Network Security Fundamentals [Electronic resources] - text version

Gert De Laet, Gert Schauwers


Simple Network Management Protocol


Simple Network Management Protocol (SNMP) works on the application layer of the OSI model. SNMP enables network administrators to manage network performance and to find and solve network problems. The SNMP system consists of the following three parts:

  • SNMP manager

  • SNMP agent

  • Management Information Base (MIB)


The SNMP manager can be part of a Network Management System (NMS) such as CiscoWorks. The agent and the MIB both reside on the router. An SNMP agent contains MIB variables that can be requested or changed by the SNMP manager. A manager can get a value from an agent or can store a value into an agent. The agent can also respond to a manager's request to get or set data. An agent can send unsolicited traps to the manager. Traps are messages to alert the manager to a certain condition on the network, such as improper user authentication, restarts, or link status.

SNMP Notifications


Besides traps, an agent can send an inform request to the manager. The difference between a trap and an inform request is that a trap is unreliable and an inform request is reliable. If the manager does not receive an inform request, it sends no response to the agent; the manager responds only when an inform request actually arrives. The advantage of using a trap is that it consumes fewer resources on a router. Figures 15-4 and 15-5 illustrate the difference between traps and inform requests.

Figure 15-4. Trap Sent to SNMP Manager


Figure 15-5. Inform Request Sent to SNMP Manager


Figure 15-4 displays a trap that is sent from an agent to a manager. As you can see in the figure, there is no difference between a successful and an unsuccessful notification. The manager doesn't know that a message was sent, and the agent doesn't know that the message was not received by the manager.

Figure 15-5 shows a different story. If the inform request is sent to the manager and the manager receives it, the manager sends a response back to the agent. The agent knows that the inform request successfully reached its destination. But if the request does not reach its destination, the manager never responds. After a certain period of time, if the agent does not receive a response, the agent resends the inform request to the manager. The second time, the manager receives the message and replies with a response.

You can also see that there is more traffic in Figure 15-5 than in Figure 15-4. However, in Figure 15-5, the notification reaches the SNMP manager.
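As an added illustration (not from the book), the two exchanges of Figures 15-4 and 15-5 modelled in Python: a constructed lossy link drops the first datagram, so the trap vanishes without either side noticing, while the inform request is acknowledged on its second attempt. The class and function names and the sample notification are my own.

```python
from dataclasses import dataclass, field


@dataclass
class Manager:
    """SNMP manager side: records what arrives and acknowledges only informs."""
    received: list = field(default_factory=list)

    def receive(self, kind, pdu):
        self.received.append((kind, pdu))
        return kind == "inform"      # a trap gets no response (Figure 15-4)


class LossyLink:
    """Constructed UDP path that silently drops the first `drops` datagrams."""
    def __init__(self, drops=0):
        self.drops = drops

    def send(self, manager, kind, pdu):
        if self.drops > 0:
            self.drops -= 1
            return False             # lost in transit: neither side learns of it
        return manager.receive(kind, pdu)


def send_trap(link, manager, pdu):
    """Trap: sent once; the agent never learns whether it was delivered."""
    link.send(manager, "trap", pdu)


def send_inform(link, manager, pdu, max_attempts=3):
    """Inform: retransmit after each timeout until the manager's response arrives.
    Returns the attempt number that succeeded, or 0 if every attempt timed out."""
    for attempt in range(1, max_attempts + 1):
        if link.send(manager, "inform", pdu):
            return attempt
    return 0


def demo():
    """Reproduce Figures 15-4 and 15-5: the first datagram is lost in both cases."""
    pdu = {"notification": "linkDown", "ifIndex": 3}   # constructed sample
    m_trap = Manager()
    send_trap(LossyLink(drops=1), m_trap, pdu)
    m_inform = Manager()
    attempts = send_inform(LossyLink(drops=1), m_inform, pdu)
    return len(m_trap.received), len(m_inform.received), attempts
```

With one lost datagram, `demo()` returns `(0, 1, 2)`: the trap never reached the manager, the inform did, at the cost of a second transmission.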

SNMP Versions


Cisco IOS software supports the following versions of SNMP:

  • SNMPv1
    This is a full Internet standard protocol defined in RFC 1157. Security is based on community strings, which are discussed later in this chapter.

  • SNMPv2c
    This is an experimental Internet protocol defined in RFC 1901, RFC 1905, and RFC 1906.

  • SNMPv3
    This version of SNMP is an interoperable, standards-based protocol defined in RFCs 2273 to 2275. SNMPv3 provides secure access to devices through a combination of authentication and encryption of the packets over the network.


SNMP Configuration


There is no specific command to enable SNMP. The first snmp-server command that is entered enables the supported versions of SNMP. To configure SNMP, several tasks must be performed:

  • Create or modify access control for an SNMP community

  • Create or modify an SNMP view record

  • Specify an SNMP server engine name

  • Specify SNMP server group names

  • Configure SNMP server hosts

  • Configure SNMP server users

  • Monitor and troubleshoot SNMP status

  • Configure SNMP notifications


Create or Modify Access Control for an SNMP Community

To define the relationship between an SNMP manager and the agent, you have to use an SNMP community string. The string acts like a password to get access to the agent on the router. You can configure some optional parameters such as the following:

  • An access list of the SNMP managers that are permitted to use the community string to gain access

  • Read and write or read-only access

The command to configure all this in global configuration mode is as follows:

    Router(config)# snmp-server community string [view view-name] [ro | rw] [access-list-number]


It is possible to configure one or more community strings.

Create or Modify an SNMP View Record

To limit which objects an SNMP manager can access, you can assign a view to community strings. You can use predefined views or create your own views. To create or modify an SNMP view record, the following command is used in global configuration mode:

    Router(config)# snmp-server view view-name oid-tree {included | excluded}

Specify an SNMP Server Engine Name

To configure a name for either the local or the remote SNMP engine on the router, use the snmp-server engineID global configuration command.

    Router(config)# snmp-server engineID local engineid-string

Specify SNMP Server Group Names

To specify a new SNMP group or a table that maps SNMP users to SNMP views, use the following command in global configuration mode:

    Router(config)# snmp-server group [groupname {v1 | v2c | v3 [auth | noauth | priv]}] [read readview] [write writeview] [notify notifyview] [access access-list]

Configure SNMP Server Hosts

To configure the recipient of an SNMP trap operation, the following command should be used in global configuration mode:

    Router(config)# snmp-server host host-id [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port-number] [notification-type]

Configure SNMP Server Users

To configure a new user in an SNMP group, use the following command in global configuration mode:

    Router(config)# snmp-server user username groupname [remote ip-address [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password]} [access access-list]

To configure a remote user, specify the IP address or port number for the remote SNMP agent of the device where the user resides. Also, before you configure remote users for a particular agent, configure the SNMP engine ID using the snmp-server engineID command with the remote option. The remote agent's SNMP engine ID is needed when computing the authentication/privacy digests from the password. If the remote engine ID is not configured first, the configuration command will fail.

Monitor and Troubleshoot SNMP Status

Several commands are available to monitor and troubleshoot SNMP, as described in Table 15-3.

Table 15-3. Commands to Monitor and Troubleshoot SNMP

  Command                                Purpose
  show snmp                              Monitors SNMP status
  show snmp engineID [local | remote]    Displays information on all local or remote engines that have been configured on the router
  show snmp groups                       Displays information about each SNMP group on the network
  show snmp user                         Displays information about each SNMP username in the SNMP user table

If you want to monitor SNMP traffic in real time for the purpose of troubleshooting, several debug commands are also available. For documentation of SNMP debug commands, see the Cisco IOS Debug command reference:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122sup/122debug/

Configure SNMP Notifications

To configure a router to send traps or inform requests to a host, the following steps need to be taken:

Step 1. Specify the engine ID for the remote host.

    Router(config)# snmp-server engineID remote remote-ip-addr remote-engineID

Step 2. Configure an SNMP user to be associated with the host in step 1.

    Router(config)# snmp-server user username groupname [remote host [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password]} [access access-list]

Step 3. Configure an SNMP group.

    Router(config)# snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]

Step 4. Specify that you want the SNMP notifications sent as traps or informs, the version you want to use, and the security level of the notifications (for SNMPv3).

    Router(config)# snmp-server host host [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [notification-type]

Step 5. Enable sending of traps or informs and specify the type of notification to be sent.

    Router(config)# snmp-server enable traps [notification-type [notification-options]]
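The dependencies this section spells out (an access list on each community string, the remote engine ID configured before the remote user, SNMPv3 with priv when notifications must be encrypted) can be checked mechanically before a configuration is pushed. The Python audit below is an added example, not code from the book or from Cisco; its function names, the sample snmp-server lines and the engine ID in them are constructed.

```python
# Constructed IOS snmp-server fragment used to exercise the audit (not a real device).
SAMPLE_CONFIG = """\
snmp-server community public ro
snmp-server community private rw
snmp-server community ops rw 10
snmp-server user nmsuser nmsgroup remote 192.0.2.10 v3 auth sha Secret123
snmp-server engineID remote 192.0.2.10 800000090300AABBCCDDEEFF
snmp-server host 192.0.2.10 informs version 3 auth nmsuser
"""


def audit_snmp_config(text):
    """Walk snmp-server lines in order and return (line number, finding) pairs.

    The checks follow the command syntax in this chapter: an access-list-number is
    the last token of a community line, and 'snmp-server engineID remote' must
    precede 'snmp-server user ... remote' for the same address or the user command fails.
    """
    findings = []
    remote_engines = set()            # addresses whose remote engine ID is already set
    for lineno, line in enumerate(text.splitlines(), 1):
        w = line.split()
        if w[:2] == ["snmp-server", "community"]:
            mode = "rw" if "rw" in w else "ro"
            if not w[-1].isdigit():   # no access-list-number: any host may try the string
                findings.append((lineno, f"community '{w[2]}' ({mode}) has no access list"))
        elif w[:3] == ["snmp-server", "engineID", "remote"] and len(w) > 3:
            remote_engines.add(w[3])
        elif w[:2] == ["snmp-server", "user"] and "remote" in w:
            addr = w[w.index("remote") + 1]
            if addr not in remote_engines:
                findings.append((lineno, f"remote user '{w[2]}': engineID for {addr} not set yet, command will fail"))
            if "v3" not in w:
                findings.append((lineno, f"remote user '{w[2]}' is not SNMPv3: no authentication or encryption"))
        elif w[:2] == ["snmp-server", "host"]:
            kind = "informs" if "informs" in w else "traps"
            version = w[w.index("version") + 1] if "version" in w else "1"   # IOS default is v1
            if version != "3":
                findings.append((lineno, f"{kind} to {w[2]} use SNMPv{version}: community string sent in clear"))
            elif "priv" not in w:
                findings.append((lineno, f"{kind} to {w[2]} are SNMPv3 without priv: authenticated, not encrypted"))
    return findings


def finding_lines(text=SAMPLE_CONFIG):
    """Line numbers that need attention; usable as a quick pre-push gate."""
    return [lineno for lineno, _ in audit_snmp_config(text)]
```

On the sample above the audit flags lines 1, 2, 4 and 6: two community strings without an access list, a remote user entered before its engine ID, and informs that are authenticated but not encrypted.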


An example of the use of SNMP is covered in the case study at the end of this chapter.

