Simple Network Management Protocol (SNMP) works on the application layer of the OSI model. SNMP enables network administrators to manage network performance and to find and solve network problems. The SNMP system consists of the following three parts:
SNMP manager
SNMP agent
Management Information Base (MIB)
The SNMP manager can be part of a Network Management System (NMS) such as CiscoWorks. The agent and the MIB both reside on the router. An SNMP agent contains MIB variables that can be requested or changed by the SNMP manager. A manager can get a value from an agent or can store a value into an agent. The agent can also respond to a manager's request to get or set data. An agent can send unsolicited traps to the manager. Traps are messages to alert the manager to a certain condition on the network, such as improper user authentication, restarts, or link status.
Besides traps, an agent can send an inform request to the manager. The difference between a trap and an inform request is that a trap is unreliable and an inform request is reliable: the manager acknowledges an inform request with a response, but it sends nothing back for a trap, so an agent whose trap is lost never learns about it. The advantage of using a trap is that it consumes fewer resources on the router: a trap is discarded as soon as it is sent, whereas an inform request is held in memory until a response arrives or the request times out. Figures 15-4 and 15-5 illustrate the difference between traps and inform requests.
Figure 15-4 displays a trap that is sent from an agent to a manager. As you can see in the figure, from the agent's point of view there is no difference between a successful and an unsuccessful notification. If the trap is lost, the manager never learns that a message was sent, and the agent never learns that the message was not received by the manager.
Figure 15-5 shows a different story. If the inform request is sent to the manager and the manager receives it, the manager sends a response back to the agent. The agent knows that the inform request successfully reached its destination. But if the request does not reach its destination, the manager never responds. After a certain period of time, if the agent does not receive a response, the agent resends the inform request to the manager; the timeout and the number of retries are configurable on the router with the snmp-server informs command. The second time, the manager receives the message and replies with a response.
You can also see that there is more traffic in Figure 15-5 than in Figure 15-4. However, in Figure 15-5, the notification reaches the SNMP manager.
Cisco IOS software supports the following versions of SNMP:
SNMPv1 This is a full Internet standard protocol defined in RFC 1157. Security is based on community strings, which are discussed later in this chapter.
SNMPv2c This is an experimental Internet protocol defined in RFC 1901, RFC 1905, and RFC 1906. It improves on SNMPv1 (bulk retrieval, 64-bit counters) but keeps the same community-string security model, so it is no more secure than SNMPv1.
SNMPv3 This version of SNMP is an interoperable, standards-based protocol defined in RFCs 2273 to 2275. SNMPv3 provides secure access to devices through a combination of authentication and encryption of the packets over the network. It defines three security levels, which map onto the keywords used in the Cisco IOS commands later in this section: noAuthNoPriv (noauth: no authentication, no encryption), authNoPriv (auth: authenticated but not encrypted), and authPriv (priv: authenticated and encrypted).
There is no specific command to enable SNMP. The first snmp-server command that is entered enables the supported versions of SNMP. To configure SNMP, several tasks must be performed:
Create or modify access control for an SNMP community
Create or modify an SNMP view record
Specify an SNMP server engine name
Specify SNMP server group names
Configure SNMP server hosts
Configure SNMP server users
Monitor and troubleshoot SNMP status
Configure SNMP notifications
To define the relationship between an SNMP manager and the agent in SNMPv1 and SNMPv2c, you have to use an SNMP community string. The string acts like a password to get access to the agent on the router. Be aware that the community string travels in cleartext in every SNMPv1/v2c packet, so anyone who can capture management traffic learns it. Treat it as a secret, never leave it at the well-known defaults public and private, and combine it with the following optional parameters:
An access list of the SNMP managers that are permitted to use the community string to gain access (a standard IP access list, matched against the source address of the request)
Read-only (ro) or read-write (rw) access; grant rw only when a manager really has to set values on the router
The command to configure all this in global configuration mode is as follows:
Router(config)#snmp-server community string [view view-name] [ro | rw] [access-list-number]
It is possible to configure one or more community strings.
To limit which objects an SNMP manager can access, you can assign a view to community strings. You can use predefined views or create your own views. To create or modify an SNMP view record, the following command is used in global configuration mode:
Router(config)#snmp-server view view-name oid-tree {included | excluded}
The oid-tree argument is an object identifier subtree, given numerically (for example 1.3.6.1.2.1.1) or by name (for example system). Several snmp-server view commands with the same view-name together make up one view, so you can include a subtree and then exclude parts of it.
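As an added example (not from the chapter and not Cisco's own text): the weak community-string configuration found on many routers, followed by a hardened form that uses the view and access-list options of the two commands above. The community names, the ACL number 10, the view name NMS-RO-VIEW and the manager address 192.0.2.10 are assumptions.

```cisco
! Added example, not part of the original chapter. All names, addresses and
! the ACL number are assumptions.
!
! --- Weak: what the first "snmp-server community" command on many routers
! looks like. Well-known strings, read-write, no view, no access list: any
! host that can reach UDP/161 can read the whole MIB and change configuration.
snmp-server community public RO
snmp-server community private RW
!
! --- Hardened
! Remove the well-known strings first.
no snmp-server community public
no snmp-server community private
!
! Standard ACL 10: only the management station may use the string.
! Everything else hits the implicit deny at the end of the list.
access-list 10 permit host 192.0.2.10
!
! A view exposing only the system (1.3.6.1.2.1.1) and interfaces (1.3.6.1.2.1.2)
! groups. Lines with the same view name compose one view.
snmp-server view NMS-RO-VIEW 1.3.6.1.2.1.1 included
snmp-server view NMS-RO-VIEW 1.3.6.1.2.1.2 included
!
! One read-only community, bound to the view and the ACL. No RW string at all:
! if a manager must set values, use an SNMPv3 authPriv user instead.
snmp-server community Xk7-mon-R0ut3r-2q view NMS-RO-VIEW RO 10
!
! Verify from privileged EXEC:
!   show running-config | include snmp-server community
```

The access list matches the source address of a UDP datagram, which an attacker on the path can spoof, and the string itself is still sent in cleartext; the ACL and the view narrow the exposure but do not remove it. Where the manager supports it, SNMPv3 with the priv security level is the real fix.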
To configure a name for either the local or the remote SNMP engine on the router, use the snmp-server engineID global configuration command:
Router(config)#snmp-server engineID local engineid-string
Router(config)#snmp-server engineID remote ip-address [udp-port port-number] engineid-string
The engineid-string is a 24-character hexadecimal string. The router generates its local engine ID automatically, so in practice you configure remote engine IDs, and each must match the engine ID that the remote SNMPv3 entity actually uses.
To specify a new SNMP group or a table that maps SNMP users to SNMP views, use the following command in global configuration mode:
Router(config)#snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]
For a v3 group the security level is mandatory and is the minimum its users must use: priv requires both authentication and encryption, auth requires authentication only, and noauth requires neither. Omitting write means the group cannot set any object, which is the right default for a monitoring group.
To configure the recipient of an SNMP trap operation, the following command should be used in global configuration mode:
Router(config)#snmp-server host host-id [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port-number] [notification-type]
The default is traps with version 1. With version 3, the community-string argument is the SNMPv3 username the notification is sent as, and the security level (noauth if omitted) should be priv so that the contents of notifications are not readable on the wire. If no notification-type is given, every enabled notification type is sent to the host; if one or more are given, only those types go to this host.
To configure a new user to an SNMP group, use the following command in global configuration mode:
Router(config)#snmp-server user username groupname [remote ip-address [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv {des | 3des | aes {128 | 192 | 256}} priv-password]]} [access access-list]
A priv password can be given only together with an auth password, because the privacy key is derived by the same password-to-key procedure. Prefer sha over md5 and aes over des; the privacy ciphers offered depend on the IOS release and feature set. The encrypted keyword means the passwords are supplied as localized keys in hexadecimal rather than as cleartext. Note that snmp-server user commands are not shown in the running configuration; use show snmp user to verify them.
To configure a remote user, specify the IP address (and, if it is not the default 162, the UDP port) of the remote SNMP agent of the device where the user resides. Also, before you configure remote users for a particular agent, configure the SNMP engine ID using the snmp-server engineID command with the remote option. The remote agent's SNMP engine ID is needed when computing the authentication/privacy digests from the password: SNMPv3 localizes each user's keys to the engine ID of the entity they are used with, so the same password produces a different key for every engine. If the remote engine ID is not configured first, the configuration command will fail, and if the remote engine ID is changed later, the remote users must be reconfigured so that their keys are recomputed.
Several commands are available to monitor and troubleshoot SNMP, as described in Table 15-3.
Command | Purpose |
---|---|
show snmp | Monitors SNMP status (counters of packets received, errors, and traps and informs sent) |
show snmp engineID [local | remote] | Displays the local engine ID and all remote engines that have been configured on the router |
show snmp group | Displays information about each SNMP group configured on the router |
show snmp user | Displays information about each SNMP username in the SNMP user table |
If you want to monitor SNMP traffic in real time for the purpose of troubleshooting, several debug commands are also available. For documentation of SNMP debug commands, see the Cisco IOS Debug command reference:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122sup/122debug/
To configure a router to send traps or inform requests to a host, the following steps need to be taken:
Step 1. Specify the engine ID for the remote host (snmp-server engineID remote).
Step 2. Configure an SNMP user to be associated with the host in Step 1 (snmp-server user with the remote option).
Step 3. Configure an SNMP group (snmp-server group).
Step 4. Specify that you want the SNMP notifications sent as traps or informs, the version you want to use, and the security level of the notifications (for SNMPv3) (snmp-server host).
Step 5. Enable sending of traps or informs and specify the type of notification to be sent (snmp-server enable traps notification-type).
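The five steps as one working configuration, added here as an example; it is not the chapter's case study and not Cisco's text. The NMS address 192.0.2.10, the remote engine ID, the names NMS-GROUP, nmsuser and nmsinform, ACL 20, the view and the passwords are all assumptions, and the remote engine ID in particular must be replaced by the value the real NMS reports.

```cisco
! Added example, not the chapter's case study. Every address, name, engine ID
! and password below is an assumption.
!
! Step 1: engine ID of the remote NMS. SNMPv3 keys are localized to the engine
! ID, so this must exist before the remote user is created and must match the
! engine ID the NMS really uses (read it from the NMS; do not invent it).
snmp-server engineID remote 192.0.2.10 800000090300AABBCCDDEEFF
!
! Step 3, placed before step 2 so the group exists when the users refer to it.
! v3 priv: every user of this group must authenticate and encrypt (authPriv).
! Read-only view of mib-2, no write view, access restricted to the NMS by ACL 20.
access-list 20 permit host 192.0.2.10
snmp-server view NMS-RO-VIEW 1.3.6.1.2.1 included
snmp-server group NMS-GROUP v3 priv read NMS-RO-VIEW access 20
!
! Step 2: users. "nmsuser" is the local user the NMS polls with (and the one
! v3 traps would be sent as). "nmsinform" is a remote user, bound to the engine
! ID from step 1, because an inform is authenticated for the receiver's engine.
! SHA and AES rather than MD5 and DES.
snmp-server user nmsuser NMS-GROUP v3 auth sha Auth-Pass-8f3kQz2m priv aes 128 Priv-Pass-7wLp4Tn9
snmp-server user nmsinform NMS-GROUP remote 192.0.2.10 v3 auth sha Auth-Pass-8f3kQz2m priv aes 128 Priv-Pass-7wLp4Tn9
!
! Step 4: send notifications to the NMS as informs (acknowledged and retried),
! SNMPv3 at level priv, with the remote user in place of a community string.
! Replacing "informs" with "traps" and "nmsinform" with "nmsuser" would send
! unacknowledged traps instead.
snmp-server host 192.0.2.10 informs version 3 priv nmsinform
! How long to wait for an acknowledgement and how many times to retry an inform.
snmp-server informs retries 3 timeout 30
!
! Step 5: choose which events generate notifications at all. "authentication"
! reports failed SNMP authentication attempts, which is worth alerting on.
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps config
!
! Verify from privileged EXEC:
!   show snmp engineID    -> local ID and the remote ID from step 1
!   show snmp group       -> NMS-GROUP, security model v3 priv, its views
!   show snmp user        -> nmsuser and nmsinform with their engine IDs
!   show snmp host        -> 192.0.2.10, inform, version 3 priv, user nmsinform
```

Because the host entry names no notification-type, every type enabled in step 5 goes to the NMS; snmp-server enable traps with no keyword at all enables every notification the image supports, which is usually far more than a manager wants to receive. The NMS must be configured with the same two users and keys before informs are acknowledged; until then the router holds each inform until its retries are exhausted.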
An example of the use of SNMP is covered in the case study at the end of this chapter.