This short article documents the steps for locking down the Lucent SNMP Module from its default security settings. Note that Lucent says you should not remove the public community string from the snmpd.cnf file. Doing so will break the integration of the Lucent DNS/DHCP server sub-agents with the SNMP Emanate Master agent. It appears that the sub-agents have been hard-coded somehow with the 'public' read-only community string.

The Lucent SNMP configuration files are located in the $QIPHOME/snmp/conf directory. For the purposes of this short article, we'll only delve into the snmpd.cnf file in that directory.

Change the current snmpCommunityEntry for 'public' to read:

snmpCommunityEntry t0000000 public public localSnmpID - LocalHost nonVolatile

Add a new entry to the snmpCommunityEntry table that reads:

snmpCommunityEntry t0000001 d1ffstr1ng d1ffstr1ng localSnmpID - NMSServer nonVolatile

Here the index (t0000001) is unique and the community string is different and more complex.

Add two (2) additional entries to the vacmAccessEntry table:

vacmAccessEntry group1 - snmpv1 noAuthNoPriv exact All All All nonVolatile
vacmAccessEntry group1 - snmpv2c noAuthNoPriv exact All All All nonVolatile

Add two (2) additional entries to the vacmSecurityToGroupEntry table:

vacmSecurityToGroupEntry snmpv1 d1ffstr1ng group1 nonVolatile
vacmSecurityToGroupEntry snmpv2c d1ffstr1ng group1 nonVolatile

Finally, the part of the configuration that effectively locks down the communities is the set of entries in the snmpTargetAddrEntry table. The following entries lock the 'public' community to the LocalHost or IP address, which allows the Lucent sub-agents to continue working, and lock the 'd1ffstr1ng' community string to the unicast address of the NMSServer:

snmpTargetAddrEntry 31 snmpUDPDomain 100 3 NMSServer \
v1ExampleParams nonVolatile 2048
snmpTargetAddrEntry 32 snmpUDPDomain 100 3 LocalHost \
v1ExampleParams nonVolatile 2048
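
A quick way to verify the result of the steps above, as an added example that is not part of the original article or of Lucent's tooling: the script reads snmpd.cnf text and reports any community that is not pinned to a snmpTargetAddrEntry tag. The function names, the sample fragment (including the 'oldstring' community) and the treatment of '#' lines as comments are assumptions made for illustration.

```python
# Constructed sample in the layout this article shows (not taken from a real server).
SAMPLE = r"""
# sample snmpd.cnf fragment
snmpCommunityEntry t0000000 public public localSnmpID - LocalHost nonVolatile
snmpCommunityEntry t0000001 d1ffstr1ng d1ffstr1ng localSnmpID - NMSServer nonVolatile
snmpCommunityEntry t0000002 oldstring oldstring localSnmpID - - nonVolatile
snmpTargetAddrEntry 31 snmpUDPDomain 100 3 NMSServer \
v1ExampleParams nonVolatile 2048
"""


def parse(text):
    """Join backslash-continued lines, skip blanks and '#' comments, tokenize."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line and not line.startswith("#"):
            entries.append(line.split())
    return entries


def audit(text):
    """Return findings for communities not pinned to a snmpTargetAddrEntry."""
    entries = parse(text)
    # Field order as shown in the article: index, community, security name,
    # engine ID, context, transport tag, storage type.
    comms = [e for e in entries if e[0] == "snmpCommunityEntry" and len(e) >= 8]
    # Assumption: any token on a snmpTargetAddrEntry line may be its tag, so the
    # check does not depend on how many address fields precede the tag.
    tags = {t for e in entries if e[0] == "snmpTargetAddrEntry" for t in e[1:]}
    findings = []
    if not any(c[2] == "public" for c in comms):
        findings.append("public: entry missing, Lucent sub-agents rely on it")
    for c in comms:
        name, tag = c[2], c[6]
        if tag == "-":
            findings.append(f"{name}: no transport tag, not tied to any address")
        elif tag not in tags:
            findings.append(f"{name}: tag {tag} has no snmpTargetAddrEntry")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the sample, the script flags 'public' because the LocalHost target entry is missing, and 'oldstring' because it carries no transport tag at all.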