
Conference netcad::hub_mgnt

Title:DEChub/HUBwatch/PROBEwatch CONFERENCE
Notice:Firmware -2, Doc -3, Power -4, HW kits -5, firm load -6&7
Moderator:NETCAD::COLELLADT
Created:Wed Nov 13 1991
Last Modified:Fri Jun 06 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:4455
Total number of notes:16761

2428.0. "Authentication failure traps in 900 modules???" by DECPRG::PAVLUP () Mon Jun 26 1995 11:45

One customer who has a number of DEChub 900s equipped with concentrators,
900EF switches, 900TM repeaters and 900TM servers asked me recently whether
he could implement a security policy based on SNMP communities, that would
be watched by an SNMP station (MCC). 

The actual question behind all of this is whether and how our modules 
support authentication failure traps.

Could anyone sum up what our support is for authentication failure traps
in a network built from above-mentioned modules? I know that terminal
servers (NAS SW) can be enabled to send authentication failure traps. In
case of other modules (including hub manager) I don't know.

I'd appreciate any info, a suggestion, or a pointer to where to search!

Thanks a lot.

Regards

Petr Pavlu.
2428.1. "Sorry, got it in 860.*" by DECPRG::PAVLUP Tue Jun 27 1995 12:59 (6 lines)

    Got it - after a closer look into the conference - in the 860.*.
    
    Sorry, next time I'll search better...
    
    Regards Petr.
    
2428.2. "But I already wrote this nice reply...;-)" by NETCAD::GALLAGHER Tue Jun 27 1995 13:27 (29 lines)

Short answer is yes, our modules support SNMP Authentication Failure Traps.

DEChub900 Modules (DECrepeater900TM, DECconcentrator900, DECswitch900EF, and
the Hub Management Agent Module [MAM]) all contain SNMP agents.  There is a 
MIB-II object called "snmpEnableAuthenTraps".  These agents ship with this 
object set to 'enabled'.  In order to generate traps a module needs an IP 
address (source) and the IP address of at least one sink (destination).

Each module supports a console set-up function to assign SNMP read-only and
read-write communities.  In addition, each module supports an SNMP 
authentication group that can be used for tighter security.

When the SNMP request message is received the SNMP community is checked.
If the community does not match the read-only or read-write community then
an SNMP Authentication Failure Trap is sent to all trap sinks.

The above modules can be managed using their own IP address, or thru the
MAM's IP address.  If security is the *primary* concern then management
thru the MAM should be used.  You just have to:

	1) give the MAM an IP address,
	2) give the MAM the address of one or more trap sinks,  (MCC station)
	3) change the MAM's read-write community.

If you want to manage thru the module's own IP address then do these three
steps for each module.  (Note:  The DECserver products must be managed thru
their own IP addresses.)

							-Shawn
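
What the trap sink (the MCC station in this thread) has to recognise when a module rejects a community string, as an added example that is not part of the original notes: a minimal decoder for the SNMPv1 Trap-PDU header (RFC 1157) that flags generic-trap 4, authenticationFailure. The sample datagram, the agent address 192.0.2.10, the enterprise OID 1.3.6.1.4.1.99999 and the community "public" are constructed for illustration.

```python
import ipaddress

# generic-trap codes defined in RFC 1157, indexed by value
GENERIC = ["coldStart", "warmStart", "linkDown", "linkUp",
           "authenticationFailure", "egpNeighborLoss", "enterpriseSpecific"]

# Constructed sample datagram (not captured from a real DEChub module).
SAMPLE_TRAP = bytes.fromhex(
    "3029" "020100" "04067075626c6963"   # SEQUENCE, version 0, community
    "a41c" "06082b06010401868d1f"        # Trap-PDU [4], enterprise OID
    "4004c000020a" "020104" "020100"     # agent-addr, generic=4, specific=0
    "43023039" "3000")                   # time-stamp, empty varbind list

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits = length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def parse_v1_trap(datagram):
    """Decode version, community, agent-addr and generic-trap of a v1 trap."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    vtag, version, pos = read_tlv(msg, 0)
    ctag, community, pos = read_tlv(msg, pos)
    ptag, pdu, _ = read_tlv(msg, pos)
    if (vtag, ctag, ptag) != (0x02, 0x04, 0xA4) or version != b"\x00":
        raise ValueError("not an SNMPv1 Trap-PDU")
    _, _enterprise, pos = read_tlv(pdu, 0)
    atag, agent, pos = read_tlv(pdu, pos)
    gtag, generic, _ = read_tlv(pdu, pos)
    if atag != 0x40 or len(agent) != 4 or gtag != 0x02:
        raise ValueError("malformed Trap-PDU header")
    code = int.from_bytes(generic, "big")
    name = GENERIC[code] if code < len(GENERIC) else f"unknown({code})"
    return {"agent": str(ipaddress.IPv4Address(agent)), "trap": name,
            "trap_community": community.decode("ascii", "replace")}

def is_auth_failure(datagram):
    """True when the datagram is an SNMPv1 authenticationFailure trap."""
    return parse_v1_trap(datagram)["trap"] == "authenticationFailure"
```

The community field decoded here is the one the agent puts on its own traps, not the string that was rejected, so the trap tells the sink which module refused a request rather than what was tried.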

2428.3. "And I do appreciate it...(:-)" by DECPRG::PAVLUP Tue Jun 27 1995 14:55 (6 lines)

    Thanks Shawn.
    
    I do appreciate the answer. It's very comprehensive. And it really is
    nice!
    
    Regards Petr.