How to save config using SNMPv3 via SCP

Создаём пользователя на linux хосте.

useradd -d /home/scp -m -s /bin/bash -c "only for scp" scp

pass 27iK4bUy32hLm87Eew4i

Ставим утилиту, чтобы пользователь мог использовать только scp.

apt-get install scponly

usermod -s /usr/bin/scponly scp

Настраиваем маршрутизатор.

access-list 77 permit 1.1.1.1

access-list 77 permit 2.2.2.2

access-list 77 permit 3.3.3.3

snmp-server group SNMP3GRP v3 priv write SNMP3_R access 77

snmp-server user snmpadm SNMP3GRP v3 auth md5 9LADO68h245s709qP18T priv aes 128 bOJwIi5UZi449fUyrJxZa access 77

snmp-server view SNMP3_R ccCopyTable.1 included

snmp-server view SNMP3_R 1.3.6.1.4.1.9.2.9.9.0 included

Добавим возможность удаленно бутить цыску.

snmp-server system-shutdown

Возвращаемся на линуксовую машину. Проверяем отвечает ли по SNMPv3 цыска.

snmpwalk -v 3 -a md5 -u snmpadm -A 9LADO68h245s709qP18T -l authPriv -x aes -X bOJwIi5UZi449fUyrJxZa 85.198.124.122

К примеру, адрес линуксовой машины - 1.1.1.1

Так можно засейвить конфиг по scp:

snmpset -v 3 -a md5 -u snmpadm -A 9LADO68h245s709qP18T -l authPriv -x aes -X bOJwIi5UZi449fUyrJxZa 85.198.124.122 1.3.6.1.4.1.9.9.96.1.1.1.1.2.15 i 4

snmpset -v 3 -a md5 -u snmpadm -A 9LADO68h245s709qP18T -l authPriv -x aes -X bOJwIi5UZi449fUyrJxZa 85.198.124.122 1.3.6.1.4.1.9.9.96.1.1.1.1.3.15 i 4

snmpset -v 3 -a md5 -u snmpadm -A 9LADO68h245s709qP18T -l authPriv -x aes -X bOJwIi5UZi449fUyrJxZa 85.198.124.122 1.3.6.1.4.1.9.9.96.1.1.1.1.4.15 i 1

snmpset -v 3 -a md5 -u snmpadm -A 9LADO68h245s709qP18T -l authPriv -x aes -X bOJwIi5UZi449fUyrJxZa 85.198.124.122 1.3.6.1.4.1.9.9.96.1.1.1.1.5.15 a 1.1.1.1

snmpset -v 3 -a md5 -u snmpadm -A 9LADO68h245s709qP18T -l authPriv -x aes -X bOJwIi5UZi449fUyrJxZa 85.198.124.122 1.3.6.1.4.1.9.9.96.1.1.1.1.6.15 s router_running-config

snmpset -v 3 -a md5 -u snmpadm -A 9LADO68h245s709qP18T -l authPriv -x aes -X bOJwIi5UZi449fUyrJxZa 85.198.124.122 1.3.6.1.4.1.9.9.96.1.1.1.1.7.15 s "scpQr41ei4f09otuhh"

snmpset -v 3 -a md5 -u snmpadm -A 9LADO68h245s709qP18T -l authPriv -x aes -X bOJwIi5UZi449fUyrJxZa 85.198.124.122 1.3.6.1.4.1.9.9.96.1.1.1.1.8.15 s "27iK4bUy32hLm87Eew4i"

snmpset -v 3 -a md5 -u snmpadm -A 9LADO68h245s709qP18T -l authPriv -x aes -X bOJwIi5UZi449fUyrJxZa 85.198.124.122 1.3.6.1.4.1.9.9.96.1.1.1.1.14.15 i 1

PBR in Extreme summit switch

* Int.X460-Core.4 # edit policy police_vlan8_pbr
entry permit_local_00 {
if {
   source-address 192.168.0.0/16;
   destination-address 192.168.0.0/16;
   } then {
     permit;
}
}

entry permit_local_01 {
if {
   source-address 192.168.0.0/16;
   destination-address 10.0.0.0/8;
   } then {
     permit;
}
}

entry permit_local_02 {
if {
   source-address 192.168.0.0/16;
   destination-address 172.168.0.0/12;
   } then {
     permit;
}
}

entry redirect_local_00 {
if {
   source-address 192.168.253.0/24;
   } then {
   redirect 10.255.255.41;
}
}


configure access-list police_vlan8_pbr vlan "VLAN8_USERS-NEW" ingress 
unconfigure access-list police_vlan8_pbr ingress

===

Policy-Based Redirection Redundancy

Multiple Next-hop Support

As discussed above, Layer 3 and Layer 2 policy-based redirect support only one next-hop for one

policy-based entry. Multiple next-hops with different priorities can be configured. A higher priority is

denoted with a higher number; for example, “priority 5” has a higher precedence than “priority 1.” When

a high priority next-hop becomes unreachable, another preconfigured next-hop, based on priority,

replaces the first. This is done by first creating a flow-redirect name that is used to hold next-hop

information. User-created flow-redirect names are not case-sensitive.

Use the following command:

create flow-redirect flow_redirect_name

To delete the flow-redirect name, use:

delete flow-redirect flow_redirect_name

Then information for each next-hop, including a defined priority, is added one by one to the new flowredirect

name. Use the following command:

configure flow-redirect flow_redirect_name add nexthop ipaddress priority number

===

An example.
We want to redirect all traffic from 10.91.0.48/28 to address 10.91.0.234

create flow-redirect redir1
configure flow-redirect redir1 add nexthop 10.91.0.234 priority 100
configure flow-redirect redir1 nexthop 10.91.0.234 ping health-check interval 60 miss 3

Create an ACL:
entry subnet1 {
if match all {
source-address 10.91.0.48/28 ;
} then {
permit;
redirect-name redir1;
}
}

configure access-list redir1 vlan "vlan_name" ingress


That will redirect traffic in this vlan only from subnet 10.91.0.48/28 to 10.91.0.234.

https://community.extremenetworks.com/extreme/topics/help_required_for_l3_policy_based_redirect_summit_x460_24t_exos_12_5-mb5hr