Configuring for Network Management Applications

Using SNMP tools to manage the switch

SNMP is a management protocol that allows an SNMP client application to retrieve device configuration and status information and to configure the device (get and set). You can manage the switch via SNMP from a network management station running an application such as PCM+. For more information on PCM+, see the HPE website at: http://www.hpe.com/networking.

From the Products menu, select Network Management. The click on PCM+ Network Management under the HPE Network Management bar.

To implement SNMP management, the switch must have an IP address configured either manually or dynamically (using DHCP or Bootp). If multiple VLANs are configured, each VLAN interface should have its own IP address. For DHCP use with multiple VLANs, see section "The Primary VLAN" in the "Static Virtual LANs (VLANs)" of the advanced traffic management guide for your switch.

NOTE: If you use the switch's Authorized IP Managers and Management VLAN features, ensure that the SNMP management station, the choice of switch port used for SNMP access to the switch, or both, are compatible with the access controls enforced by these features. Otherwise, SNMP access to the switch will be blocked.

For more information on Authorized IP Managers, see the access security guide for your switch. (The latest version of this guide is available on the HPE Networking website.) For information on the Management VLAN feature, see the section "The Secure Management VLAN" in the "Static Virtual LANs (VLANs)" chapter of the advanced traffic management guide for your switch.

SNMP management features

SNMP management features on the switch include:

SNMP version 1, version 2c, or version 3 over IP
Security via configuration of SNMP communities (SNMPv3 communities)
Security via authentication and privacy for SNMPv3 access
Event reporting via SNMP
- Version 1 traps
- RMON: groups 1, 2, 3, and 9
PCM/PCM+
Flow sampling using sFlow
Standard MIBs, such as the Bridge MIB (RFC 1493), Ethernet MAU MIB (RFC 1515), and others.

The switch SNMP agent also uses certain variables that are included in an HPE proprietary MIB (management information base) file. If you are using HPE OpenView, you can ensure that it is using the latest version of the MIB file by downloading the file to the OpenView database. To do so, go to the HPE Networking website at: http://www.hpe.com/networking.

Type a model number of your switch (For example, 8212) or product number in the Auto Search text box.

Select an appropriate product from the drop down list.

Click the Display selected button.

From the options that appear, select Software downloads.

MIBs are available with switch software in the Other category.

Click on software updates, then MIBs.

SNMPv1 and v2c access to the switch

SNMP access requires an IP address and subnet mask configured on the switch. If you are using DHCP/Bootp to configure the switch, ensure that the DHCP/Bootp process provides the IP address.

Once an IP address is configured, the main steps for configuring SNMPv1 and v2c access management features are:

Configure the appropriate SNMP communities. (See SNMPv3 communities.)
Configure the appropriate trap receivers.

In some networks, authorized IP manager addresses are not used. In this case, all management stations using the correct community name may access the switch with the View and Access levels that have been set for that community. If you want to restrict access to one or more specific nodes, you can use the switch's IP Authorized Manager feature. (See the access security guide for your switch.)


	CAUTION: For PCM/PCM+ version 1.5 or earlier (or any TopTools version), deleting the "public" community disables some network management functions (such as traffic monitoring, SNMP trap generation, and threshold setting). If network management security is a concern, and you are using the above software versions, Hewlett Packard Enterprise recommends that you change the write access for the "public" community to "Restricted."

SNMPv3 access to the switch

SNMPv3 access requires an IP address and subnet mask configured on the switch. (See "IP Configuration" on page 8-2.) If you are using DHCP/Bootp to configure the switch, ensure that the DHCP/Bootp process provides the IP address. (See "DHCP/Bootp Operation".)

Once you have configured an IP address, the main steps for configuring SNMPv3 access management features are the following:

Enable SNMPv3 for operation on the switch (see Enabling SNMPv3).
Configure the appropriate SNMP users (see SNMPv3 users).
Configure the appropriate SNMP communities (see SNMPv3 communities).
Configure the appropriate trap receivers (see SNMP notifications).

In some networks, authorized IP manager addresses are not used. In this case, all management stations using the correct User and community name may access the switch with the View and Access levels that have been set for that community. If you want to restrict access to one or more specific nodes, you can use the IP Authorized Manager feature for the switch. (See the access security guide for your switch.)

SNMP version 3 (SNMPv3) adds some new commands to the CLI for configuring SNMPv3 functions. To enable SNMMPv3 operation on the switch, use the snmpv3 enable command. An initial user entry will be generated with MD5 authentication and DES privacy.

You may (optionally) restrict access to only SNMPv3 agents by using the snmpv3 only command. To restrict write-access to only SNMPv3 agents, use the snmpv3 restricted-access command.


	CAUTION: Restricting access to only version 3 messages will make the community named “public” inaccessible to network management applications (such as autodiscovery, traffic monitoring, SNMP trap generation, and threshold setting) from operating in the switch.

Enabling and disabling switch for access from SNMPv3 agents

This includes the creation of the initial user record.

Syntax:

[no] snmpv3 enable

Enabling or disabling restrictions to access from only SNMPv3 agents

When enabled, the switch rejects all non-SNMPv3 messages.

Syntax:

[no] snmpv3 only

Enabling or disabling restrictions from all non-SNMPv3 agents to read-only access

Syntax:

[no] snmpv3 restricted-access

Viewing the operating status of SNMPv3

Syntax:

show snmpv3 enable

Viewing status of message reception of non-SNMPv3 messages

Syntax:

show snmpv3 only

Viewing status of write messages of non-SNMPv3 messages

Syntax:

show snmpv3 restricted-access

Enabling SNMPv3

The snmpv3 enable command allows the switch to:

Receive SNMPv3 messages.
Configure initial users.
Restrict non-version 3 messages to "read only" (optional).


	CAUTION: Restricting access to only version 3 messages makes the community named "public" inaccessible to network management applications (such as autodiscovery, traffic monitoring, SNMP trap generation, and threshold setting) from operating in the switch.

