Simple Network Management Protocol
Overview
SNMP provides a standardized framework and a common language for monitoring and managing devices in a network. The SNMP framework consists of three parts:
• An SNMP manager: The system used to control and monitor the activities of network devices. This is sometimes called a Network Management System (NMS).
• An SNMP agent: The component within a managed device that maintains the data for the device and reports this data to SNMP managers.
• Management Information Base (MIB): SNMP exposes management data in the form of variables which describe the system configuration. These variables can be queried by SNMP managers.
In SNMP, administration groups are known as communities. SNMP communities consist of one agent and one or more SNMP managers. You can assign groups of hosts to SNMP communities for limited security checking of agents and management systems or for administrative purposes. Defining communities provides security by allowing only management systems and agents within the same community to communicate.
A host can belong to multiple communities at the same time, but an agent does not accept a request from a management system outside its list of acceptable community names.
SNMP access rights are organized by groups. Each group is defined with three accesses: read access, write access, and notification access. Each access can be enabled or disabled within each group.
The SNMP v3 security level determines if an SNMP message needs to be protected from disclosure and if the message needs to be authenticated. The security levels are:
• noAuthNoPriv: No authentication or encryption
• authNoPriv: Authentication but no encryption
• authPriv: Both authentication and encryption
SNMP is defined in RFCs 3411-3418.
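The following Python script is an added example, not part of the OcNOS documentation or software. It reads `snmp-server` lines in the format of the `show running-config snmp` output and reports the security level each community, user and notification host reaches; the sample lines are taken from the outputs on this page, and treating the keyword after `version 3` on a host line as the security level is an assumption.

```python
# Added example, not OcNOS code. SAMPLE is assembled from the
# "show running-config snmp" outputs shown on this page.
SAMPLE = """\
snmp-server user test1 network-admin auth MD5 encrypt 0xd1fe6acc88856c90 vrf management
snmp-server user test2 network-admin vrf management
snmp-server user test3 network-admin auth MD5 encrypt 0xd1fe6acc88856c90 priv DES 0xd1fe6acc88856c90 vrf management
snmp-server user newv3user auth sha encrypt 0xd01d08043ea89bd3f77ccf8992973502 priv aes 0x7517e1def71063d7f77ccf8992973502 vrf snmp-vrf
snmp-server community test1 group network-admin vrf management
snmp-server host 172.18.19.22 traps version 2c newcom udp-port 162 vrf snmp-vrf
snmp-server host 172.18.19.20 informs version 3 auth newv3user udp-port 65535 vrf snmp-vrf
"""
WEAK = {"md5": "MD5 is a weak authentication hash", "des": "DES is a weak privacy cipher"}
# Assumption: on a host line the keyword after "version 3" is the security
# level, as the Level column of "show snmp host" suggests.
HOST_LEVEL = {"noauth": "noAuthNoPriv", "auth": "authNoPriv"}

def arg(tokens, keyword):
    """Return the lower-cased token that follows keyword, or None if absent."""
    if keyword in tokens[:-1]:
        return tokens[tokens.index(keyword) + 1].lower()
    return None

def audit(config):
    """Return (kind, name, level, notes) for each community, user and host line."""
    rows = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 3 or t[0] != "snmp-server":
            continue
        kind, name, rest, notes = t[1], t[2], t[3:], []
        version = arg(rest, "version")
        if kind == "community" or (kind == "host" and version in ("1", "2c")):
            level = "noAuthNoPriv"
            notes.append("community string is sent in cleartext")
        elif kind == "host" and version == "3" and len(rest) > rest.index("version") + 2:
            keyword = rest[rest.index("version") + 2]
            level = HOST_LEVEL.get(keyword, keyword)
        elif kind == "user":
            auth, priv = arg(rest, "auth"), arg(rest, "priv")
            level = "noAuthNoPriv" if not auth else "authPriv" if priv else "authNoPriv"
            notes += [WEAK[a] for a in (auth, priv) if a in WEAK]
        else:
            continue
        if level != "authPriv":
            notes.append("below authPriv")
        rows.append((kind, name, level, notes))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep=" | ")
```

Only `newv3user` comes out as authPriv with no notes; `test3` reaches authPriv but with MD5 and DES, and every community or version 2c host line is reported as noAuthNoPriv.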
Topology
SNMP sample topology
Standard SNMP Configurations
#configure terminal | Enter configure mode. |
(config)#snmp-server view all .1 included vrf management | Creates SNMP view labeled as “all” for OID-Tree as “.1” for vrf management. |
(config)#snmp-server community test group network-operator vrf management | Set community string as “test” for group of users having “network-operator” privilege. |
(config)#snmp-server host 10.12.6.63 traps version 2c test udp-port 162 vrf management | Specify host “10.12.6.63” to receive SNMP version 2 notifications at udp port number 162 with community string as “test”. |
(config)#snmp-server enable snmp vrf management | Use this command to start the SNMP agent. |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)#exit | Exit configure mode. |
Standard SNMP Configurations over User Defined VRF
OcNOS supports SNMP over user-defined VRFs, in addition to the default and management VRFs, via an in-band interface. Users can enable the SNMP service on any user-defined VRF; however, it runs on only one VRF at a time.
#configure terminal | Enter configure mode. |
(config)#ip vrf snmp-vrf | Creates a user-defined vrf called snmp-vrf |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)# snmp-server view newview 1.3.6.1.2.1.6.13.1.1.127.0.0.1 excluded vrf snmp-vrf | Creates SNMP view labeled as “newview” for OID-Tree “1.3.6.1.2.1.6.13.1.1.127.0.0.1” excluded for vrf snmp-vrf. |
(config)# snmp-server community newcom group network-operator vrf snmp-vrf | Set community string as “newcom” for group of users having “network-operator” privilege. |
(config)# snmp-server user newv3user auth sha AuthNewPass@123 priv aes PrivNewPass@123 vrf snmp-vrf | Creates SNMPv3 user “newv3user” with “sha” authentication and “aes” privacy (encryption), each with its own password, for added security on the snmp-vrf. |
(config)# snmp-server host 172.18.19.22 traps version 2c newcom udp-port 162 vrf snmp-vrf | Specify host “172.18.19.22” to receive SNMP version 2 notifications at udp port number 162 with community string as “newcom”. |
(config)#snmp-server host 172.18.19.20 informs version 3 auth newv3user udp-port 65535 vrf snmp-vrf | Specify host “172.18.19.20” to receive SNMP v3 informs at udp-port number 65535 for user “newv3user” if correct authpriv passwords are used |
(config)#snmp-server enable snmp vrf snmp-vrf | Use this command to start the SNMP agent on the user defined vrf (snmp-vrf) |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)#exit | Exit configure mode. |
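The following Python script is an added example, not part of the OcNOS documentation or software. It shows how `included` and `excluded` view subtrees such as the ones configured above decide whether an OID is visible, using the view-matching rule of RFC 3415 without family masks; that OcNOS applies this rule, and that one view name may carry several subtrees, are assumptions, and the `ops` view is constructed for illustration.

```python
# Added example, not OcNOS code. The "newview" line is from this page; the
# two "ops" lines are constructed in the same syntax for illustration.
SAMPLE = """\
snmp-server view newview 1.3.6.1.2.1.6.13.1.1.127.0.0.1 excluded vrf snmp-vrf
snmp-server view ops .1 included vrf snmp-vrf
snmp-server view ops 1.3.6.1.2.1.6.13.1.1.127.0.0.1 excluded vrf snmp-vrf
"""

def parse_oid(text):
    """Turn '.1.3.6' or '1.3.6' into a tuple of sub-identifiers."""
    return tuple(int(part) for part in text.strip(".").split("."))

def parse_views(config):
    """Map (vrf, view name) to its list of (subtree, included) families."""
    views = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) == 7 and t[:2] == ["snmp-server", "view"] and t[5] == "vrf":
            family = (parse_oid(t[3]), t[4] == "included")
            views.setdefault((t[6], t[2]), []).append(family)
    return views

def in_view(families, oid):
    """RFC 3415 rule without masks: among the subtrees that are a prefix of
    the OID, the one with the most sub-identifiers decides; no match means
    the OID is not in the view."""
    oid = parse_oid(oid)
    matches = [(len(sub), inc) for sub, inc in families if oid[:len(sub)] == sub]
    return max(matches)[1] if matches else False

if __name__ == "__main__":
    views = parse_views(SAMPLE)
    # tcpConnState rows: a loopback connection (constructed index), the
    # connection index from the snmpget example on this page, and sysDescr.0.
    for oid in ("1.3.6.1.2.1.6.13.1.1.127.0.0.1.22.127.0.0.1.40000",
                "1.3.6.1.2.1.6.13.1.1.10.12.45.238.22.10.12.6.63.52214",
                "1.3.6.1.2.1.1.1.0"):
        for key, families in views.items():
            print(key, oid, in_view(families, oid))
```

Under this rule a view that holds only an `excluded` subtree, like `newview`, contains no objects at all; an exclusion narrows a view only when the same view also includes a broader subtree.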
Validation
Use the following commands to verify the SNMP configuration:
#show running-config snmp
snmp-server view all .1 included vrf management
snmp-server community test group network-operator vrf management
snmp-server host 10.12.6.63 traps version 2c test udp-port 162 vrf management
#show snmp group
------------------------------------------------------------------------------
community/user group version Read-View Write-view Notify-view
------------------------------------------------------------------------------
test network-operator 2c/1 all none all
#show snmp host
------------------------------------------------------------------------------
Host Port Version Level Type SecName
------------------------------------------------------------------------------
10.12.6.63 162 2c noauth trap test
SNMP GET Command
# snmpget -v2c -c test 10.12.45.238 .1.3.6.1.2.1.6.13.1.2.10.12.45.238.22.10.12.6.63.52214
TCP-MIB::tcpConnLocalAddress.10.12.45.238.22.10.12.6.63.52214 = IpAddress: 10.12.45.238
SNMP WALK Command
SNMP WALK for particular OID
#snmpwalk -v2c -c test 10.12.45.238 .1.3.6.1.2.1.25.3.8.1.8
HOST-RESOURCES-MIB::hrFSLastFullBackupDate.1 = STRING: 0-1-1,0:0:0.0
HOST-RESOURCES-MIB::hrFSLastFullBackupDate.4 = STRING: 0-1-1,0:0:0.0
HOST-RESOURCES-MIB::hrFSLastFullBackupDate.5 = STRING: 0-1-1,0:0:0.0
HOST-RESOURCES-MIB::hrFSLastFullBackupDate.6 = STRING: 0-1-1,0:0:0.0
HOST-RESOURCES-MIB::hrFSLastFullBackupDate.10 = STRING: 0-1-1,0:0:0.0
HOST-RESOURCES-MIB::hrFSLastFullBackupDate.12 = STRING: 0-1-1,0:0:0.0
HOST-RESOURCES-MIB::hrFSLastFullBackupDate.13 = STRING: 0-1-1,0:0:0.0
HOST-RESOURCES-MIB::hrFSLastFullBackupDate.14 = STRING: 0-1-1,0:0:0.0
HOST-RESOURCES-MIB::hrFSLastFullBackupDate.15 = STRING: 0-1-1,0:0:0.0
HOST-RESOURCES-MIB::hrFSLastFullBackupDate.16 = STRING: 0-1-1,0:0:0.0
HOST-RESOURCES-MIB::hrFSLastFullBackupDate.17 = STRING: 0-1-1,0:0:0.0
HOST-RESOURCES-MIB::hrFSLastFullBackupDate.18 = STRING: 0-1-1,0:0:0.0
HOST-RESOURCES-MIB::hrFSLastFullBackupDate.19 = STRING: 0-1-1,0:0:0.0
HOST-RESOURCES-MIB::hrFSLastFullBackupDate.20 = STRING: 0-1-1,0:0:0.0
HOST-RESOURCES-MIB::hrFSLastFullBackupDate.21 = STRING: 0-1-1,0:0:0.0
HOST-RESOURCES-MIB::hrFSLastFullBackupDate.22 = STRING: 0-1-1,0:0:0.0
HOST-RESOURCES-MIB::hrFSLastFullBackupDate.23 = STRING: 0-1-1,0:0:0.0
HOST-RESOURCES-MIB::hrFSLastFullBackupDate.24 = STRING: 0-1-1,0:0:0.0
HOST-RESOURCES-MIB::hrFSLastFullBackupDate.25 = STRING: 0-1-1,0:0:0.0
HOST-RESOURCES-MIB::hrFSLastFullBackupDate.26 = STRING: 0-1-1,0:0:0.0
Complete SNMP WALK
#snmpwalk -v2c -c test 10.12.45.238 .1
SNMP Trap Server Configuration with IPv6 Address
The snmpwalk is performed using an IPv6 address. The SNMP trap server is configured on the router with an IPv6 address.
Topology
Figure 1-22 shows the sample configuration of SNMP trap server.
SNMP trap server topology
R1
#configure terminal | Enter configure mode. |
(config)#snmp-server view all .1 included vrf management | Configure SNMP server view |
(config)#snmp-server view test1 1.3.6.1 included vrf management | Configure SNMP server view |
(config)#snmp-server user test1 network-admin auth md5 test1234 vrf management | Configure SNMP server user |
(config)#snmp-server user test2 network-admin vrf management | Configure SNMP server user |
(config)#snmp-server user test3 network-admin auth md5 test1234 priv des test1234 vrf management | Configure SNMP server user |
(config)#snmp-server community test group network-operator vrf management | Configure SNMP server community |
(config)#snmp-server community test1 group network-admin vrf management | Configure SNMP server community |
(config)#snmp-server host 2001:db8:100::2 traps version 2c test udp-port 162 vrf management | Configure SNMP trap server |
(config)#interface eth0 | Navigate to the interface mode |
(config-if)#ipv6 address 2001:db8:100::5/64 | Configure IPv6 address on the eth0 interface |
(config-if)#exit | Exit interface configure mode |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)#exit | Exit configure mode |
Validation
The SNMP configuration on the Router node is shown below:
#show running-config snmp
snmp-server view all .1 included vrf management
snmp-server user test1 network-admin auth MD5 encrypt 0xd1fe6acc88856c90 vrf management
snmp-server user test2 network-admin vrf management
snmp-server user test3 network-admin auth MD5 encrypt 0xd1fe6acc88856c90 priv DES 0xd1fe6acc88856c90 vrf management
snmp-server community test group network-operator vrf management
snmp-server community test1 group network-admin vrf management
snmp-server enable snmp vrf management
snmp-server enable traps link linkDown
snmp-server enable traps link linkUp
#show ipv6 interface eth0 brief
Interface IPv6-Address Admin-Status
eth0 2001:db8:100::5
fe80::218:23ff:fe30:e6ba [up/up]
Perform snmpwalk as mentioned below with IPv6 address using SNMPv3
snmpwalk -v3 -u test3 -a MD5 -A test1234 -x DES -X test1234 -l authPriv 2001:db8:100::5 .1.3.6.1.2.1.25.3.8.1.8
Perform snmpwalk as mentioned below with IPv6 address using SNMPv2
snmpwalk -v2c -c test 2001:db8:100::5 1.3.6.1.2.1.31
Perform snmpwalk as mentioned below with IPv6 address using SNMPv1
snmpwalk -v1 -c test 2001:db8:100::5 1.3.6.1.2.1.31
#show snmp trap
-------------------------------------------------
Trap type Description Enabled
---------------------------------------------------
link linkUp yes
link linkDown yes
vxlan notification no
mpls notification no
mpls pw no
mpls pw delete no
mpls-l3vpn notification no
ospf notification no
ospf6 notification no
isis notification no
snmp authentication no
mpls rsvp no
vrrp notification no
bgp notification no
As mentioned above, perform link down and link up of any interface in Router node. Check that SNMP trap is sent u
SNMP Informs with IPv6 Address over User Defined VRF
The snmpwalk is performed using an IPv6 address. The SNMP trap server is configured on the router with an IPv6 address.
Topology
Figure 1-22 shows the sample configuration of SNMP trap server.
SNMP trap server topology
R1
#configure terminal | Enter configure mode. |
(config)#ip vrf snmp-vrf | Creates a user-defined vrf called snmp-vrf |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)#snmp-server view all .1 included vrf snmp-vrf | Configure SNMP server view |
(config)#snmp-server view test1 1.3.6.1 included vrf snmp-vrf | Configure SNMP server view |
(config)# snmp-server user newv3user auth sha AuthNewPass@123 priv aes PrivNewPass@123 vrf snmp-vrf | Configure SNMP server user |
(config)#snmp-server community test group network-operator vrf snmp-vrf | Configure SNMP server community |
(config)#snmp-server community test1 group network-admin vrf snmp-vrf | Configure SNMP server community |
(config)# snmp-server host 8901:DB8:0:1::1 informs version 3 auth newv3user udp-port 60000 vrf snmp-vrf | Configure SNMP informs server |
(config)#interface xe0.6 | Navigate to the interface mode |
(config-if)#ipv6 address 8901:db8:0:1::2/64 | Configure IPv6 address on the xe0.6 sub vlan interface |
(config-if)#exit | Exit interface configure mode |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)#exit | Exit configure mode |
Validation
The SNMP configuration on the Router node is shown below:
#show running-config snmp
snmp-server view all .1 included vrf snmp-vrf
snmp-server view newview 1.3.6.1.2.1.6.13.1.1.127.0.0.1 excluded vrf snmp-vrf
snmp-server view test1 1.3.6.1 included vrf snmp-vrf
snmp-server user newv3user auth sha encrypt 0xd01d08043ea89bd3f77ccf8992973502 priv aes 0x7517e1def71063d7f77ccf8992973502 vrf snmp-vrf
snmp-server community newcom group network-operator vrf snmp-vrf
snmp-server community test group network-operator vrf snmp-vrf
snmp-server community test1 group network-admin vrf snmp-vrf
snmp-server host 172.18.19.22 traps version 2c newcom udp-port 162 vrf snmp-vrf
snmp-server host 172.18.19.20 informs version 3 auth newv3user udp-port 65535 vrf snmp-vrf
snmp-server host 8901:db8:0:1::1 informs version 3 auth newv3user udp-port 60000 vrf snmp-vrf
snmp-server enable snmp vrf snmp-vrf
snmp-server enable traps link linkDown
snmp-server enable traps link linkUp
snmp-server enable traps link include-interface-name
snmp-server enable traps vxlan
snmp-server enable traps pwdelete
snmp-server enable traps pw
snmp-server enable traps mpls
snmp-server enable traps mplsl3vpn
snmp-server enable traps snmp authentication
snmp-server enable traps ospf
snmp-server enable traps bgp
snmp-server enable traps ospf6
snmp-server enable traps vrrp
snmp-server enable traps rsvp
snmp-server enable traps rib
snmp-server enable traps isis
snmp-server enable traps pim
#show ipv6 interface xe0.6 brief
Interface IPv6-Address Admin-Status
xe0.6 8901:db8:0:1::2
fe80::5e07:58ff:fe51:caea [up/up]
Perform snmpwalk as mentioned below with IPv6 address using SNMPv3
snmpwalk -v3 -u newv3user -a SHA -A AuthNewPass@123 -x AES -X PrivNewPass@123 -l authPriv 8901:DB8:0:1::2 .1.3.6.1.2.1.25.3.8.1.8 -m all
Perform snmpwalk as mentioned below with IPv6 address using SNMPv2
snmpwalk -v2c -c newcom 8901:DB8:0:1::2 -t 5 -r 20 1.3.6.1.2.1.31 -Cp -Ct -m all
Perform snmpwalk as mentioned below with IPv6 address using SNMPv1
snmpwalk -v1 -c newcom 8901:DB8:0:1::2 -t 5 -r 20 1.3.6.1.2.1.31 -Cp -Ct -m all
#show snmp trap
-------------------------------------------------
Trap type Description Enabled
---------------------------------------------------
link linkUp yes
link linkDown yes
link linkWithIfname yes
vxlan notification yes
mpls notification yes
mpls pw yes
mpls pw delete yes
mpls-l3vpn notification yes
ospf notification yes
ospf6 notification yes
isis notification yes
snmp authentication yes
mpls rsvp yes
pim notification yes
vrrp notification yes
rib notification yes
bgp notification yes
As mentioned above, perform link down and link up of any interface in Router node. Check that SNMP trap is sent u