Rzl2(config)# show snmpv3 user

 Status and Counters - SNMP v3 Global Configuration Information

  User Name                        Auth. Protocol   Privacy Protocol
  -------------------------------- ---------------- ----------------
  my-snmpv3-user                   SHA              CBC DES
  initial                          MD5              CBC DES

HPE5412Rzl2(config)# snmpv3 only
HPE5412Rzl2(config)# no snmp-server community public
HPE5412Rzl2(config)# show snmpv3 group

 Status and Counters - SNMP v3 Global Configuration Information

  Security Name                 Security Model Group Name
  ----------------------------- -------------- --------------------------------
  CommunityManagerReadOnly      ver1           ComManagerR
  CommunityManagerReadWrite     ver1           ComManagerRW
  CommunityOperatorReadOnly     ver1           ComOperatorR
  CommunityOperatorReadWrite    ver1           ComOperatorRW
  CommunityManagerReadOnly      ver2c          ComManagerR
  CommunityManagerReadWrite     ver2c          ComManagerRW
  CommunityOperatorReadOnly     ver2c          ComOperatorR
  CommunityOperatorReadWrite    ver2c          ComOperatorRW

HPE5412Rzl2(config)# snmpv3 group managerpriv user my-snmpv3-user sec-model ver3
HPE5412Rzl2(config)# show snmpv3 group

 Status and Counters - SNMP v3 Global Configuration Information

  Security Name                 Security Model Group Name
  ----------------------------- -------------- --------------------------------
  CommunityManagerReadOnly      ver1           ComManagerR
  CommunityManagerReadWrite     ver1           ComManagerRW
  CommunityOperatorReadOnly     ver1           ComOperatorR
  CommunityOperatorReadWrite    ver1           ComOperatorRW
  CommunityManagerReadOnly      ver2c          ComManagerR
  CommunityManagerReadWrite     ver2c          ComManagerRW
  CommunityOperatorReadOnly     ver2c          ComOperatorR
  CommunityOperatorReadWrite    ver2c          ComOperatorRW
  my-snmpv3-user                ver3           ManagerPriv

HPE5412Rzl2(config)# no snmpv3 user initial
HPE5412Rzl2(config)# show snmpv3 user

 Status and Counters - SNMP v3 Global Configuration Information

  User Name                        Auth. Protocol   Privacy Protocol
  -------------------------------- ---------------- ----------------
  my-snmpv3-user                   SHA              CBC DES

HPE5412Rzl2(config)# snmpv3 user my-snmpv3-user auth sha 17-chars-long-password priv aes 18-chars-long-password
HPE5412Rzl2(config)# show snmpv3 user

 Status and Counters - SNMP v3 Global Configuration Information

  User Name                        Auth. Protocol   Privacy Protocol
  -------------------------------- ---------------- ----------------
  my-snmpv3-user                   SHA              CFB AES-128

HPE5412Rzl2(config)# snmpv3 restricted-access
HPE5412Rzl2(config)# show snmpv3 restricted-access

 Status and Counters - SNMP v3 Global Configuration Information

  SNMP v1 and SNMP v2c messages restricted to read only : Yes

Also note that SNMPv3 User my-snmp-user's Authentication and Privacy Passwords are, respectively, 17 and 18 characters long.

Under IMC -> System -> Resource Management -> Access Parameters Template and I have added ex-novo three SNMP, Telnet and SSH templates customized with access parameters valid for the Aruba 5400R zl2 I deployed, so using SNMP, SSH and Telnet credentials. Note that I didn't remove default templates already present on SNMP and Telnet. SSH hadn't a default template.

Now the issue:

• If I test (concurrently or singularly) SNMP, SSH and Telnet accesses to the Aruba 5400R zl2 by creating a batch operation (via IMC -> Resource -> Batch Operation -> Check Access Settings) and running it immediately I always end with failure(s)
• if, instead, I test SSH and Telnet singularly by selecting the Switch and performing "Test" under Configure -> Modify SSH Settings and Modify Telnet Settings: SSH and Telnet tests do pass.
• If I test singularly by selecting the Switch and performing "Test" under Configure -> Modify SNMP Settings: SNMP test doesn't pass.

So now questions:

• How can I check if SNMPv3 settings configured above are correct?
• Do I need a SNMP Community - after all - with snmp-server community public?
• Should I re-enable by issuing no snmpv3 restricted-access (that will be a little bit counter-intuitive since we need hardened SNMPv3) given that on Initial ArubaOS Switch Configuration is explicitly advised that "restricting access to only SNMPv3 messages makes the community named “public” inaccessible to network management applications (such as autodiscovery, traffic monitoring, SNMP trap generation, and threshold setting) from operating in the ArubaOS switch. For that reason, Aruba recommends answering no to Step 8 (which is the last step of snmp enable command listed above)"?
• Batch operations use default templates? or, better said, how can I check which templates are activated with regards to verifying access credentials to SNMP, SSH and Telnet via Batch Operations?

Hi,
my experience with SNMPv3 is, it works, but if your device has various IPs and the IP of the device in IMC is different from the route to the server IMC doesn’t recognize the device.
Example
Deveice IP in IMC 192.168.0.1
But default route on the switch is
0.0.0.0 0.0.0.0 192.168.1.1
The switch response with the IP in the 192.168.1.0 subnet which IMC doesn’t recognize

You can change the response IP on the Aruba switch with
SNMP-Server respOnse-source dst-ip-of-request


HTH
Alex

That's really interesting...indeed our HPE IMC is hosted on a (routed) VLAN - I mean that that VLAN is routed by our routing Switch which hasn't a default gateway/route at all and, AFAIK, IP routing between the VLAN hosting the IMC host and one of IP Addresses associated with VLAN Subnets on the routing Switch...works as expected (ping between these hosts is OK in any direction) - and I insited to test SNMPv3 connectivity from the HPE IMC host (VLAN Id n) to Switch IP Address (VLAN Id m)...as soon I tested the SNMPv3 access through other Switch IP Address (VLAN id n) communication succeded.

Your command (snmp-server response-source dst-ip-of-request) was the solution to make it to work between different Subnets  (so between VLAN Ids).