Example:

SNMP version 3 enable command

SNMPv3 users


	NOTE: To create new users, most SNMPv3 management software requires an initial user record to clone. The initial user record can be downgraded and provided with fewer features, but not upgraded by adding new features. For this reason, Hewlett Packard Enterprise recommends that when you enable SNMPv3, you also create a second user with SHA authentication and DES privacy.

To use SNMPv3 on the switch, you must configure the users that will be assigned to different groups:

Configure users in the User Table with the snmpv3 user command.

To view the list of configured users, enter the show snmpv3 user command (see Adding users).
Assign users to Security Groups based on their security model with the snmpv3 group command (see Assigning users to groups (CLI)).


	CAUTION: If you add an SNMPv3 user without authentication, privacy, or both, to a group that requires either feature, the user will not be able to access the switch. Ensure that you add a user with the appropriate security level to an existing security group.

Adding users

To configure an SNMPv3 user, you must first add the user name to the list of known users with the snmpv3 user command, as shown in Adding SNMPv3 users and displaying SNMPv3 configuration.

Adding SNMPv3 users and displaying SNMPv3 configuration

SNMPv3 user commands

Syntax:

[no] snmpv3 user <user_name>
Adds or deletes a user entry for SNMPv3. Authorization and privacy are optional, but to use privacy, you must use authorization. When you delete a user, only the user_name is required.

[ auth < md5 | sha> <auth_pass> ]

With authorization, you can set either MD5 or SHA authentication. The authentication password <auth_pass> must be 6 to 32 characters and is mandatory when you configure authentication.

Default: None

[ priv < des | aes> <priv_pass> ]

With privacy, the switch supports DES (56-bit) and AES (128-bit) encryption. The privacy password <priv_pass> must be 6-32 characters in length and is mandatory when you configure privacy.

Default: DES

NOTE: Only AES 128-bit and DES 56-bit encryption are supported as privacy protocols. Other non-standard encryption algorithms, such as AES-172, AES-256, and 3-DES are not supported.

Listing Users

To display the management stations configured to access the switch with SNMPv3 and view the authentication and privacy protocols that each station uses, enter the show snmpv3 user command.

Syntax:

show snmpv3 user

Display of the management stations configured on VLAN 1 displays information about the management stations configured on VLAN 1 to access the switch.

Display of the management stations configured on VLAN 1

HP Switch# configure terminal
HP Switch(config)# vlan 1
HP Switch(vlan-1)# show snmpv3 user

Status and Counters - SNMPv3 Global Configuration Information

 User Name      Auth. Protocol   Privacy Protocol
 -----------    --------------   -----------------
 initial        MD5              CFB AES-128
 NetworkAdmin   MD5              CBC-DES

Assigning users to groups (CLI)

Next you must set the group access level for the user by assigning the user to a group. This is done with the snmpv3 group command, as shown in Example: of assigning users to groups. For more details on the MIBs access for a given group, see Group access levels.

Example: of assigning users to groups

Syntax:

[no] snmpv3 group
Assigns or removes a user to a security group for access rights to the switch. To delete an entry, all of the following three parameters must be included in the command:

group <group_name>

Identifies the group that has the privileges that will be assigned to the user. For more details, see Group access levels.

user <user_name>

Identifies the user to be added to the access group. This must match the user name added with the snmpv3 user command.

sec-model <ver1 | ver2c | ver3>

Defines which security model to use for the added user. An SNMPv3 access group should use only the ver3 security model.

Group access levels

The switch supports eight predefined group access levels, shown in Table 6-3. There are four levels for use by version 3 users and four are used for access by version 2c or version 1 management applications.

Predefined group access levels

Group name	Group access type	Group read view	Group write view
managerpriv	Ver3 Must have Authentication and Privacy	ManagerReadView	ManagerWriteView
managerauth	Ver3 Must have Authentication	ManagerReadView	ManagerWriteView
operatorauth	Ver3 Must have Authentication	OperatorReadView	DiscoveryView
operatornoauth	Ver3 No Authentication	OperatorReadView	DiscoveryView
commanagerrw	Ver2c or Ver1	ManagerReadView	ManagerWriteView
commanagerr	Ver2c or Ver1	ManagerReadView	DiscoveryView
comoperatorrw	Ver2c or Ver1	OperatorReadView	OperatorReadView
comoperatorr	Ver2c or Ver1	OperatorReadView	DiscoveryView

Each view allows you to view or modify a different set of MIBs:

Manager Read View – access to all managed objects
Manager Write View – access to all managed objects except the following:
- vacmContextTable
- vacmAccessTable
- vacmViewTreeFamilyTable
OperatorReadView – no access to the following:
- icfSecurityMIB
- hpSwitchIpTftpMode
- vacmContextTable
- vacmAccessTable
- vacmViewTreeFamilyTable
- usmUserTable
- snmpCommunityTable
Discovery View – Access limited to samplingProbe MIB.


	NOTE: All access groups and views are predefined on the switch. There is no method to modify or add groups or views to those that are predefined on the switch.

SNMPv3 communities

SNMP commuities are supported by the switch to allow management applications that use version 2c or version 1 to access the switch. The communities are mapped to Group Access Levels that are used for version 2c or version 1 support. This mapping happens automatically based on the communities access privileges, but special mappings can be added with the snmpv3 community command (see Mapping SNMPv3 communities (CLI)).

Mapping SNMPv3 communities (CLI)

SNMP commuities are supported by the switch to allow management applications that use version 2c or version 1 to access the switch. For more details, see SNMPv3 communities.

Syntax:

[no] snmpv3 community
Maps or removes a mapping of a community name to a group access level. To remove a mapping you need to specify only the index_name parameter.

index <index_name>

An index number or title for the mapping. The values of 1 to 5 are reserved and can not be mapped.

name <community_name>

The community name that is being mapped to a group access level.

sec-name <security_name>

The group level to which the community is being mapped.

tag <tag_value>

This is used to specify which target address may have access by way of this index reference.

Example:

Assigning a community to a group access level shows the assigning of the Operator community on MgrStation1 to the CommunityOperatorReadWrite group. Any other Operator has an access level of CommunityOperatorReadOnly.

