01-25-2012 08:39 AM
I am a Brocade newbie and due to security concerns I need to disable SNMP functionality on one of my 5140 switches from all IP addresses. Current FabOS version is 6.3.0c. I have gone through the FabOS Administrator's guide, Forum Search, and the FabOS Command Reference, but all I really need is a sanity check from you experts on the proper syntax. I was going to use either an IpFilter command or snmpConfig command (of course if you know of a better or easier way, please let me know). Anyway, here is my current syntax for you to review and ensure that I am doing this correctly as it is in a production environment:
>ipfilter --create NoSNMP -type ipv4
>ipfilter --addrule NoSNMP -rule -sip * (can I use this * as a wildcard for all IP addresses?) -dp 161 -proto tcp -act deny
>ipfilter --save NoSNMP
>ipfilter --activate NoSNMP
>snmpconfig --set snmpv3
>snmpconfig --default snmpv3
>snmpconfig --set mibcapability 0
>snmpconfig --set seclevel 3
Do the above commands require a switchDisable/switchEnable before and after?
Could you experts please verify that my syntax is correct, and annotate where it is not? Thanks a bunch in advance all.
01-25-2012 09:37 AM
I would not consider myself an expert, but I have a little experience with messing up my ipfilter... so I'll share what I know. The first time I created one, I made a mistake by just creating and not cloning. The only thing we do with ours is to disallow telnet. I created a policy that only had disallow telnet, activated it, and lost all connection ability to my mgmt because the only thing the rule said was don't allow telnet on port 23. So, given that, I would suggest cloning your current policy, deleting any rule you don't want, and adding any new rules you want. My thought would be more like this:
ipfilter --clone NoSNMP -from default_ipv4 (or whichever you have as active)
ipfilter --show (check out your rules)
ipfilter --delrule NoSNMP -rule 8
ipfilter --addrule NoSNMP -rule 8 -sip any -dp 161 -proto udp -act deny
ipfilter --show (verify it says what you want)
ipfilter --save NoSNMP
ipfilter --activate NoSNMP (will make your old active policy no longer active and put into place the one you just created)
I'm not sure what the protocol is for snmp, but rule 8 on my switch for port 161 shows udp. I'm not a network person...
I have not had to do any switch disable to get mine to take effect. I don't think this impacts anything other than what connects to the ports in the ipfilter rules, but I guarantee nothing on that side of things. I've only done this before connecting servers to them, but nothing looked bad then.
The only thing I do with the snmpconfig is to change the default community strings and set what IPs to send traps to... so not really familiar with the second part you mention. I know you can set the accesscontrol list as far as what IPs can get to the switch with SNMP, which is maybe something you can look into. If you set that with an invalid character perhaps it will block all access?
snmpconfig --show accesscontrol
snmpconfig --set accesscontrol (should just take you through each entry for you to input IP and r/w)
Hope that helps. Good luck!
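One way to confirm the deny rule actually took effect once the policy is activated, added here as an example and not taken from the thread: build a minimal SNMPv2c GetRequest for sysDescr.0 and send it to the switch management address from a host that previously had SNMP access. A timeout means UDP/161 is being dropped; any reply means the filter is not in place. The management IP (192.0.2.10), the community string ("public") and the 2 second timeout are placeholders and assumptions, not values from the original posts.

```python
"""Probe a switch on UDP/161 to verify an ipfilter deny rule (added example)."""
import socket

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """Wrap value in a BER tag / length / value triple."""
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n: int) -> bytes:
    """Non-negative INTEGER contents, keeping the sign bit clear."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER contents: first two arcs packed, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def snmp_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv2c GetRequest message for one OID with a NULL placeholder value."""
    varbind = tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(0x05, b""))
    pdu = tlv(0xA0, tlv(0x02, ber_int(request_id))  # request-id
                   + tlv(0x02, b"\x00")              # error-status
                   + tlv(0x02, b"\x00")              # error-index
                   + tlv(0x30, varbind))             # varbind list
    # version 1 == SNMPv2c; community is a placeholder, use the switch's real one
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, community.encode()) + pdu)

def probe(host: str, community: str = "public", timeout: float = 2.0) -> str:
    """Send one GetRequest for sysDescr.0; 'filtered' on timeout, else 'reachable'."""
    pkt = snmp_get_request(community, "1.3.6.1.2.1.1.1.0")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, 161))
        try:
            s.recvfrom(1500)
        except socket.timeout:
            return "filtered"
    return "reachable"

if __name__ == "__main__":
    print(probe("192.0.2.10"))  # placeholder switch management IP
```

Run it with the switch's real community string: an agent silently drops requests with a wrong community, so with a placeholder string a timeout proves nothing about the filter.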
01-25-2012 10:29 AM
Thanks for the fast response. I have just confirmed with Brocade support and you are correct. I was not too far off I guess with my original proposed syntax. I will reply back here with my results so that the community can benefit.
Yes, that is good to know and very helpful, thank you. I currently have no other filter policies in place so I just need to be able to disable SNMP functionality... will tread lightly.
Thanks again guys!