SNMP settings (EcoRouter Documentation)
- Simple Network Management Protocol
- Enabling and disabling the SNMP service
- Configuring an administration group
- Configuring SNMP views
- Configuring asynchronous message sending
- SNMPv3
Simple Network Management Protocol
SNMP (Simple Network Management Protocol) is a standard Internet protocol for managing devices in IP networks over TCP/UDP. Using SNMP, network management software can access information stored on managed devices (for example, on a switch). On a managed device, SNMP keeps information about the device it is running on in a database called the MIB.
SNMP is one of the protocols that implement the concept of Internet Standard Management Framework.
Within the framework of this concept, a system consisting of three main elements is built for network management:
- The SNMP manager manages and monitors the network activity of the devices. It is often called the Network Management System (NMS);
- The SNMP agent is software that runs on a managed device, or on a device connected to the management interface of a managed device. It gathers data from the managed device and sends it to the SNMP manager;
- The Management Information Base (MIB) is a database used to manage devices on the network. It has a tree structure in which information about hosts is stored. MIB elements have symbolic names and corresponding numeric identifiers, OIDs (of the form N.N.N...N).
The EcoRouter supports SNMPv1, SNMPv2c and SNMPv3.
Enabling and disabling the SNMP service
In the configuration mode use the snmp-server enable snmp (mgmt | vr <VR_NAME | default>) command to enable the SNMP service.
The parameter specifies the port to which the SNMP service is bound when it is enabled:
- mgmt binds it to the management port;
- vr binds it to the specified virtual router's port.
If the parameter is omitted, the SNMP service is bound to the management port.
ecorouter(config)#snmp-server enable snmp vr virt1
When SNMP is enabled on a virtual router, incoming traffic to UDP port 161 must be allowed in the security profile (see the corresponding section).
To switch SNMP to another virtual router, first disable SNMP and then enable it again, specifying the required virtual router.
An example of configuring a security profile and switching the service to another virtual router:
ecorouter(config)#security-profile 2
ecorouter(config-security-profile)#rule 0 permit udp any any eq 161
ecorouter(config-security-profile)#ex
ecorouter(config)#virtual-router virt2
ecorouter(config-vr)#ex
ecorouter(config)#security vr virt2 2
ecorouter(config)#no snmp-server enable
ecorouter(config)#snmp-server enable snmp vr virt2
In the configuration mode use the no snmp-server enable snmp command to disable the SNMP service.
ecorouter(config)#no snmp-server enable snmp
Use the snmp restart <bgp | isis | ldp | mrib | ospf | pim | rib | vrrp> command to restart SNMP support for the specified protocol.
ecorouter(config)#snmp restart bgp
Configuring an administration group
An administration group in SNMP is called a community. It consists of one or several agents and managers. A host with an installed agent can belong to several communities; in this case the agent accepts requests only from management devices that belong to those communities. The security of the message exchange between agents and managers rests on the community name (community string), which is transmitted in the message body in plain text.
In the configuration mode use the snmp-server community command to create a community. The command's syntax is as follows: snmp-server community <COMMUNITY-NAME> ( (view VIEW-NAME (ro | rw) ) | (group GROUP-NAME) | (ro | rw)).

Parameter | Description
---|---
<COMMUNITY-NAME> | Community name (community string). Maximum length is 32 characters
view <VIEW-NAME> | Name of the view that defines the MIB subtree accessible to this community. The view must be created in advance with the snmp-server view command
ro | Read-only access. This is the default
rw | Read and write access, where permitted
ecorouter(config)#snmp-server community MyComm view MyView1 version v2c rw
A view and a group cannot be specified for the same community at the same time. If neither a view nor a group is specified and only the community name is given, the community is granted access from any network to all available MIBs.
In the configuration mode use the no snmp-server community <COMMUNITY-NAME> command to delete a community.
Configuring SNMP views
Views are intended to limit access to MIB tree objects. In the configuration mode use the snmp-server view command to create and configure a view. The command's syntax is as follows: snmp-server view <VIEW-NAME> <OID-TREE> (included | excluded).

Parameter | Description
---|---
<VIEW-NAME> | View name. Maximum length is 32 characters
<OID-TREE> | Identifier of the MIB subtree to include in the view or exclude from it: a string of numbers separated by dots, for example 1.3.6.2.4. The subtree may also be specified by name
included | Include the subtree in the SNMP view
excluded | Exclude the subtree from the SNMP view
ecorouter(config)#snmp-server view myView3 1.3.6.1.6.3.18 excluded
Use the same command to include an additional subtree in an existing view (or to exclude one from it).
In the configuration mode use the no snmp-server view <VIEW-NAME> command to delete a view.
Configuring asynchronous message sending
In general, information is transferred between managers and agents in the following scenarios:
- a manager sends a request to an agent and receives a response;
- a message that requires an acknowledgement (inform) is sent to a manager (by an agent or by another manager);
- an agent sends information about itself to a manager without being asked and without expecting a response (trap).
Use the snmp-server enable traps command to enable the sending of trap messages.
ecorouter(config)#snmp-server enable traps
Use the no snmp-server enable traps command to disable the sending of trap messages.
ecorouter(config)#no snmp-server enable traps
To send trap messages to a manager or NMS, specify the host's address and settings with the snmp-server host command. The command's syntax is as follows:
snmp-server host <A.B.C.D|HOSTNAME> (traps ( | version (1 | 2c)) | informs) <COMMUNITY-STRING> (| udp-port <1-1024>)
Parameter | Description
---|---
A.B.C.D | Server IP address
HOSTNAME | Server's DNS name
traps | Send trap-type messages (without acknowledgement). This is the default
informs | Send inform-type messages (with acknowledgement)
version | SNMP version. Possible values: 1 or 2c
<COMMUNITY-STRING> | Community string identifying the community the messages are sent from. Maximum length is 32 characters
udp-port <1-1024> | Port on which the server listens. Value range is 1 to 1024, default value is 162

ecorouter(config)#snmp-server host 192.168.0.1 traps version 1 MyCommPass
If inform-type messages are specified, the version parameter is not set, because informs exist only in version 2c.
Use the no snmp-server host command to delete a manager's or NMS record.
ecorouter(config)#no snmp-server host <A.B.C.D | HOSTNAME>
SNMPv3
SNMPv3 is the next stage of the SNMP protocol's development. It is fully compatible with the previous versions. The differences are as follows:
- the concepts of "manager" and "agent" are replaced by "entity"; "manager" and "agent" remain as roles;
- access restriction, data protection and user authentication services become available (see RFC 3411-3415).
SNMPv3 supports three security levels:
- noAuthNoPriv - no authentication, no data confidentiality;
- authNoPriv - authentication without data confidentiality;
- authPriv - authentication and encryption, the maximum protection level.
User operations
In the configuration mode use the snmp-server user <USERNAME> [group <GROUPNAME>] [encrypted] [auth (md5 | sha ) <AUTH-PASSWORD> [priv (des | aes) <PRIV-PASSWORD>]] command to create a user. The command's parameters are described in the table below.

Parameter | Description
---|---
USERNAME | User name
GROUPNAME | Group name
encrypted | Indicates that the password (or passwords) that follow are already encrypted and hashing must not be applied to them
auth (md5 or sha) | Selects the hashing algorithm for the authentication password. If priv (des or aes) is present, the password for message encryption is hashed with the same selected algorithm (md5 or sha)
AUTH-PASSWORD | Authentication password
priv (des or aes) | Selects the encryption algorithm keyed from <PRIV-PASSWORD>. Available only if the auth parameter is used
PRIV-PASSWORD | Password for encrypting session messages

A user can be included in one group or in no group at all.
Use the no snmp-server user <USERNAME> [group <GROUPNAME>] [auth (md5 | sha ) <AUTH-PASSWORD> [priv (des | aes) <PRIV-PASSWORD>]] command to delete a user.
Group operations
In the configuration mode use the snmp-server group <GROUPNAME> v3 <auth | noauth | priv> [read <VIEW-NAME>] [write <VIEW-NAME>] command to create a group.

Parameter | Description
---|---
GROUPNAME | Group name
v1, v2c, v3 | SNMP version
auth, noauth, priv | Determines the access granted to users in sessions with the corresponding security model: auth grants this group's views to authenticated users, noauth grants them to unauthenticated users, and priv grants them to users who use both authentication and encryption
VIEW-NAME | Name of the view that defines the MIB subtree available to this group for reading or writing respectively. The view must be created in advance with the snmp-server view command

To edit a group, use the same command as for creating it.
Each group can be configured for each SNMP version separately. For SNMPv3 the group can have different settings depending on the security level.
ecorouter(config)#snmp-server group test v1 read view1 write view2
ecorouter(config)#snmp-server group test v2c read view3
ecorouter(config)#snmp-server group test v3 auth read view4 write view5
ecorouter(config)#snmp-server group test v3 priv write view6
Use the no snmp-server group <GROUPNAME> ((v1 | v2c | v3 (auth | noauth | priv)) (read VIEW-NAME | ) (write VIEW-NAME |) |) command to delete a group.
Show commands
In the administration mode use the show snmp user [<USERNAME>] command to display information about SNMP users. If <USERNAME> is specified, only information about the selected user is displayed.
ecorouter#show snmp user MyUsEr
User name: MyUsEr
Group name: Gr1
Authentication: md5
Privacy: DES
Without a parameter, the show snmp user command displays information about all SNMP users. Example:
ecorouter#show snmp user
User name: MYSNMPUSER
Authentication: No
Privacy: No
User name: MyUsEr
Group name: Gr1
Authentication: md5
Privacy: DES
In the administration mode use the show snmp group [<GROUPNAME>] command to display information about SNMP groups. If <GROUPNAME> is specified, only information about the selected group is displayed.
ecorouter#show snmp group 2
Group name: 2
Authentication: No
Without a parameter, the show snmp group command displays information about all SNMP groups. If a group has individual settings for different protocol versions, they are shown separately. Example:
ecorouter#show snmp group
Group name: test
Security level: no Authentication
Snmp version: 1
Read view: view1
Write view: view2
Group name: test
Security level: no Authentication
Snmp version: 2c
Read view: view3
Group name: test
Security level: Authentication
Snmp version: 3
Read view: view4
Write view: view5
Group name: test
Security level: Authentication and Privacy
Snmp version: 3
Write view: view6
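As an added example (not part of the EcoRouter documentation), the following Python script parses show snmp user and show snmp group output in the format shown above and reports SNMPv3 users below the authPriv level, legacy md5/DES selections, and group mappings that grant a view without authentication. The sample output is constructed, and treating every v1/v2c group mapping as unauthenticated follows from the plain-text community-string model described earlier, not from any EcoRouter-specific behaviour.

```python
# Constructed sample output in the format documented above (not captured from a real device).
SHOW_SNMP_USER = """\
User name: MYSNMPUSER
Authentication: No
Privacy: No
User name: MyUsEr
Authentication: md5
Privacy: DES
"""
SHOW_SNMP_GROUP = """\
Group name: test
Security level: no Authentication
Snmp version: 1
Read view: view1
Write view: view2
"""

def parse_records(text, start_key):
    """Turn 'Key: value' lines into dicts; a new record begins at each start_key line."""
    records = []
    for line in text.splitlines():
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == start_key:
            records.append({})
        if records and value:
            records[-1][key] = value
    return records

def audit_users(text):
    """Flag users below authPriv, plus legacy md5/DES choices (sha/aes are the stronger options)."""
    findings = []
    for u in parse_records(text, "User name"):
        name, auth, priv = u["User name"], u.get("Authentication", "No"), u.get("Privacy", "No")
        if auth == "No":
            findings.append(f"user {name}: noAuthNoPriv, requests are not authenticated")
        elif priv == "No":
            findings.append(f"user {name}: authNoPriv, requests are not encrypted")
        for algo, better in ((auth.lower(), "sha"), (priv.lower(), "aes")):
            if algo in ("md5", "des"):
                findings.append(f"user {name}: {algo} in use, prefer {better}")
    return findings

def audit_groups(text):
    """Flag group mappings that grant a view without authentication (v1, v2c or v3 noauth)."""
    findings = []
    for g in parse_records(text, "Group name"):
        ver, level = g.get("Snmp version", "?"), g.get("Security level", "")
        if ver in ("1", "2c") or level.startswith("no Auth"):
            access = "write" if "Write view" in g else "read"
            findings.append(f"group {g['Group name']} v{ver}: unauthenticated {access} access")
    return findings
```

Feed the script the real show output copied from the device to get a quick list of users and group mappings that still rely on community strings or on the noAuth and md5/DES options.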