Assigning a community to a group access level

SNMP community features

Use SNMP communities to restrict access to the switch by SNMP management stations by adding, editing, or deleting SNMP communities. You can configure up to five SNMP communities, each with either an operator-level or a manager-level view and either restricted or unrestricted write access.

Using SNMP requires that the switch have an IP address and subnet mask compatible with your network.


	CAUTION: For PCM/PCM+ version 1.5 or earlier (or any TopTools version), deleting the "public" community disables some network management functions (such as traffic monitoring, SNMP trap generation, and threshold setting). If network management security is a concern, and if you are using the above software versions, Hewlett Packard Enterprise recommends that you change the write access for the "public" community to "Restricted."

Viewing and configuring non-version-3 SNMP communities (Menu)

From the Main Menu, select:

2. Switch Configuration…

6. SNMP Community Names

The SNMP Communities screen (default values)
Press [A] (for Add).

If you need information on the options in each field, press [Enter] to move the cursor to the Actions line, then select the Help option. When you are finished with Help, press [E] (for Edit) to return the cursor to the parameter fields.
Enter the name you want in the Community Name field, and use the Space bar to select the appropriate value in each of the other fields. (Use the [Tab] key to move from one field to the next.)
Press [Enter], then [S] (for Save).

Listing community names and values (CLI)

This command lists the data for currently configured SNMP community names (along with trap receivers and the setting for authentication traps—see SNMP notifications).

Syntax:

show snmp-server [ <community-string> ]

Example:

Lists the data for all communities in a switch; that is, both the default "public" community name and another community named "blue-team."

Example: of the SNMP community listing with two communities

To list the data for only one community, such as the "public" community, use the above command with the community name included. For Example:

HP Switch# show snmp-server public

Configuring community names and values (CLI)

The snmp-server command enables you to add SNMP communities with either default or specific access attributes, and to delete specific communities.

Syntax:

[no] snmp-server community <community-name>
Configures a new community name.

If you do not also specify operator or manager, the switch automatically assigns the community to the operator MIB view.

If you do not specify restricted or unrestricted, the switch automatically assigns the community to restricted (read-only) access.

The no form uses only the <community-name> variable and deletes the named community from the switch.

[ operator | manager ]

Optionally assigns an access level.

At the operator level, the community can access all MIB objects except the CONFIG MIB.

At the manager level, the community can access all MIB objects.

[ restricted | unrestricted ]

Optionally assigns MIB access type.

Assigning the restricted type allows the community to read MIB variables, but not to set them.

Assigning the unrestricted type allows the community to read and set MIB variables.

Example:

To add the following communities:

Community	Access Level	Type of Access
red-team	manager (Access to all MIB objects.)	unrestricted (read/write)
blue-team	operator (Access to all MIB objects except the CONFIG MIB.)	restricted (read-only)

HP Switch(config)# snmp-server community red-team
   manager unrestricted
HP Switch(config)# snmp-server community blue-team
   operator restricted

To eliminate a previously configured community named "gold-team":

HP Switch(config) # no snmp-server community gold-team

SNMP notifications

The switches:

Fixed or “Well-Known” Traps: A switch automatically sends fixed traps (such as “coldStart”, “warmStart”, “linkDown”, and “linkUp”) to trap receivers using the public community name, which is the default. These traps can also be sent to non-public communities.
SNMPv2c informs
SNMP v3 notification process, including traps

This section describes how to configure a switch to send network security and link-change notifications to configured trap receivers.

Supported Notifications

By default, the following notifications are enabled on a switch:

Manager password changes
SNMP authentication failure
Link-change traps: when the link on a port changes from up to down (linkDown) or down to up (linkUp)
Port-security (web, MAC, or 802.1X) authentication failure
Invalid password entered in a login attempt through a direct serial, Telnet, or SSH connection
Inability to establish a connection with the RADIUS or TACACS+ authentication server
DHCP snooping events
ARP protection events

General steps for configuring SNMP notifications

Determine the versions of SNMP notifications that you want to use in your network.
If you want to use SNMPv1 and SNMPv2c traps, you must also configure a trap receiver. See the following sections and follow the required configuration procedures:
If you want to use SNMPv3 notifications (including traps), you must also configure an SNMPv3 management station. Follow the required configuration procedure in Configuring SNMPv3 notifications (CLI).
To reconfigure any of the SNMP notifications that are enabled by default to be sent to a management station (trap receiver), see Enabling Link-Change Traps (CLI).
(Optional) See the following sections to configure optional SNMP notification features and verify the current configuration:
- Configuring the source IP address for SNMP notifications (CLI)
- Viewing SNMP notification configuration (CLI)

SNMPv1 and SNMPv2c Traps

The switches support the following functionality from earlier SNMP versions (SNMPv1 and SNMPv2c):

Trap receivers: A trap receiver is a management station to which the switch sends SNMP traps and (optionally) event log messages sent from the switch. From the CLI you can configure up to ten SNMP trap receivers to receive SNMP traps from the switch.
Fixed or "Well-Known" Traps: A switch automatically sends fixed traps (such as "coldStart", "warmStart", "linkDown", and "linkUp") to trap receivers using the public community name. These traps cannot be redirected to other communities. If you change or delete the default public community name, these traps are not sent.
Thresholds: A switch automatically sends all messages created when a system threshold is reached to the network management station that configured the threshold, regardless of the trap receiver configuration.

SNMP trap receivers

Use the snmp-server host command to configure a trap receiver that can receive SNMPv1 and SNMPv2c traps, and (optionally) Event Log messages. When you configure a trap receiver, you specify its community membership, management station IP address, and (optionally) the type of Event Log messages to be sent.

If you specify a community name that does not exist—that is, has not yet been configured on the switch—the switch still accepts the trap receiver assignment. However, no traps are sent to that trap receiver until the community to which it belongs has been configured on the switch.

NOTE: To replace one community name with another for the same IP address, you must first enter the

no snmp-server host <community-name> <ipv4-address | ipv6-address>

command to delete the unwanted community name. Otherwise, if you add a new community name with an IP address that is already used with a different community name, two valid community name entries are created for the same management station.

