Configuring SNMP with CLI

This section provides information about configuring SNMP with CLI.

Topics in this chapter include:

  1. SNMP Configuration Overview
  2. Basic SNMP Security Configuration
  3. Configuring SNMP Components

SNMP Configuration Overview

This section describes how to configure SNMP components that apply to SNMPv1, SNMPv2c, and SNMPv3 on the 7705 SAR.

  1. Configuring SNMPv1 and SNMPv2c
  2. Configuring SNMPv3

Configuring SNMPv1 and SNMPv2c

The 7705 SAR router is based on SNMPv3. To use 7705 SAR routers with SNMPv1 and/or SNMPv2c, SNMP community strings must be configured. Three predefined access methods are available when SNMPv1 or SNMPv2c access is required. Each access method (r, rw, or rwa) is associated with an SNMPv3 access group that determines the access privileges and the scope of managed objects available. The community command is used to associate a community string with a specific access method and the required SNMP version (SNMPv1 or SNMPv2c). The access methods are:

  1. read-only — grants read-only access to the entire management structure with the exception of the security area
  2. read-write — grants read and write access to the entire management structure with the exception of the security area
  3. read-write-all — grants read and write access to the entire management structure, including security

If the predefined access groups do not meet your access requirements, then additional access groups and views can be configured. The usm-community command is used to associate an access group with an SNMPv1 or SNMPv2c community string.

SNMP trap destinations are configured in the config>log>snmp-trap-group context.

Configuring SNMPv3

The 7705 SAR implements SNMPv3. If security features other than the default views are required, the following parameters must be configured:

  1. views
  2. access groups
  3. SNMP users

Basic SNMP Security Configuration

This section provides information to configure SNMP parameters and provides examples of common configuration tasks. The minimal SNMP parameters are:

For SNMPv1 and SNMPv2c:

  1. Configure community string parameters

For SNMPv3:

  1. Configure view parameters
  2. Configure SNMP group
  3. Configure access parameters
  4. Configure user with SNMP parameters

The following displays SNMP default views, access groups, and attempts parameters.

ALU-1>config>system>security>snmp# info detail
----------------------------------------------
                view iso subtree 1
                    mask ff type included
                exit
                view “mgmt-view” subtree 1.3.6.1.2.1.2
                    mask ff type excluded
                exit
                view “mgmt-view” subtree 1.3.6.1.2.1.4
                    mask ff type included
                exit
                view no-security subtree 1.3.6.1.6.3.11.2.1
                    mask ff type included
                exit
                view no-security subtree 1.3.6.1.6.3.15.1.1
                    mask ff type included
                exit
                access group snmp-ro security-model snmpv1 security-level no-auth-
no-privacy read no-security notify no-security
                access group snmp-ro security-model snmpv2c security-level no-auth-
no-privacy read no-security notify no-security
                access group snmp-rw security-model snmpv1 security-level no-auth-
no-privacy read no-security write no-security notify no-security
                access group snmp-rw security-model snmpv2c security-level no-auth-
no-privacy read no-security write no-security notify no-security
                access group snmp-rwa security-model snmpv1 security-level no-auth-
no-privacy read iso write iso notify iso
                access group snmp-rwa security-model snmpv2c security-level no-auth-
no-privacy read iso write iso notify iso
                access group snmp-trap security-model snmpv1 security-level no-auth-
no-privacy notify iso
                access group snmp-trap security-model snmpv2c security-level no-
auth-no-privacy notify iso
                attempts 20 time 5 lockout 10

Configuring SNMP Components

Use the CLI syntax displayed below to configure the following SNMP scenarios:

  1. Configuring a Community String
  2. Configuring View Options
  3. Configuring Access Options
  4. Configuring USM Community Options
  5. Configuring Other SNMP Parameters
CLI Syntax:
config>system>security>snmp
access group group-name security-model security-model security-level security-level [context context-name [prefix-match]] [read view-name-1] [write view-name-2] [notify view-name-3]
attempts [count] [time minutes1] [lockout minutes2]
community community-string [hash | hash2] access-permissions [version SNMP-version]
usm-community community-string [hash | hash2] group group-name
view view-name [subtree oid-value]
mask mask-value [type {included | excluded}]

Configuring a Community String

SNMPv1 and SNMPv2c community strings are used to define the relationship between an SNMP manager and agent. The community string acts like a password to permit access to the agent. The access granted with a community string is restricted to the scope of the configured group.

One or more of the following characteristics associated with the string can be specified:

  1. read-only, read-write, and read-write-all permission for the MIB objects accessible to the community
  2. assignment of a unique community string to the management router or management VPLS
  3. the SNMP version: SNMPv1, SNMPv2c, or both

Default access features are preconfigured by the agent for SNMPv1 and SNMPv2c.

Use the following CLI syntax to configure community options:

CLI Syntax:
config>system>security>snmp
community community-string [hash | hash2] access-permissions [version SNMP-version]

The following example displays community string command usage:

Example:
config>system>security# snmp
config>system>security>snmp# community private hash2 rwa version both
config>system>security>snmp# community public hash2 r version v2c

The following example displays the SNMP community configuration:

ALU-1>config>system>security>snmp# info
-------------------------------------------------------
     community "uTdc9j48PBRkxn5DcSjchk" hash2 rwa version both
     community "Lla.RtAyRW2" hash2 r version v2c
-------------------------------------------------------
ALU-1>config>system>security>snmp#

Configuring View Options

Use the following CLI syntax to configure view options:

CLI Syntax:
config>system>security>snmp
view view-name subtree oid-value
mask mask-value [type {included | excluded}]

The following example displays view command usage:

Example:
config>system>security>snmp# view testview subtree 1
config>system>security>snmp>view$ mask ff type included
config>system>security>snmp>view$ exit
config>system>security>snmp# view testview subtree
1.3.6.1.2
config>system>security>snmp>view$ mask ff type excluded
config>system>security>snmp>view$ exit

The following example displays the view configuration:

ALU-1>config>system>security>snmp# info
----------------------------------------------
                view "testview" subtree 1
                    mask ff
                exit
                view testview subtree 1.3.6.1.2
                    mask ff type excluded
                exit
                community "private" rwa version both
                community "public" r version v2c
----------------------------------------------
ALU-1>config>system>security>snmp#

Configuring Access Options

The access command creates an association between a user group, a security model, and the views that the user group can access. Access must be configured unless security is limited to the preconfigured access groups and views for SNMPv1 and SNMPv2c. An access group is defined by a unique combination of the group name, security model, and security level.

Use the following CLI syntax to configure access features:

CLI Syntax:
config>system>security>snmp
access group group-name security-model security-model security-level security-level [context context-name [prefix-match]] [read view-name-1] [write view-name-2] [notify view-name-3]

The following example displays access command usage:

Example:
ALU-1>config>system>security>snmp# access group
testgroup security-model usm security-level auth-no-privacy read testview write testview notify testview

The following example displays the access configuration with the view configurations.

ALU-1>config>system>security>snmp# info
----------------------------------------------
    view “testview” subtree 1
                    mask ff
                exit
                view “testview” subtree 1.3.6.1.2
                    mask ff type excluded
                exit
                access group “testgroup” security-model usm security-level auth-no
-privacy read “testview” write “testview” notify “testview”
                community "public" r version both
----------------------------------------------

Use the following CLI syntax to configure user group and authentication parameters:

CLI Syntax:
config>system>security# user user-name
access [ftp] [snmp] [console]
snmp
authentication [none] | [[hash]{md5 key | sha key} privacy {none | des-key key}]
group group-name

The following example displays user security command usage:

Example:
ALU-1>config>system>security# user testuser
config>system>security>user$ access snmp
config>system>security>user# snmp
config>system>security>user>snmp# authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
config>system>security>user>snmp# group testgroup
config>system>security>user>snmp# exit
config>system>security>user# exit

The following example displays the user’s SNMP configuration.

ALU-1>config>system>security# info
----------------------------------------------
    user "testuser"
        access snmp
        snmp
            authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
            group testgroup
        exit
    exit
...
----------------------------------------------
ALU-1>config>system>security#

Configuring USM Community Options

User-based security model (USM) community strings associate a community string with an SNMPv3 access group and its view. The access granted with a community string is restricted to the scope of the configured group.

By default, the 7705 SAR OS implementation of SNMP uses SNMPv3. To implement SNMPv1 and SNMPv2c, USM community strings must be explicitly configured.

Use the following CLI syntax to configure USM community options:

CLI Syntax:
config>system>security>snmp
usm-community community-string [hash | hash2] group group-name

The following example displays USM community string command usage. Note that the group testgroup was configured in the config>system>security>snmp>access CLI context.

Example:
config>system>security>snmp# usm-community "test" hash2 group "testgroup"

The following example displays the SNMP community configuration:

ALU-1>config>system>security>snmp# info
----------------------------------------------
                view testview subtree 1
                    mask ff
                exit
                view testview subtree 1.3.6.1.2
                    mask ff type excluded
                exit
                access group testgroup security-model usm security-level auth-no
-privacy read testview write testview notify testview
                community "private" hash2 rwa version both
                community "public" hash r version v2c
                usm-community "test" group "testgroup"
----------------------------------------------
ALU-1>config>system>security>snmp#

Configuring Other SNMP Parameters

Use the following CLI syntax to modify the system SNMP options:

CLI Syntax:
config>system>snmp
engineID engine-id
general-port port
packet-size bytes
no shutdown

The following example displays the system SNMP default values:

ALU-104>config>system>snmp# info detail
----------------------------------------------
            shutdown
            engineID "0000xxxx000000000xxxxx00"
            packet-size 1500
            general-port 161
----------------------------------------------
ALU-104>config>system>snmp#