SNMP Agents

Configuring SNMP Agent

This section describes the configurations required to work with SNMP v1, v2, and v3 managers and the configurations required for generating traps and inform messages.

Configuration SNMP Agent for Request Processing

Each network device in the network needs to be configured to enable SNMP access before it responds to SNMP queries.

SNMP v1/v2 Request Processing

SNMPv3 is backward compatible with both SNMP v1 and SNMP v2. The version that needs to be enabled depends on the management software used.

SNMP Agent provides a Community-based Security Mechanism for V1/V2 operations.

Configuration Guidelines

Community parameters need to be configured in the SNMP Agent to allow SNMPv1/v2 Manager access.

Default Configurations

There is no specific default setting available for Community Index and Community Name. The values (NETMAN or PUBLIC) are available only at the time of boot-up.

Configuration Steps

Execute the following commands in the SNMP Agent (Switch1) to allow SNMPv1/v2 access, with SNMP Manager (Host1).

To configure SNMP Agent

1. Configure the community details:
   a. Enter into the Global Configuration Mode.

Your Product# configure terminal

b. Configure the SNMP Community (with the name accediancom) and its associated parameters to establish SNMP v1/v2 access.

Your Product(config)# snmp community index com name accediancom security none

c. Exit the Global Configuration Mode.

Your Product(config)# end

2. SNMP commConfiguring unity with security name
   a. Enter into the Global Configuration Mode.

Your Product# configure terminal

b. Configure the SNMP Community and its associated parameters to establish SNMP v1/v2 access.

Your Product(config)# snmp community index com1 name accediancom1 security user1

Or

Your Product(config)# snmp community index com2 name accediancom2 security user2

c. Create and configure the parameters for the user (security name)

Your Product(config)# snmp user user1

Or

Your Product(config)# snmp user user2

d. Configure the SNMP Group.

Your Product(config)# snmp group group1 user user1 security-model v1

Or

Your Product(config)# snmp group group2 user user2 security-model v2c

e. Configure the access details for the group. A group must be created using the command snmp group command before configuring the group access details

Your Product(config)# snmp access group1 v1 read iso write iso notify iso

Or

Your Product(config)# snmp access group2 v2c read iso write iso notify iso

f. Exit the Global Configuration Mode.

Your Product(config)# end

3. Execute the following command to view the community details configured in the Switch.

Your Product# show snmp community

Community Index : NETMAN
Community Name : NETMAN
Security Name : none
Context Name :
Context EngineID: 80.00.08.1c.04.46.53
Transport Tag :
Storage Type : Non-volatile
Row Status : Active

Community Index : PUBLIC
Community Name : PUBLIC
Security Name : none
Context Name :
Context EngineID: 80.00.08.1c.04.46.53
Transport Tag :
Storage Type : Non-volatile
Row Status : Active

Community Index : com
Community Name : accediancom
Security Name : none
Context Name :
Context EngineID: 80.00.08.1c.04.46.53
Transport Tag :
Storage Type : Non-volatile
Row Status : Active

Community Index : com1
Community Name : accediancom1
Security Name : user1
Context Name :
Context EngineID: 80.00.08.1c.04.46.53
Transport Tag :
Storage Type : Non-volatile
Row Status : Active

Community Index : com2
Community Name : accediancom2
Security Name : user2
Context Name :
Context EngineID: 80.00.08.1c.04.46.53
Transport Tag :
Storage Type : Non-volatile
Row Status : Active

At Manager:

A sample retrieval of information from the SNMP Agent,
Using SNMPv1 get-next request:

# snmpwalk -v1 -c accediancom 12.0.0.1 iso

IEEE8021-PAE-MIB::dot1xPaeSystemAuthControl.0 = INTEGER: enabled(1)
IEEE8021-PAE-MIB::dot1xPaePortProtocolVersion.1 = Gauge32: 2
IEEE8021-PAE-MIB::dot1xPaePortProtocolVersion.2 = Gauge32: 2
IEEE8021-PAE-MIB::dot1xPaePortProtocolVersion.3 = Gauge32: 2
IEEE8021-PAE-MIB::dot1xPaePortProtocolVersion.4 = Gauge32: 2
IEEE8021-PAE-MIB::dot1xPaePortProtocolVersion.5 = Gauge32: 2
IEEE8021-PAE-MIB::dot1xPaePortProtocolVersion.6 = Gauge32: 2
IEEE8021-PAE-MIB::dot1xPaePortProtocolVersion.7 = Gauge32: 2

