Friday 15 November 2019

Cisco SNMP Configuration | What is Simple Network Management Protocol

This chapter explains the operation of SNMP. It also describes how to configure SNMP on a Cisco router so that a network management device can collect messages from it on a small to medium-sized network.

What is Simple Network Management Protocol (SNMP)

SNMP (Simple Network Management Protocol) was developed to allow administrators to manage nodes, such as servers, workstations, routers, switches and security devices, in an IP network. It allows network administrators to manage network performance, detect and resolve network problems, and plan for network growth.
SNMP is an application layer protocol that provides a message format for communication between managers and agents. The SNMP system consists of three elements:

  • SNMP Manager
  • SNMP agents (managed node)
  • Management Information Base (MIB)

To configure SNMP on a network device, it is first necessary to define the relationship between the manager and the agent.
The SNMP manager is part of a network management system (NMS) and runs SNMP management software.

The SNMP manager can collect information from an SNMP agent using a “get” action and can change settings on the agent using a “set” action. In addition, SNMP agents can forward information directly to an NMS through traps.
The SNMP agent and the MIB reside on the managed network devices. Every network device that must be managed has an SNMP agent software module. MIBs store data about the device's operation and are designed to be available to authenticated remote users. The SNMP agent is responsible for providing access to the local MIB, which reflects the resources and activity of the managed objects.
SNMP uses UDP port number 162 to retrieve and send management information.

SNMP OPERATION

SNMP agents that reside on managed devices collect and store information about the devices and their operation. The agent stores this information locally in the MIB. The SNMP manager then uses the SNMP agent to access the information within the MIB.
There are two main SNMP manager requests: get and set.

  • The NMS uses a get request to request data from the device.
  • The NMS uses a set request to change configuration variables on the agent's device. A set request can also initiate actions within a device. For example, a set request can cause a router to reboot, or to send or receive a configuration file.

The SNMP manager uses the get and set requests to perform the operations described in the SNMP operations table:

  • get-request : retrieves the value of a specific variable.
  • get-next-request : retrieves the value of a variable within a table; the SNMP manager does not need to know the exact name of the variable. A sequential search is performed to find the required variable within the table.
  • get-bulk-request : retrieves large blocks of data, such as several rows of a table, that would otherwise require the transmission of many small blocks of data (SNMPv2c or later only).
  • get-response : replies to a get-request, get-next-request or set-request operation sent by the NMS.
  • set-request : stores a value in a specific variable.

The SNMP agent responds to SNMP manager requests as follows:

  • Get a MIB variable : the SNMP agent performs this function in response to a get request PDU from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value.
  • Set a MIB variable : the SNMP agent performs this function in response to a set request PDU from the NMS. The SNMP agent changes the value of the MIB variable to the value specified by the NMS. The agent's response to a set request includes the new settings on the device.

SNMP AGENT TRAPS

The NMS periodically polls the SNMP agents that reside on managed devices, requesting data from the devices through get requests. With this process, a network management application can collect information to monitor traffic loads and verify the configurations of managed devices.
The information can be displayed through the NMS GUI. Averages, minimums or maximums can be calculated, the data can be graphed, and thresholds can be set to trigger a notification process when they are exceeded.
For example, the NMS can monitor the CPU usage of a Cisco router. The SNMP manager periodically samples the value and presents it in a graph that the network administrator can use to create a baseline.
SNMP periodic polling has disadvantages:

  • There is a delay between the moment an event occurs and the moment the NMS learns of it (through polling).
  • There is a trade-off between polling frequency and bandwidth use.

To mitigate these disadvantages, SNMP agents may generate and send traps to inform NMS about certain events immediately.

USE OF AN SNMP TRAP

Traps are unsolicited messages that alert the SNMP manager to a condition or event on the network. Some examples of trap conditions include, but are not limited to, incorrect user authentication, reboots, link status (up or down), MAC address tracking, closing of a TCP connection, loss of connection to a neighbor, and other important events.
Trap notifications reduce network and agent resource usage by eliminating the need for some SNMP polling requests.

The figure shows the use of an SNMP trap to alert the network administrator that interface G0/0 went down. The NMS software can send a text message to the network administrator, display a pop-up window in the NMS software, or display the router icon in red in the NMS GUI.

SNMP VERSIONS

There are several versions of SNMP, including the following:

  • SNMPv1 : the Simple Network Management Protocol, a full Internet standard, defined in RFC 1157.
  • SNMPv2c : defined in RFCs 1901 to 1908; uses the community-string-based administrative framework.
  • SNMPv3 : an interoperable standards-based protocol originally defined in RFCs 2273 to 2275; provides secure access through authentication and encryption of packets across the network.

All versions use SNMP managers, SNMP agents and MIB. Cisco IOS software supports the three versions mentioned above.
Unlike SNMPv1, SNMPv2c includes a bulk retrieval mechanism and more detailed error message reporting for management stations.
The most up-to-date description of SNMPv3 is found in RFCs 3410 to 3415. It adds methods to ensure the secure transmission of critical data between managed devices.
SNMPv3 provides both security models and security levels. A security model is an authentication strategy configured for a user and the group within which the user resides. A security level is the level of security allowed within a security model.
The combination of security level and security model determines which security mechanism is used when handling an SNMP packet. The available security models are SNMPv1, SNMPv2c and SNMPv3.
A network administrator must configure the SNMP agent to use the version of SNMP that the management station supports.

COMMUNITY STRINGS

For SNMP to work, the NMS must have access to the MIB. To ensure that access requests are valid, there must be some form of authentication.
SNMPv1 and SNMPv2c use community strings that control access to the MIB. Community strings are plaintext passwords. SNMP community strings authenticate access to MIB objects.
There are two types of community strings:

  • Read-only (ro) : provides access to the MIB variables but does not allow them to be changed, only read. Because security is minimal in version 2c, many organizations use SNMPv2c in read-only mode.
  • Read-write (rw) : provides read and write access to all objects in the MIB.

To view or set MIB variables, the user must specify the appropriate community string for read or write access.
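As an added example (not code from the original article), the following Python hand-encodes an SNMPv2c get-request for sysDescr.0 and then reads the community string back out of the datagram, which is exactly what any host capturing traffic on the path sees; the community name batonaug is taken from the R1 configuration shown later in the article, and the BER encoder and decoder are my own minimal routines, not a library.

```python
# Added example, not from the original article: hand-encodes an SNMPv2c get-request
# for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0) in BER and then reads the community string
# back out of the datagram, as a packet capture on the path would show it.

def ber_len(n):
    """BER length octets: short form below 128, two-byte long form otherwise."""
    return bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value):
    """INTEGER (tag 0x02), minimal two's-complement encoding."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def ber_oid(dotted):
    """OBJECT IDENTIFIER (tag 0x06): first two arcs merged, then base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                  # high-order groups carry bit 7 set
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return tlv(0x06, bytes(body))

def build_get_request(community, oid, request_id=1):
    """SNMPv2c message: SEQUENCE { version 1, community, GetRequest-PDU [0xA0] }."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))        # { OID, NULL }
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, pos):
    """Decode one TLV at pos; returns (tag, value bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def sniff_community(datagram):
    """What an observer on the wire sees: (version, community string, PDU tag)."""
    _, body, _ = read_tlv(datagram, 0)              # outer SEQUENCE
    _, ver, pos = read_tlv(body, 0)                 # INTEGER version (1 = v2c)
    _, comm, pos = read_tlv(body, pos)              # OCTET STRING community, unencrypted
    pdu_tag, _, _ = read_tlv(body, pos)
    return int.from_bytes(ver, "big"), comm.decode(), pdu_tag
```

The community string is the only credential in the v1/v2c message, and it travels as a plain OCTET STRING, which is why the article's later recommendation of ACLs and SNMPv3 authentication and encryption matters.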

STEPS TO CONFIGURE SNMP

A network administrator can configure SNMPv2 to obtain network information from network devices:

  1. (Required) Configure the community string and access level (read-only or read-write) using the snmp-server community string ro | rw command.
  2. (Optional) Document the device location using the snmp-server location text command.
  3. (Optional) Document the system contact using the snmp-server contact text command.
  4. (Optional) Restrict SNMP access to the NMS hosts (SNMP managers) permitted by an ACL: define the ACL and then reference it with the snmp-server community string access-list-number-or-name command. This command can be used to specify both the community string and the ACL that restricts SNMP access. Steps 1 and 4 can be combined into one step if desired.
  5. (Optional) Specify the recipient of SNMP trap operations with the snmp-server host host-id [ version { 1 | 2c | 3 [ auth | noauth | priv ]}] community-string command. By default, no trap manager is defined.
  6. (Optional) Enable traps on the SNMP agent with the snmp-server enable traps notification-types command. If no trap notification type is specified in this command, all trap types are sent. Repeat the command for each type if only a certain subset of trap types is desired.

All basic steps to configure SNMP are performed in global configuration mode:

R1(config)# snmp-server community batonaug ro SNMP_ACL
R1(config)# snmp-server location NOC_SNMP_MANAGER
R1(config)# snmp-server contact Wayne World
R1(config)# snmp-server host 192.168.1.3 version 2c batonaug
R1(config)# snmp-server enable traps
R1(config)# ip access-list standard SNMP_ACL
R1(config-std-nacl)# permit 192.168.1.3

VERIFICATION OF SNMP CONFIGURATION

There are several software solutions for viewing SNMP output. For our purposes, the Kiwi syslog server displays the SNMP messages associated with SNMP traps.
PC1 and R1 are configured to demonstrate the output seen on an SNMP manager in relation to SNMP traps. PC1 has been assigned the IP address 192.168.1.3/24, and the Kiwi syslog server is installed on it.
After R1 is configured, every time an event occurs that qualifies as a trap, an SNMP trap is sent to the SNMP manager. For example, if an interface comes up, a trap is sent to the server. Configuration changes on the router also trigger SNMP traps to the SNMP manager.
You can see a list of more than 60 trap notification types with the snmp-server enable traps ? command. In the configuration of R1, no notification type is specified in the snmp-server enable traps notification-types command, so all traps are sent.

SNMP Manager

In Figure 12, a check box was enabled in the Setup menu to indicate that the network administrator wants the SNMP manager software to listen for SNMP traps on UDP port 162.

SNMP VERIFICATION COMMANDS

To verify the SNMP configuration, use any variant of the show snmp command in privileged EXEC mode. The most useful command is simply show snmp, as it displays the information that is usually of interest when examining the SNMP configuration.
Unless an SNMPv3 configuration is involved, most of the other command options only show selected parts of the show snmp output.
The output of show snmp does not include information about the SNMP community string or, if applicable, the associated ACL. Figure 5 shows the community string and ACL information displayed by the show snmp community command.

RECOMMENDED SECURITY PRACTICES

While SNMP is very useful for monitoring and troubleshooting, it can also introduce security vulnerabilities. For this reason, consider security best practices before implementing SNMP.

SNMPv1 and SNMPv2c rely on plaintext SNMP community strings to authenticate access to MIB objects. These community strings, like all passwords, must be chosen carefully to ensure that they are not easy to crack.
In addition, community strings should be changed at regular intervals and in accordance with network security policies. For example, strings must be changed when a network administrator changes roles or leaves the company. If SNMP is used only to monitor devices, use read-only communities.
Make sure that SNMP messages do not travel beyond the management consoles. ACLs should be used to prevent SNMP messages from going beyond the required devices.
SNMPv3 is recommended because it provides authentication and encryption. There are additional global configuration mode commands that a network administrator can use to take advantage of authentication and encryption in SNMPv3:

  • The snmp-server group groupname { v1 | v2c | v3 { auth | noauth | priv }} command creates a new SNMP group on the device.
  • The snmp-server user username groupname v3 [ encrypted ] [ auth { md5 | sha } auth-password ] [ priv { des | 3des | aes { 128 | 192 | 256 }} priv-password ] command adds a new user to the SNMP group specified by the snmp-server group groupname command.
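As an added example (not part of the article), this Python script checks the SNMP lines of an IOS running-config against the practices above: read-only communities, ACL restriction, no default strings, and an SNMPv3 group at the priv level. The regular expressions cover only the command forms shown on this page, and the three sample configurations are constructed, the first mirroring the article's R1 commands.

```python
# Added example, not from the original article: audits IOS SNMP configuration lines
# against the practices described above. Only the command forms shown on the page are parsed.
import re

RE_COMMUNITY = re.compile(r"^snmp-server community (\S+)(?: view \S+)? (ro|rw)(?: (\S+))?\s*$")
RE_HOST = re.compile(r"^snmp-server host (\S+)(?: (?:traps|informs))?"
                     r"(?: version (1|2c|3)(?: (?:auth|noauth|priv))?)? (\S+)")
RE_GROUP_V3 = re.compile(r"^snmp-server group \S+ v3 (auth|noauth|priv)")

def audit_snmp(config_text):
    """Return a list of findings; an empty list means nothing the checks object to."""
    findings, has_v3_priv = [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := RE_COMMUNITY.match(line):
            name, mode, acl = m.groups()
            if name.lower() in ("public", "private"):
                findings.append(f"community '{name}' is a well-known default string")
            if mode == "rw":
                findings.append(f"community '{name}' is read-write; use ro unless set operations are needed")
            if acl is None:
                findings.append(f"community '{name}' has no ACL limiting which managers may use it")
        elif m := RE_HOST.match(line):
            host, version, comm = m.groups()
            version = version or "1"                 # IOS defaults to SNMPv1 when omitted
            if version != "3":
                findings.append(f"trap receiver {host} uses SNMPv{version}; community '{comm}' crosses the network in plaintext")
        elif (m := RE_GROUP_V3.match(line)) and m.group(1) == "priv":
            has_v3_priv = True
    if not has_v3_priv:
        findings.append("no SNMPv3 group at the priv level: SNMP traffic is neither authenticated nor encrypted")
    return findings

# Constructed samples: the first mirrors the article's R1 configuration.
ARTICLE_CONFIG = """
snmp-server community batonaug ro SNMP_ACL
snmp-server host 192.168.1.3 version 2c batonaug
snmp-server enable traps
ip access-list standard SNMP_ACL
 permit 192.168.1.3
"""
WEAK_CONFIG = """
snmp-server community private rw
snmp-server host 10.0.0.5 public
"""
HARDENED_CONFIG = """
snmp-server group NOC_GROUP v3 priv
snmp-server user noc_admin NOC_GROUP v3 auth sha AuthPassw0rd priv aes 128 PrivPassw0rd
"""
```

Run against the article's own R1 commands the audit accepts the ACL-restricted read-only community but still reports the v2c trap receiver and the absence of an SNMPv3 priv group.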
