Saturday 4 May 2013

SNMPv2c


Simple Network Management Protocol (SNMP), an application layer protocol, facilitates the exchange of management information among network devices, such as nodes and routers. It comprises part of the TCP/IP suite. System administrators can remotely manage network performance, find and solve network problems, and plan for network growth by using SNMP.

Instead of defining a large set of commands, SNMP places all operations in a get-request, get-next-request, get-bulk-request, and set-request format. For example, an SNMP manager can get a value from an SNMP agent or store a value in that SNMP agent. The SNMP manager can comprise part of a network management system (NMS), and the SNMP agent can reside on a networking device such as a router.

SNMP consists of three parts: the SNMP manager, the SNMP agent, and the MIBs. You can compile the Cisco MIBs into your network management software.

A network that uses SNMP therefore requires three key components: managed devices, agents, and a network management system (NMS).

The NMS uses the Cisco MIB variables to set device variables and to poll devices on the internetwork for specific information. The results of a poll can be graphed and analyzed to help you troubleshoot internetwork problems, increase network performance, verify the configuration of devices, and monitor traffic loads.
The SNMP agent gathers data from the MIB, which is the repository for information about device parameters and network data. The SNMP agent can also send traps (unsolicited notifications) about certain events to the SNMP manager.

SNMP Basic Commands

Managed devices are monitored and controlled by using four basic SNMP operations: read, write, trap, and traversal.

• The NMS uses read operations (get-request) to monitor managed devices. The NMS examines different variables that are maintained by managed devices.

• The NMS uses write operations (set-request) to control managed devices. The NMS changes the values of variables stored within managed devices. This is the operation that a read-write community string unlocks.

• Managed devices use traps to asynchronously report events to the NMS. When certain types of events occur, a managed device sends a trap to the NMS.

• The NMS uses traversal operations (get-next-request and, in SNMPv2c, get-bulk-request) to determine which variables a managed device supports and to sequentially gather information in variable tables, such as a routing table.


SNMP Versioning

  • SNMPv1 was the first version of SNMP; it is defined in RFCs 1155 and 1157.
  • SNMPv2c is the community-based variant of SNMPv2. It is defined in RFC 1901, RFC 1905, RFC 1906 and RFC 2578. It adds the get-bulk-request and the Inform. Unlike traps, which are sent once and simply received by the manager, informs are positively acknowledged with a Response message. If the manager does not reply, the SNMP agent resends the inform until it is acknowledged or the retry limit is reached. Security-wise SNMPv2c is no better than SNMPv1: it uses the same cleartext community string.
  • SNMPv3 provides the following security features:
    • Authentication: verifying that the request comes from a genuine source and was not modified in transit.
    • Privacy: encrypting the data.
    • Authorization: verifying that the user is allowed to perform the requested operation.
    • Access control: verifying that the user has access to the objects that are requested.
SNMPv3 protects packets on the network only when the user is configured with authentication (authNoPriv) or with authentication and encryption (authPriv); at the noAuthNoPriv level it offers neither. Instead of the community strings of SNMPv1 and SNMPv2c, SNMPv3 uses SNMP users.

SNMP Community Strings and Users
SNMP community strings function as embedded passwords that authenticate access to MIB objects, but they provide little real security: every SNMPv1 and SNMPv2c packet carries the string in cleartext, so anyone who can capture traffic between the NMS and the device learns it. Access lists and views (below) limit what a leaked string can do; they do not keep it secret. You configure community strings for SNMPv1 and SNMPv2c only.

SNMPv3 does not use community strings. It uses SNMP users, which serve the same purpose but provide security because authentication, or authentication plus encryption, is configured for each user.

No default community string or user exists on Cisco IOS (some ATM-capable platforms create an ILMI community automatically, which is the entry visible in the show snmp community output below).
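The PDU layout from the introduction and the cleartext nature of community strings, as an added example that is not part of the original post: a minimal SNMPv2c BER encoder and decoder in Python (standard library only). It builds the get-request an NMS sends for sysDescr.0, decodes the bytes back to show the community string sitting in plain text, and then plays out the inform exchange from the versioning section above: the agent's inform-request and the manager's Response carrying the same request-id. The community strings, request-ids and OIDs are assumptions for illustration, and every packet is constructed here, not captured from a device.

```python
"""Added example, not code from the original post: hand-encode and decode
SNMPv2c messages (RFC 1905 PDUs in BER) to show what the community string
looks like on the wire and how an inform is acknowledged.  Standard library
only; packets are constructed, and community strings/OIDs are assumptions."""

PDU_TAGS = {0xA0: "get-request", 0xA1: "get-next-request", 0xA2: "response",
            0xA3: "set-request", 0xA5: "get-bulk-request",
            0xA6: "inform-request", 0xA7: "snmpV2-trap"}
PDU_BY_NAME = {v: k for k, v in PDU_TAGS.items()}
APP_TAGS = {"counter32": 0x41, "gauge32": 0x42, "timeticks": 0x43, "counter64": 0x46}
TAG_NAMES = {v: k for k, v in APP_TAGS.items()}

def _tlv(tag, body):                       # BER tag-length-value (short or long length form)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body
def _int(v, tag=0x02):                     # INTEGER, or an unsigned application type
    size = (v.bit_length() + 8) // 8       # one spare bit so the sign bit stays clear
    return _tlv(tag, v.to_bytes(size, "big", signed=(tag == 0x02)))
def _oid(dotted):                          # OBJECT IDENTIFIER, base-128 sub-identifiers
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]               # high bit set on every byte except the last
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))
def _value(v):                             # None -> Null, int -> INTEGER, str -> OCTET STRING
    if v is None: return _tlv(0x05, b"")
    if isinstance(v, int): return _int(v)
    if isinstance(v, str): return _tlv(0x04, v.encode())
    kind, payload = v                      # ("oid", "1.3.6...") or ("timeticks", 123) etc.
    return _oid(payload) if kind == "oid" else _int(payload, APP_TAGS[kind])
def encode(pdu_type, community, request_id, varbinds, err_status=0, err_index=0):
    """Message ::= SEQUENCE { version INTEGER (1 = v2c), community OCTET STRING, data PDU }"""
    vbs = b"".join(_tlv(0x30, _oid(o) + _value(v)) for o, v in varbinds)
    pdu = _int(request_id) + _int(err_status) + _int(err_index) + _tlv(0x30, vbs)
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + _tlv(PDU_BY_NAME[pdu_type], pdu))

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                          # long form: low 7 bits = number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def _items(body):                          # split a SEQUENCE body into (tag, value) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out
def _dec_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))
def _dec_value(tag, val):
    if tag == 0x02: return int.from_bytes(val, "big", signed=True)
    if tag == 0x04: return val.decode("latin-1")
    if tag == 0x06: return ("oid", _dec_oid(val))
    return None if tag == 0x05 else (TAG_NAMES.get(tag, "unknown"), int.from_bytes(val, "big"))
def decode(packet):
    """Parse one SNMPv1/v2c message; the community string falls out in plain text."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30: raise ValueError("not an SNMP message")
    (_, ver), (_, community), (ptag, pbody) = _items(body)
    rid, es, ei, (_, vbs) = _items(pbody)
    varbinds = []
    for _, vb in _items(vbs):
        (_, oid), (vtag, vval) = _items(vb)
        varbinds.append((_dec_oid(oid), _dec_value(vtag, vval)))
    return {"version": int.from_bytes(ver, "big"), "community": community.decode("latin-1"),
            "pdu": PDU_TAGS.get(ptag, "unknown"), "request_id": _dec_value(*rid),
            "error_status": _dec_value(*es), "error_index": _dec_value(*ei), "varbinds": varbinds}

SYS_DESCR_0, SYS_UPTIME_0 = "1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.3.0"
SNMP_TRAP_OID_0, COLD_START = "1.3.6.1.6.3.1.1.4.1.0", "1.3.6.1.6.3.1.1.5.1"
def manager_get_sysdescr(community="TEST-RO", request_id=1):
    """NMS -> agent (UDP/161): get-request for sysDescr.0."""
    return encode("get-request", community, request_id, [(SYS_DESCR_0, None)])
def community_from_wire(packet):
    """What anyone sniffing the path learns: the 'password' is plaintext in every packet."""
    return decode(packet)["community"]
def agent_inform(community="TEST-RO", request_id=42, uptime=12345):
    """Agent -> NMS (UDP/162): coldStart sent as an inform, same varbinds a v2 trap carries."""
    return encode("inform-request", community, request_id,
                  [(SYS_UPTIME_0, ("timeticks", uptime)), (SNMP_TRAP_OID_0, ("oid", COLD_START))])
def manager_ack(inform_packet):
    """NMS -> agent: a Response PDU echoing request-id and varbinds; traps never get one."""
    m = decode(inform_packet)
    return encode("response", m["community"], m["request_id"], m["varbinds"])

if __name__ == "__main__":
    pkt = manager_get_sysdescr()
    print(pkt.hex(), decode(pkt), "sniffed community: " + community_from_wire(pkt), sep="\n")
    print(decode(manager_ack(agent_inform())))
```

The hex dump printed for the get-request is the same 41-byte message a packet capture would show, with the community string readable inside the OCTET STRING after the version field; no access list or view on the device changes that. An agent sending informs keeps the request-id until it sees a Response with a matching id, which is the whole difference between an inform and a trap on the wire.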

SNMPv2c Configuration:
  • Enable the SNMP agent on the managed device
snmp-server community string [view view-name] [ro | rw] [number]
    • string acts like a password and permits access to the SNMP agent. The first snmp-server command you enter is what enables the agent. Choose a long, random string rather than public or private; it is sent in cleartext in every packet.
    • view view-name (Optional) Name of a previously defined view. The view limits the MIB objects available to the community; without it the community can read (and, for rw, modify) the whole MIB.
    • ro | rw The read-write (rw) string allows the management station to make changes to the managed device, as opposed to the read-only (ro) string, which only allows reads. The default is ro.
    • number (Optional) Integer from 1 to 99 that specifies a standard access list of IP addresses that are allowed to use the community string to reach the SNMP agent. Without it, any host that can reach UDP port 161 on the device can use the string.
  • Make interface index values persistent
snmp-server ifindex persist
    • By default the SNMP interface index (ifIndex) values may change between reloads, which breaks NMS data keyed on them. This command keeps them constant across reboots.
  • Set the system location string
snmp-server location text
    • text is a string that describes the system location.
  • Set the system contact
snmp-server contact text
    • text is a string that describes the system contact.
  • Allow the NMS to reload the managed device
snmp-server system-shutdown
    • Without this command the agent ignores reload requests received via SNMP. Enable it only when needed, and only where the rw community is restricted by an access list, since anyone holding that string could otherwise reboot the device.
  • Restrict the TFTP servers used for SNMP-triggered configuration copies
snmp-server tftp-server-list number
    • number Integer from 1 to 99 that specifies an access list of TFTP servers that may be used to save or load the router's configuration when instructed via SNMP (for example through CISCO-CONFIG-COPY-MIB).
  • Create or update a view entry
snmp-server view view-name oid-tree {included | excluded}
    • view-name Label for the view record that you are updating or creating. The name is used to reference the record.
    • oid-tree Object identifier of the ASN.1 subtree to be included in or excluded from the view. To identify the subtree, specify a text string consisting of numbers, such as 1.3.6.2.4, or a word, such as system. Replace a single subidentifier with the asterisk (*) wildcard to specify a subtree family; for example 1.3.*.4.
  • SNMP traps and informs
    SNMP traps are part of the SNMPv1 and SNMPv2 specifications. The traps to be sent can be configured either globally or on a per-host basis.
snmp-server enable traps [notification-type]
    Additionally, SNMPv2c allows sending notifications as informs, which differ from traps in that they require acknowledgement from the NMS. Informs are kept in a local queue on the router, and retransmitted, until they are acknowledged or the timeout expires. This makes them more reliable than traps even though the transport is still UDP; an inform that exhausts its retries is still lost.
snmp-server host host-addr [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]
    • traps (Optional) Sends SNMP traps to this host. This is the default.
    • informs (Optional) Sends SNMP informs to this host.
    • version (Optional) SNMP version used for the notifications. If omitted, the host receives SNMPv1 traps (the TEST-RO entry in the show snmp host output below). Informs require version 2c or 3.
    • community-string Community string sent with the notification. It travels in cleartext to the NMS, so use the read-only string or a dedicated notification string, never the rw string.
    • udp-port port (Optional) UDP port of the host to use. The default is 162.
    • notification-type (Optional) Type of notification to be sent to the host, for example bgp, hsrp, syslog or snmp. If no type is specified, all enabled notifications are sent.
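The steps above put together, as an added example that is not from the original post: a constructed IOS running-config excerpt that applies each command, a deliberately weak variant, and a small Python audit that flags the settings a reviewer checks first (well-known strings, missing access lists, rw without a view, system-shutdown with an unrestricted rw string, the rw string handed to a notification host, hosts left on the SNMPv1 default). The community names, the access-list number, the view contents and the NMS address 10.1.1.2 are assumptions.

```python
"""Added example, not from the original post: a constructed IOS running-config
excerpt applying the SNMPv2c steps above, a deliberately weak variant, and an
audit that flags the settings a reviewer checks first.  Community names, the
access-list number, the view contents and the NMS address 10.1.1.2 are
assumptions; the checks encode the caveats noted on this page."""
import re

# Constructed config: every step above applied, NMS 10.1.1.2 is the only allowed poller.
HARDENED = """\
access-list 10 permit 10.1.1.2
access-list 10 deny any log
snmp-server view MGMT 1.3.6.1.2.1.1 included
snmp-server view MGMT 1.3.6.1.2.1.2 included
snmp-server view MGMT 1.3.6.1.2.1.31 included
snmp-server community TEST-RO view MGMT ro 10
snmp-server community TEST-RW view MGMT rw 10
snmp-server ifindex persist
snmp-server location test lab
snmp-server contact John Doe
snmp-server tftp-server-list 10
snmp-server enable traps
snmp-server host 10.1.1.2 informs version 2c TEST-RO
"""

# Constructed config as often found in the field: default strings, no ACL, no view,
# SNMP reload enabled, rw string sent to the trap receiver over SNMPv1.
WEAK = """\
snmp-server community public ro
snmp-server community private rw
snmp-server system-shutdown
snmp-server host 10.1.1.2 private
"""

COMMUNITY = re.compile(r"^snmp-server community (\S+)(?: view (\S+))?(?: (ro|rw))?(?: (\d+))?\s*$", re.I)
HOST = re.compile(r"^snmp-server host (\S+)(?: (traps|informs))?"
                  r"(?: version (1|2c|3(?: auth| noauth| priv)?))? (\S+)", re.I)
ACL = re.compile(r"^access-list (\d+) ")

def audit(config):
    """Return a list of findings (an empty list means nothing on this checklist was hit)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acls = {m.group(1) for l in lines if (m := ACL.match(l))}
    communities, findings = {}, []
    for l in lines:
        m = COMMUNITY.match(l)
        if not m:
            continue
        name, view, mode, acl = m.group(1), m.group(2), (m.group(3) or "ro").lower(), m.group(4)
        communities[name] = (mode, acl)
        if name.lower() in ("public", "private"):
            findings.append(f"community '{name}' is a well-known default string")
        if acl is None:
            findings.append(f"community '{name}' has no access-list: any host reaching UDP/161 can use it")
        elif acl not in acls:
            findings.append(f"community '{name}' references access-list {acl}, which is not defined")
        if mode == "rw" and view is None:
            findings.append(f"rw community '{name}' has no view: it can write anywhere in the MIB")
    open_rw = [n for n, (mode, acl) in communities.items() if mode == "rw" and acl is None]
    if "snmp-server system-shutdown" in lines and open_rw:
        findings.append(f"system-shutdown is enabled and rw community {open_rw} is unrestricted: "
                        "anyone with the string can reload the device")
    for l in lines:
        m = HOST.match(l)
        if not m:
            continue
        host, version, comm = m.group(1), m.group(3), m.group(4)
        if communities.get(comm, ("ro", None))[0] == "rw":
            findings.append(f"host {host} receives the rw community '{comm}' in cleartext with every notification")
        if version is None:
            findings.append(f"host {host} gets SNMPv1 traps by default: add 'version 2c' (informs need v2c or v3)")
    return findings

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

Paste the snmp-server and access-list lines of a real show running-config into the string and run it; the hardened excerpt produces no findings, the weak one produces eight. The checks are deliberately coarse (standard numbered ACLs only, no ipv6 nacl, no v3 users) and stop at the caveats this page raises: a clean result here still means the community string crosses the network in cleartext.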

    • show commands
    R1#show snmp
    Chassis: 4294967295
    Contact: John Doe
    Location: test lab
    0 SNMP packets input
        0 Bad SNMP version errors
        0 Unknown community name
        0 Illegal operation for community name supplied
        0 Encoding errors
        0 Number of requested variables
        0 Number of altered variables
        0 Get-request PDUs
        0 Get-next PDUs
        0 Set-request PDUs
        0 Input queue packet drops (Maximum queue size 1000)
    0 SNMP packets output
        0 Too big errors (Maximum packet size 1500)
        0 No such name errors
        0 Bad values errors
        0 General errors
        0 Response PDUs
        0 Trap PDUs
    SNMP logging: enabled
        Logging to 10.1.1.2.162, 0/10, 0 sent, 0 dropped.
    SNMP Manager-role output packets
        0 Get-request PDUs
        0 Get-next PDUs
        0 Get-bulk PDUs
        0 Set-request PDUs
        0 Inform-request PDUs
        0 Timeouts
        0 Drops
    SNMP Manager-role input packets
        0 Inform request PDUs
        0 Trap PDUs
        0 Response PDUs
        0 Responses with errors
    SNMP informs: enabled
        Informs in flight 0/25 (current/max)
        Logging to 10.1.1.2.162
            0 sent, 0 in-flight, 0 retries, 0 failed, 0 dropped

    R1#show snmp community
    Community name: ILMI
    Community Index: cisco0
    Community SecurityName: ILMI
    storage-type: read-only active

    Community name: TEST-RO
    Community Index: cisco1
    Community SecurityName: TEST-RO
    storage-type: nonvolatile active access-list: 10

    Community name: TEST-RW
    Community Index: cisco4
    Community SecurityName: TEST-RW
    storage-type: nonvolatile active

    R1#show snmp host    
    Notification host: 10.1.1.2 udp-port: 162 type: inform
    user: TEST-RW security model: v2c
    Notification host: 10.1.1.2 udp-port: 162 type: trap
    user: TEST-RO security model: v1
    • snmpwalk command