Using SNMPv2 get request:

# snmpget -v2c -c accediancom 12.0.0.1 sysName.0

SNMPv2-MIB::sysName.0 = STRING: Accedian Linux Router Ver 1.0
A sample retrieval of information from the SNMP Agent,

Using SNMPv1 get-next request:

# snmpwalk -v1 -c accediancom1 12.0.0.1 iso

iso.0.8802.1.1.1.1.1.1.0 = INTEGER: 1
iso.0.8802.1.1.1.1.1.2.1.2.1 = Gauge32: 2
iso.0.8802.1.1.1.1.1.2.1.3.1 = Hex-STRING: C0

iso.0.8802.1.1.1.1.1.2.1.4.1 = INTEGER: 2
iso.0.8802.1.1.1.1.1.2.1.5.1 = INTEGER: 2
iso.0.8802.1.1.1.1.2.1.1.1.1 = INTEGER: 8
iso.0.8802.1.1.1.1.2.1.1.2.1 = INTEGER: 7
iso.0.8802.1.1.1.1.2.1.1.3.1 = INTEGER: 0
iso.0.8802.1.1.1.1.2.1.1.4.1 = INTEGER: 0
iso.0.8802.1.1.1.1.2.1.1.5.1 = INTEGER: 1
iso.0.8802.1.1.1.1.2.1.1.6.1 = INTEGER: 3
iso.0.8802.1.1.1.1.2.1.1.7.1 = Gauge32: 60
iso.0.8802.1.1.1.1.2.1.1.8.1 = Gauge32: 30
iso.0.8802.1.1.1.1.2.1.1.9.1 = Gauge32: 30

Using SNMPv2 get request:

# snmpget -v2c -c accediancom2 12.0.0.1 sysName.0

SNMPv2-MIB::sysName.0 = STRING: Accedian Linux Router Ver 1.0

SNMP v3 Request Processing

SNMP provides complete support for User-based Security Model and View-based Access Control Model. This section explains both models with examples. Version 3 is the most secure model, as it allows packet encryption.

Configuration Guidelines

The guidelines for configuration are as follows:

1. SNMPv3 framework has three security levels: noAuthNoPriv, authNoPriv, and authPriv can be configured.

If the required security level is noAuthNoPriv, auth parameter has to be configured as none, and no need to specify group access for both authentication and privacy.

If the required security level is authNoPriv, auth parameter and group access for authentication have to be configured, and no need to specify group access for privacy.

If the required security level is authPriv, auth parameter and group access for authentication and privacy has to be configured.

2. View can be restricted for a particular sub-tree (included/excluded), while accessing read or write or notify and to specify that the same appropriate views are configured, else nothing can be accessed, as the default view is none.

Default Configurations

There is no specific default setting available for Community Index and Community Name. The values (NETMAN or PUBLIC) are available only at the time of boot-up.

Feature Default Setting
SNMP engine ID
Generally, taken from the file issnvram.txt, otherwise, it is 80.00.08.1c.04.46.53.
Group Name
iso/initial
View Name (associated with the group name)
iso: iso
initial: restricted
Sub-tree OID
1
Sub-tree Mask
1
View-type
included
Read/Write/Notify view
iso
User name
initial/templateSHA/templateMD5
Authentication Protocol (associated with the user name)
initial: none
templateSHA: SHA
templateMD5: MD5
Privacy protocol(for users)
initial : none
templateMD5: none
templateSHA: DES_CBC
Storage type
Non-volatile

Configuration Steps

The configuration steps for SNMP v3 are as follows:

Execute the following commands in the SNMP Agent (switch1) to allow SNMPv3 access with SNMP manger (Host1).

1. Configure the SNMP engine ID. SNMP engine ID is an administratively unique identifier.

Enter into the Global Configuration Mode.

Your Product# configure terminal

Configure the SNMP engine ID.

Your Product(config)# snmp engineid 80.00.08.1c.04.46.64

Create and configure the parameters for the user user3.

Your Product(config)# snmp user user3 auth SHA sha12345 priv DES des12345

Configure the SNMP Group as group3 and the associated group parameters. A group must be created using the command snmp group command before configuring the group access details.

Your Product(config)# snmp group group3 user user3 security-model v3

Configure the access details for the group group3.

Your Product(config)# snmp access group3 v3 auth read v3read write v3write notify none
Your Product(config)# snmp access group3 v3 priv read v3read write v3write notify none

Configure the parameters associated with the SNMP view.
Configure the view as v3read.