If you do not specify the event level ([none|all|not-info|critical|debug]), the switch does not send Event Log messages as traps. However, "well-known" traps and threshold traps (if configured) are still sent.

Configuring an SNMP trap receiver (CLI)

For information about configuring SNMP trap receivers, see SNMP trap receivers.

Syntax:

snmp-server host <ipv4-addr | ipv6-addr> <community name>
Configures a destination network management station to receive SNMPv1/v2c traps and (optionally) Event Log messages sent as traps from the switch, using the specified community name and destination IPv4 or IPv6 address. You can specify up to ten trap receivers (network management stations). (The default community name is public.)

[ <none | all | not-info | critical | debug> ]

(Optional) Configures the security level of the Event Log messages you want to send as traps to a trap receiver (see Table 6-2).

The type of Event Log message that you specify applies only to Event Log messages, not to threshold traps.

For each configured event level, the switch continues to send threshold traps to all network management stations that have the appropriate threshold level configured.

If you do not specify an event level, the switch uses the default value (none) and sends no Event Log messages as traps.

[<inform>]

(Optional) Configures the switch to send SNMPv2 inform requests when certain events occur. For more information, see Enabling SNMPv2c informs (CLI).

Security levels for Event Log messages sent as traps

Security Level	Action
None (default)	Sends no Event Log messages.
All	Sends all Event Log messages.
Not-Info	Sends all Event Log messages that are not for information only.
Critical	Sends only Event Log messages for critical error conditions.
Debug	Sends only Event Log messages needed to troubleshoot network- and switch-level problems.

Example:

To configure a trap receiver in a community named "red-team" with an IP address of 10.28.227.130 to receive only "critical" event log messages, you can enter the following command:

HP Switch(config)# snmp-server host 10.28.227.130 red-team critical

SNMPv2c informs

On a switch enabled for SNMPv2c, you can use the snmp-server host inform command (Enabling SNMPv2c informs (CLI)) to send inform requests when certain events occur. When an SNMP Manager receives an inform request, it can send an SNMP response back to the sending agent on the switch to let the agent know that the inform request reached its destination.

If the sending agent on the switch does not receive an SNMP response back from the SNMP Manager within the timeout period, the inform request may be resent, based on the retry count value.

When you enable SNMPv2c inform requests to be sent, you must specify the IP address and community name of the management station that will receive the inform notification.

Enabling SNMPv2c informs (CLI)

For information about enabling SNMPv2c informs, see SNMPv2c informs.

Syntax:

[no] snmp-server host <ipv4-addr | ipv6-addr> <community name> inform [ retries <count> ] [ timeout <interval> ]
Enables (or disables) the inform option for SNMPv2c on the switch and allows you to configure options for sending SNMP inform requests.

retries

Maximum number of times to resend an inform request if no SNMP response is received.

(Default: 3)

timeout

Number of seconds to wait for an acknowledgement before resending the inform request.

(Default: 15 seconds)


	NOTE: The `retries` and `timeout` values are not used to send trap requests.

To verify the configuration of SNMPv2c informs, enter the show snmp-server command, as shown in Display of SNMPv2c inform configuration (note indication of inform Notify Type in bold below):

Display of SNMPv2c inform configuration

HP Switch(config)# show snmp-server

 SNMP Communities

  Community Name   MIB View Write Access
  ---------------- -------- ------------ public          Manager  Unrestricted

 Trap Receivers

  Link-Change Traps Enabled on Ports [All] : All
  ...
  Address               Community       Events Sent Notify Type Retry Timeout
  --------------------- --------------- ----------- ----------- ----- --------
  15.28.333.456         guest           All         inform      3     15

 Excluded MIBs

 Snmp Response Pdu Source-IP Information

  Selection Policy   : Default rfc1517

 Trap Pdu Source-IP Information 
  Selection Policy   : Configured IP 
  Ip Address        : 10.10.10.10

Configuring SNMPv3 notifications (CLI)

The SNMPv3 notification process allows messages that are passed via SNMP between the switch and a network management station to be authenticated and encrypted.

Enable SNMPv3 operation on the switch by entering the snmpv3 enable command (See "SNMP Version 3 Commands" on page N-7).

When SNMPv3 is enabled, the switch supports:
- Reception of SNMPv3 notification messages (traps and informs)
- Configuration of initial users
- (Optional) Restriction of non-SNMPv3 messages to "read only"
Configure SNMPv3 users by entering the snmpv3 user command (see SNMPv3 users). Each SNMPv3 user configuration is entered in the User Table.
Assign SNMPv3 users to security groups according to their level of access privilege by entering the snmpv3 group command (see Assigning users to groups (CLI)).

Define the name of an SNMPv3 notification configuration by entering the snmpv3 notify command.

Syntax:

[no]snmpv3 notify <notify_name> tagvalue <tag_name>
Associates the name of an SNMPv3 notification configuration with a tag name used (internally) in SNMPv3 commands. To delete a notification-to-tag mapping, enter no snmpv3 notify notify_name.

notify <notify_name>

Specifies the name of an SNMPv3 notification configuration.

tagvalue <tag_name>

Specifies the name of a tag value used in other SNMPv3 commands, such as snmpv3 targetaddress params taglist tag_name in Step 5.

Configure the target address of the SNMPv3 management station to which SNMPv3 informs and traps are sent by entering the snmpv3 targetaddress command.

Syntax:

[no] snmpv3 targetaddress <ipv4-addr | ipv6-addr> <name>
Configures the IPv4 or IPv6 address, name, and configuration filename of the SNMPv3 management station to which notification messages are sent.

params <parms_name>

Name of the SNMPv3 station's parameters file.

The parameters filename configured with params params_name must match the params params_name value entered with the snmpv3 params command in Step 6.

taglist <tag_name> [ tag_name ]
…

Specifies the SNMPv3 notifications (identified by one or more tag_name values) to be sent to the IP address of the SNMPv3 management station.

