Fibre Channel (SAN)

New Contributor
Posts: 2
Registered: 11-10-2011

Newbie Needs SNMP Help

I am a Brocade newbie and due to security concerns I need to disable SNMP functionality on one of my 5140 switches from all IP addresses. Current FabOS version is 6.3.0c. I have gone through the FabOS Administrator's guide, Forum Search, and the FabOS Command Reference, but all I really need is a sanity check from you experts on the proper syntax. I was going to use either an IpFilter command or snmpConfig command (of course if you know of a better or easier way, please let me know). Anyway, here is my current syntax for you to review and ensure that I am doing this correctly as it is in a production environment:

>ipfilter --show
>ipfilter --create NoSNMP -type ipv4
>ipfilter --addrule NoSNMP -rule -sip * (can I use this * as a wildcard for all IP addresses?) -dp 161 -proto tcp -act deny
>ipfilter --save NoSNMP
>ipfilter --activate NoSNMP

AND/OR:

>snmpconfig --show
>snmpconfig --set snmpv3
>snmpconfig --default snmpv3
>snmpconfig --set mibcapability 0
>snmpconfig --set seclevel 3

Do the above commands require a switchDisable/switchEnable before and after?

Could you experts please verify that my syntax is correct, and annotate where it is not? Thanks a bunch in advance all.

Occasional Contributor
Posts: 12
Registered: 01-06-2012

Re: Newbie Needs SNMP Help

I would not consider myself an expert, but I have a little experience with messing up my ipfilter... so I'll share what I know.  The first time I created one, I made a mistake by just creating and not cloning.  The only thing we do with ours is to disallow telnet.  I created a policy that only had disallow telnet, activated it, and lost all connection ability to my mgmt because the only thing the rule said was don't allow telnet on port 23.  So, given that, I would suggest cloning your current policy, deleting any rule you don't want, and adding any new rules you want.  My thought would be more like this:

ipfilter --show

ipfilter --clone NoSNMP -from default_ipv4 (or whichever you have as active)

ipfilter --show (check out your rules)

ipfilter --delrule NoSNMP -rule 8

ipfilter --addrule NoSNMP -rule 8 -sip any -dp 161 -proto udp -act deny

ipfilter --show (verify it says what you want)

ipfilter --save NoSNMP

ipfilter --activate NoSNMP  (will make your old active rule no longer active and put into place the one you just created)

I'm not sure what the protocol is for snmp, but rule 8 on my switch for port 161 shows udp.  I'm not a network person...

I have not had to do any switch disable to get mine to take effect.  I don't think this impacts anything other than what connects to the ports in the ipfilter rules, but I guarantee nothing on that side of things.  I've only done this before connecting servers to them, but nothing looked bad then.

The only thing I do with the snmpconfig is to change the default community strings and set what IPs to send traps to... so not really familiar with the second part you mention.  I know you can set the accesscontrol list as far as what IPs can get to the switch with SNMP, which is maybe something you can look into.  If you set that with an invalid character perhaps it will block all access?

snmpconfig --show accesscontrol

snmpconfig --set accesscontrol  (should just take you through each entry for you to input IP and r/w)

Hope that helps.  Good luck!

-Annette

Valued Contributor
Posts: 931
Registered: 12-30-2009

Re: Newbie Needs SNMP Help

To add to Annette's warning and tip, better clone and keep at least ssh/telnet in there.

I've blocked myself out once and had the luck it happened while I was on premises.
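A sanity check for the two things Annette and Dion warn about above: a policy created from scratch instead of cloned locks you out, and the policy you activate must still permit ssh/telnet. This is an added example, not code from the thread or from Brocade; it assumes the rule table of `ipfilter --show` has the columns rule number, source IP, protocol, destination port (single port or a `600 - 1023` range) and action, that rules are matched in order, and that a packet matching no rule is dropped (which is what Annette's lockout suggests).

```python
import re

# Constructed sample of `ipfilter --show` for a policy cloned from the default and
# edited as the replies suggest (column layout assumed; first matching rule wins).
SAMPLE_SHOW = """\
Name: NoSNMP, Type: ipv4, State: defined
Rule    Source IP    Protocol   Dest Port    Action
1       any          tcp        22           permit
2       any          tcp        23           permit
3       any          udp        161          deny
4       any          udp        123          permit
5       any          tcp        600 - 1023   permit
6       any          udp        600 - 1023   permit
"""

# One rule line: number, source, protocol, port or "lo - hi" range, action.
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(tcp|udp)\s+(\d+)(?:\s*-\s*(\d+))?\s+(permit|deny)\s*$", re.I)

def parse_rules(text):
    """Extract rule lines from ipfilter --show text; header lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            num, sip, proto, lo, hi, act = m.groups()
            rules.append({"num": int(num), "sip": sip, "proto": proto.lower(),
                          "lo": int(lo), "hi": int(hi or lo), "act": act.lower()})
    return rules

def first_match(rules, proto, port):
    """Action of the first rule covering proto/port, in rule order; None means
    no rule matched, which the thread's lockout story shows behaves as deny."""
    for r in rules:
        if r["proto"] == proto and r["lo"] <= port <= r["hi"]:
            return r["act"]
    return None

def check_policy(text, mgmt=("tcp", 22), block=("udp", 161)):
    """Return a list of problems; an empty list means the policy is safe to activate."""
    rules = parse_rules(text)
    problems = []
    if first_match(rules, *mgmt) != "permit":
        problems.append(f"{mgmt[0]}/{mgmt[1]} not permitted: activating would lock out your session")
    if first_match(rules, *block) != "deny":
        problems.append(f"{block[0]}/{block[1]} is not denied")
    return problems
```

Paste the output of `ipfilter --show` for the policy you are about to activate into `check_policy` and only run `ipfilter --activate` when it returns an empty list.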

New Contributor
Posts: 2
Registered: 11-10-2011

Re: Newbie Needs SNMP Help

@Annette:

Thanks for the fast response. I have just confirmed with Brocade support and you are correct. I was not too far off I guess with my original proposed syntax. I will reply back here with my results so that the community can benefit.

@Dion:

Yes, that is good to know and very helpful, thank you. I currently have no other filter policies in place, so I just need to be able to disable SNMP functionality... will tread lightly.

Thanks again guys!
