SNMP
- Simple Network Management Protocol is an open standard for network monitoring
- An SNMP Manager (the SNMP server) can collect and organize information from an SNMP Agent, which is SNMP software that runs on managed devices such as routers and switches
- The SNMP Manager is commonly called an SNMP Server or NMS (Network Management System)
- The SNMP Agent is often called an SNMP device
- You should use AES encryption for security
SNMPv3 Configuration
- Privilege levels (SNMPv3 security levels)
  - noauth
    - NoAuthNoPriv - no security features
    - Backwards compatible with SNMPv2
  - auth
    - AuthNoPriv - password, no encryption
    - Communication is authenticated with a password to ensure authenticity/data integrity
    - No encryption (hence NoPriv)
  - priv
    - AuthPriv - password and encryption
    - Authentication and encryption ensure confidentiality, integrity, and authenticity
- Create a group and set permissions
  config# snmp-server group <group name> v3 <noauth|auth|priv> {access <ACL name> context <VLANs> read <read view> write <write view> notify <notify view>}
  - access - limit access to a specific ACL
  - context - identify which VLANs are accessible via SNMP
  - read/write/notify (views of the MIB tree)
    - Read - what the group can read
    - Write - what the group can modify
    - Notify - which view the group receives TRAP/INFORM messages for
- Configure a user and assign it to a group
  config# snmp-server user <user name> <name of assigned group> v3 auth <md5|sha> <Auth password> priv <des|3des|aes> <encryption bit level> <Encryption password>
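The two commands above fit together into one working configuration. The following IOS snippet is an added example, not part of the original notes: it first shows the weak form the notes warn against (a v3 group at the noauth level with a user that has no password), then the hardened form that ties a read-only view, a management-station ACL, SHA authentication and AES encryption together. The group, view, ACL and user names, the 192.0.2.10 management address and the password placeholders are all assumptions chosen for the example.

```cisco
! --- Added example, not from the original notes. Names, the 192.0.2.10
! --- address and the *-PLACEHOLDER passwords are assumptions; replace them.

! Weak: a v3 group at noauth, so the user below has no password and no
! encryption. Functionally this is no better than SNMPv2c.
snmp-server group MONITOR-WEAK v3 noauth
snmp-server user ro-weak MONITOR-WEAK v3

! Hardened equivalent. Start by limiting WHO may talk SNMP to this device.
ip access-list standard SNMP-MGRS
 permit host 192.0.2.10
 deny   any log

! Limit WHAT the group may see: one read-only view over the whole tree.
! No write view is assigned, so no SET operations are possible.
snmp-server view RO-VIEW iso included

! Group at the priv level (AuthPriv): authentication AND encryption required.
snmp-server group MONITOR-SECURE v3 priv read RO-VIEW access SNMP-MGRS

! User in that group: SHA for authentication, AES-128 for privacy.
snmp-server user nms-poller MONITOR-SECURE v3 auth sha AUTH-PASSWORD-PLACEHOLDER priv aes 128 PRIV-PASSWORD-PLACEHOLDER

! Send notifications to the NMS as that v3 user, also at the priv level.
snmp-server host 192.0.2.10 version 3 priv nms-poller
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

! Remove the weak objects once the secure ones are verified.
no snmp-server user ro-weak MONITOR-WEAK v3
no snmp-server group MONITOR-WEAK v3 noauth

! Verification (privileged EXEC):
!   show snmp group
!   show snmp user
!   show access-lists SNMP-MGRS
```

Two things worth knowing when checking the result: `snmp-server user` entries are not displayed in the running configuration, so `show snmp user` is the place to confirm the authentication and privacy protocols that were applied, and the `deny any log` entry on the ACL gives you a log line for every poll attempt from an unexpected source, which is a cheap detection for unauthorized SNMP scanning.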
SNMP Out-of-Scope
This is likely out of scope, but might come up. More info: SNMP Version 3 - Server Config - Cisco
- Each SNMP server must have a unique engine ID
  - The engine ID is a 10-character hexadecimal string that identifies the server
  - By default, the engine ID is built using the enterprise number and the default MAC address of the device
    - The enterprise number is assigned to the device manufacturer by the IANA
    - Cisco's is 9
- SNMP clients must be configured with a remote engine ID that matches the server's engine ID
  - Alternatively, they must identify the IP address of the SNMP server