Your Product(config)# snmp view v3read 1.3.6.1.2.1.17.7.1.4.5.1 mask 1.1.1.1.1.1.1.1.1.1.1.1 included nonvolatile

Configure the view as v3write.

Your Product(config)# snmp view v3write 1.3.6.1.2.1.17.7.1.4.5.1 mask 1.1.1.1.1.1.1.1.1.1.1.1 included nonvolatile

Exit from the Global Configuration Model.

Your Product(config)# end

2. Execute the following command to view the engine ID configured in the SNMP Agent.

Your Product# show snmp engineid
EngineId: 80.00.08.1c.04.46.64

3. Execute the following command to view the user details configured.

Your Product# show snmp user

Engine ID : 80.00.08.1c.04.46.64
User : user3
Authentication Protocol : SHA
Privacy Protocol : DES_CBC
Storage Type : Non-volatile
Row Status : Active

Engine ID : 80.00.08.1c.04.46.64
User : templateMD5
Authentication Protocol : MD5
Privacy Protocol : None
Storage Type : Non-volatile
Row Status : Active

Engine ID : 80.00.08.1c.04.46.64
User : templateSHA
Authentication Protocol : SHA
Privacy Protocol : DES_CBC
Storage Type : Non-volatile
Row Status : Active

4. Execute the following command to view the groups configured in the SNMP Agent.

Your Product# show snmp group

Security Model : v1
Security Name : none
Group Name : iso
Storage Type : Non-volatile
Row Status : Active

Security Model : v2c
Security Name : none
Group Name : iso
Storage Type : Non-volatile
Row Status : Active

Security Model : v3
Security Name : user3
Group Name : group3
Storage Type : Non-volatile
Row Status : Active

Security Model : v3
Security Name : initial
Group Name : initial
Storage Type : Non-volatile
Row Status : Active

Security Model : v3
Security Name : templateMD5
Group Name : initial
Storage Type : Non-volatile
Row Status : Active

Security Model : v3
Security Name : templateSHA
Group Name : initial
Storage Type : Non-volatile
Row Status : Active

5. Execute the following command to view the SNMP Group Access details for the groups in the SNMP Agent.

Your Product# show snmp group access

Group Name : iso
Read View : iso
Write View : iso
Notify View : iso
Storage Type : Non-volatile
Row Status : Active

Group Name : group3
Read View : v3read

Group Name : initial
Read View : restricted
Write View : restricted
Notify View : restricted
Storage Type : Non-volatile
Row Status : Active

Group Name : initial
Read View : iso
Write View : iso
Notify View : iso
Storage Type : Non-volatile
Row Status : Active

Group Name : initial
Read View : iso
Write View : iso
Notify View : iso
Storage Type : Non-volatile
Row Status : Active

6. Execute the following command to view the configured SNMP view.

Your Product# show snmp viewtree

View Name : iso
Subtree OID : 1
Subtree Mask : 1
View Type : Included
Storage Type : Non-volatile
Row Status : Active

View Name : v3read
Subtree OID : 1.3.6.1.2.1.17.7.1.4.5.1
Subtree Mask : 1.1.1.1.1.1.1.1.1.1.1.1
View Type : Included
Storage Type : Non-volatile
Row Status : Active

View Name : v3write
CHAPTER 4: CONFIGURING SNMP AGENT
21/69 Project Altran strictly restricted
Subtree OID : 1.3.6.1.2.1.17.7.1.4.5.1
Subtree Mask : 1.1.1.1.1.1.1.1.1.1.1.1
View Type : Included
Storage Type : Non-volatile
Row Status : Active

View Name : restricted
Subtree OID : 1
Subtree Mask : 1
View Type : Included
Storage Type : Non-volatile
Row Status : Active

At Manager:

A sample retrieval of information from the SNMP Agent using SNMPv3 walk.

# snmpwalk -v 3 -u user3 -a sha -A "sha12345" -x des -X "des12345" -l AuthNoPriv -n default 12.0.0.1 1

Q-BRIDGE-MIB::dot1qPvid.1 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.1 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.2 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.3 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.4 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.5 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.6 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.7 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.8 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPvid.9 = Gauge32: 1
Q-BRIDGE-MIB::dot1qPortVlanEntry.7.22 = INTEGER: 2
Q-BRIDGE-MIB::dot1qPortVlanEntry.7.23 = INTEGER: 2
Q-BRIDGE-MIB::dot1qPortVlanEntry.7.24 = INTEGER: 2

In the above example, only the specified sub-tree entities are retrieved.