You can enter more than one tag_name value. Each tag_name value must be already associated with the name of an SNMPv3 notification configuration entered with the snmpv3 notify command in Step 4.

Use a blank space to separate tag_name values.

You can enter up to 103 characters in tag_name entries following the taglist keyword.

[ filter <none | debug | all | not-info | critical> ]

(Optional) Configures the type of messages sent to a management station.

(Default: none.)

[ udp-port <port> ]

(Optional) Specifies the UDP port to use.

(Default: 162.)

[ port-mask <mask> ]

(Optional) Specifies a range of UDP ports. (Default: 0.)

[ addr-mask <mask> ]

(Optional) Specifies a range of IP addresses as destinations for notification messages.

(Default: 0.)

[ retries <value> ]

(Optional) Number of times a notification is retransmitted if no response is received. Range: 1-255.

(Default: 3.)

[ timeout <value> ]

(Optional) Time (in millisecond increments) allowed to receive a response from the target before notification packets are retransmitted. Range: 0-2147483647.

[Default: 1500 (15 seconds).]

[ max-msg-size <size> ]

(Optional) Maximum number of bytes supported in a notification message to the specified target. (Default: 1472)

Create a configuration record for the target address with the snmpv3 params command.

Syntax:

[no] snmpv3 params <params_name> user <user_name>
Applies the configuration parameters and IP address of an SNMPv3 management station (from the params params_name value configured with the snmpv3 targetaddress command in Step 5) to a specified SNMPv3 user (from the user user_name value configured with the snmpv3 user command in Step 2).

If you enter the snmpv3 params user command, you must also configure a security model ( sec-model) and message processing algorithm ( msg-processing).

<sec-model [ ver1 | ver2c | ver3> ]

Configures the security model used for SNMPv3 notification messages sent to the management station configured with the snmpv3 targetaddress command in Step 5.

If you configure the security model as ver3, you must also configure the message processing value as ver3.

msg-processing <ver1 | ver2c | ver3> [ noaut | auth | priv ]

Configures the algorithm used to process messages sent to the SNMPv3 target address.

If you configure the message processing value as ver3 and the security model as ver3, you must also configure a security services level ( noauth, auth, or priv).

Example:

An Example: of how to configure SNMPv3 notification is shown here:

Example: of an SNMPv3 notification configuration

Network security notifications

By default, a switch is enabled to send the SNMP notifications listed in Supported Notifications when a network security event (For example, authentication failure) occurs. However, before security notifications can be sent, you must first configure one or more trap receivers or SNMPv3 management stations as described in:

You can manage the default configuration of the switch to disable and re-enable notifications to be sent for the following types of security events:

ARP protection events
Inability to establish a connection with the RADIUS or TACACS+ authentication server
DHCP snooping events
Dynamic IP Lockdown hardware resources consumed
Link change notification
Invalid password entered in a login attempt through a direct serial, Telnet, or SSH connection
Manager password changes
Port-security (web, MAC, or802.1X) authentication failure
SNMP authentication failure
Running configuration changes

Enabling or disabling notification/traps for network security failures and other security events (CLI)

For more information, see Network security notifications.

Syntax:

[no] snmp-server enable traps [ snmp-auth | password-change-mgr | login-failure-mgr | port-security | auth-server-fail | dhcp-snooping | arp-protect | running-config-change ]
Enables or disables sending one of the security notification types listed below to configured trap receivers. (Unless otherwise stated, all of the following notifications are enabled in the default configuration.)

The notification sends a trap:

arp-protect

If ARP packets are received with an invalid source or destination MAC address, an invalid IP address, or an invalid IP-to-MAC binding.

auth-server-fail

If the connection with a RADIUS or TACACS+ authentication server fails.

dhcp-snooping

If DHCP packets are received from an untrusted source or if DHCP packets contain an invalid IP-to-MAC binding.

dhcpv6-snooping Set the traps for DHCPv6 snooping.

dyn-ip-lockdown

If the switch is out of hardware resources needed to program a dynamic IP lockdown rule

dyn-ipv6-lockdown Enable traps for Dynamic IPv6 lockdown..

link-change <port-list>

When the link state on a port changes from up to down, or the reverse.

login-failure-mgr

For a failed login with a manager password.

password-change-mgr

When a manager password is reset.

mac-notify Globally enables the generation of SNMP trap notifications upon MAC address table changes.

nd-snooping Set the trap for nd snooping

port-security

For a failed authentication attempt through a web, MAC, or 801.X authentication session.

running-config-change

When changes to the running configuration file are made.

snmp-authentication [ extended | standard ]

For a failed authentication attempt via SNMP.

(Default: extended.)

Startup-config-change Sends a trap when changes to the startup configuration file are made. See “Enabling SNMP Traps on Startup Configuration Changes” on page 6–34. (Default: Disabled)

To determine the specific cause of a security event, check the Event Log in the console interface to see why a trap was sent. For more information, see "Using the Event Log for Troubleshooting Switch Problems".

Viewing the current configuration for network security notifications (CLI)

Enter the show snmp-server traps command, as shown in Display of configured network security notifications. Note that command output is a subset of the information displayed with the show snmp-server command in Display of SNMP notification configuration.

Display of configured network security notifications

HP Switch(config)# show snmp-server traps

 Trap Receivers

  Link-Change Traps Enabled on Ports [All] : A1-A24

  Traps Category                  Current Status
  ------------------------------  --------------------------
  SNMP Authentication           : Extended
  Password change               : Enabled
  Login failures                : Enabled
  Port-Security                 : Enabled
  Authorization Server Contact  : Enabled
  DHCP Snooping                 : Enabled
  Dynamic ARP Protection        : Enabled
  Dynamic IP Lockdown           : Enabled


  Address                Community  Events Sent Notify Type Retry Timeout
  ---------------------- ---------- ----------- ----------- ----- -------
  15.255.5.225           public     All         trap          3   15
  2001:0db8:0000:0001
    :0000:0000:0000:0121 user_1     All         trap          3   15

  Excluded MIBs

Enabling Link-Change Traps (CLI)

By default, a switch is enabled to send a trap when the link state on a port changes from up to down (linkDown) or down to up (linkUp). To reconfigure the switch to send link-change traps to configured trap receivers, enter the snmp-server enable traps link-change command.

