Simple Network Management Protocol (SNMP) provides a way for network engineers to get reactive alerts when something changes in the network.
SNMP can be used to configure devices too, but this is less common.
SNMP can send traps to an SNMP collector or network management system in response to a change that has happened in the network.
These traps or events are defined as part of a management information base (MIB). The MIB is a database of the parameters (managed objects) that these network events report on.
There are three versions of SNMP: SNMPv1, SNMPv2c, and SNMPv3.
SNMPv1 uses a community string for authentication, and offers no encryption on data sent or received.
SNMPv2c also uses a community string for authentication with no encryption. It offers much better error handling and error code information than SNMPv1.
SNMPv3 is a major change from versions 1 and 2c. It can offer authentication based on HMAC-MD5 or HMAC-SHA algorithms in its authNoPriv mode.
SNMPv3 can go a step further in authPriv mode and offer encryption with Data Encryption Standard (DES) or Advanced Encryption Standard (AES).
As a result, SNMPv3 offers the most privacy and security options of the three versions.
Username and password authentication, rather than simple community strings, is a major security improvement over the other versions.
SNMPv1 and SNMPv2c can use access lists to help secure access to the device by permitting only whitelisted IP addresses.
Community strings can be set to read-only or read-write, so SNMP agents can be restricted to an ‘observation-only’ mode if the string is set to read-only.
If no version is specified on a network device, SNMPv1 is used by default.
For communications between a network management system and a network device, SNMP uses a number of operations:
Get request: retrieves a value from a specific variable.
Get-next request: retrieves a value from the next variable, for example within a table.
Get-bulk request: retrieves a large block of data, such as multiple rows in a table, in one transaction rather than multiple.
Response: replies to a get-request or get-next request.
Set request: stores a value in a specific variable.
Trap: sends an unsolicited message from an SNMP agent to an SNMP manager when an event has occurred.
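As an added illustration (not part of the original notes), the Python below decodes the front of a constructed SNMPv2c get-request and maps its PDU tag to the operation names listed above. It makes the SNMPv1/v2c weakness concrete: the version and community string are plain BER fields at the start of every message, readable by anyone who can observe the packet. The sample message, the PDU_NAMES table, and all helper names are this example's own assumptions, built with the tiny encoder included here rather than taken from captured traffic.

```python
"""Decode the header of an SNMPv1/v2c message (constructed sample, not captured traffic).

Added example: shows that the version and community string are plain BER-encoded
fields at the front of every v1/v2c message, and maps the PDU tag to the operation
names used in SNMP (tags from RFC 1157 / RFC 3416).
"""
from dataclasses import dataclass

# PDU tags: context-specific, constructed (0xA0..0xA7)
PDU_NAMES = {
    0xA0: "get-request",
    0xA1: "get-next-request",
    0xA2: "get-response",
    0xA3: "set-request",
    0xA4: "trap (v1)",
    0xA5: "get-bulk-request",
    0xA6: "inform-request",
    0xA7: "trap (v2c/v3)",
}

# Wire value of the version field: v1 = 0, v2c = 1, v3 = 3
VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}

# Factory-default community strings; seeing one on the wire is worth an alert.
DEFAULT_COMMUNITIES = {"public", "private"}


def tlv(tag: int, body: bytes) -> bytes:
    """Minimal BER encoder (short and long definite length), used only to build the sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + body


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


@dataclass
class SnmpHeader:
    version: str
    community: str
    pdu: str
    request_id: int
    default_community: bool


def parse_header(msg: bytes) -> SnmpHeader:
    """Pull version, community, PDU type and request-id out of a v1/v2c message."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    version = int.from_bytes(ver, "big", signed=True)
    tag, comm, pos = read_tlv(body, pos)
    if tag != 0x04:
        # SNMPv3 carries a msgGlobalData SEQUENCE here instead of a community string
        raise ValueError("expected OCTET STRING community (not a v1/v2c message?)")
    pdu_tag, pdu, _ = read_tlv(body, pos)
    # request-id is the first INTEGER inside the PDU (v1 trap PDUs differ; not handled here)
    tag, rid, _ = read_tlv(pdu, 0)
    request_id = int.from_bytes(rid, "big", signed=True) if tag == 0x02 else -1
    community = comm.decode("ascii", errors="replace")
    return SnmpHeader(
        version=VERSION_NAMES.get(version, f"unknown({version})"),
        community=community,
        pdu=PDU_NAMES.get(pdu_tag, f"unknown(0x{pdu_tag:02x})"),
        request_id=request_id,
        default_community=community in DEFAULT_COMMUNITIES,
    )


def build_v2c_get(community: str, oid: bytes, request_id: int = 1) -> bytes:
    """Construct a sample SNMPv2c get-request (a test fixture, not captured traffic)."""
    varbind = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    pdu = tlv(0xA0,
              tlv(0x02, bytes([request_id])) +   # request-id (small positive values only)
              tlv(0x02, b"\x00") +               # error-status
              tlv(0x02, b"\x00") +               # error-index
              tlv(0x30, varbind))                # variable bindings
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, community.encode()) + pdu)


# sysDescr.0 = 1.3.6.1.2.1.1.1.0 in BER (the leading 1.3 collapses to 0x2B)
SYS_DESCR_0 = bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00])
SAMPLE = build_v2c_get("public", SYS_DESCR_0, request_id=7)

if __name__ == "__main__":
    print(parse_header(SAMPLE))
```

Running it prints the decoded header of the sample, with the community string recovered verbatim. The same few lines of BER parsing are what a passive sensor needs to flag default community strings or unexpected set-requests on the network.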
Defining an SNMP community
To define a secured SNMP community for SNMPv1 or v2c, restricted to the network 192.168.1.0/24:
access-list 10 permit 192.168.1.0 0.0.0.255
snmp-server community SNMPCOMM ro 10
The above will create a read-only community with the SNMP community string SNMPCOMM. Any network management server in the subnet 192.168.1.0 – 192.168.1.255 can poll the network device with the community string SNMPCOMM.
A network device can be configured to send traps to a network management server:
snmp-server enable traps
snmp-server host 192.168.1.50 traps SNMPCOMM
The router can be configured to send only specific categories of traps by appending a trap category to the first command, for example:
snmp-server enable traps config
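As an added example (not from the original notes), the Python below reviews the SNMP lines of a Cisco IOS configuration for the weaknesses this section describes: a community with no access-list, a read-write community, a factory-default string, an access-list that is referenced but never defined, and a device that still relies on v1/v2c community strings with no SNMPv3 authPriv group. SAMPLE_CONFIG is constructed for illustration and deliberately mixes the secured SNMPCOMM community from above with two weak ones; the function and finding texts are this example's own.

```python
"""Audit the SNMP section of a Cisco IOS configuration for the weaknesses discussed above.

Added example, not from the original page: a small config reviewer for the commands
shown in this section. SAMPLE_CONFIG is constructed for illustration.
"""
from typing import List, Optional, Tuple

# Factory-default community strings; they should never appear in production config.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample: one community secured with an ACL, two weak ones, a trap host.
SAMPLE_CONFIG = """\
access-list 10 permit 192.168.1.0 0.0.0.255
snmp-server community SNMPCOMM ro 10
snmp-server community public ro
snmp-server community admin rw 20
snmp-server enable traps config
snmp-server host 192.168.1.50 traps SNMPCOMM
"""


def parse_community(line: str) -> Tuple[str, str, Optional[str]]:
    """Split 'snmp-server community <string> [view V] [ro|rw] [ipv6 N] [acl]' into (string, mode, acl)."""
    tokens = line.split()[2:]
    name, rest = tokens[0], tokens[1:]
    mode, acl = "ro", None          # IOS defaults to read-only when neither ro nor rw is given
    i = 0
    while i < len(rest):
        t = rest[i].lower()
        if t in ("view", "ipv6"):   # these keywords consume one argument each
            i += 2
            continue
        if t in ("ro", "rw"):
            mode = t
        else:
            acl = rest[i]           # anything else is the access-list number or name
        i += 1
    return name, mode, acl


def parse_host(line: str) -> Tuple[str, str, str]:
    """Return (address, version, community_or_user) from an 'snmp-server host' line."""
    tokens = line.split()[2:]
    addr, rest = tokens[0], tokens[1:]
    version = "1"                   # IOS default when no version keyword is given
    i = 0
    while i < len(rest):
        t = rest[i].lower()
        if t in ("traps", "informs"):
            i += 1
        elif t == "version":
            version = rest[i + 1]
            i += 2
            if version == "3":      # v3 hosts carry a security level before the username
                i += 1
        else:
            return addr, version, rest[i]
    return addr, version, ""


def audit_snmp_config(config: str) -> List[str]:
    """Return one finding per weakness: no ACL, dangling ACL, read-write, default string, no SNMPv3."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    defined_acls = {ln.split()[1] for ln in lines if ln.startswith("access-list ")}
    has_v3_priv = any(ln.startswith("snmp-server group ") and " v3 priv" in ln for ln in lines)
    findings: List[str] = []
    has_community = False
    for ln in lines:
        if ln.startswith("snmp-server community "):
            has_community = True
            name, mode, acl = parse_community(ln)
            if acl is None:
                findings.append(f"{name}: no access-list, any source IP can poll with this community")
            elif acl not in defined_acls:
                findings.append(f"{name}: references access-list {acl}, which is not defined in this config")
            if mode == "rw":
                findings.append(f"{name}: read-write community, device configuration can be changed over SNMP")
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"{name}: factory-default community string")
        elif ln.startswith("snmp-server host "):
            _, version, cred = parse_host(ln)
            if version != "3" and cred.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"trap host uses factory-default community {cred}")
    if has_community and not has_v3_priv:
        findings.append("only SNMPv1/v2c communities configured; no SNMPv3 authPriv group, "
                        "so credentials travel in cleartext")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp_config(SAMPLE_CONFIG):
        print(finding)
```

On the sample it reports nothing for SNMPCOMM (read-only and bound to a defined ACL), flags public for having no ACL and being a default string, flags admin for being read-write and pointing at an undefined access-list 20, and notes the absence of any SNMPv3 authPriv group. Feed it the output of show running-config | include snmp-server|access-list to review a real device.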