Issue
Network Management Card 2 (NMC2) SNMPv2c interface accepts read/write requests even though SNMPv1 access is disabled.
Product Line
- Network Management Card 2 - AP9630/30CH, AP9631/31CH, AP9635/35CH
Devices with an embedded Network Management Card 2 include (but are not limited to): 2G Metered/Switched Rack PDUs (AP84XX, AP86XX, AP88XX, AP89XX), Certain Audio/Video Network Management Enabled products.
Environment
- All serial numbers
- AOS v6.0.X, v6.1.X, v6.2.X
Cause
NMC2 devices support enabling access for SNMPv1 and SNMPv3 specifically. As explained in knowledge base article ID FA156193, SNMPv2 functionality is supported by the NMC's SNMPv1 interface, configuration, and settings. In the aforementioned firmware versions, disabling SNMPv1 access does not disable responses to SNMPv2c queries due to a firmware bug.
Resolution
This issue will be addressed in AOS v6.3.X and higher. Until the firmware application you require is released with AOS v6.3.X, a workaround is available.
To block SNMPv2c access requests until a formal firmware fix is available, disable all of the SNMPv1 access control communities by setting each one to Access Type: Disabled via the command line interface (CLI), the web interface, or the config.ini configuration file. As a further step, the user can change the default community strings of public and private before disabling access altogether. The user should also disable SNMPv1 access in general.
Note: SNMPv1 access is enabled by default for all access control communities.
See below for the different methods of disabling SNMPv1 communities. The majority of these changes require a reboot to take effect.
- Web Interface (Configuration->Network->SNMPv1->Access Control):
Click on the hyperlink for each Community Name and a drop down list will be available to set the access type.
- Command Line Interface (local console/Telnet/SSH) using snmp command:
Usage: snmp -- Configuration Options
snmp [-S <disable | enable>]
[-c[n] <Community>]
[-a[n] <read | write | writeplus | disable>]
[-n[n] <IP or Domain Name>]
(n = Access Control # = 1,2,3, or 4)
Example for access community #1: snmp -a1 disable
- Config.ini:
Find the [NetworkSNMP] section that should look similar to below. The user only needs to refer to the SNMPv1 keywords/values as this section contains both SNMPv1/3 values.
[NetworkSNMP]
; To change the User Profile Auth Phrase, or the
; User Profile Encrypt Phrase, use the UserProfile#AuthPhrase, or
; UserProfile#EncryptPhrase keywords respectively where # is
; the number of the profile. i.e., UserProfile1EncryptPhrase=apc crypt passphrase
Access=enabled
AccessControl1Community=public
AccessControl2Community=private
AccessControl3Community=public2
AccessControl4Community=private2
AccessControl1NMS=0.0.0.0
AccessControl2NMS=0.0.0.0
AccessControl3NMS=0.0.0.0
AccessControl4NMS=0.0.0.0
AccessControl1AccessType=Read
AccessControl2AccessType=Disabled
AccessControl3AccessType=Disabled
AccessControl4AccessType=Disabled
Set AccessControl#AccessType to Disabled for each of the possible access configurations.
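An added example, not from the original article or from APC: a Python check that audits the SNMPv1 keys of a config.ini against the workaround above. It assumes the key names shown in the excerpt, and that Access is the general SNMPv1 switch with disabled as its off value; the sample text is constructed.

```python
import configparser

DEFAULT_COMMUNITIES = {"public", "private"}  # default strings named in the article

# Constructed sample modelled on the [NetworkSNMP] excerpt in the article.
SAMPLE_CONFIG = """\
[NetworkSNMP]
; constructed comment line
Access=enabled
AccessControl1Community=public
AccessControl2Community=private
AccessControl3Community=public2
AccessControl4Community=private2
AccessControl1AccessType=Read
AccessControl2AccessType=Disabled
AccessControl3AccessType=Disabled
AccessControl4AccessType=Disabled
"""


def audit_snmpv1(config_text):
    """Return a list of findings for the SNMPv1 keys of [NetworkSNMP]."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True)
    parser.read_string(config_text)
    if not parser.has_section("NetworkSNMP"):
        return ["[NetworkSNMP] section not found"]
    section = parser["NetworkSNMP"]
    findings = []
    # Assumption: "Access" is the general SNMPv1 switch, "disabled" turns it off.
    if (section.get("Access") or "").strip().lower() != "disabled":
        findings.append("Access is not disabled")
    for n in range(1, 5):  # four access control entries (n = 1,2,3, or 4)
        access = (section.get(f"AccessControl{n}AccessType") or "").strip()
        community = (section.get(f"AccessControl{n}Community") or "").strip()
        # A missing key is flagged too: access is enabled by default.
        if access.lower() != "disabled":
            findings.append(
                f"AccessControl{n}AccessType={access or '<missing>'}")
        if community in DEFAULT_COMMUNITIES:
            findings.append(
                f"AccessControl{n}Community is a default string ({community})")
    return findings


if __name__ == "__main__":
    for finding in audit_snmpv1(SAMPLE_CONFIG):
        print(finding)
```

An empty result describes the file only; as noted above, the majority of these changes require a reboot before they take effect on the card.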
If you have any questions or concerns, please contact your local technical support team.