Syntax:

[no] snmp-server enable traps link-change <port-list> [ all ]

Enables or disables the switch to send a link-change trap to configured trap receivers when the link state on a port goes from up to down or down to up.

Enter all to enable or disable link-change traps on all ports on the switch.

Readable interface names in traps

The SNMP trap notification messages for linkup and linkdown events on an interface includes IfDesc and IfAlias var-bind information.

Source IP address for SNMP notifications

The switch uses an interface IP address as the source IP address in IP headers when sending SNMP notifications (traps and informs) or responses to SNMP requests.

For multi-netted interfaces, the source IP address is the IP address of the outbound interface of the SNMP reply, which may differ from the destination IP address in the IP header of the received request. For security reasons, it may be desirable to send an SNMP reply with the IP address of the destination interface (or a specified IP address) on which the corresponding SNMP request was received.

To configure the switch to use the source IP address on which an SNMP request was received in SNMP notification/traps and replies, enter the snmp-server response-source (“Syntax:”) and snmp-server trap-source (“Syntax:”) commands.

Configuring the source IP address for SNMP notifications (CLI)

For more information, see Source IP address for SNMP notifications.

Syntax:

[no] snmp-server response-source [ dst-ip-of-request [ ipv4-addr | ipv6-addr ] | loopback <0-7> ]

Specifies the source IP address of the SNMP response PDU. The default SNMP response PDU uses the IP address of the active interface from which the SNMP response was sent as the source IP address.

The no form of the command resets the switch to the default behavior (compliant with rfc-1517).

(Default: Interface IP address)

dst-ip-of-request

Destination IP address of the SNMP request PDU that is used as the source IP address in an SNMP response PDU.

[ ipv4-addr | ipv6-addr ]

User-defined interface IP address that is used as the source IP address in an SNMP response PDU. Both IPv4 and IPv6 addresses are supported.

loopback <0-7>

IP address configured for the specified loopback interface that is used as the source IP address in an SNMP response PDU. If multiple loopback IP addresses are configured, the lowest alphanumeric address is used.

To use the IP address of the destination interface on which an SNMP request was received as the source IP address in the IP header of SNMP traps and replies, enter the following command:

HP Switch(config)# snmp-server response-source dst-ip-of-request

Syntax:

[no] snmp-server trap-source [ ipv4-addr | loopback <0-7> ]

Specifies the source IP address to be used for a trap PDU. To configure the switch to use a specified source IP address in generated trap PDUs, enter the snmp-server trap-source command.

The no form of the command resets the switch to the default behavior (compliant with rfc-1517).

(Default: Use the interface IP address in generated trap PDUs)

ipv4-addr

User-defined interface IPv4 address that is used as the source IP address in generated traps. IPv6 addresses are not supported.

loopback <0-7>

P address configured for the specified loopback interface that is used as the source IP address in a generated trap PDU. If multiple loopback IP addresses are configured, the lowest alphanumeric address is used.

NOTE: When you use the snmp-server response-source and snmp-server trap-source commands, note the following behavior:

The snmp-server response-source and snmp-server trap-source commands configure the source IP address for IPv4 interfaces only.
You must manually configure the snmp-server response-source value if you wish to change the default user-defined interface IP address that is used as the source IP address in SNMP traps (RFC 1517).
The values configured with the snmp-server response-source and snmp-server trap-source commands are applied globally to all interfaces that are sending SNMP responses or SNMP trap PDUs.
Only the source IP address field in the IP header of the SNMP response PDU can be changed.
Only the source IP address field in the IP header and the SNMPv1 Agent Address field of the SNMP trap PDU can be changed.

Verifying the configuration of the interface IP address used as the source IP address in IP headers for SNMP replies and traps sent from the switch (CLI)

Enter the show snmp-server command to display the SNMP policy configuration, as shown in Display of source IP address configuration.

Display of source IP address configuration

HP Switch(config)# show snmp-server
 
 SNMP Communities
  
  Community Name   MIB View Write Access
  ---------------- -------- ------------
  public           Manager  Unrestricted

 Trap Receivers
  Link-Change Traps Enabled on Ports [All] : All

  ...

 Excluded MIBs
 Snmp Response Pdu Source-IP Information
  Selection Policy : dstIpOfRequest 
      

 Trap Pdu Source-IP Information
  Selection Policy : Configured IP

dstIpOfRequest: The destination IP address of the interface on which an SNMP request is received i s used as the source IP address in SNMP replies.

Viewing SNMP notification configuration (CLI)

Syntax:

show snmp-server

Displays the currently configured notification settings for versions SNMPv1 and SNMPv2c traps, including SNMP communities, trap receivers, link-change traps, and network security notifications.

Example:

In the following Example:, the show snmp-server command output shows that the switch has been configured to send SNMP traps and notifications to management stations that belong to the "public," "red-team," and "blue-team" communities.

Display of SNMP notification configuration

Advanced management: RMON

The switch supports RMON (remote monitoring) on all connected network segments. This allows for troubleshooting and optimizing your network.

The following RMON groups are supported:

Ethernet Statistics (except the numbers of packets of different frame sizes)
Alarm
History (of the supported Ethernet statistics)
Event

The RMON agent automatically runs in the switch. Use the RMON management station on your network to enable or disable specific RMON traps and events. Note that you can access the Ethernet statistics, Alarm, and Event groups from the HPE Switch Manager network management software. For more information on PCM+, see the HPE Networking web site at http://www.hpe.com/networking.

From the Products menu, select Network Management. Then click on PCM+ Network Management under the Network Management bar.

CLI-configured sFlow with multiple instances

sFlow can also be configured via the CLI for up to three distinct sFlow instances: once enabled, an sFlow receiver/destination can be independently configured for full flow-sampling and counter-polling. CLI-configured sFlow instances may be saved to the startup configuration to persist across a switch reboot.

