Simple Network Management Protocol

When you look at the names of some of the variables used, "Simple" doesn't seem to quite describe this network-management protocol. Yet SNMP is simple in principle, though the details can become quite complex. SNMP is the protocol used by network-management systems (NMS).

SNMP operates at the application layer, over TCP or UDP over IP. An SNMP manager (a software package on the NMS station) works with SNMP agents (also software packages) deployed on devices in the network. Both managers and agents use a Management Information Base, or MIB. Each MIB contains data objects (often also called MIBs) that are used to track activities and make configuration changes on some devices. MIBs are listed in hierarchical order, with dots separating levels (much like the dotted notation in fully qualified domain names).

SNMP hosts are organized into communities, and the community string serves as an identifier (an extremely weak sort of password, not unlike a Windows workgroup name). One other aspect of community names is worth mentioning here: The default community name is public and is very well known to hackers. Remember, this is a network-management protocol: it is used to configure and gather data from networking devices. That makes it very useful to hackers willing to work through the naming hierarchy to the message they want (and their scripts can be used by less capable hackers who really make a hash of things). Do not use public as your community string! Furthermore, be more creative than some network managers, and do not use private, either. Use a string that, like a strong password, is not subject to a dictionary attack (it uses letters, numbers, and special characters, without a partial dictionary word sequence).

Members of the community can use traps ( unsolicited informational messages) or gets ( requests for information) and sets (command messages). SNMP messages can use UDP or TCP; gets and sets use port 161, while traps use port 162. Informational messages (traps and the replies to gets) require only a read-only capability, but issuing sets requires both read and write capability. Cisco takes advantage of this in its recommended configurations in SAFE.

Configuring SNMP

The SAFE Blueprint recommends using two separate SNMP communities, one a read-only community and one with read-write capability (if you must have read-write capability at all; it might not be necessary). Again, routers and switches have slightly different commands.

Router

You designate the community string and its type with this command:

 snmp-server community string {ro | rw} number

The string is the (hopefully well-constructed) community name, and the number used in this command is the number of the standard access list that identifies the acceptable host addresses (hosts that are allowed to access the community). Such a command and its associated access list might look like this:

 snmp-server community yhG2b@&sm! ro 42
 access-list 42 permit 172.28.42.12
 access-list 42 permit 172.18.42.10
 access-list 42 deny any log

Switch

The switch SNMP commands look like the "switch versions" of the router commands:

 set snmp-server community yhG2b@&sm! ro
 set ip permit enable snmp
 set ip permit 172.28.42.12 snmp

One difference between the router and switch versions of the snmp-server command is that the switch using the Catalyst OS has a third possibility:

  • read-only: Read-only access to all MIB objects, but not the community string

  • read-write: Read and write access to all MIB objects, but not the community string

  • read-write-all: Read and write access to all MIB objects, including the community strings

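As an added example (not from the book or from Cisco), the following Python audit applies the guidance above to router-style SNMP configuration lines: it flags the default community strings, strings that do not mix letters, digits and special characters, read-write communities, and communities whose access list is missing or permits any host. The sample configuration is constructed, and the eight-character minimum length is an assumption; dictionary-word detection is not attempted.

```python
import re

# Constructed sample in the style of the router configuration shown above.
SAMPLE_CONFIG = """
snmp-server community public ro
snmp-server community private rw 10
snmp-server community yhG2b@&sm! ro 42
access-list 10 permit any
access-list 42 permit 172.28.42.12
access-list 42 permit 172.18.42.10
access-list 42 deny any log
"""

DEFAULT_STRINGS = {"public", "private"}
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (ro|rw)(?: (\d+))?$")
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+)(?: log)?$")


def is_strong(string):
    """Character-class check from the text; the length of 8 is an assumption."""
    return (len(string) >= 8
            and re.search(r"[A-Za-z]", string) is not None
            and re.search(r"[0-9]", string) is not None
            and re.search(r"[^A-Za-z0-9]", string) is not None)


def audit(config):
    """Return a list of (community, finding) tuples for weak SNMP settings."""
    acls = {}         # ACL number -> list of (action, source) entries
    communities = []  # (string, mode, ACL number or None)
    for line in config.strip().splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if m:
            communities.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    findings = []
    for string, mode, acl in communities:
        if string.lower() in DEFAULT_STRINGS:
            findings.append((string, "default community string"))
        elif not is_strong(string):
            findings.append((string, "weak community string"))
        if mode == "rw":
            findings.append((string, "read-write community; confirm it is required"))
        if acl is None:
            findings.append((string, "no access list: any host may use this community"))
        elif any(a == "permit" and s == "any" for a, s in acls.get(acl, [])):
            findings.append((string, f"access-list {acl} permits any host"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports five findings for the two default communities and none for the third, which has a strong string and a host-restricted access list.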
Practicality

You might note in the sample configurations in Appendix A of the SMR SAFE Blueprint that the SNMP servers are also the logging servers. That is not a requirement, by any means, but it is a good economy of resources: Logging servers and SNMP servers should both be carefully protected and monitored. By having two of each, you gain redundancy; by placing both functions in those two hosts, you don't have an excessive number of devices to configure, protect, and monitor. Remember, the SAFE Blueprint is intended to be practical.

SNMP Versions

SNMP has reached version 3. The original version (usually just called SNMP) is rarely seen now, for good reason. SNMP did an adequate job, but SNMPv2 offered more advanced monitoring and configuring capabilities. Unfortunately, security features were not added until SNMPv3, which also includes a new message format. SNMPv3 is backward compatible with SNMPv2 (so that messages can be exchanged). However, it is strongly recommended that networks transition to SNMPv3 because it includes authentication between devices and message security.

CCSP CSI Exam Cram 2 (Exam Cram 642-541)
ISBN: 0789730243
Year: 2002
Pages: 177
Authors: Annlee Hines