Logging rules
Logging can be used for error and information notification, security auditing, and network forensics.
Enable logging on the console
Enable logging to the console and restrict the severity to critical so that log messages do not affect system performance.
OS10(config)# logging console enable
OS10(config)# logging console severity log-crit
OS10(config)# exit
OS10# write memory
Enable logging to a syslog server over TLS
Enable logging to a syslog server, and secure the connection using TLS.
OS10(config)# logging server {hostname | ipv4-address | ipv6-address} tls [port-number] [severity severity-level] [vrf {management | vrf-name}]
OS10(config)# exit
OS10# write memory
- ipv4-address | ipv6-address—(Optional) Enter the IPv4 or IPv6 address of the logging server.
- tls port-number—(Optional) Send syslog messages using TCP, UDP, or TLS transport to a specified port on a remote logging server, from 1 to 65535.
- severity-level—(Optional) Set the logging threshold severity:
  - log-emerg—System is unusable.
  - log-alert—Immediate action is needed.
  - log-crit—Critical conditions.
  - log-err—Error conditions.
  - log-warning—Warning conditions.
  - log-notice—Normal, but significant conditions (default).
  - log-info—Informational messages.
  - log-debug—Debug messages.
- vrf {management | vrf-name}—(Optional) Configure the logging server for the management or a specified VRF instance.
For more information about configuring X.509v3 PKI certificates, see the Dell SmartFabric OS10 User Guide.
Enable audit logging
To monitor user activity and configuration changes on the switch, enable the audit log. Only the sysadmin and secadmin roles can enable, view, and clear the audit log.
- Configure audit logging.
OS10(config)# logging audit enable
OS10(config)# exit
OS10# write memory
- View the audit log.
show logging audit [reverse] [number]
  - reverse—Display entries starting with the most recent events.
  - number—Display the specified number of audit log entries, from 1 to 65535.
View what logging rules are enabled
OS10# show running-configuration logging
!
logging audit enable
Simple Network Management Protocol
Network management stations use Simple Network Management Protocol (SNMP) to retrieve and modify software configurations for managed objects on an agent in network devices. A managed object is a unit of management information. The SNMP agent in a managed device maintains the data for managed objects in management information bases (MIBs).
OS10 supports different security models and levels in SNMP communication between SNMP managers and agents. Each security model refers to an SNMP version used in SNMP messages. SNMP versions provide different levels of security, such as user authentication and message encryption.
SNMP version 3 (SNMPv3) provides an enhanced security model for user authentication and SNMP message encryption. User authentication requires that SNMP packets come from an authorized source. Message encryption ensures that packet contents cannot be viewed by an unauthorized source.
To configure SNMPv3-specific security settings—user authentication and message encryption—use the snmp-server user command. You can generate localized keys with enhanced security for authentication and privacy (encryption) passwords.
SNMP rules
Restricted Simple Network Management Protocol (SNMP) access improves device security when SNMP is used.
Forbid read and write access to a specific SNMP community
Forbid read and write access to one or more SNMP communities so that an unauthorized entity cannot remotely manipulate the device.
OS10(config)# no snmp-server community community_string {ro | rw}
OS10(config)# exit
OS10# write memory
Forbid access to SNMP without ACL
If no ACL is configured, anyone with a valid SNMP community string can access the system and potentially make unwanted changes. Define and apply an ACL so that only an authorized group of trusted stations has SNMP access to the system.
OS10(config)# snmp-server community name {ro | rw} acl acl-name
OS10(config)# exit
OS10# write memory

Example: a read-only community restricted to one management subnet.
OS10(config)# ip access-list snmp-read-only-acl
OS10(config-ipv4-acl)# permit ip 172.16.0.0 255.255.0.0 any
OS10(config-ipv4-acl)# exit
OS10(config)# snmp-server community public ro acl snmp-read-only-acl
OS10(config)# exit
OS10# write memory
Configure SNMP v3
SNMPv2 does not support encryption or authentication. Dell Technologies strongly recommends that you use SNMPv3, which supports secure access to SNMP resources.
- Configure the SNMP engine ID.
OS10(config)# snmp-server engineID [local engineID] [remote ip-address {[udp-port port-number] remote-engineID}]
  - local engineID—Enter the engine ID that identifies the local SNMP agent on the switch as an octet colon-separated number. A maximum of 27 characters.
  - remote ip-address—Enter the IPv4 or IPv6 address of a remote SNMP device that accesses the local SNMP agent.
  - udp-port port-number—Enter the UDP port number on the remote device, from 0 to 65535.
  - remote-engineID—Enter the engine ID that identifies the SNMP agent on a remote device (0x followed by a hexadecimal string).
- Configure SNMP views.
OS10(config)# snmp-server view view-name oid-tree [included | excluded]
  - view-name—Enter the name of a read-only, read/write, or notify view. A maximum of 32 characters.
  - oid-tree—Enter the SNMP object ID at which the view starts in 12-octet dotted-decimal format.
  - included—(Optional) Include the MIB family in the view.
  - excluded—(Optional) Exclude the MIB family from the view.
- Configure SNMP groups.
OS10(config)# snmp-server group group-name v3 security-level [read view-name] [write view-name] [notify view-name]
  - group-name—Enter the name of the group. A maximum of 32 alphanumeric characters.
  - v3—SNMPv3 provides optional user authentication and encryption for SNMP messages, which are configured with the snmp-server user command.
  - security-level—(SNMPv3 only) Configure the security level for SNMPv3 users:
    - auth—Authenticate users in SNMP messages.
    - noauth—Do not authenticate users or encrypt SNMP messages; send messages in plain text.
    - priv—Authenticate users and encrypt or decrypt SNMP messages.
  - access acl-name—(Optional) Enter the name of an IPv4 or IPv6 access list to filter SNMP requests received on the switch. A maximum of 16 characters.
  - read view-name—(Optional) Enter the name of a read-only view. A maximum of 32 characters.
  - write view-name—(Optional) Enter the name of a read/write view. A maximum of 32 characters.
  - notify view-name—(Optional) Enter the name of a notification view. A maximum of 32 characters.
- Configure SNMP users.
OS10(config)# snmp-server user user-name group-name security-model localized auth sha auth-password priv aes priv-password
OS10(config)# exit
OS10# write memory
  - user-name—Enter the name of the user. A maximum of 32 alphanumeric characters.
  - group-name—Enter the name of the group to which the user belongs. A maximum of 32 alphanumeric characters.
  - security-model—Enter an SNMP version that sets the security level for SNMP messages:
    - 3—Dell Technologies recommends using SNMPv3, which provides user authentication and encryption for SNMP messages. SNMPv1 may not be supported on future SmartFabric OS10 versions.
  - auth—(SNMPv3 only) Include a user authentication key for SNMPv3 messages sent to the user:
    - sha—Generate an authentication key using the SHA algorithm.
    - auth-password—Enter the encrypted string.
  - priv—Configure encryption for SNMPv3 messages sent to the user:
    - aes—Encrypt messages using the AES 128-bit algorithm.
    - priv-password—Enter the encrypted string.
  - localized—Generate an SNMPv3 authentication and/or privacy key in localized key format.
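The localized keyword above refers to the SNMPv3 User-based Security Model key derivation from RFC 3414: a password is first stretched into a key (Ku), then bound to one agent's engine ID (Kul), so a key captured from one switch is useless against another. The following script is an added example that is not part of the Dell guide or of OS10; it implements that derivation in Python, using the RFC 3414 Appendix A test vector (password "maplesyrup", engine ID 00...02) and one constructed engine ID.

```python
"""SNMPv3 USM key derivation (RFC 3414): password -> Ku -> localized key Kul.

Added example, not part of the Dell guide or OS10.  It shows what the
`localized` keyword in `snmp-server user` denotes: a key bound to one
agent's snmpEngineID.  The first engine ID is the RFC 3414 Appendix A test
vector; the second is constructed for illustration only."""

import hashlib


def password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated, then truncated, to exactly 1 MiB)."""
    if not password:
        raise ValueError("password must not be empty")
    h = hashlib.new(hash_name)
    reps, rem = divmod(1048576, len(password))
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Derive the localized key directly from a password and an engine ID."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def aes128_priv_key(password: bytes, engine_id: bytes) -> bytes:
    """RFC 3826: the AES-128 privacy key is the first 16 bytes of the SHA-localized key."""
    return localized_key(password, engine_id, "sha1")[:16]


if __name__ == "__main__":
    rfc_engine = bytes.fromhex("000000000000000000000002")    # RFC 3414 A.3 engine ID
    other_engine = bytes.fromhex("0000000000000000000000ff")  # constructed, not a real device
    # Same password, two engine IDs: the localized keys differ, which is the point
    # of localization.
    for eid in (rfc_engine, other_engine):
        print(eid.hex(), localized_key(b"maplesyrup", eid).hex())
```

Because the agent only ever stores Kul, a configuration that shows a localized key is tied to that switch's engine ID; changing the engine ID after users are configured invalidates their keys, so set snmp-server engineID before snmp-server user.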
Configure SNMP traps
Use the following configuration to enable SNMP traps:
- Enable SNMP traps on the system.
OS10(config)# snmp-server enable traps [notification-type] [notification-option]
  - notification-type notification-option—Enter an SNMP notification type and, optionally, a notification option for the type.
Table 1. Notification types and options
- entity—Enable entity change traps. Notification option: none.
- envmon—Enable SNMP environmental monitor traps. Notification options:
  - fan—Enable fan traps.
  - power-supply—Enable power-supply traps.
  - temperature—Enable temperature traps.
- lldp—Enable LLDP state change traps. Notification option:
  - rem-tables-change—Enable the lldpRemTablesChange trap.
- snmp—Enable SNMP traps. Notification options:
  - authentication—Enable authentication traps.
  - coldstart—Enable coldstart traps when you power on the switch and the SNMP agent initializes.
  - linkdown—Enable link-down traps.
  - linkup—Enable link-up traps.
  - warmstart—Enable warmstart traps when the switch reloads and the SNMP agent reinitializes.
- Configure a host to receive SNMP notifications.
snmp-server host {ipv4-address | ipv6-address} {informs version version-number | traps version version-number | version version-number} [snmpv3-security-level] [community-name] [udp-port port-number] [dom | entity | envmon | lldp | snmp]
  - ipv4-address | ipv6-address—Enter the IPv4 or IPv6 address of the SNMP host.
  - informs—Send inform messages to the SNMP host.
  - traps—Send trap messages to the SNMP host.
  - version version-number—Enter the SNMP security model used to send traps or informs to the SNMP host. Dell Technologies recommends using 3. For SNMPv3 traps and informs, enter the security level:
    - noauth—(SNMPv3 only) Send SNMPv3 traps without user authentication and privacy encryption.
    - auth—(Recommended) Include a user authentication key for SNMPv3 messages sent to the host:
      - md5—Generate an authentication key using the Message Digest Algorithm (MD5).
      - sha—Generate an authentication key using the Secure Hash Algorithm (SHA).
      - auth-password—Enter a text string used to generate the authentication key that identifies the user. A maximum of 32 alphanumeric characters. For an encrypted password, enter the encrypted string instead of plain text.
    - priv—(SNMPv3 only) Configure encryption for SNMPv3 messages sent to the host:
      - aes—Encrypt messages using the AES 128-bit algorithm.
      - des—Encrypt messages using the DES 56-bit algorithm.
      - priv-password—Enter a text string used to generate the privacy key used in encrypted messages. A maximum of 32 alphanumeric characters. For an encrypted password, you can enter the encrypted string instead of plain text.
  - community-name—(Optional) Enter an SNMPv1 or SNMPv2c community string name or an SNMPv3 username.
  - udp-port port-number—(Optional) Enter the UDP port number on the SNMP host, from 0 to 65535.
  - dom | entity | envmon | lldp | snmp—Enter one or more types of traps and notifications to send to the SNMP host: digital optical monitor, entity change, environment monitor, or LLDP state change traps, or SNMP-type notifications.
Check what SNMP rules are running
OS10# show running-configuration snmp
!
snmp-server community public ro acl snmp-read-only-acl
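The two show running-configuration commands above are what an operator reads by hand to confirm the rules on this page. The following script is an added example, not Dell code, that automates that review offline: it tokenizes saved running-config text and reports every line that violates a rule stated on this page (audit logging enabled, syslog servers using TLS, no read-write communities, an ACL on every community, SNMPv3 users with both auth and priv keys, and SNMPv3 notification hosts using priv). Both configurations embedded below are constructed samples; the non-TLS "udp 514" server line is an assumed form used only to exercise the check.

```python
"""Check saved OS10 running-config text against the logging and SNMP rules
on this page.  Added example, not Dell's code.  Both configs below are
constructed samples, not output from a real switch."""

# Constructed sample with several deliberate gaps (assumed syntax for the
# non-TLS syslog line).
SAMPLE_CONFIG = """\
! constructed example, not a real switch
logging console enable
logging console severity log-crit
logging server 192.0.2.10 tls 6514 severity log-notice vrf management
logging server 192.0.2.11 udp 514
snmp-server community public ro acl snmp-read-only-acl
snmp-server community private rw
snmp-server user ops-v3 ops-group 3 localized auth sha AUTHKEY1 priv aes PRIVKEY1
snmp-server user ops-weak ops-group 3 localized auth sha AUTHKEY2
snmp-server host 192.0.2.20 traps version 3 priv ops-v3
"""

# Constructed sample that satisfies every rule checked below.
HARDENED_CONFIG = """\
logging console enable
logging console severity log-crit
logging server 192.0.2.10 tls 6514 severity log-notice vrf management
logging audit enable
snmp-server community monitoring ro acl snmp-read-only-acl
snmp-server user ops-v3 ops-group 3 localized auth sha AUTHKEY1 priv aes PRIVKEY1
snmp-server host 192.0.2.20 traps version 3 priv ops-v3
"""


def config_lines(text):
    """Split a running-config into token lists, dropping blank and '!' lines."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            lines.append(line.split())
    return lines


def audit_config(text):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    lines = config_lines(text)

    if ["logging", "audit", "enable"] not in lines:
        findings.append("audit logging is disabled: add 'logging audit enable'")

    for tok in lines:
        head = tok[:2]
        if head == ["logging", "server"] and "tls" not in tok[3:]:
            findings.append(f"syslog server {tok[2]} does not use TLS transport")
        elif head == ["snmp-server", "community"]:
            name, opts = tok[2], tok[3:]
            if "rw" in opts:
                findings.append(f"SNMP community '{name}' grants read-write access")
            if "acl" not in opts:
                findings.append(f"SNMP community '{name}' is not restricted by an ACL")
        elif head == ["snmp-server", "user"]:
            # Syntax on this page: user-name group-name security-model [localized] auth ... priv ...
            name, model, opts = tok[2], tok[4], tok[5:]
            if model != "3":
                findings.append(f"SNMP user '{name}' uses security model {model}, not SNMPv3")
            elif "auth" not in opts or "priv" not in opts:
                findings.append(f"SNMPv3 user '{name}' lacks an authentication or privacy key")
        elif head == ["snmp-server", "host"] and "version" in tok:
            idx = tok.index("version")
            version = tok[idx + 1]
            if version != "3":
                findings.append(f"SNMP host {tok[2]} receives notifications with version {version}")
            elif "priv" not in tok[idx + 2:]:
                findings.append(f"SNMP host {tok[2]} receives SNMPv3 notifications without privacy")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Feed it the text of show running-configuration logging and show running-configuration snmp captured from each switch; a non-empty list is the set of lines to fix with the commands earlier on this page.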