Configuring sFlow (CLI)

The following sFlow commands allow you to configure sFlow instances via the CLI. For more information, see Advanced management: RMON.

Syntax:

[no]sflow <receiver-instance> destination <ip-address> [ <udp-port-num> ]
Enables an sFlow receiver/destination. The receiver-instance number must be a 1, 2, or 3.

By default, the udp destination port number is 6343.

To disable an sFlow receiver/destination, enter no sflow receiver-instance.

Syntax:

sflow <receiver-instance> sampling <port-list> <sampling rate>
Once an sFlow receiver/destination has been enabled, this command enables flow sampling for that instance. The receiver-instance number is 1, 2, or 3, and the sampling rate is the allowable non-zero skipcount for the specified port or ports.

To disable flow-sampling for the specified port-list, repeat the above command with a sampling rate of 0.

Syntax:

sflow <receiver-instance> polling <port-list> <polling interval>
Once an sFlow receiver/destination has been enabled, this command enables counter polling for that instance. The receiver-instance number is 1, 2, or 3, and the polling interval may be set to an allowable non-zero value to enable polling on the specified port or ports.

To disable counter-polling for the specified port-list, repeat the above command with a polling interval of 0.


	NOTE: Under the multiple instance implementation, sFlow can be configured via the CLI or via SNMP. However, CLI-owned sFlow configurations cannot be modified via SNMP, whereas SNMP-owned instances can be disabled via the CLI using the `no sflow <receiver-instance>` command.

Viewing sFlow Configuration and Status (CLI)

The following sFlow commands allow you to display sFlow configuration and status via the CLI. Viewing sFlow destination information is an Example: of sflow agent information.

Syntax:

show sflow agent
Displays sFlow agent information. The agent address is normally the IP address of the first VLAN configured.

The show sflow agent command displays read-only switch agent information. The version information shows the sFlow version, MIB support, and software versions; the agent address is typically the IP address of the first VLAN configured on the switch.

Viewing sflow agent information

HP Switch# show sflow agent

  Version          1.3;HP;XX.11.40
  Agent Address    10.0.10.228

Syntax:

show sflow <receiver instance> destination
Displays information about the management station to which the sFlow sampling-polling data is sent.

The show sflow instance destination command includes information about the management-station's destination address, receiver port, and owner, as shown in Viewing sFlow destination information.

Viewing sFlow destination information

HP Switch# show sflow 2 destination

  Destination Instance        2
  sflow                       Enabled
  Datagrams Sent              221
  Destination Address         10.0.10.41
  Receiver Port               6343
  Owner                       Administrator, CLI-owned, Instance 2
  Timeout (seconds)           99995530
  Max Datagram Size           1400
  Datagram Version Support    5

Note the following details:

Destination Address remains blank unless it has been configured.
Datagrams Sent shows the number of datagrams sent by the switch agent to the management station since the switch agent was last enabled.
Timeout displays the number of seconds remaining before the switch agent will automatically disable sFlow (this is set by the management station and decrements with time).
Max Datagram Size shows the currently set value (typically a default value, but this can also be set by the management station).

Syntax:

show sflow <receiver instance> sampling-polling <port-list/range>
Displays status information about sFlow sampling and polling.

The show sflow instance sampling-polling [port-list] command displays information about sFlow sampling and polling on the switch, as shown in Example: of viewing sFlow sampling and polling information. You can specify a list or range of ports for which to view sampling information.

Example: of viewing sFlow sampling and polling information


	NOTE: The sampling and polling instances (noted in parentheses) coupled to a specific receiver instance are assigned dynamically, and so the instance numbers may not always match. The key thing to note is whether sampling or polling is enabled on a port, and the sampling rates or polling intervals for the receiver instance configured on each port.

prev		next
Restrictions	home	Configuring UDLD Verify before forwarding


	NOTE: Only AES 128-bit and DES 56-bit encryption are supported as privacy protocols. Other non-standard encryption algorithms, such as AES-172, AES-256, and 3-DES are not supported.

`group <group_name>`	Identifies the group that has the privileges that will be assigned to the user. For more details, see Group access levels.
`user <user_name>`	Identifies the user to be added to the access group. This must match the user name added with the `snmpv3 user` command.
`sec-model` <ver1 \| ver2c \| ver3>	Defines which security model to use for the added user. An SNMPv3 access group should use only the ver3 security model.

`index <index_name>`	An index number or title for the mapping. The values of 1 to 5 are reserved and can not be mapped.
`name <community_name>`	The community name that is being mapped to a group access level.
`sec-name <security_name>`	The group level to which the community is being mapped.
`tag <tag_value>`	This is used to specify which target address may have access by way of this index reference.

[ operator \| manager ]	Optionally assigns an access level. At the `operator` level, the community can access all MIB objects except the CONFIG MIB. At the `manager` level, the community can access all MIB objects.
[ restricted \| unrestricted ]	Optionally assigns MIB access type. Assigning the `restricted` type allows the community to read MIB variables, but not to set them. Assigning the `unrestricted` type allows the community to read and set MIB variables.

`notify <notify_name>`	Specifies the name of an SNMPv3 notification configuration.
`tagvalue <tag_name>`	Specifies the name of a tag value used in other SNMPv3 commands, such as `snmpv3 targetaddress params taglist tag_name` in Step 5.

