SNMP
Overview
The Simple Network Management Protocol (SNMP) enables a network device to share information about itself and its activities. A complete SNMP system consists of the following parts:
- SNMP manager: A network management system that uses SNMP to poll and receive data from any number of network devices. The SNMP manager usually is an application that runs in a central location.
- SNMP agent: A process that runs on the network device being monitored. All types of data are gathered by the device itself and stored in a local database. The agent can then respond to SNMP polls and queries with information from the database, and it can send unsolicited alerts or “traps” to an SNMP manager.
In the case of Catalyst switches in the network, each switch automatically collects data about itself, its resources, and each of its interfaces. This data is stored in a Management Information Base (MIB) database in memory and is updated in real time.
To see any of the MIB data, an SNMP manager must send an SNMP poll or query to the switch. The query contains the OID of the specific variable being requested so that the agent running on the switch knows what information to return. An SNMP manager can use the following mechanisms to communicate with an SNMP agent, all over UDP port 161:
- Get request: The value of one specific MIB variable is needed.
- Get next request: The next or subsequent value following an initial get request is needed.
- Get bulk request: Whole tables or lists of values in a MIB variable are needed.
- Set request: A specific MIB variable needs to be set to a value.
SNMP polls or requests are usually sent by the SNMP manager at periodic intervals. This makes real-time monitoring difficult because changing variables will not be noticed until the next poll cycle. However, SNMP agents can send unsolicited alerts to notify the SNMP manager of real-time events at any time. Alerts can be sent using the following mechanisms over UDP port 162:
- SNMP trap: News of an event (interface state change, device failure, and so on) is sent without any acknowledgment that the trap has been received.
- Inform request: News of an event is sent to an SNMP manager, and the manager must acknowledge receipt with a response PDU; if no acknowledgment arrives, the agent retransmits the inform.
SNMP notifications are messages that an agent sends on its own initiative, without any request from the manager. There are two kinds: traps and inform requests. A trap tells the manager about a network condition and is fire-and-forget. An inform carries the same information but asks the manager to confirm receipt; the agent keeps the inform in memory and retransmits it until a response arrives or the retry limit is reached, so informs are more reliable but cost the agent more memory and bandwidth. Informs require SNMPv2c or SNMPv3; SNMPv1 supports only traps. Choosing between them is a trade-off between reliability and resources.
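The request types listed above map directly onto the bytes of an SNMP datagram. The following is an added example, not code from the original page or from Cisco: a standard-library-only encoder/decoder for SNMPv1/v2c messages that shows why a practitioner should care about the community string, namely that it and every OID are readable straight off the wire. It also shows how GetBulk reuses the two integer slots after the request-id. The OID constant (sysDescr.0) is standard MIB-II; the request-id value and the helper names are this example's own choices.

```python
"""SNMPv1/v2c message encoder/decoder in plain Python (BER written by hand).
Added example for this page; not code from the original page or from Cisco.
Community string and OIDs are cleartext; GetBulk reuses error-status/error-index."""
import socket

SNMP_V1, SNMP_V2C = 0, 1
# Context-specific constructed tags for the PDU types described above
GET, GETNEXT, RESPONSE, SET, GETBULK, INFORM, TRAP2 = 0xA0, 0xA1, 0xA2, 0xA3, 0xA5, 0xA6, 0xA7
SYS_DESCR = "1.3.6.1.2.1.1.1.0"  # sysDescr.0, a MIB-II scalar every agent answers

def _length(n):
    """BER length octets: short form below 128, long form 0x8N + N bytes above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def _integer(value):
    """ASN.1 INTEGER, minimal two's-complement encoding."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return _tlv(0x02, value.to_bytes(n, "big", signed=True))

def _oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_message(community, oids, pdu_type=GET, request_id=1, version=SNMP_V2C,
                  non_repeaters=0, max_repetitions=0):
    """Encode a request whose varbinds carry NULL values (what a Get sends).
    For GetBulk the two INTEGERs after request-id are non-repeaters and
    max-repetitions; for every other PDU they are error-status/error-index (0)."""
    varbinds = b"".join(_tlv(0x30, _oid(o) + b"\x05\x00") for o in oids)
    pdu = _tlv(pdu_type, _integer(request_id) + _integer(non_repeaters)
               + _integer(max_repetitions) + _tlv(0x30, varbinds))
    return _tlv(0x30, _integer(version) + _tlv(0x04, community.encode()) + pdu)

def _read(buf, pos):
    """Read one TLV starting at pos; return (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    # First octet packs the first two arcs (fine for iso(1)-rooted MIB OIDs)
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_message(raw):
    """Decode a v1/v2c message; varbinds come back as (oid, value_tag, value_bytes)."""
    _, msg, _ = _read(raw, 0)
    _, ver, p = _read(msg, 0)
    _, community, p = _read(msg, p)
    pdu_type, pdu, _ = _read(msg, p)
    _, rid, q = _read(pdu, 0)
    _, status, q = _read(pdu, q)
    _, index, q = _read(pdu, q)
    _, vbl, _ = _read(pdu, q)
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = _read(vbl, q)
        _, oid_raw, r = _read(vb, 0)
        vtag, value, _ = _read(vb, r)
        varbinds.append((_decode_oid(oid_raw), vtag, value))
    as_int = lambda b: int.from_bytes(b, "big", signed=True)
    return {"version": as_int(ver), "community": community.decode(errors="replace"),
            "pdu_type": pdu_type, "request_id": as_int(rid), "error_status": as_int(status),
            "error_index": as_int(index), "varbinds": varbinds}

def snmp_get(host, community, oid=SYS_DESCR, timeout=2.0):
    """Send one GetRequest to UDP/161 and return the parsed Response.
    Needs a reachable agent, so it is not exercised offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_message(community, [oid], request_id=0x1234), (host, 161))
        data, _ = sock.recvfrom(65535)
    finally:
        sock.close()
    return parse_message(data)

if __name__ == "__main__":
    wire = build_message("public", [SYS_DESCR])
    print(wire.hex())  # the bytes 'public' sit unobscured at offset 7 of the datagram
    print(parse_message(wire))
```

Running the block prints the 40-byte GetRequest for sysDescr.0 and its decoded form; anyone on the path who captures that datagram has the community string, which is the whole reason the SNMPv1/v2c sections below lean on access lists and SNMPv3 replaces the community with authenticated, encrypted user credentials.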
Configuration
SNMPv1
Switch(config)# access-list access-list-number permit ip-addr
Switch(config)# snmp-server community community-string [ ro | rw ] [ access-list-number ]
Switch(config)# snmp-server host host-address community-string [ trap-type ]
The access list restricts which source IP addresses are allowed to use the community string. In SNMPv1 and SNMPv2c the community string is the only credential and it crosses the wire in cleartext, so the access list is the only real access control, and because SNMP runs over UDP the source address can be spoofed. Use ro unless SET access is genuinely required, avoid the well-known strings public and private, and do not expose UDP port 161 beyond the management network.
The third line uses the snmp-server host command to identify the IP address of the SNMP manager where SNMP traps will be sent. By default, all types of traps are sent.
Example
Switch(config)# access-list 10 permit 192.168.3.99
Switch(config)# access-list 10 permit 192.168.100.4
Switch(config)# snmp-server community MonitorIt ro 10
Switch(config)# snmp-server host 192.168.3.99 MonitorIt
SNMPv2C
Switch(config)# access-list access-list-number permit ip-addr
Switch(config)# snmp-server community string [ ro | rw ] [ access-list-number ]
Switch(config)# snmp-server host host-address [ informs ] version 2c community-string
SNMPv3
You can use the snmp-server view command to define a specific view for the users. Only the MIB variables located under the OID name given as oid-tree will be visible to the user group.
Switch(config)# snmp-server view view-name oid-tree
If no view is configured, all MIB variables are visible to the users.
Now you need to define a group which is allowed to access the view.
Switch(config)# snmp-server group group-name v3 { noauth | auth | priv } [ read read-view ] [ write write-view ] [ notify notify-view ] [ access access-list ]
If you configured a view, you can use the read, write, and notify keywords to limit access to read, write, or notification operations. If you configured an access list, you can apply it to the group with the access keyword.
The security level is defined by the noauth (no packet authentication or encryption), auth (packets are authenticated but not encrypted), or priv (packets are both authenticated and encrypted) keyword. Only the security policy is defined in the group; no passwords or keys are required yet.
Next you need to assign some usernames to the group.
Switch(config)# snmp-server user user-name group-name v3 auth { md5 | sha } auth-password priv { des | 3des | aes { 128 | 192 | 256 } } priv-password [ access access-list-number ]
The SNMPv3 user must also have some specifics added to its security policy.
Use the auth keyword to select HMAC-MD5 (md5) or HMAC-SHA (sha, based on SHA-1) as the per-packet authentication method, along with the auth-password string from which the authentication key is derived. Prefer sha; md5 remains mainly for compatibility with older managers.
The priv keyword selects the encryption method (DES, 3DES, or AES with a 128-, 192-, or 256-bit key) and the priv-password string from which the encryption key is derived. 56-bit DES is obsolete and should not be used on new deployments; choose AES. 3DES and AES are available only in cryptographic software images. The authentication and privacy passwords are separate secrets, and a priv user must also have auth configured, because SNMPv3 does not allow encryption without authentication.
Finally define a trap host.
Switch(config)# snmp-server host host-address [ informs ] version 3 { noauth | auth | priv } username [ trap-type ]
Example
Switch(config)# access-list 10 permit 192.168.3.99
Switch(config)# access-list 10 permit 192.168.100.4
Switch(config)# snmp-server group NetOps v3 priv
Switch(config)# snmp-server user mymonitor NetOps v3 auth sha s3cr3tauth priv aes 128 s3cr3tpr1v access 10
Switch(config)# snmp-server host 192.168.3.99 informs version 3 priv mymonitor
Show Status
Router# show snmp host
Example
This running-config excerpt is shown as-is. Note that it uses the default community string public with rw access, restricted only by access list 33, and sends traps to the manager with that same string; treat it as a weak configuration unless 192.168.1.0/24 is a fully trusted management segment.
access-list 33 permit 192.168.1.0 0.0.0.255
snmp-server community public RW 33
snmp-server location B1
snmp-server contact [email protected]
snmp-server chassis-id 2511_AccessServer_Canadice
snmp-server enable traps snmp
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps bgp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps rtr
snmp-server host 192.168.1.100 public
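The SNMPv1/v2c and SNMPv3 configuration sections above, and the running-config example just shown, describe the settings that distinguish a weak SNMP deployment from an acceptable one. The following is an added example, not code from the original page or from Cisco: a small audit that reads IOS-style `snmp-server` lines and flags the weak ones (default or read-write community strings, communities without an access list, v1/v2c notification hosts, v3 groups or hosts below the priv level, v3 users on md5/des). The sample configuration is constructed from the page's own examples plus two deliberately weak lines (the `lab` community and the `oldbox` user); the severity labels are this example's own convention.

```python
"""Audit IOS 'snmp-server' configuration lines for weak SNMP settings.
Added example; not code from the original page or from Cisco.
The sample config below is constructed from the page's examples plus two
deliberately weak lines, and the severities are this example's own scale."""

SAMPLE_CONFIG = """\
access-list 33 permit 192.168.1.0 0.0.0.255
snmp-server community public RW 33
snmp-server community MonitorIt ro 10
snmp-server community lab rw
snmp-server location B1
snmp-server enable traps snmp
snmp-server host 192.168.1.100 public
snmp-server group NetOps v3 priv
snmp-server group Legacy v3 noauth
snmp-server user mymonitor NetOps v3 auth sha s3cr3tauth priv aes 128 s3cr3tpr1v access 10
snmp-server user oldbox Legacy v3 auth md5 weakauth priv des weakpriv
snmp-server host 192.168.3.99 informs version 3 priv mymonitor
"""

DEFAULT_COMMUNITIES = {"public", "private"}
WEAK_AUTH = {"md5"}          # HMAC-MD5-96: still accepted by agents, avoid on new deployments
WEAK_PRIV = {"des", "3des"}  # 56-bit DES is the weak one; 3DES is flagged as legacy

def _after(tokens, keyword, offset=1):
    """Token `offset` places after the first occurrence of `keyword`, or None."""
    if keyword in tokens and tokens.index(keyword) + offset < len(tokens):
        return tokens[tokens.index(keyword) + offset]
    return None

def audit_snmp(config_text):
    """Return (severity, config_line, reason) tuples for every weak SNMP line."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        tok = line.split()
        if len(tok) < 3 or tok[0] != "snmp-server":
            continue
        low = [t.lower() for t in tok]
        kind = low[1]

        if kind == "community":
            name = tok[2]
            rest = low[3:]
            if "view" in rest:                      # drop 'view <view-name>'
                i = rest.index("view")
                del rest[i:i + 2]
            acl = [t for t in rest if t not in ("ro", "rw")]
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(("HIGH", line, "default community string '%s'" % name))
            if "rw" in rest:
                findings.append(("HIGH", line, "read-write community: SET allowed with a cleartext credential"))
            if not acl:
                findings.append(("MEDIUM", line, "community not restricted by an access list"))

        elif kind == "host":
            version = _after(low, "version") or "1"  # no 'version' keyword means SNMPv1
            if version in ("1", "2c"):
                findings.append(("MEDIUM", line, "notifications carry a v%s community in cleartext" % version))
            elif version == "3" and _after(low, "version", 2) != "priv":
                findings.append(("MEDIUM", line, "SNMPv3 notifications sent at level '%s', not priv"
                                 % _after(low, "version", 2)))

        elif kind == "group":
            level = _after(low, "v3")
            if level is None:
                findings.append(("HIGH", line, "group bound to SNMPv1/v2c (no authentication, no encryption)"))
            elif level != "priv":
                findings.append(("HIGH", line, "SNMPv3 group at level '%s' (no encryption)" % level))

        elif kind == "user" and "v3" in low:
            auth, priv = _after(low, "auth"), _after(low, "priv")
            if auth is None:
                findings.append(("HIGH", line, "SNMPv3 user without authentication"))
            elif auth in WEAK_AUTH:
                findings.append(("LOW", line, "authentication uses %s; prefer sha" % auth))
            if priv is None:
                findings.append(("MEDIUM", line, "SNMPv3 user without privacy (cleartext payload)"))
            elif priv in WEAK_PRIV:
                findings.append(("LOW", line, "privacy uses %s; prefer aes" % priv))
    return findings

if __name__ == "__main__":
    for severity, line, reason in audit_snmp(SAMPLE_CONFIG):
        print("%-6s %-70s %s" % (severity, line, reason))
```

Feed it the output of `show running-config | include snmp-server` from each device; the lines that come back clean are the MonitorIt read-only community bound to its access list, the NetOps priv group, the sha/aes user and the version 3 priv inform host, which is the shape the SNMPv3 section above is steering towards.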