4. SNMP

This chapter provides information to configure SNMP.

Topics in this chapter include:

  1. SNMP Overview
  2. SNMP Versions
  3. Configuration Notes
  4. Configuring SNMP with CLI
  5. SNMP Command Reference

4.1. SNMP Overview

4.1.1. SNMP Architecture

The Service Assurance Manager (SAM) consists of two elements: managers and agents. The manager is the entity through which network management tasks are facilitated. An agent is a software module integrated into the operating system of the managed device that communicates with the network manager. Managed devices, such as bridges, hubs, routers, and network servers can contain managed objects. A managed object can be a configuration attribute, performance statistic, or control action that is directly related to the operation of a device.

Managed devices collect and store management information and use Simple Network Management Protocol (SNMP). SNMP is an application-layer protocol that provides a message format to facilitate communication between SNMP managers and agents. SNMP provides a standard framework to monitor and manage devices in a network from a central location.

An SNMP manager controls and monitors the activities of network hosts that use SNMP. An SNMP manager can obtain (get) a value from an SNMP agent or store (set) a value in the agent. The manager uses definitions in the management information base (MIB) to perform operations on the managed device such as retrieving values from variables or blocks of data, replying to requests, and processing traps.

Between the SNMP agent and the SNMP manager, the following actions can occur.

  1. The manager can get information from the agent.
  2. The manager can set the value of a MIB object that is controlled by an agent.
  3. The agent can send traps to notify the manager of significant events that occur on the managed device (for example, the 7705 SAR router).

SNMP is supported on network hosts using the IPv4 and IPv6 protocols.

4.1.2. Management Information Base

A MIB is a formal specifications document with definitions of management information used to remotely monitor, configure, and control a managed device or network system. The agent’s management information consists of a set of network objects that can be managed with SNMP. Object identifiers are unique object names that are organized in a hierarchical tree structure. The main branches are defined by the Internet Engineering Task Force (IETF). When requested, the Internet Assigned Numbers Authority (IANA) assigns a unique branch for use by a private organization or company. The branch assigned to the 7705 SAR is 1.3.6.1.4.1.6527.

The SNMP agent provides management information to support a collection of IETF specified MIBs and a number of MIBs defined to manage device parameters and network data unique to the 7705 SAR.

4.1.3. SNMP Versions

The agent supports multiple versions of the SNMP protocol.

  1. SNMP Version 1 (SNMPv1) is the original Internet-standard network management framework.
    SNMPv1 provides access control for communities and uses a community string match for authentication.
  2. SNMPv2c uses a community string match for authentication.
  3. SNMP Version 3 (SNMPv3) provides access control for users. In SNMPv3, User-based Security Model (USM) defines the user authentication and encryption features. The View Access Control MIB (VACM) defines the user access control features. The SNMP-COMMUNITY-MIB is used to associate SNMPv1/SNMPv2c community strings with SNMPv3 VACM access control.
    SNMPv3 uses a user name match for authentication.

4.1.4. Management Information Access Control

By default, the 7705 SAR implementation of SNMP uses SNMPv3. SNMPv3 incorporates security model and security level features. A security model is the authentication type for the group and the security level is the permitted level of security within a security model. The combination of the security level and security model determines which security mechanism handles an SNMP packet.

To implement SNMPv1 and SNMPv2c configurations, several access groups are predefined. These access groups are standard read-only, read-write, and read-write-all access groups and views that can simply be assigned community strings. In order to implement SNMP with security features, security models, security levels, and USM communities must be explicitly configured. Optionally, additional views that specify more specific OIDs (MIB objects in the subtree) can be configured.

Access to the management information in an SNMPv1/SNMPv2c agent is controlled by the inclusion of a community name string in the SNMP request. The community defines the subset of the agent’s managed objects that can be accessed by the requester. It also defines what type of access is allowed: read-only or read-write.

The use of community strings provide minimal security and context checking for both agents and managers that receive requests and initiate trap operations. A community string is a text string that acts like a password to permit access to the agent on the 7705 SAR router.

The 7705 SAR implementation of SNMP has defined three levels of community-named access:

  1. read-only permission — grants only read access to objects in the MIB, except security objects
  2. read-write permission — grants read and write access to all objects in the MIB, except security objects
  3. read-write-all permission — grants read and write access to all objects in the MIB, including security objects

4.1.5. User-Based Security Model Community Strings

User-based security model (USM) community strings associate a community string with an SNMPv3 access group and its view. The access granted with a community string is restricted to the scope of the configured group.

4.1.6. Views

Views control the access to a managed object. The total MIB of a 7705 SAR router can be viewed as a hierarchical tree. When a view is created, either the entire tree or a portion of the tree can be specified and made available to a user to manage the objects contained in the subtree. Object identifiers (OIDs) uniquely identify managed objects. A view defines the type of operations allowed, such as read, write, or notify.

OIDs are organized in a hierarchical tree with specific values assigned to different organizations. A view defines a subset of the agent’s managed objects controlled by the access rules associated with that view.

Predefined views are available that are particularly useful when configuring SNMPv1 and SNMPv2c.

The SNMP agent associates SNMPv1 and SNMPv2c community strings with an SNMPv3 view.

4.1.7. Access Groups

Access groups associate a user group and a security model with the views the group can access. An access group is defined by a unique combination of a group name, security model (SNMPv1, SNMPv2c, or SNMPv3), and security level (no-authorization-no privacy, authorization-no-privacy, or privacy).

An access group, is a template that defines a combination of access privileges and views. A group can be associated with one or more network users to control their access privileges and views.

Additional access parameters must be explicitly configured if the preconfigured access groups and views for SNMPv1 and SNMPv2c do not meet your security requirements.

4.1.8. Users

By default, authentication and encryption parameters are not configured. Authentication parameters that a user must use in order to be validated by the 7705 SAR can be modified. SNMP authentication allows the device to validate the managing node that issued the SNMP message and determine if the message has been tampered with.

User access and authentication privileges must be explicitly configured. In a user configuration, a user is associated with an access group, which is a collection of users who have common access privileges and views.

4.2. SNMP Versions

SNMPv1 and SNMPv2c do not provide security, authentication, or encryption. Without authentication, an unauthorized user could perform SNMP network management functions and eavesdrop on management information as it passes from system to system. Many SNMPv1 and SNMPv2c implementations are restricted read-only access, which, in turn, reduces the effectiveness of a network monitor in which network control applications cannot be supported.

To implement SNMPv3, an authentication and encryption method must be assigned to a user in order to be validated by the 7705 SAR. SNMP authentication allows the router to validate the managing node that issued the SNMP message and determine if the message was tampered with.

4.3. Configuration Notes

This section describes SNMP configuration guidelines and caveats.

  1. To avoid management systems attempting to manage a partially booted system, SNMP will remain in a shutdown state if the configuration file fails to complete during system startup. While shut down, SNMP gets and sets are not processed. However, notifications are issued if an SNMP trap group has been configured.
    In order to enable SNMP, the portions of the configuration that failed to load must be initialized properly. Start SNMP with the config>system>snmp>no shutdown command.
  2. Use caution when changing the SNMP engine ID. If the SNMP engine ID is changed in the config>system>snmp>engineID engine-id context, the current configuration must be saved and a reboot must be executed. If the configuration is not saved and the system is not rebooted, the previously configured SNMP communities and logger trap-target notify communities will not be valid for the new engine ID.

4.3.1. Reference Sources

For information on supported IETF drafts and standards as well as standard and proprietary MIBS, refer to Standards and Protocol Support.