`params <parms_name>`	Name of the SNMPv3 station's parameters file. The parameters filename configured with `params params_name` must match the `params params_name` value entered with the `snmpv3 params` command in Step 6.
`taglist <tag_name>` [ tag_name ] …	Specifies the SNMPv3 notifications (identified by one or more `tag_name` values) to be sent to the IP address of the SNMPv3 management station. You can enter more than one `tag_name` value. Each `tag_name` value must be already associated with the name of an SNMPv3 notification configuration entered with the `snmpv3 notify` command in Step 4. Use a blank space to separate `tag_name` values. You can enter up to 103 characters in `tag_name` entries following the `taglist` keyword.
[ `filter` `<none` \| `debug` \| `all` \| `not-info` \| `critical>` ]	(Optional) Configures the type of messages sent to a management station. (Default: none.)
[ `udp-port` <`port`> ]	(Optional) Specifies the UDP port to use. (Default: 162.)
[ `port-mask` <`mask`> ]	(Optional) Specifies a range of UDP ports. (Default: 0.)
[ `addr-mask` <`mask`> ]	(Optional) Specifies a range of IP addresses as destinations for notification messages. (Default: 0.)
[ `retries` <`value`> ]	(Optional) Number of times a notification is retransmitted if no response is received. Range: 1-255. (Default: 3.)
[ `timeout` <`value`> ]	(Optional) Time (in millisecond increments) allowed to receive a response from the target before notification packets are retransmitted. Range: 0-2147483647. [Default: 1500 (15 seconds).]
[ `max-msg-size` <`size`> ]	(Optional) Maximum number of bytes supported in a notification message to the specified target. (Default: 1472)

`arp-protect`	If ARP packets are received with an invalid source or destination MAC address, an invalid IP address, or an invalid IP-to-MAC binding.
`auth-server-fail`	If the connection with a RADIUS or TACACS+ authentication server fails.
`dhcp-snooping`	If DHCP packets are received from an untrusted source or if DHCP packets contain an invalid IP-to-MAC binding.
`dhcpv6-snooping`	Set the traps for DHCPv6 snooping.
`dyn-ip-lockdown`	If the switch is out of hardware resources needed to program a dynamic IP lockdown rule
`dyn-ipv6-lockdown`	Enable traps for Dynamic IPv6 lockdown..
`link-change <port-list>`	When the link state on a port changes from up to down, or the reverse.
`login-failure-mgr`	For a failed login with a manager password.
`password-change-mgr`	When a manager password is reset.
`mac-notify`	Globally enables the generation of SNMP trap notifications upon MAC address table changes.
`nd-snooping`	Set the trap for nd snooping
`port-security`	For a failed authentication attempt through a web, MAC, or 801.X authentication session.
`running-config-change`	When changes to the running configuration file are made.
`snmp-authentication` [ extended \| standard ]	For a failed authentication attempt via SNMP. (Default: extended.)
`Startup-config-change`	Sends a trap when changes to the startup configuration file are made. See “Enabling SNMP Traps on Startup Configuration Changes” on page 6–34. (Default: Disabled)

`dst-ip-of-request`	Destination IP address of the SNMP request PDU that is used as the source IP address in an SNMP response PDU.
[ `ipv4-addr` \| `ipv6-addr` ]	User-defined interface IP address that is used as the source IP address in an SNMP response PDU. Both IPv4 and IPv6 addresses are supported.
`loopback <0-7>`	IP address configured for the specified loopback interface that is used as the source IP address in an SNMP response PDU. If multiple loopback IP addresses are configured, the lowest alphanumeric address is used.

`ipv4-addr`	User-defined interface IPv4 address that is used as the source IP address in generated traps. IPv6 addresses are not supported.
`loopback <0-7>`	P address configured for the specified loopback interface that is used as the source IP address in a generated trap PDU. If multiple loopback IP addresses are configured, the lowest alphanumeric address is used.

​Configuring for Network Management Applications

Using SNMP tools to manage the switch

SNMP management features

SNMPv1 and v2c access to the switch

SNMPv3 access to the switch

Enabling and disabling switch for access from SNMPv3 agents

​Syntax:

Enabling or disabling restrictions to access from only SNMPv3 agents

​Syntax:

Enabling or disabling restrictions from all non-SNMPv3 agents to read-only access

​Syntax:

Viewing the operating status of SNMPv3

​Syntax:

Viewing status of message reception of non-SNMPv3 messages

​Syntax:

Viewing status of write messages of non-SNMPv3 messages

​Syntax:

Enabling SNMPv3

​Example:

SNMPv3 users

Adding users

SNMPv3 user commands

​Syntax:

Listing Users

​Syntax:

Assigning users to groups (CLI)

​Syntax:

Group access levels

SNMPv3 communities

Mapping SNMPv3 communities (CLI)

​Syntax:

​Example:

SNMP community features

Viewing and configuring non-version-3 SNMP communities (Menu)

Listing community names and values (CLI)

​Syntax:

​Example:

Configuring community names and values (CLI)

​Syntax:

​Example:

SNMP notifications

Supported Notifications

General steps for configuring SNMP notifications

SNMPv1 and SNMPv2c Traps

SNMP trap receivers

Configuring an SNMP trap receiver (CLI)

​Syntax:

​Example:

SNMPv2c informs

Enabling SNMPv2c informs (CLI)

​Syntax:

Configuring SNMPv3 notifications (CLI)

​Syntax:

​Syntax:

​Syntax:

​Example:

Network security notifications

Enabling or disabling notification/traps for network security failures and other security events (CLI)

​Syntax:

Viewing the current configuration for network security notifications (CLI)

Enabling Link-Change Traps (CLI)

​Syntax:

Readable interface names in traps

Source IP address for SNMP notifications

Configuring the source IP address for SNMP notifications (CLI)

​Syntax:

​Syntax:

Verifying the configuration of the interface IP address used as the source IP address in IP headers for SNMP replies and traps sent from the switch (CLI)

Viewing SNMP notification configuration (CLI)

​Syntax:

​Example:

Advanced management: RMON

CLI-configured sFlow with multiple instances

Configuring sFlow (CLI)

​Syntax:

​Syntax:

​Syntax:

Viewing sFlow Configuration and Status (CLI)

​Syntax:

​Syntax:

Configuring for Network Management Applications

Syntax:

Syntax:

Syntax:

Syntax:

Syntax:

Syntax:

Example:

Syntax:

Syntax:

Syntax:

Syntax:

Example:

Syntax:

Example:

Syntax:

Example:

Syntax:

Example:

Syntax:

Syntax:

Syntax:

Syntax:

Example:

Syntax:

Syntax:

Syntax:

Syntax:

Syntax:

Example:

Syntax:

Syntax:

Syntax:

Syntax:

Syntax:

Syntax: