I will keep this brief and right to the points of SNMP, as it is St. Patricks Day night, and I really don’t have any other better plans… I’m just tired from work and its about nap time.

That being said, SNMP is a “polling” protocol used to carry network information traffic on UDP port 161, between an SNMP Manager and SNMP Agents., speaking of which the 3 main components of SNMP are:

  • The SNMP Manager
  • The SNMP Agents
  • The SNMP MIB (Management Information Base)

The MIB is a database that resides on agents, which contains “variables” about the agent, which we will get to variables in a moment, but first lets see the two types of traffic sent from the Manager to its SNMP Agents:

  • GET = A request for some form of information
  • SET = A request to request a certain variable be set to the value indicated in the SET

So from my understanding of this, the Manager defines the information it wants each individual Agent to retain based on what is SET for that Agent, so that it can send a GET at any time to request the defined SET information.

As mentioned above the “polling” for events at set times, which would result in extremely slow notification time if an event were to happen if the polling is not happening every 5 seconds, and if it is polling every 5 seconds the network is going to take a big hit constantly on bandwidth and hardware resources (particularly the Managers).

To get a quick notification to the Manager without overloading it, is to set SNMP Traps on managed devices, which allows the Agent to generate SNMP traffic to send to the Manager if a critical variable changes between GET’s.

On a change of topic, there are 3 different flavors of SNMP currently in use: 1, 2c, and 3.

Versions 1 and 2c DO NOT have authentication and encryption, whereas 3 does, so there is some major security flaws with running them rather than v3 on your network.

If v1 or v2c are used, they should be using something called “SNMP Community strings” which are is a combination of password and authority level, and allows to choose whether its read-only or read-write access.

Now brace yourself for some huge output as I want the modifiers to be seen here, but I will highlight in red what I am using for my input on this router:

R5(config)#snmp-server ?
  chassis-id        String to uniquely identify this chassis
  community         Enable SNMP; set community string and access privs
  contact           Text for mib object sysContact
  context           Create/Delete a context apart from default
  drop              Silently drop SNMP packets
  enable            Enable SNMP Traps
  engineID          Configure a local or remote SNMPv3 engineID
  file-transfer     File transfer related commands
  group             Define a User Security Model group
  host              Specify hosts to receive SNMP notifications
  ifindex           Enable ifindex persistence
  inform            Configure SNMP Informs options
  ip                IP ToS configuration for SNMP traffic
  location          Text for mib object sysLocation
  manager           Modify SNMP manager parameters
  packetsize        Largest SNMP packet size
  queue-length      Message queue length for each TRAP host
  queue-limit       Message queue size for different queues
  source-interface  Assign an source interface
  system-shutdown   Enable use of the SNMP reload command
  tftp-server-list  Limit TFTP servers used via SNMP
  trap              SNMP trap options
  trap-source       Assign an interface for the source address of all traps
  trap-timeout      Set timeout for TRAP message retransmissions
  user              Define a user who can access the SNMP engine
  view              Define an SNMP MIB view

R5(config)#snmp-server community ?
  WORD  SNMP community string

R5(config)#snmp-server community CCNP ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community
               string
  WORD         Access-list name
  ipv6         Specify IPv6 Named Access-List
  ro           Read-only access with this community string
  rw           Read-write access with this community string
  view         Restrict this community to a named MIB view
  <cr>

R5(config)#snmp-server community CCNP ro ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community
               string
  WORD         Access-list name
  ipv6         Specify IPv6 Named Access-List
  <cr>

R5(config)#snmp-server community CCNP ro 15 ?
  <cr>

R5(config)#snmp-server community CCNP ro 15
R5(config)#

So the above command will allow hosts defined in ACL 15 as permitted to have read-only access to SNMP objects specified by the community string.

With SNMP3, it is more secure, but it is more complex to configure and the commands are a bit more long winded to configure it:

R5(config)#snmp-server group CCNP v3 ?
  auth    group using the authNoPriv Security Level
  noauth  group using the noAuthNoPriv Security Level
  priv    group using SNMPv3 authPriv security level

R5(config)#snmp-server group CCNP v3

With the above output, it’s really about breaking down each line in it entirety, individually:

  1.  auth –  group using the authNoPriv Security Level – As Priv is referring to Privacy or Encryption, it is referring to this option offering Authentication, but no encryption
  2. noauth – group using the noAuthNoPriv Security Level – Really flushing security down the toilet with this option, no Authentication and no Encryption
  3. priv – group using SNMPv3 authPriv security level – As discussed in the beginning of this post, and indicated by authPriv, we do have Authentication and Encryption with this option using SNMPv3

Notice there wasn’t a <cr> there, so lets look at the continuation of the output of ? after that command to see what the options are:

R5(config)#snmp-server group CCNP v3 priv ?
  access   specify an access-list associated with this group
  context  specify a context to associate these views for the group
  match    context name match criteria
  notify   specify a notify view for the group
  read     specify a read view for the group
  write    specify a write view for the group
  <cr>

Configuration is beyond the scope of the exam, but some key notes to try to keep in the back of your mind regarding SNMPv3 options above:

  • If no read view is defined, all objects can be read
  • If no write view is defined, no objects can be written
  • If no notify view is defined, group members are not sent notifications

Speaking of users, I’ll create a user here use SHA for Auth and AES 128-bit encryption, and as a warning this is going to be a LOT of output as I show the ? modifiers:

R5(config)#snmp-server user Dave ?
  WORD  Group to which the user belongs

R5(config)#snmp-server user Dave CCNP ?
  remote  Specify a remote SNMP entity to which the user belongs
  v1      user using the v1 security model
  v2c     user using the v2c security model
  v3      user using the v3 security model

R5(config)#snmp-server user Dave CCNP v3 ?
  access     specify an access-list associated with this group
  auth       authentication parameters for the user
  encrypted  specifying passwords as MD5 or SHA digests
  <cr>

R5(config)#snmp-server user Dave CCNP v3 auth ?
  md5  Use HMAC MD5 algorithm for authentication
  sha  Use HMAC SHA algorithm for authentication

R5(config)#snmp-server user Dave CCNP v3 auth sha ?
  WORD  authentication pasword for user

R5(config)#snmp-server user Dave CCNP v3 auth sha CCIE ?
  access  specify an access-list associated with this group
  priv    encryption parameters for the user
  <cr>

R5(config)#snmp-server user Dave CCNP v3 auth sha CCIE priv ?
  3des  Use 168 bit 3DES algorithm for encryption
  aes   Use AES algorithm for encryption
  des   Use 56 bit DES algorithm for encryption

R5(config)#snmp-server user Dave CCNP v3 auth sha CCIE priv aes ?
  128  Use 128 bit AES algorithm for encryption
  192  Use 192 bit AES algorithm for encryption
  256  Use 256 bit AES algorithm for encryption

R5(config)#snmp-server user Dave CCNP v3 auth sha CCIE priv aes 128 ?
  WORD  privacy pasword for user

R5(config)#snmp-server user Dave CCNP v3 auth sha CCIE priv aes 128 CCNA ?
  access  specify an access-list associated with this group
  <cr>

R5(config)#snmp-server user Dave CCNP v3 auth sha CCIE priv aes 128 CCNA
R5(config)#
*Mar 19 04:24:28.623: Configuring snmpv3 USM user, persisting snmpEngineBoots. Please Wait…

R5(config)#

So I actually hit enter there without creating the above “group” config, just to see what happens, and I got this message. I am waiting for my routing to start sparking or smoking, but apparently when you hit enter you apparently start snmpEngineBoots.

So I hope the above ? output all looks fairly self explanatory, it’s just a mouthful to configure, which has me thankful its beyond the scope of this course (I hope) 🙂

Now to give you some output to chew on as to configuring the traps, I won’t actually be configuring one, but here is the output of the beginning of the configuration:

R5(config)#snmp-server host ?
  WORD                                                  Hostname or IP address
                                                        of SNMP notification
                                                        host
  http://<Hostname or A.B.C.D>[:<port number>][/<uri>]  HTTP address of XML
                                                        notification host

R5(config)#snmp-server host 172.12.15.1 ?
  WORD     SNMPv1/v2c community string or SNMPv3 user name
  informs  Send Inform messages to this host
  traps    Send Trap messages to this host
  version  SNMP version to use for notification messages
  vrf      VPN Routing instance for this host

R5(config)#snmp-server host 172.12.15.1 traps ?
  WORD     SNMPv1/v2c community string or SNMPv3 user name
  version  SNMP version to use for notification messages

R5(config)#snmp-server host 172.12.15.1 traps version ?
  1   Use SNMPv1
  2c  Use SNMPv2c
  3   Use SNMPv3

R5(config)#snmp-server host 172.12.15.1 traps version 3 ?
  auth    Use the SNMPv3 authNoPriv Security Level
  noauth  Use the SNMPv3 noAuthNoPriv Security Level
  priv    Use the SNMPv3 authPriv Security Level

R5(config)#snmp-server host 172.12.15.1 traps version 3 priv ?
  WORD  SNMPv1/v2c community string or SNMPv3 user name

R5(config)#snmp-server host 172.12.15.1 traps version 3 priv Dave ?
  aaa_server               Allow SNMP AAA traps
  adslline                 Allow ADSL LINE-MIB traps
  atm                      Allow SNMP atm traps
  authenticate-fail        Allow SNMP 802.11 Authentication Fail Trap
  bgp                      Allow BGP state change traps
  bulkstat                 Allow Data-Collection-MIB traps
  c3g                      Allow Cellular 3G modem reset traps
  call-home                Allow SNMP CISCO-CALLHOME-MIB traps
  cnpd                     Allow NBAR Protocol Discovery traps
  config                   Allow SNMP config traps
  config-copy              Allow SNMP config-copy traps
  config-ctid              Allow SNMP config-ctid traps
  cpu                      Allow cpu related traps
  deauthenticate           Allow SNMP 802.11 Deauthentication Trap
  disassociate             Allow SNMP 802.11 Disassociation Trap
  dot11-mibs               Allow dot11 traps
  dot11-qos                Allow SNMP 802.11 QoS Change Trap
  ds0-busyout              Allow ds0-busyout traps
  ds1                      Allow SNMP ds1 traps
  ds1-loopback             Allow ds1-loopback traps
  dsp                      Allow SNMP DSP traps
  eigrp                    Allow SNMP EIGRP traps
 –More–

And on and on it goes, which I won’t drown you or myself looking back on the modifier output, but the main take away if nothing else is REMEMBER THOSE PRIVILEGE LEVELS AND WHAT THEY DO (auth, noauth, priv)! Also, that SNMPv3 is the only one that offers both authentication and encryption.

That should cover what is needed for the ROUTE exam, next up is NTP and securing it, as it is possibly one of the most important protocols on your network to keep all network devices working. This is especially true for Cisco Voice stuff, but that’s a discussion for another day.