A small guide that I wrote to help configure SSH and SNMP on Nortel (now Avaya) switches.
Small switches
(5500 / 5510 / 4500 / 470 / 425..)
SNMPv1 / 2
To configure the community strings for SNMPv1 / 2:
snmp-server community public ro
snmp-server community private rw
public = read only community
private = read/write community
To disable SNMPv1 / 2 only (SNMPv3 will continue to work):
no snmp-server community ro
no snmp-server community rw
SNMPv3
To use a privacy password, the SSH image must be installed on the switch.
One way to check whether the SSH image is installed is to check whether the ssh command is available in “conf t” mode.
To delete the SNMPv3 root user:
no snmp-server user root
To configure SNMPv3 for a switch with SSH image:
no password security
snmp-server user root read-view snmpv1Objs write-view snmpv1Objs notify-view snmpv1Objs md5 password1 des password2
To configure SNMPv3 for a switch without SSH image:
no password security
snmp-server user root read-view snmpv1Objs write-view snmpv1Objs notify-view snmpv1Objs md5 password1
no password security = allows the passwords to be entered on the configuration line
(without that command the switch will prompt for the passwords)
root = username
snmpv1Objs = SNMP view name (the available view names can be checked with the command “show snmp-server view”)
md5 = Authentication protocol (can be md5 or sha96)
password1 = Authentication password
des = Privacy protocol (can be des, aes or 3des); it is better to use DES because it is the only
protocol that ENMS knows how to use for communication with the switch
password2 = Privacy password
SSH
To reset all the telnet/ssh users on the switch to default:
default username
SSH configuration
no password security
ssh pass-auth
ssh
username root password1 rw
no password security = allows the passwords to be entered on the configuration line
(without that command the switch will prompt for the passwords)
root = username
password1 = password
To disable telnet access to the switch:
telnet-access disable
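An added example (not from the original guide): a Python check that reads a small-switch configuration written in the command forms shown above and reports SNMPv1/2 communities that are still configured, an SNMPv3 user without a privacy protocol, and telnet access that was not disabled. The two sample configurations are constructed, and treating telnet as enabled unless “telnet-access disable” is present is an assumption.

```python
import re

AUTH = {"md5", "sha96"}                # authentication protocols named in the guide
PRIV = {"des", "aes", "3des"}          # privacy protocols named in the guide
DEFAULT_NAMES = {"public", "private"}  # the guide's example community strings

def audit_config(text):
    """Return sorted findings for config text written in the guide's command forms."""
    findings, telnet_disabled = set(), False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.lower().startswith("no "):
            continue  # "no ..." lines remove a setting, they do not add exposure
        m = re.fullmatch(r"snmp-server community (\S+) (ro|rw)", line, re.I)
        if m:
            findings.add(f"SNMPv1/2 {m.group(2).lower()} community still configured")
            if m.group(1).strip('"').lower() in DEFAULT_NAMES:
                findings.add(f"well-known community string '{m.group(1)}'")
            continue
        m = re.match(r"snmp-server user (\S+) (.+)", line, re.I)
        if m:
            tok = m.group(2).split()
            i = next((n for n, t in enumerate(tok) if t.lower() in AUTH), None)
            if i is None:
                findings.add(f"SNMPv3 user '{m.group(1)}' has no authentication")
            elif len(tok) <= i + 2 or tok[i + 2].lower() not in PRIV:
                findings.add(f"SNMPv3 user '{m.group(1)}' has no privacy protocol")
            continue
        if line.lower() == "telnet-access disable":
            telnet_disabled = True
    if not telnet_disabled:
        findings.add("telnet access not disabled")  # assumption: on unless disabled
    return sorted(findings)

# Constructed sample configurations (not taken from a real switch).
WEAK = """\
snmp-server community public ro
snmp-server community private rw
no password security
snmp-server user root read-view snmpv1Objs write-view snmpv1Objs notify-view snmpv1Objs md5 password1
"""
HARDENED = """\
no snmp-server community ro
no snmp-server community rw
snmp-server user root read-view snmpv1Objs write-view snmpv1Objs notify-view snmpv1Objs md5 password1 des password2
telnet-access disable
"""

if __name__ == "__main__":
    print(audit_config(WEAK), audit_config(HARDENED))
```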
Traps and syslog
To configure sending traps and log messages to a syslog server:
logging remote address x.x.x.x
logging remote enable
snmp-server host x.x.x.x "public"
x.x.x.x – server IP address
public – server community string
Passport (ERS 8600)
If you can’t access the switch with SSH / SNMPv3, check the log; you will find the reason there.
The command is “show log file tail”
SNMPv1 / 2
To reset all SNMP settings to the default:
conf snmp-server bootstrap min-secure
To configure SNMPv1 / 2:
config snmp-v3 mib-view create root 1
config snmp-v3 community create first public ro
config snmp-v3 community create second private rw
conf snmp-v3 group-member create ro snmpv1 ro_group
conf snmp-v3 group-member create ro snmpv2c ro_group
conf snmp-v3 group-member create rw snmpv2c rw_group
conf snmp-v3 group-member create rw snmpv1 rw_group
conf snmp-v3 group-access create ro_group "" snmpv1 no
conf snmp-v3 group-access create ro_group "" snmpv2c no
conf snmp-v3 group-access create rw_group "" snmpv2c no
conf snmp-v3 group-access create rw_group "" snmpv1 no
conf snmp-v3 group-access view rw_group "" snmpv1 no read root write root notify root
conf snmp-v3 group-access view rw_group "" snmpv2c no read root write root notify root
conf snmp-v3 group-access view ro_group "" snmpv2c no read root notify root
conf snmp-v3 group-access view ro_group "" snmpv1 no read root notify root
root = username
public = read only community
private = read/write community
To disable SNMPv1 / 2:
config snmp-v3 community delete first
config snmp-v3 community delete second
SNMPv3
The configuration was tested on Version 4.1.6.3
To reset all SNMP settings to the default:
conf snmp-server bootstrap min-secure
To configure SNMPv3:
copy x.x.x.x:/p80c4163.aes /flash/p80c4163.aes
config load-encryption-module DES
config snmp-v3 mib-view create root 1
config snmp-v3 usm create root md5 auth password1 priv-prot des priv password2
config snmp-v3 group-member create root usm tech_group
config snmp-v3 group-access create tech_group "" usm authPriv
config snmp-v3 group-access view tech_group "" usm authPriv read root write root notify root
x.x.x.x = ip address of tftp server
p80c4163.aes = encryption file
root = username
md5 = Authentication protocol (can be md5 or sha96)
password1 = Authentication password
des = Privacy protocol (can be des, aes or 3des); it is better to use DES because it is the only
protocol that ENMS knows how to use for communication with the passport
password2 = Privacy password
tech_group = group-member name
To delete the SNMPv3 root user:
config snmp-v3 mib-view delete root 1
config snmp-v3 usm delete root
config snmp-v3 group-access delete tech_group "" usm authPriv
root = username
tech_group = group-member name
To allow SNMP in the access policy:
Use these lines only if there is an access policy and, because of it, you can’t connect to the switch with Device Manager
conf sys access-policy policy X service snmpv3 enable
conf sys access-policy policy X snmp-group-add ro_group snmpv1
conf sys access-policy policy X snmp-group-add rw_group snmpv1
conf sys access-policy policy X snmp-group-add ro_group snmpv2c
conf sys access-policy policy X snmp-group-add rw_group snmpv2c
X = access policy number
SSH
To configure SSH:
config bootconfig flags sshd true
save bootconfig
! now need to boot the system with the boot command !!!
copy x.x.x.x:/p80c4163.aes /flash/p80c4163.aes
config load-encryption-module 3DES
config sys set ssh enable false
config sys set ssh action rsa-keygen 1024 y
config sys set ssh action dsa-keygen 1024 y
config sys set ssh dsa-auth true
config sys set ssh max-sessions 4
config sys set ssh pass-auth true
config sys set ssh port 22
config sys set ssh rsa-auth true
config sys set ssh timeout 60
config sys set ssh version v2only
config sys set ssh enable true
config sys set ssh info
x.x.x.x = ip address of tftp server
p80c4163.aes = encryption file
y = if there is already a key stored at the switch, the switch will ask – “Are you sure? ( y / n )”
To disable telnet access:
config bootconfig flags telnetd false
save boot
Traps
To configure SNMP traps:
These are SNMP v1/2 traps.
config snmp-v3 target-addr create station1 x.x.x.x:162 TparamV2 taglist trapTag
x.x.x.x – server IP address
OID
OIDs for monitoring the components of Nortel switches
Replies are in ASCII
Ports (x = port index; it can be checked with Device Manager)
1.3.6.1.2.1.2.2.1.2.x – description
1.3.6.1.2.1.2.2.1.7.x – admin status (1= UP, 2= DOWN)
1.3.6.1.2.1.2.2.1.8.x – current status (1= UP, 2= DOWN)
FAN – slot 1
1.3.6.1.4.1.2272.1.4.7.1.1.1.1 – ID
1.3.6.1.4.1.2272.1.4.7.1.1.2.1 – State ( 2=up, 3 = down)
1.3.6.1.4.1.2272.1.4.7.1.1.3.1 – Temperature
FAN – slot 2
1.3.6.1.4.1.2272.1.4.7.1.1.1.2 – ID
1.3.6.1.4.1.2272.1.4.7.1.1.2.2 – State ( 2=up, 3 = down)
1.3.6.1.4.1.2272.1.4.7.1.1.3.2 – Temperature
Power supply 1
1.3.6.1.4.1.2272.1.4.8.2.1.6.1 – Description
1.3.6.1.4.1.2272.1.4.8.1.1.2.1 – State ( 3=up, 4 = down)
Power supply 2
1.3.6.1.4.1.2272.1.4.8.2.1.6.2 – Description
1.3.6.1.4.1.2272.1.4.8.1.1.2.2 – State ( 3=up, 4 = down)
Power supply 3
1.3.6.1.4.1.2272.1.4.8.2.1.6.3 – Description
1.3.6.1.4.1.2272.1.4.8.1.1.2.3 – State ( 3=up, 4 = down)
CPU (and memory on CPU module)
1.3.6.1.4.1.2272.1.100.1.2.0 – Temperature
1.3.6.1.4.1.2272.1.1.20.0 – Primary CPU Percent
1.3.6.1.4.1.2272.1.1.44.0 – Secondary CPU Percent
1.3.6.1.4.1.2272.1.1.46.0 – Memory total
1.3.6.1.4.1.2272.1.1.47.0 – Memory used
1.3.6.1.4.1.2272.1.1.48.0 – Memory free
1.3.6.1.4.1.2272.1.1.21.0 – Primary Switch Fabric Percent
1.3.6.1.4.1.2272.1.1.45.0 – Secondary Switch Fabric Percent
1.3.6.1.4.1.2272.1.1.13.0 – Primary Buffer Percent
1.3.6.1.4.1.2272.1.1.41.0 – Secondary Buffer Percent
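An added example (not from the original guide): a Python function that reads polled values for the state OIDs listed above and returns the components that are not up. It shows that the "up" code differs per table (1 for ports, 2 for fans, 3 for power supplies) and skips ports that are administratively down; the sample lines are constructed in the numeric form net-snmp prints with -On -Oe, which is an assumption about the polling tool.

```python
import re

IF_ADMIN = "1.3.6.1.2.1.2.2.1.7"  # port admin status (1 = UP, 2 = DOWN)
# (OID prefix, component label, value that means "up"), from the guide's OID list.
STATE_OIDS = [
    ("1.3.6.1.2.1.2.2.1.8", "port", 1),
    ("1.3.6.1.4.1.2272.1.4.7.1.1.2", "fan", 2),
    ("1.3.6.1.4.1.2272.1.4.8.1.1.2", "power supply", 3),
]
LINE = re.compile(r"^\.?([\d.]+) = INTEGER: (\d+)$")

def components_down(snmp_output):
    """Return [(label, index, value)] for each state OID whose value is not 'up'."""
    values = {}
    for line in snmp_output.splitlines():
        m = LINE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2))
    down = []
    for oid, value in values.items():
        for prefix, label, up in STATE_OIDS:
            if not oid.startswith(prefix + "."):
                continue
            index = oid[len(prefix) + 1:]
            # A port the administrator shut down (admin status 2) is not a fault.
            if label == "port" and values.get(f"{IF_ADMIN}.{index}") == 2:
                continue
            if value != up:
                down.append((label, index, value))
    return down

# Constructed poll result: port 1 failed, port 2 shut down on purpose,
# fan 2 down, power supply 2 down.
SAMPLE = """\
.1.3.6.1.2.1.2.2.1.7.1 = INTEGER: 1
.1.3.6.1.2.1.2.2.1.8.1 = INTEGER: 2
.1.3.6.1.2.1.2.2.1.7.2 = INTEGER: 2
.1.3.6.1.2.1.2.2.1.8.2 = INTEGER: 2
.1.3.6.1.4.1.2272.1.4.7.1.1.2.1 = INTEGER: 2
.1.3.6.1.4.1.2272.1.4.7.1.1.2.2 = INTEGER: 3
.1.3.6.1.4.1.2272.1.4.8.1.1.2.1 = INTEGER: 3
.1.3.6.1.4.1.2272.1.4.8.1.1.2.2 = INTEGER: 4
"""

if __name__ == "__main__":
    for label, index, value in components_down(SAMPLE):
        print(f"{label} {index} is not up (value {value})")
```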
By: Sharon Saadon
The post Nortel SNMP SNMPv3 and SSH appeared first on SharonTools.