Administrator Guide
• Manage VLANs using SNMP
• Enabling and Disabling a Port using SNMP
• Fetch Dynamic MAC Entries using SNMP
• Deriving Interface Indices
• Monitor Port-Channels
• Troubleshooting SNMP Operation
Important Points to Remember
• Typically, 5-second timeout and 3-second retry values on an SNMP server are sufficient for both LAN and WAN applications. If
you experience a timeout with these values, increase the timeout value to greater than 3 seconds, and increase the retry value to
greater than 2 seconds on your SNMP server.
• User ACLs override group ACLs.
SNMPv3 Compliance With FIPS
SNMPv3 is compliant with the Federal Information Processing Standard (FIPS) cryptography standard. The Advanced Encryption
Standard (AES) Cipher Feedback (CFB) 128-bit encryption algorithm is in compliance with RFC 3826. SNMPv3 provides multiple
authentication and privacy options for user configuration. A subset of these options are the FIPS-approved algorithms:
HMAC-SHA1-96 for authentication and AES128-CFB for privacy. The other options are not FIPS-approved algorithms because of known
security weaknesses. The AES128-CFB privacy option is supported and is compliant with RFC 3826.
The SNMPv3 feature also uses a FIPS-validated cryptographic module for all of its cryptographic operations when the system is
configured with the fips mode enable command in Global Configuration mode. When the FIPS mode is enabled on the system,
SNMPv3 operates in a FIPS-compliant manner, and only the FIPS-approved algorithm options are available for SNMPv3 user
configuration. When the FIPS mode is disabled on the system, all options are available for SNMPv3 user configuration.
The following table describes the authentication and privacy options that can be configured when the FIPS mode is enabled or
disabled:
FIPS Mode    Privacy Options         Authentication Options
Disabled     des56 (DES56-CBC)       md5 (HMAC-MD5-96)
             aes128 (AES128-CFB)     sha (HMAC-SHA1-96)
Enabled      aes128 (AES128-CFB)     sha (HMAC-SHA1-96)
To enable security for SNMP packets transferred between the server and the client, use the following command to specify that
the AES-CFB 128 encryption algorithm is used:
snmp-server user username group groupname 3 auth authentication-type auth-password priv aes128 priv-password
Dell(conf)#snmp-server user snmpguy snmpmon 3 auth sha AArt61wq priv aes128 jntRR59a
This example configures, for the specified user and group, the AES128-CFB algorithm, the authentication password that enables the
server to receive packets from the host, and the privacy password used to encode the message contents.
SHA authentication needs to be used with the AES-CFB128 privacy algorithm only when FIPS is enabled, because SHA is then the
only available authentication level. If FIPS is disabled, you can use MD5 authentication in addition to SHA authentication with the
AES-CFB128 privacy algorithm.
You cannot modify the FIPS mode if SNMPv3 users are already configured and present in the system. An error message is displayed
if you attempt to change the FIPS mode by using the fips mode enable command in Global Configuration mode. You can
enable or disable FIPS mode only if SNMPv3 users are not previously set up. If previously configured users exist on the system, you
must delete the existing users before you change the FIPS mode.
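The following pre-check is an added example, not part of the original guide or Dell software. It scans a saved configuration for SNMPv3 user lines, reports which users must be deleted before the FIPS mode can be changed, and marks those whose options are outside the FIPS-approved set in the table above. It assumes user lines follow the form of the guide's example command; the function names and the sample configuration are constructed for illustration.

```python
# Algorithm keywords from the guide's table; only these remain in FIPS mode.
FIPS_AUTH = {"sha"}      # HMAC-SHA1-96
FIPS_PRIV = {"aes128"}   # AES128-CFB

def _value_after(tokens, keyword):
    """Return the token following keyword, or None if keyword is absent."""
    if keyword in tokens:
        i = tokens.index(keyword)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None

def audit_snmpv3_users(config_text):
    """Return one finding per SNMPv3 user line.

    Assumed line shape (taken from the guide's example command):
      snmp-server user <user> <group> 3 auth <type> <pw> priv <type> <pw>
    """
    findings = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 5 or t[:2] != ["snmp-server", "user"] or t[4] != "3":
            continue
        auth, priv = _value_after(t[5:], "auth"), _value_after(t[5:], "priv")
        issues = []
        if auth is None:
            issues.append("no authentication configured")
        elif auth not in FIPS_AUTH:
            issues.append(f"auth {auth} is not FIPS-approved")
        if priv is None:
            issues.append("no privacy configured")
        elif priv not in FIPS_PRIV:
            issues.append(f"priv {priv} is not FIPS-approved")
        findings.append({"user": t[2], "group": t[3], "auth": auth,
                         "priv": priv, "issues": issues})
    return findings

# Constructed sample configuration, not output from a real device.
SAMPLE_CONFIG = """\
hostname lab-switch
snmp-server user snmpguy snmpmon 3 auth sha AArt61wq priv aes128 jntRR59a
snmp-server user legacy snmpmon 3 auth md5 Pw0rdOne priv des56 Pw0rdTwo
snmp-server user authonly snmpmon 3 auth sha Pw0rdThree
"""

if __name__ == "__main__":
    found = audit_snmpv3_users(SAMPLE_CONFIG)
    for f in found:
        print(f["user"], "->", "; ".join(f["issues"]) or "FIPS-approved options")
    if found:  # the guide: FIPS mode cannot change while SNMPv3 users exist
        print(f"Delete {len(found)} SNMPv3 user(s) before changing FIPS mode.")
```

Users reported with issues need to be recreated with sha and aes128 after FIPS mode is enabled, because those are the only options available in that mode.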
Simple Network Management Protocol (SNMP)