
Network Diagnostics: Simple Network Management Protocol

Simple Network Management Protocol (SNMP) provides a way for network engineers to get reactive alerts when something changes in the network.

SNMP can be used to configure devices too, but this is less common.

SNMP can send traps to a SNMP collector or network management system in response to a change that has happened in the network.

These traps or events are defined as part of a management information base (MIB). The MIB is a database of parameters that are triggered by these network events.

There are three versions of SNMP: SNMPv1, SNMPv2c, and SNMPv3.

SNMPv1 uses a community string for authentication, and offers no encryption on data sent or received.

SNMPv2c again uses a community string for authentication with no encryption. It offers much better error handling and error code information over SNMPv1.

SNMPv3 is a major change from versions 1 and 2c. It can offer authentication based on HMAC-MD5 or HMAC-SHA algorithms in its authNoPriv mode.

SNMPv3 can go a step further in authPriv mode and offer encryption with Data Encryption Standard (DES) or Advanced Encryption Standard (AES).

As a result, SNMPv3 offers the most privacy and security options over the other two versions.

Offering username and password authentication over simple community strings is a major step for security in comparison to other versions.
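As an added example that is not part of the original post, the SNMPv3 USM authentication described above in Python: RFC 3414 password-to-key localization followed by HMAC-MD5-96/HMAC-SHA-96 over a message. The password and first engine ID are the RFC 3414 test vector; the second engine ID and the message bytes are constructed here.

```python
import hashlib
import hmac

STREAM_LEN = 1048576  # RFC 3414 A.2: password repeated to fill 1,048,576 octets
# Constructed snmpEngineID values (not from the post); real IDs are per agent.
ENGINE_A = bytes(11) + b"\x02"  # the RFC 3414 A.3 test-vector engine ID
ENGINE_B = bytes.fromhex("80000009030000c0ffee0001")  # a second, made-up agent

def password_to_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """Localized USM auth key (RFC 3414 A.2.1 for md5, A.2.2 for sha1).
    Step 1 hashes the 1 MiB repeated-password stream to get Ku; step 2 hashes
    Ku || engineID || Ku, binding the key to one agent, so the same password
    yields a different key on every device and a stolen key is not portable.
    """
    repeats = STREAM_LEN // len(password) + 1
    ku = hashlib.new(algo, (password * repeats)[:STREAM_LEN]).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()

def auth_params(key: bytes, wholemsg: bytes, algo: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: the 12-octet msgAuthenticationParameters.
    `wholemsg` is the serialized SNMPv3 message with that 12-octet field
    already zeroed, as RFC 3414 section 6 requires before computing the MAC.
    """
    return hmac.new(key, wholemsg, algo).digest()[:12]

def verify(key: bytes, wholemsg: bytes, tag: bytes, algo: str) -> bool:
    """Receiver-side check; constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(auth_params(key, wholemsg, algo), tag)

def demo(algo: str = "sha1") -> dict:
    """Show key localization and tamper detection on a constructed message."""
    password = b"maplesyrup"  # the RFC 3414 A.3 test-vector password
    msg = b"<constructed SNMPv3 wholeMsg with zeroed auth field>"
    key_a = password_to_key(password, ENGINE_A, algo)
    key_b = password_to_key(password, ENGINE_B, algo)
    tag = auth_params(key_a, msg, algo)
    return {
        "keys_differ_per_engine": key_a != key_b,
        "valid_on_agent_a": verify(key_a, msg, tag, algo),
        "rejected_on_agent_b": not verify(key_b, msg, tag, algo),
        "tamper_detected": not verify(key_a, msg + b"x", tag, algo),
    }

if __name__ == "__main__":
    print(demo("md5"), demo("sha1"))
```

The localized keys for "maplesyrup" on ENGINE_A match the RFC 3414 appendix A.3 vectors, which is a quick way to check an implementation against a real agent.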

SNMPv1 and SNMPv2c can use access lists to restrict SNMP access to whitelisted IP addresses only.

Community strings can be set to read-only or read-write, so a read-only string restricts SNMP access to an ‘observation-only’ mode.

If no version is specified on a network device, SNMPv1 is used by default.

SNMP Operations

For communications between a network management system and a network device, SNMP uses a number of operations:

get-request

Retrieve a value from a specific variable.

get-next-request

Retrieve a value from a variable within a table.

get-bulk-request

Retrieve a large block of data, such as multiple rows in a table, in one transaction rather than several.

get-response

Replies to a get-request or get-next-request.

set-request

Stores a value in a specific variable.

trap

Sends an unsolicited message from an SNMP agent to an SNMP manager when an event has occurred.

Defining an SNMP community

To define a secured SNMP community for SNMP v1 or v2c for the network 192.168.1.0:

access-list 10 permit 192.168.1.0 0.0.0.255
snmp-server community SNMPCOMM ro 10

The above creates a read-only community with the SNMP community string SNMPCOMM. Any network management server in the subnet 192.168.1.0 – 192.168.1.255 can poll the network device with the community string SNMPCOMM; requests from other addresses are dropped by access list 10.

Sending traps

A network device can be configured to send traps to a network management server:

snmp-server enable traps
snmp-server host 192.168.1.50 traps SNMPCOMM

The router can be configured to send only specific categories of traps by appending a trap category keyword to the first command, for example configuration-change traps only:

snmp-server enable traps config
