
Configuring SNMP

This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the Cisco 910 Industrial Routers (hereafter referred to as the router).

• Understanding SNMP, page 1
• Configuring SNMP, page 3
• Displaying SNMP Status, page 10

Understanding SNMP

SNMP is an application-layer protocol that provides a message format for communication between managers and agents. The SNMP system consists of an SNMP manager, an SNMP agent, and a MIB. The SNMP manager can be part of a network management system (NMS) such as CiscoWorks. The agent and MIB reside on the router. To configure SNMP on the router, you define the relationship between the manager and the agent.

The SNMP agent contains MIB variables whose values the SNMP manager can request or change. A manager can get a value from an agent or store a value into the agent. The agent gathers data from the MIB, the repository for information about device parameters and network data. The agent can also respond to a manager's requests to get or set data.

An agent can send unsolicited traps to the manager. Traps are messages alerting the SNMP manager to a condition on the network. Traps can mean improper user authentication, restarts, link status (up or down), MAC address tracking, closing of a TCP connection, loss of connection to a neighbor, or other significant events.

These sections contain this conceptual information:

• SNMP Versions, page 1
• SNMP Agent Functions, page 3
• SNMP Community Strings, page 3
• SNMP Notifications, page 3

SNMP Versions

This software release supports these SNMP versions:

• SNMPv1: The Simple Network Management Protocol, a Full Internet Standard, defined in RFC 1157.
• SNMPv2C replaces the Party-based Administrative and Security Framework of SNMPv2Classic with the community-string-based Administrative Framework of SNMPv2C while retaining the bulk retrieval and improved error handling of SNMPv2Classic. It has these features:
  - SNMPv2: Version 2 of the Simple Network Management Protocol, a Draft Internet Standard, defined in RFCs 1902 through 1907.
  - SNMPv2C: The community-string-based Administrative Framework for SNMPv2, an Experimental Internet Protocol defined in RFC 1901.

Cisco Systems, Inc.  www.cisco.com

• SNMPv3: Version 3 of the SNMP is an interoperable standards-based protocol defined in RFCs 2273 to 2275. SNMPv3 provides secure access to devices by authenticating and encrypting packets over the network and includes these security features:
  - Message integrity: ensuring that a packet was not tampered with in transit
  - Authentication: determining that the message is from a valid source
  - Encryption: scrambling the contents of a packet to prevent it from being read by an unauthorized source

Both SNMPv1 and SNMPv2C use a community-based form of security. The community of managers able to access the agent's MIB is defined by an IP address access control list and password.

SNMPv2C includes a bulk retrieval mechanism and more detailed error message reporting to management stations. The bulk retrieval mechanism retrieves tables and large quantities of information, minimizing the number of round-trips required. The SNMPv2C improved error handling includes expanded error codes that distinguish different kinds of error conditions; these conditions are reported through a single error code in SNMPv1. Error return codes in SNMPv2C report the error type.

SNMPv3 provides for both security models and security levels. A security model is an authentication strategy set up for a user and the group within which the user resides. A security level is the permitted level of security within a security model. A combination of the security level and the security model determines which security mechanism is used when handling an SNMP packet. Available security models are SNMPv1, SNMPv2C, and SNMPv3. Table 14 identifies the characteristics of the different combinations of security models and levels.

Table 14  SNMP Security Models and Levels

SNMPv1, level noAuthNoPriv
  Authentication: community string. Encryption: no.
  Result: Uses a community string match for authentication.

SNMPv2C, level noAuthNoPriv
  Authentication: community string. Encryption: no.
  Result: Uses a community string match for authentication.

SNMPv3, level noAuthNoPriv
  Authentication: username. Encryption: no.
  Result: Uses a username match for authentication.

SNMPv3, level authNoPriv
  Authentication: Message Digest 5 (MD5) or Secure Hash Algorithm (SHA). Encryption: no.
  Result: Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.

SNMPv3, level authPriv (requires the cryptographic software image)
  Authentication: MD5 or SHA. Encryption: Data Encryption Standard (DES) or Advanced Encryption Standard (AES).
  Result: Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Allows specifying the User-based Security Model (USM) with these encryption algorithms:
  - DES 56-bit encryption in addition to authentication based on the CBC-DES (DES-56) standard
  - 3DES 168-bit encryption
  - AES 128-bit, 192-bit, or 256-bit encryption

Only the SNMPv3 authPriv level protects both the credential and the MIB data. In the SNMPv1 and SNMPv2C models the community string and every value read or written cross the network in cleartext, and the v3 noAuthNoPriv and authNoPriv levels leave the payload readable even though authNoPriv prevents forgery. Of the algorithms in the table, HMAC-SHA with AES is the combination to prefer; MD5 and single DES remain for compatibility with older management stations.

You must configure the SNMP agent to use the SNMP version supported by the management station. Because an agent can communicate with multiple managers, you can configure the software to support communications using SNMPv1, SNMPv2C, or SNMPv3.

SNMP Agent Functions

The SNMP agent responds to SNMP manager requests as follows:

• Get a MIB variable: The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value.
• Set a MIB variable: The SNMP agent begins this function in response to a message from the NMS. The SNMP agent changes the value of the MIB variable to the value requested by the NMS.

The SNMP agent also sends unsolicited trap messages to notify an NMS that a significant event has occurred on the agent. Examples of trap conditions include, but are not limited to, when a port or module goes up or down, when spanning-tree topology changes occur, and when authentication failures occur.

SNMP Community Strings

SNMP community strings authenticate access to MIB objects and function as embedded passwords. In order for the NMS to access the router, the community string definitions on the NMS must match at least one of the three community string definitions on the router.

A community string can have one of these attributes:

• Read-only (RO): Gives read access to authorized management stations to all objects in the MIB except the community strings, but does not allow write access
• Read-write (RW): Gives read and write access to authorized management stations to all objects in the MIB, but does not allow access to the community strings

Because the community string is the whole credential in SNMPv1 and SNMPv2C and is sent unencrypted, anyone who can capture or guess a read-write string can change every writable MIB object on the router.

SNMP Notifications

SNMP allows the router to send notifications to SNMP managers when particular events occur. SNMP notifications can be sent as traps or inform requests. In command syntax, unless there is an option in the command to select either traps or informs, the keyword traps refers to either traps or informs, or both. Use the snmp-server host command to specify whether to send SNMP notifications as traps or informs.

SNMPv1 does not support informs.

Traps are unreliable because the receiver does not send an acknowledgment when it receives a trap, and the sender cannot determine if the trap was received. When an SNMP manager receives an inform request, it acknowledges the message with an SNMP response protocol data unit (PDU). If the sender does not receive a response, the inform request can be sent again. Because they can be re-sent, informs are more likely than traps to reach their intended destination.

The characteristics that make informs more reliable than traps also consume more resources in the router and in the network. Unlike a trap, which is discarded as soon as it is sent, an inform request is held in memory until a response is received or the request times out. Traps are sent only once, but an inform might be re-sent or retried several times. The retries increase traffic and contribute to a higher overhead on the network. Therefore, traps and informs require a trade-off between reliability and resources. If it is important that the SNMP manager receive every notification, use inform requests. If traffic on the network or memory in the router is a concern and notification is not required, use traps.

Configuring SNMP

• Default SNMP Configuration, page 4
• Configuring Community Strings, page 4
• Configuring SNMP Groups and Users, page 5

• Configuring SNMP Notifications, page 7
• Setting the Agent Contact and Location Information, page 9
• SNMP Agent Configuration Example, page 9

Default SNMP Configuration

Table 15 shows the default SNMP configuration.

Table 15  Default SNMP Configuration

Feature                  Default Setting
SNMP agent               Enabled.
SNMP trap receiver       None configured.
SNMP traps               Enabled.
SNMP version             If no version keyword is present, the default is Version 1.
SNMPv3 authentication    If no keyword is entered, the default is the noauth (noAuthNoPriv) security level.
SNMP notification type   If no type is specified, all notifications are sent.

Configuring Community Strings

You use the SNMP community string to define the relationship between the SNMP manager and the agent. The community string acts like a password to permit access to the agent on the router. Optionally, you can specify one or more of these characteristics associated with the string:

• A MIB view, which defines the subset of all MIB objects accessible to the given community
• Read and write or read-only permission for the MIB objects accessible to the community

Beginning in privileged EXEC mode, follow these steps to configure a community string on the router:

1. configure terminal
   Enter global configuration mode.

2. snmp-server community string [view view-name] [ro | rw]
   Configure the community string.
   • For string, specify a string that acts like a password and permits access to the SNMP protocol. You can configure one or more community strings of any length.
   • (Optional) For view, specify the view record accessible to the community.
   • (Optional) Specify either read-only (ro) if you want authorized management stations to retrieve MIB objects, or specify read-write (rw) if you want authorized management stations to retrieve and modify MIB objects. By default, the community string permits read-only access to all objects.

3. snmp-server view view-name oid-tree {included | excluded}
   Create or update an SNMP view entry.
   • For view-name, specify the name of the view.
   • For oid-tree, specify the MIB view family name as an OID (for example, .1.3.6.1) or as an object name (for example, .internet).
   • Specify either included if the MIB family name is included in the view, or excluded if the MIB family name is excluded from the view.

4. exit
   Return to privileged EXEC mode.

5. show running-config
   Verify your entries.

6. copy running-config startup-config
   (Optional) Save your entries in the configuration file.

To remove a specific community string, use the no snmp-server community string global configuration command.

This example shows how to assign the string public to SNMP, to allow read-only access:

Router(config)# snmp-server community public ro

The string public is the default that SNMP tools and scanners try first; treat community strings as passwords and choose a value that cannot be guessed.

Configuring SNMP Groups and Users

You can configure an SNMP server group that maps SNMP users to SNMP views, and you can add new users to the SNMP group.

Beginning in privileged EXEC mode, follow these steps to configure SNMP on the router:

1. configure terminal
   Enter global configuration mode.

2. snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview]
   Configure a new SNMP group on the remote device.
   • For groupname, specify the name of the group.
   • Specify a security model:
     - v1 is the least secure of the possible security models.
     - v2c is the second least secure model. It allows transmission of informs and integers twice the normal width.
     - v3, the most secure, requires you to select an authentication level:
       auth: Enables the Message Digest 5 (MD5) and the Secure Hash Algorithm (SHA) packet authentication.
       noauth: Enables the noAuthNoPriv security level. This is the default if no keyword is specified.
       priv: Enables Data Encryption Standard (DES) packet encryption (also called privacy).
   • (Optional) Enter read readview with a string (not to exceed 64 characters) that is the name of the view in which you can only view the contents of the agent. Default read view is v1default.
   • (Optional) Enter write writeview with a string (not to exceed 64 characters) that is the name of the view in which you enter data and configure the contents of the agent. Default write view is none.

3. snmp-server user username groupname {v1 | v2c | v3 [auth {md5 | sha} auth-password]} [priv {des | aes {128 | 192 | 256}} priv-password]
   Add a new user for an SNMP group.
   • The username is the name of the user on the host that connects to the agent.
   • The groupname is the name of the group to which the user is associated.
   • Enter the SNMP version number (v1, v2c, or v3). If you enter v3, you have an additional option:
     - auth: An authentication level setting session that can be either the HMAC-MD5-96 (md5) or the HMAC-SHA-96 (sha) authentication level and requires a password string auth-password (not to exceed 64 characters).
   • If you enter v3, you can also configure a private (priv) encryption algorithm and password string priv-password (not less than 8 alphanumeric characters and not to exceed 64 characters).
     - priv specifies the User-based Security Model (USM).
     - des specifies the use of the 56-bit DES algorithm.
     - aes specifies the use of the AES algorithm. You must select either 128-bit, 192-bit, or 256-bit encryption.

4. exit
   Return to privileged EXEC mode.

5. show running-config
   Verify your entries.
   Note: To display SNMPv3 information about auth | noauth | priv mode configuration, you must enter the show snmp user privileged EXEC command.

6. copy running-config startup-config
   (Optional) Save your entries in the configuration file.

This example shows how to configure an SNMP group with the name grp1:

Router(config)# snmp-server group grp1 v3 priv read view1 write view1

This example shows how to configure an SNMP user user1:

Router(config)# snmp-server user user1 grp1 v3 auth md5 12345678 priv des 12345678

The passwords in this example are placeholders. Use distinct, non-trivial authentication and privacy passwords, and prefer sha and aes over md5 and des wherever the management station supports them; md5 and des are the weakest options the user command accepts.

Configuring SNMP Notifications

A trap manager is a management station that receives and processes traps. Traps are system alerts that the router generates when certain events occur. The following notification types are supported on the router:

• snmp authentication
• snmp linkdown
• snmp linkup

By default, no trap manager is defined, and no traps are sent.

You can enable any or all of these traps and configure a trap manager to receive them. To enable the sending of SNMP inform notifications, use the snmp-server enable traps global configuration command combined with the snmp-server host host-addr informs global configuration command.

Beginning in privileged EXEC mode, follow these steps to configure the router to send traps or informs to a host:

1. configure terminal
   Enter global configuration mode.

2. snmp-server user username groupname {v1 | v2c | v3 [auth {md5 | sha} auth-password]} [priv {des | aes {128 | 192 | 256}} priv-password]
   Configure an SNMP user.

3. snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview]
   Configure an SNMP group.

4. snmp-server host host-addr [informs | traps] [version {1 | 2c | 3 {auth | noauth | priv}}] community-string [udp-port port]
   Specify the recipient of an SNMP trap operation.
   • For host-addr, specify the name or Internet address of the host (the targeted recipient).
   • (Optional) Enter informs to send SNMP informs to the host.
   • (Optional) Enter traps (the default) to send SNMP traps to the host.
   • (Optional) Specify the SNMP version (1, 2c, or 3). Default is version 1. SNMPv1 does not support informs.
   • (Optional) For Version 3, select authentication level auth, noauth, or priv.
     Note: The priv keyword is available only when the cryptographic software image is installed.
   • For community-string, when version 1 or version 2c is specified, enter the password-like community string sent with the notification operation. When version 3 is specified, enter the SNMPv3 username.
   • (Optional) For port, specify the UDP port of the notification host. Default is port 162.

5. snmp-server inform [retries retries] [timeout timeout]
   (Optional) Specify SNMP inform request options.
   • For retries, specify the retry count for informs. Default is 3. Valid range is from 0 to 100.
   • For timeout, specify the timeout for informs in seconds. Default is 15 seconds. Valid range is from 0 to 4294967 seconds.

6. snmp-server enable traps [notification-types]
   Enable the router to send traps or informs and specify the type of notifications to be sent. The following notification types are supported on the router:
   • snmp authentication
   • snmp linkdown
   • snmp linkup
   By default, all supported notification types are enabled.

7. exit
   Return to privileged EXEC mode.

8. show running-config
   Verify your entries.
   Note: To display SNMPv3 information about auth | noauth | priv mode configuration, you must enter the show snmp user privileged EXEC command.

9. copy running-config startup-config
   (Optional) Save your entries in the configuration file.

The snmp-server host command specifies which hosts receive the notifications. The snmp-server enable traps command globally enables the mechanism for the specified notification (for traps and informs). To enable a host to receive an inform, you must configure an snmp-server host informs command for the host and globally enable informs by using the snmp-server enable traps command.

To remove the specified host from receiving traps, use the no snmp-server host host global configuration command. The no snmp-server host command with no keywords disables traps, but not informs, to the host. To disable informs, use the no snmp-server host informs global configuration command. To disable a specific trap type, use the no snmp-server enable traps notification-types global configuration command.

This example shows how to enable the router to send all SNMP notification types:

Router(config)# snmp-server enable traps snmp

This example shows how to configure the host 192.168.1.0 to receive SNMPv2c traps:

Router(config)# snmp-server host 192.168.1.0 traps version 2c public

Setting the Agent Contact and Location Information

Beginning in privileged EXEC mode, follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file:

1. configure terminal
   Enter global configuration mode.

2. snmp-server contact text
   Set the system contact string. For example: snmp-server contact SystemOperator

3. snmp-server location text
   Set the system location string. For example: snmp-server location Building3

4. exit
   Return to privileged EXEC mode.

5. show running-config
   Verify your entries.

6. copy running-config startup-config
   (Optional) Save your entries in the configuration file.

SNMP Agent Configuration Example

The following example shows how to configure the SNMP agent:

Router# configure terminal
Router(config)# snmp-server community public ro
Router(config)# snmp-server community private rw
Router(config)# snmp-server contact SystemOperator
Router(config)# snmp-server location Building3
Router(config)#
Router(config)# snmp-server view view1 .1.3.6.1 included
Router(config)# snmp-server view view1 .1.3.6.1.6.3.15 excluded
Router(config)# snmp-server view view1 .1.3.6.1.6.3.16 excluded
Router(config)# snmp-server group grp1 v3 priv read view1 write view1
Router(config)# snmp-server user user1 grp1 v3 auth md5 12345678 priv des 12345678
Router(config)#
Router(config)# snmp-server enable traps snmp authentication
Router(config)# snmp-server host 192.168.1.0 traps version 2c public
Router(config)# snmp-server host 192.168.1.1 traps version 3 priv user1
Router(config)# exit

The two subtrees excluded from view1 are the USM MIB (.1.3.6.1.6.3.15) and the VACM MIB (.1.3.6.1.6.3.16), so a user in grp1 can read and write the rest of the internet subtree but cannot read or alter the agent's own user and access-control tables. Note that the public and private communities in the same example are not restricted to any view and still expose the whole MIB to cleartext v1/v2c access; the version 2c trap host likewise sends the community public with every notification.
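A practitioner reviewing configurations like the one above usually wants a repeatable check rather than a manual read. The following is an added example, not Cisco code, that audits the SNMP lines of a saved running-config for the weak settings discussed in this chapter: well-known or read-write communities, v1/v2c notification hosts, v3 groups and hosts below the priv level, and v3 users with MD5 or DES. The embedded config text is the agent configuration example from this page; the rule names and message wording are the example's own.

```python
"""Added example: audit a saved running-config for weak SNMP settings.
The config text below is the agent configuration example from this chapter,
embedded inline so the audit runs offline."""

SAMPLE_CONFIG = """\
snmp-server community public ro
snmp-server community private rw
snmp-server contact SystemOperator
snmp-server location Building3
snmp-server view view1 .1.3.6.1 included
snmp-server view view1 .1.3.6.1.6.3.15 excluded
snmp-server view view1 .1.3.6.1.6.3.16 excluded
snmp-server group grp1 v3 priv read view1 write view1
snmp-server user user1 grp1 v3 auth md5 12345678 priv des 12345678
snmp-server enable traps snmp authentication
snmp-server host 192.168.1.0 traps version 2c public
snmp-server host 192.168.1.1 traps version 3 priv user1
"""

WELL_KNOWN = {"public", "private"}   # defaults every SNMP scanner tries first


def _after(tokens, keyword, default=None):
    """Token following keyword, or default if keyword is absent or last."""
    if keyword in tokens:
        i = tokens.index(keyword)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return default


def audit_snmp_config(config: str) -> list:
    """Return one finding string per weak setting, in config order."""
    findings = []
    for raw in config.splitlines():
        tok = raw.strip().split()
        if len(tok) < 3 or tok[0] != "snmp-server":
            continue
        kind, name = tok[1], tok[2]
        if kind == "community":
            # v1/v2c: the community is the whole credential and is never encrypted.
            if name.lower() in WELL_KNOWN:
                findings.append(f"community '{name}': well-known default string")
            if "rw" in tok[3:]:
                findings.append(f"community '{name}': read-write access")
            findings.append(f"community '{name}': v1/v2c community string is sent in cleartext")
        elif kind == "group" and "v3" in tok:
            level = _after(tok, "v3", "noauth")       # noauth is the documented default
            if level != "priv":
                findings.append(f"group '{name}': v3 level '{level}' does not encrypt")
        elif kind == "user" and "v3" in tok:
            if _after(tok, "auth") == "md5":
                findings.append(f"user '{name}': HMAC-MD5 authentication")
            priv_algo = _after(tok, "priv")
            if priv_algo is None:
                findings.append(f"user '{name}': no priv, requests are not encrypted")
            elif priv_algo == "des":
                findings.append(f"user '{name}': DES-56 privacy")
        elif kind == "host":
            version = _after(tok, "version", "1")     # version 1 is the documented default
            if version != "3":
                findings.append(f"host {name}: version {version} notifications carry a cleartext community")
            else:
                i = tok.index("version") + 2          # {auth | noauth | priv} follows the 3
                level = tok[i] if i < len(tok) and tok[i] in ("auth", "noauth", "priv") else "noauth"
                if level != "priv":
                    findings.append(f"host {name}: version 3 notifications at level '{level}' are not encrypted")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the page's example the audit flags both communities, the v2c trap host and the md5/des user, and is silent on grp1 and the version 3 priv host, which is the split a reviewer would expect from the configuration as written.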

Displaying SNMP Status

To display SNMP input and output statistics, including the number of illegal community string entries, errors, and requested variables, use the show snmp privileged EXEC command. You also can use the other privileged EXEC commands in Table 16 to display SNMP information.

Table 16  Commands for Displaying SNMP Information

Command               Purpose
show snmp             Displays SNMP statistics.
show snmp community   Displays all SNMP community access strings.
show snmp contact     Displays SNMP contact information.
show snmp group       Displays SNMP group information.
show snmp host        Displays information configured for SNMP notification operation.
show snmp location    Displays SNMP location information.
show snmp mib         Displays a list of the MIB module OIDs registered on the system.
show snmp user        Displays information on each SNMP user name in the SNMP users table.
                      Note: You must use this command to display SNMPv3 configuration information for auth | noauth | priv mode. This information is not displayed in the show running-config output.
show snmp view        Displays the SNMP view configuration.

You can use the following commands in user mode as well to display SNMP status:

• show snmp
• show snmp contact
• show snmp location

This example shows the SNMP server statistics:

Router# show snmp
1 SNMP packets input
    0 Bad SNMP version errors
    0 Unknown community name
    0 Illegal operation for community name supplied
    0 Encoding errors
    11 Number of requested variables
    0 Number of altered variables
    0 Get-request PDUs
    15 Get-next PDUs
    0 Set-request PDUs
1 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
    0 No such name errors
    0 Bad values errors
    0 General errors
    25 Response PDUs
    0 Trap PDUs
SNMP global trap: disabled
SNMP informs: disabled
SNMP agent enabled

The Unknown community name and Illegal operation for community name supplied counters are the ones to watch for community-string guessing or a management station using a read-only string for writes; with snmp authentication traps enabled, the same events also produce authentication-failure notifications at the trap host.

This example shows the SNMP community:

Router# show snmp community

Community name: public
Community Index: public
Community SecurityName: public
storage-type: nonvolatile        active

Community name: private
Community Index: private
Community SecurityName: private
storage-type: nonvolatile        active

This example shows the SNMP group:

Router# show snmp group
groupname: kpgrp                 security model: v3 auth
readview : kpview                writeview: kpview
row status: active

This example shows the SNMP host:

Router# show snmp host
Notification host: 172.18.60.61  udp-port: 162   type: inform
user: public                     security model: v2c

Notification host: 172.18.60.61  udp-port: 150   type: trap
user: kpuser                     security model: v3 priv

This example shows the SNMP user:

Router# show snmp user
User name: kpuser
Engine ID: 800000090300006440F0D281
storage-type: nonvolatile        active
Authentication Protocol: None
Privacy Protocol: None
Group-name: kpgrp

This example shows the SNMP views:

Router# show snmp view
v1default .iso - included permanent active
v1default .iso.org.dod.internet - included permanent active
v1default B - excluded permanent active
v1default IB - excluded permanent active
view1 .1.3.6 - included permanent active
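The Engine ID in the show snmp user output is what turns a user's authentication password into the key the router actually verifies. Under the User-based Security Model (RFC 3414) the password is first hashed into an engine-independent key Ku and then localized with the agent's engine ID, so the same password yields a different key on every agent, and the key the router stores is useless against another router. The first four octets of the engine ID shown above, 0x80000009, carry the enterprise number 9 (Cisco) with the high bit set, and the fifth octet is the RFC 3411 format byte. The following is an added example, not Cisco code, that implements the derivation and checks it against the test vectors published in RFC 3414 (password maplesyrup, engine ID 000000000000000000000002); the bytes fed to the HMAC in the last function are a constructed placeholder for a real message.

```python
"""Added example: RFC 3414 password-to-key derivation and key localization,
plus the 96-bit HMAC tag that travels in msgAuthenticationParameters."""
import hashlib
import hmac

# Engine ID shown by 'show snmp user' on this page.
PAGE_ENGINE_ID = bytes.fromhex("800000090300006440F0D281")

# RFC 3414 appendix A test vector inputs.
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

ONE_MEGABYTE = 1_048_576


def password_to_ku(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated out to exactly 1,048,576 octets.
    The repetition is the only work factor USM adds against password guessing."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_auth_key(password: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Localized authentication key for one user on one agent."""
    return localize_key(password_to_ku(password, algo), engine_id, algo)


def auth_parameters(kul: bytes, whole_message: bytes, algo: str = "sha1") -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: the first 12 octets of the HMAC over the
    whole message, computed with msgAuthenticationParameters zero-filled."""
    return hmac.new(kul, whole_message, algo).digest()[:12]


def decode_engine_id(engine_id: bytes) -> dict:
    """Split an RFC 3411 SnmpEngineID into enterprise number, format octet
    and the remaining body octets (not interpreted further here)."""
    if len(engine_id) < 5 or not engine_id[0] & 0x80:
        raise ValueError("not an RFC 3411 style engine ID")
    return {
        "enterprise": int.from_bytes(engine_id[:4], "big") & 0x7FFFFFFF,
        "format": engine_id[4],
        "body": engine_id[5:].hex(),
    }


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, usm_auth_key(RFC_PASSWORD, RFC_ENGINE_ID, algo).hex())
    print(decode_engine_id(PAGE_ENGINE_ID))
    # Same password, different agent: different localized key.
    print(usm_auth_key(RFC_PASSWORD, PAGE_ENGINE_ID).hex())
```

Two consequences follow for operations. A manager must learn the agent's engine ID (normally by a discovery exchange) before it can authenticate at all, and a user's auth or priv password is only as strong as the password itself, because the 1 MB hashing step is fixed and cheap on modern hardware; the eight-character minimum in the user command is a floor, not a recommendation.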

