12-2. Simple Network Management Protocol

  • Simple Network Management Protocol (SNMP) is a protocol that allows the monitoring of information about and management of a network device.

  • A Management Information Base (MIB) is a collection of variables stored on a network device. The variables can be updated by the device or queried from an external source.

  • MIBs are structured according to the SNMP MIB module language, which is based on the Abstract Syntax Notation One (ASN.1) language.

  • An SNMP agent runs on a network device and maintains the various MIB variables. Any update or query of the variables must be handled through the agent.

  • An SNMP agent can also send unsolicited messages, or traps, to an SNMP manager. Traps are used to alert the manager of changing conditions on the network device.

  • An SNMP manager is usually a network management system that queries MIB variables, can set MIB variables, and receives traps from a collection of network devices.

  • SNMP agents can send either traps or inform requests. Traps are sent in one direction, and are unreliable. Inform requests are reliable in the sense that they must be acknowledged or be re-sent.

  • SNMP version 1 (SNMPv1) is the original version. It is based on RFC 1157 and has only basic clear text community strings for security. Access can also be limited to the IP address of the SNMP manager.

  • SNMP version 2 (SNMPv2) is an enhanced version, based on RFCs 1901, 1905, and 1906. It improves on bulk information retrieval and error reporting, but uses the clear-text community strings and IP addresses to provide security.

  • SNMP version 3 (SNMPv3) is based on RFCs 2273 to 2275 and offers robust security. Authentication and data integrity are provided per user with keyed Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) hashes, and encryption (privacy) with the Data Encryption Standard (DES). MD5 and DES are now regarded as weak; where the software offers them, prefer SHA for authentication and AES (RFC 3826) for privacy, and use a group security level that requires both.

    NOTE

    SNMP requests and responses are sent using UDP port 161. Notifications or traps are sent using UDP port 162.


  • Remote Monitoring (RMON) provides a view of the traffic flowing through a switch port. IOS switches can also provide RMON alarms and events. RMON support provides nine management groups as defined in RFC 1757: Statistics (group 1), History (group 2), Alarms (group 3), Hosts (group 4), hostTopN (group 5), Matrix (group 6), Filter (group 7), Capture (group 8), and Event (group 9). RMON2 support, in RFC 2021, adds two groups: UsrHistory (group 18) and ProbeConfig (group 19).

  • When RMON is enabled, a switch collects the data internally but does not display it on its command-line interface (CLI). The RMON data must be polled through a network management system (NMS).

Configuration

1.

Configure the SNMP identity.

a. Define the contact information:

COS

 set system contact [contact-string] 

IOS

 (global) snmp-server contact contact-string 


The contact-string contains text information that the router can provide about the network administrator. If the string is omitted, it is cleared.

b. Define the device location:

COS

 set system location [location-string] 

IOS

 (global) snmp-server location location-string 


The location-string is text information that the router can provide about its physical location. If the string is omitted, it is cleared.

c. (IOS only) Define the device serial number:

COS

N/A

IOS

 (global) snmp-server chassis-id id-string 


The id-string is text information that the router can provide about its own serial number. If the hardware serial number can be read by the IOS software, this number is the default chassis ID.

2.

Configure SNMP access.

a. (Optional) Define SNMP views to restrict access to MIB objects:

COS


 set snmp view [-hex]{view-name}{oid-tree}[mask]  [included | excluded] [volatile | nonvolatile] 

IOS


 (global) snmp-server view view-name oid-tree  {included | excluded} 


If necessary, an SNMP manager can be limited to viewing only specific parts of the switch's MIB tree. You can define a view with the name view-name. The oid-tree value is the object identifier of the MIB subtree in ASN.1 format. This value is a text string with numbers or words representing the subtree, separated by periods (for example, system, cisco, system.4, 1.*.2.3). You can use wildcards (asterisks) with any component of the subtree. Access to the subtree is either permitted or denied with the included and excluded keywords; when several entries cover the same object, the most specific (longest) subtree decides, which is how an excluded branch is carved out of a larger included tree.

Multiple views can be defined, each applied to a different set of users or SNMP managers.

COS switches require the hex keyword and a hexadecimal view-name if the view name contains nonprintable characters. The view can be stored in either volatile or nonvolatile (preserved across power cycles) memory.
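As an added example (Python, not from the book), the following code reproduces how a view of this kind is evaluated: each entry is a subtree marked included or excluded, an asterisk matches any single component, the most specific covering subtree decides, and objects no entry covers are denied. The symbolic-name table and the view contents are assumptions chosen for the illustration; a tie between equally long subtrees is resolved in favour of the later entry, which simplifies the VACM tie-break.

```python
# Added example: how an SNMP view with included/excluded subtrees is
# evaluated. Not from the book; the symbolic names and view contents are
# assumptions chosen for illustration.

# Small table of symbolic OID names so entries can be written the way the
# CLI accepts them ("system", "system.4"). Assumed subset, not a full MIB.
SYMBOLIC = {
    "iso": "1",
    "internet": "1.3.6.1",
    "mgmt": "1.3.6.1.2",
    "mib-2": "1.3.6.1.2.1",
    "system": "1.3.6.1.2.1.1",
    "interfaces": "1.3.6.1.2.1.2",
    "snmp": "1.3.6.1.2.1.11",
    "cisco": "1.3.6.1.4.1.9",
}


def parse_oid(text):
    """Turn 'system.4', '1.*.2.3' or '1.3.6.1' into a component list.

    A '*' component becomes None, meaning 'match any single value'."""
    parts = text.split(".")
    if parts[0] in SYMBOLIC:
        parts = SYMBOLIC[parts[0]].split(".") + parts[1:]
    return [None if p == "*" else int(p) for p in parts]


class View:
    """An SNMP view: an ordered list of (subtree, included) entries."""

    def __init__(self, name):
        self.name = name
        self.entries = []

    def add(self, oid_tree, included):
        """Equivalent of: snmp-server view <name> <oid_tree> included|excluded."""
        self.entries.append((parse_oid(oid_tree), included))

    @staticmethod
    def _covers(subtree, oid):
        # A subtree covers an OID when it is a (wildcard-aware) prefix of it.
        if len(subtree) > len(oid):
            return False
        return all(s is None or s == o for s, o in zip(subtree, oid))

    def permits(self, oid_text):
        """Return True if the object is visible through this view.

        The longest covering subtree decides; anything no entry covers is
        denied. On equal length the later entry wins (a simplification of
        the VACM tie-break)."""
        oid = [int(p) for p in oid_text.split(".")]
        best = None
        for subtree, included in self.entries:
            if self._covers(subtree, oid):
                if best is None or len(subtree) >= len(best[0]):
                    best = (subtree, included)
        return best is not None and best[1]


def demo_view():
    """Read access to the system group and to interface rows for ifIndex 1 only."""
    v = View("noc-limited")
    v.add("mib-2", False)                    # deny all of mib-2 ...
    v.add("system", True)                    # ... except the system group
    v.add("1.3.6.1.2.1.2.2.1.*.1", True)     # and any ifEntry column for ifIndex 1
    return v
```

With this view a manager can read sysDescr and ifInOctets.1 but not snmpInPkts or ifInOctets.2, which is the effect the excluded keyword is meant to produce on the switch.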

b. Define access methods for remote users.

- (SNMPv1 or SNMPv2c only) Define community strings to allow access:

COS


 set snmp community {read-only | read-write |  read-write-all} [string] 

IOS

 (global) snmp-server community string [view view] [ro | rw] [acc-list] 


A community string value string permits access to SNMP information on the switch. Any SNMP manager that presents a matching community string is permitted access. You can specify an optional view with the view keyword (IOS only). Access is then limited to only the MIB objects permitted by the view definition.

The access level is set with one of three keywords. ro (IOS) or read-only (COS) grants read-only access; on a COS switch the default read-only community is "public," and it cannot read the community strings themselves. rw (IOS) or read-write (COS) grants read-write access; the COS default is "private," and it can write any MIB object except the community strings. read-write-all (COS only) can write any MIB object, including the community strings; its default is "secret."

On IOS switches, an optional standard IP access list acc-list can be given to further limit access to only SNMP managers with permitted IP addresses, and a different list can be applied to the read-only and read-write communities. On COS switches, access can only be controlled for SNMP in general, through the set ip permit commands. Refer to section "11-6: Permit Lists" for more information about the IP permit command.

TIP

You should strongly consider changing the default SNMP community strings on all switches. Leaving the default values active can make it easier for unauthorized people to gain access to your switch's activity and configuration. Remember that SNMPv1 and SNMPv2c carry the community string in clear text in every packet, so anyone who can capture management traffic can recover it. After you have changed the community strings to unique values, restrict SNMP access to only the IP addresses of the network management hosts under your control, and use SNMPv3 with authentication and encryption wherever the management software supports it.
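The following is an added example (Python, not part of the book) that applies the Tip's checks to a fragment of IOS configuration: it flags the default community strings, communities with no access list, access lists that are referenced but never defined, and access lists that permit any source. The configuration lines, community strings and addresses it parses are constructed for illustration.

```python
import re

# Added example: an offline check of IOS SNMP community configuration
# against the Tip above. Not from the book. The configuration fragment,
# community strings and addresses are constructed for illustration.
SAMPLE_CONFIG = """
snmp-server community public RO
snmp-server community private RW
snmp-server community n0c-r3ad view limited RO 5
snmp-server community n0c-wr1te RW 6
access-list 5 permit 172.30.0.0 0.0.255.255
access-list 6 permit any
"""

# Factory defaults worth flagging wherever they appear.
DEFAULT_STRINGS = {"public", "private", "secret"}

# snmp-server community <string> [view <view>] [ro | rw] [<acl-number>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view (\S+))?(?: (ro|rw))?(?: (\d+))?$",
    re.IGNORECASE,
)
# access-list <number> permit|deny <source ...>
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (.+)$")


def parse_acls(lines):
    """Collect standard ACL entries by number: {number: [(action, source)]}."""
    acls = {}
    for line in lines:
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).strip()))
    return acls


def audit_snmp_communities(config_text):
    """Return (community, problem) findings for every weak community line."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    acls = parse_acls(lines)
    findings = []
    for line in lines:
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        string, _view, mode, acl = m.groups()
        mode = (mode or "ro").lower()          # IOS treats a missing keyword as ro
        if string.lower() in DEFAULT_STRINGS:
            findings.append((string, "default community string"))
        if acl is None:
            findings.append((string, f"{mode} access with no access list"))
        elif acl not in acls:
            # An ACL number that is never defined gives no restriction to rely on.
            findings.append((string, f"references undefined access-list {acl}"))
        elif any(act == "permit" and src == "any" for act, src in acls[acl]):
            findings.append((string, f"access-list {acl} permits any source"))
    return findings


if __name__ == "__main__":
    for community, problem in audit_snmp_communities(SAMPLE_CONFIG):
        print(f"{community}: {problem}")
```

Run against a saved "show running-config", the audit reports nothing for the read-only community that is both non-default and bound to a narrow access list, and one or more findings for each of the others.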

- (SNMPv3 only) Define names for the engine IDs.

To specify the local engine ID name, enter the following command(s):

COS

 set snmp engineid id-string 

IOS

 (global) snmp-server engineID {local id-string | remote ip-address [udp-port port] id-string} 


SNMPv3 uses authentication and encryption based on several parameters. Each end of the SNMP trust relationship must be defined, in the form of engine ID text strings, id-string. These values are 24 hexadecimal characters long, but can be specified with shorter strings that are filled to the right with zeros. The local switch running SNMP must be defined with the local keyword and id-string (IOS only).

- (IOS only) To specify the remote SNMP engine ID name, enter the following command:

 (global) snmp-server engineID remote ip-address [udp-port port] id-string 

The remote SNMP engine (an SNMP instance on a remote host or management station) is defined with an ip-address and a text string name id-string. An optional UDP port to use for the remote host can be given with the udp-port keyword (default 161).

NOTE

If either local or remote engine ID names change after these commands are used, the authentication keys become invalid and users must be reconfigured. MD5 and SHA keys are based on user passwords and the engine IDs.
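The Note's point can be checked directly. The following added example (Python, not from the book) implements the RFC 3414 password-to-key and key-localization steps that an SNMPv3 agent performs for md5 and sha authentication. It uses the RFC's own "maplesyrup" test password and engine ID, and shows that a different engine ID yields a different key even though the password is unchanged; the second engine ID is a constructed value.

```python
import hashlib

# Added example, not from the book: the RFC 3414 password-to-key and
# key-localization steps that produce an SNMPv3 user's authentication key.
# "maplesyrup" and RFC_ENGINE_ID are the RFC's own test values.

MEGABYTE = 1048576


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: digest of the password repeated to fill 1,048,576 bytes (RFC 3414 A.2)."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (MEGABYTE // len(password) + 1))[:MEGABYTE]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): ties the key to one SNMP engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """The full derivation an agent performs when a user is configured."""
    return localize_key(password_to_key(password, algo), engine_id, algo)


RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def demo():
    """Same password, two engine IDs: the localized keys differ."""
    other_engine = bytes.fromhex("800000090300001122334455")   # constructed
    k1 = localized_key(b"maplesyrup", RFC_ENGINE_ID, "sha1")
    k2 = localized_key(b"maplesyrup", other_engine, "sha1")
    return k1.hex(), k2.hex(), k1 != k2


if __name__ == "__main__":
    print(demo())
```

Because the stored key is Kul rather than the password, changing either engine ID after users are configured invalidates every key derived with the old value, which is exactly why the users must then be reconfigured.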

- (Optional) Define a group access template for SNMP users:

COS


 set snmp group [-hex] groupname user [-hex]  username security-model {v1 | v2c | v3} [volatile  | nonvolatile] 

IOS

 (global) snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access acc-list] 


The template groupname defines the security policy to be used for groups of SNMP users. The SNMP version used by the group is set by the v1, v2c, and v3 keywords. For SNMPv3 (IOS only), the security level must also be specified as noauth (no packet authentication), auth (packet authentication, no encryption), or priv (packet authentication with encryption). Only priv protects the contents of SNMP packets from eavesdropping.

On an IOS switch, you can also specify SNMP views to limit MIB access for the group, using the keywords read (view readview defines readable objects; defaults to all Internet 1.3.6.1 OID space), write (view writeview defines writeable objects; no default write access), and notify (view notifyview defines notifications that can be sent to the group; no default). You can use an optional standard IP access list acc-list to further limit SNMP access for the group.

On a COS switch, an SNMP user must be defined as a member of the group.

- (Optional; IOS only) Define SNMP users and access methods.

For SNMPv1 or SNMPv2c, apply a user to a group by entering the following:

COS

N/A

IOS

 (global) snmp-server user username groupname [remote ip-address] {v1 | v2c} [access acc-list] 


A user username is defined to belong to the group template groupname. The IP address of the remote SNMP manager where the user belongs can be specified with the remote keyword. The version of SNMP must be specified with the v1 or v2c keyword. You can use a standard IP access list with the access keyword to allow only specific source addresses for the SNMP user.

For SNMPv3, apply a user to a group and security policies by entering the following:

COS

N/A

IOS


 (global) snmp-server user username groupname  [remote ip-address] v3 [encrypted] [auth {md5 |  sha} auth-password] [access acc-list] 


A user username is defined to belong to the group template groupname. The IP address of the remote SNMP manager where the user belongs can be specified with the remote keyword. SNMP version 3 must be specified with the v3 keyword. You can use a standard IP access list with the access keyword to allow only specific source addresses for the SNMP user.

By default, passwords for the user are entered as clear-text strings. If the encrypted keyword is given, passwords must instead be entered in their already-encrypted form (a string of hexadecimal digits rather than the clear-text password), as when a key is copied from another configuration. An authentication password for the user is specified with the auth keyword, the type of authentication as md5 (HMAC-MD5-96) or sha (HMAC-SHA-96), and a text string auth-password (up to 64 characters). The switch stores a key derived from the password and the engine ID, not the password itself (see the preceding Note).

c. (Optional; IOS only) Limit the switch operations controlled by SNMP.

- Enable use of the SNMP reload operation:

COS

N/A

IOS

 (global) snmp-server system-shutdown 


By default, you cannot use SNMP to issue a reload operation to the switch. If this function is desired, you can use this command to enable reload control.

- Specify the TFTP server operations controlled by SNMP:

COS

N/A

IOS

 (global) snmp-server tftp-server-list acc-list 


SNMP can be used to cause the switch to save or load its configuration file to a TFTP server. You can use the standard IP access list acc-list to permit only a limited set of TFTP server IP addresses.

3.

(Optional) Configure SNMP notifications.

a. Define a global list of notifications to send:

COS

 set snmp trap {enable | disable} type 

IOS


 (global) snmp-server enable {traps [type] [option]  | informs} 


Notifications (both traps and informs) are enabled for the types specified. Because only one type can be given with this command, you can issue the command as many times as necessary. On an IOS switch, if the type keyword is not specified, all available notifications are enabled. In addition, if this command is not issued at least once, none of the notifications that it controls are enabled.

On an IOS switch, the possible choices for type are c2900 (notifications based on the Catalyst 2900 series), cluster (cluster management changes), config (configuration changes), entity (entity MIB changes), hsrp (HSRP state changes), vlan-membership (changes in a port's VLAN membership), and vtp (VLAN Trunking Protocol events). For the type snmp (basic switch status changes), the option keyword can also be given as authentication (authentication failures), linkup (interface has come up), linkdown (interface has gone down), or coldstart (switch is reinitializing). If none of these keywords are given, all of them are enabled.

On a COS switch, the possible choices for type are all (enable all trap types), auth (authentication failures), bridge (STP root and topology changes), chassis (chassis alarms), config (configuration changes), entity (entity MIB traps), entityfru (field-replaceable unit traps), envfan (fan failure), envpower (power-supply events), envshutdown (environmental shutdown), ippermit (denials from IP permit), module (switch module up/down), repeater (RFC 1516 Ethernet repeater events), stpx (STPX traps), syslog (syslog notifications), system, vmps (VLAN membership changes), or vtp (VTP events).

b. Define recipients of notifications:

COS

SNMPv1 and SNMPv2c:

 set snmp trap host community-string 

SNMPv3:

 set snmp targetaddr [-hex] host param [-hex] {paramsname} {ipaddr} [udpport {port}] [timeout {value}] [retries {value}] [volatile | nonvolatile] [taglist {[-hex] tag}] [[-hex] tag tagvalue] 

 set snmp targetparams [-hex] {paramsname} user [-hex] {username} {security-model v3} {message-processing v3 {noauthentication | authentication | privacy}} [volatile | nonvolatile] 

IOS

 (global) snmp-server host host [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [type] 


A single host (host is either an IP address or a host name) is specified to receive SNMP notifications (either traps or informs). The SNMP version can optionally be given as SNMPv1 (1, the default), SNMPv2c (2c), or SNMPv3 (3). For SNMPv3, a keyword selects the security level: noauth (no authentication or privacy; the default), auth (MD5 or SHA authentication, no encryption), or priv (authentication and encryption).

The community-string field is a "password" shared between the SNMP agent and the SNMP manager; for an SNMPv3 recipient it is the SNMPv3 username instead. The UDP port used can be given as port (default 162).

On an IOS switch, the optional type keyword limits the host to specific notification types. The choices, and the option keywords for type snmp, are the same as for the snmp-server enable traps command in Step 3a; if no type is given, the host receives all notifications that are enabled globally.

c. (Optional; IOS only) Tune notification parameters.

- Specify trap options:

COS

N/A

IOS

 (global) snmp-server trap-timeout seconds 
 (global) snmp-server queue-length length 


SNMP traps are not sent reliably, because no acknowledgement is required. Traps can be queued and re-sent only when no route to the trap recipient is present. In that case, the switch waits seconds (default 30 seconds) before retransmitting the trap. In addition, 10 traps can be queued for each recipient by default. You can use the queue-length command to set the queue size to length traps for each recipient.

- Specify the source address to use for notifications:

COS

N/A

IOS

 (global) snmp-server trap-source interface 


SNMP traps can be sent from any available switch interface. To have the switch send all traps using a single source IP address, specify the interface to use. In this way, traps can be easily associated with the source switch.

d. (Optional) Enable SNMP link traps on specific interfaces:

COS

 set port trap mod/port {enable | disable} 

IOS

 (interface) [no] snmp trap link-status 


IOS switches, by default, generate SNMP link traps on all interfaces when they go up or down. If this is not desired, use the no keyword to disable traps on specific interfaces. The default for COS switches is to disable traps on all ports.

4.

(Optional) Enable RMON support.

a. (Optional) Collect RMON statistics:

COS

 set snmp rmon {enable | disable} 

IOS

 (interface) rmon collection stats index [owner name] 


On a COS switch, RMON statistics are collected for all Ethernet, Fast Ethernet, Gigabit Ethernet, and EtherChannel ports. An IOS switch, however, collects RMON statistics only on the configured interfaces. Statistics are gathered in "collections," each uniquely identified by a collection number or index (1 to 65535). An optional owner name (text string) can be given to associate a username with the collection.

b. (Optional; IOS only) Collect RMON history statistics:

COS

N/A

IOS


 (interface) rmon collection history index [owner  name] [buckets nbuckets] [interval seconds] 


An IOS switch can collect history statistics on the configured interfaces. Statistics are gathered in "collections," each uniquely identified by a collection number or index (1 to 65535). An optional owner name (text string) can be given to associate a username with the collection. The buckets keyword defines the number of history buckets (samples) to keep (default 50). The interval keyword specifies the sampling interval in seconds (default 1800 seconds).

c. (Optional; IOS only) Define an RMON alarm:

COS

N/A

IOS


 (global) rmon alarm number object interval {delta  | absolute} rising-threshold rise [event]  falling-threshold fall [event] [owner string] 


An alarm indexed by number (1 to 65535) is configured to monitor a specific MIB variable object. The object is given as a dotted-decimal value, in the form entry.integer.instance. The interval field specifies the number of seconds (1 to 4294967295) between samples of the object. The delta keyword compares the change in the variable between two consecutive samples against the thresholds, whereas absolute compares the sampled value itself. You can configure the alarm to test the object against a rising-threshold and a falling-threshold, where rise and fall are the threshold values that trigger the alarm. Once a rising event has fired, another is not generated until the value has dropped to the falling threshold (and vice versa), so the two thresholds provide hysteresis rather than an event on every sample. The event field specifies an event number in the event table to trigger for the rising and falling thresholds. An optional owner text string can be given, as the owner of the alarm.
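The following added example (Python, not from the book) implements the sampling and threshold logic of such an alarm, including the startup alarm and the hysteresis rule from the RMON MIB: after a rising event, no further rising event is generated until a falling event has occurred, and vice versa. The counter readings fed to it are constructed; in practice they would be successive polls of the object named in the rmon alarm command, such as an interface's ifInOctets.

```python
# Added example, not from the book: evaluation of an RMON alarm entry as
# configured with "rmon alarm", following the RMON MIB alarm semantics
# (startup alarm plus rising/falling hysteresis). Sample values are constructed.


class RmonAlarm:
    def __init__(self, rising, falling, sample_type="delta", startup="both"):
        if sample_type not in ("delta", "absolute"):
            raise ValueError("sample_type must be 'delta' or 'absolute'")
        if startup not in ("rising", "falling", "both"):
            raise ValueError("startup must be 'rising', 'falling' or 'both'")
        self.rising = rising
        self.falling = falling
        self.sample_type = sample_type
        self.startup = startup
        self.last_raw = None        # previous raw reading (for delta sampling)
        self.last_value = None      # previous compared value
        self.rising_armed = True    # False after a rising event until a falling one
        self.falling_armed = True   # False after a falling event until a rising one

    def sample(self, raw):
        """Feed one poll of the object; return 'rising', 'falling' or None."""
        if self.sample_type == "delta":
            if self.last_raw is None:
                self.last_raw = raw
                return None         # a delta needs two readings
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw

        event = None
        if self.last_value is None:
            # First comparable sample: only the configured startup alarm may
            # fire, but crossing a threshold still disarms that side.
            if value >= self.rising:
                if self.startup in ("rising", "both"):
                    event = "rising"
                self.rising_armed = False
            elif value <= self.falling:
                if self.startup in ("falling", "both"):
                    event = "falling"
                self.falling_armed = False
        elif value >= self.rising and self.last_value < self.rising and self.rising_armed:
            event = "rising"
            self.rising_armed, self.falling_armed = False, True
        elif value <= self.falling and self.last_value > self.falling and self.falling_armed:
            event = "falling"
            self.falling_armed, self.rising_armed = False, True

        self.last_value = value
        return event


def run(alarm, readings):
    """Return the list of events produced by a sequence of polls."""
    return [alarm.sample(r) for r in readings]


if __name__ == "__main__":
    # Constructed counter polls: a burst, a quiet spell, another burst.
    octets = RmonAlarm(rising=1000, falling=100, sample_type="delta")
    print(run(octets, [0, 2000, 2500, 4000, 4050, 6000]))
```

In the delta run above, the fourth poll also exceeds the rising threshold, yet no second rising event appears: the alarm stays quiet until the falling threshold has been reached, which is the behaviour that keeps a noisy counter from flooding the event table.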

d. (Optional; IOS only) Define an RMON event:

COS

N/A

IOS


 (global) rmon event number [description string]  [owner name] [trap community] [log] 


An RMON event is identified by an arbitrary number (1 to 65535). The description keyword gives the event a descriptive string (text string). An optional event owner can be assigned as name (text string). If the trap keyword is given, an SNMP trap is generated with the community string (text string). The log keyword causes the event to generate an RMON log entry on the switch.

SNMP Example

A switch is configured for SNMP, using community public for read-only access, and community noc-team for read-write access. (The read-only string is left at public only to keep the scenario simple; in practice, change it as well, as the Tip above recommends.) SNMP access is limited to any host in the 172.30.0.0 network for read-only, and to network management hosts 172.30.5.91 and 172.30.5.95 for read-write access. (This is possible with access lists on an IOS switch. However, the COS switch is limited to IP permit statements for all types of SNMP access. Specific hosts will have to be added to the IP permit list.)

SNMP traps are sent to an SNMP manager at 172.30.5.93, using community string nms. All possible traps are sent, except for switch configuration change traps. Also, SNMP link up/down traps are disabled for port 3/1:

COS

 set system contact John Doe, Network Operations
 set system location Building A, closet 123
 set snmp community read-only public
 set snmp community read-write noc-team
 set snmp trap 172.30.5.93 nms
 set snmp trap enable all
 set snmp trap disable config
 set ip permit 172.30.5.91
 set ip permit 172.30.5.95
 set ip permit enable snmp
 set port trap 3/1 disable

IOS

 (global) snmp-server contact John Doe, Network Operations
 (global) snmp-server location Building A, closet 123
 (global) snmp-server community public ro 5
 (global) snmp-server community noc-team rw 6
 (global) snmp-server host 172.30.5.93 traps nms
 (global) snmp-server enable traps
 (global) no snmp-server enable traps config
 (global) access-list 5 permit 172.30.0.0 0.0.255.255
 (global) access-list 6 permit host 172.30.5.91
 (global) access-list 6 permit host 172.30.5.95
 (global) interface gig 3/1
 (interface) no snmp trap link-status


Displaying Information About SNMP

Table 12-3 lists some switch commands that you can use to display helpful information about SNMP.

Table 12-3. Switch Commands to Display SNMP Information

Display Function

Switch OS

Command

SNMP configuration

COS

 show snmp 

IOS

 (exec) show snmp 

RMON collections

COS

N/A

IOS


 (exec) show rmon [alarms | events | history |  statistics] 




Cisco Field Manual: Catalyst Switch Configuration
ISBN: 1587050439
Year: 2001
Pages: 150