Thank you to Wikipedia.com for the above diagram; I'm not sure it entirely helps explain the data flow, but it shows the components of SNMP (and yes, I've made my donation!)
This is a lot to cram into the brain, with a slam of complex topics toward the end, so I'd just try to keep the terminology / Port # 161 / mechanics down!
I just can't seem to recall the 8+ word syntax of user privileges when the exam clock is ticking, so I'd just be sure to know the main points of SNMP, and see how hard you get drilled on it on your exam!
That being said, SNMP is a “polling” protocol used to carry network management traffic over UDP port 161 between an SNMP Manager and SNMP Agents. Speaking of which, the 3 main components of SNMP are:
- The SNMP Manager
- The SNMP Agents
- The SNMP MIB (Management Information Base)
The MIB is a database that resides on the Agents and contains “variables” about the Agent (we will get to variables in a moment), but first let's see the two types of traffic sent from the Manager to its SNMP Agents:
- GET = A request for some form of information
- SET = A request that a certain variable be set to the value indicated in the SET
So from my understanding of this, the Manager defines the information it wants each individual Agent to retain based on what is SET for that Agent, so that it can send a GET at any time to request the defined SET information.
As mentioned above, the “polling” for events happens at set times, which would result in extremely slow notification of an event if the polling is not happening every 5 seconds; and if it is polling every 5 seconds, the network is going to take a big hit constantly on bandwidth and hardware resources (particularly the Managers).
The way to get a quick notification to the Manager without overloading it is to set SNMP Traps on managed devices, which allows the Agent to generate SNMP traffic to send to the Manager if a critical variable changes between GETs.
On a change of topic, there are 3 different flavors of SNMP currently in use: 1, 2c, and 3.
Versions 1 and 2c DO NOT have authentication and encryption, whereas v3 does, so there are some major security flaws in running them rather than v3 on your network.
If v1 or v2c are used, they should be using something called “SNMP Community strings”, which are a combination of password and authority level, and allow you to choose whether the access is read-only or read-write.
Now brace yourself for some huge output, as I want the modifiers to be seen here, but I will highlight in red what I am using for my input on this router:
R5(config)#snmp-server ?
chassis-id String to uniquely identify this chassis
community Enable SNMP; set community string and access privs
contact Text for mib object sysContact
context Create/Delete a context apart from default
drop Silently drop SNMP packets
enable Enable SNMP Traps
engineID Configure a local or remote SNMPv3 engineID
file-transfer File transfer related commands
group Define a User Security Model group
host Specify hosts to receive SNMP notifications
ifindex Enable ifindex persistence
inform Configure SNMP Informs options
ip IP ToS configuration for SNMP traffic
location Text for mib object sysLocation
manager Modify SNMP manager parameters
packetsize Largest SNMP packet size
queue-length Message queue length for each TRAP host
queue-limit Message queue size for different queues
source-interface Assign an source interface
system-shutdown Enable use of the SNMP reload command
tftp-server-list Limit TFTP servers used via SNMP
trap SNMP trap options
trap-source Assign an interface for the source address of all traps
trap-timeout Set timeout for TRAP message retransmissions
user Define a user who can access the SNMP engine
view Define an SNMP MIB view
R5(config)#snmp-server community ?
WORD SNMP community string
R5(config)#snmp-server community CCNP ?
<1-99> Std IP accesslist allowing access with this community string
<1300-1999> Expanded IP accesslist allowing access with this community string
WORD Access-list name
ipv6 Specify IPv6 Named Access-List
ro Read-only access with this community string
rw Read-write access with this community string
view Restrict this community to a named MIB view
<cr>
R5(config)#snmp-server community CCNP ro ?
<1-99> Std IP accesslist allowing access with this community string
<1300-1999> Expanded IP accesslist allowing access with this community string
WORD Access-list name
ipv6 Specify IPv6 Named Access-List
<cr>
R5(config)#snmp-server community CCNP ro 15 ?
<cr>
R5(config)#snmp-server community CCNP ro 15
R5(config)#
So the above command will allow the hosts permitted by ACL 15 to have read-only access to the SNMP objects specified by the community string.
SNMPv3 is more secure, but it is more complex to configure and the commands are a bit more long-winded:
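As an added example (not from the original post), here is a minimal decoder for the SNMP message header, i.e. the part a passive sensor on UDP port 161 can read: for v1/v2c it pulls the community string (such as the CCNP string configured above) straight out of the datagram, and for v3 it reads the msgFlags that carry the noauth/auth/priv level. The two sample packets are constructed here, and the v3 one is cut off after its header.

```python
# Added example (not from the original post): minimal BER decoding of an SNMP header.
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
V3_LEVELS = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}


def read_tlv(buf, off=0):
    """Return (tag, value_bytes, next_offset) for the BER TLV at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def children(seq_value):
    """Split the contents of a SEQUENCE into its (tag, value) children."""
    off, items = 0, []
    while off < len(seq_value):
        tag, val, off = read_tlv(seq_value, off)
        items.append((tag, val))
    return items


def inspect_snmp(packet):
    """Classify one SNMP datagram: version, security level, cleartext community."""
    tag, body, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    fields = children(body)
    version = VERSIONS.get(int.from_bytes(fields[0][1], "big"), "unknown")
    result = {"version": version, "community": None, "level": None, "findings": []}
    if version == "v3":
        # fields[1] is msgGlobalData; its third child is msgFlags (bit0 auth, bit1 priv)
        flags = children(fields[1][1])[2][1][0]
        result["level"] = V3_LEVELS.get(flags & 0x03, "invalid")
        if result["level"] != "authPriv":
            result["findings"].append(f"v3 without encryption ({result['level']})")
        return result
    # v1/v2c: the community string is the second field and travels in the clear
    result["community"] = fields[1][1].decode("ascii", "replace")
    result["level"] = "noAuthNoPriv"
    result["findings"].append(f"{version}: community string in cleartext")
    if fields[2][0] == 0xA3:              # SetRequest-PDU: a write with no auth/crypto
        result["findings"].append(f"{version}: SET request without authentication")
    return result


# Constructed samples: v2c GetRequest for sysName.0 with community "CCNP"; v3 header only
SAMPLE_V2C_GET = bytes.fromhex("3024020101040443434e50a01902012a02010002"
                               "0100300e300c06082b060102010105000500")
SAMPLE_V3 = bytes.fromhex("3014020103300d020101020205dc0401030201030400")
```

Run against real captures this is the kind of check a sensor uses to inventory which devices still speak v1/v2c on the network.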
R5(config)#snmp-server group CCNP v3 ?
auth group using the authNoPriv Security Level
noauth group using the noAuthNoPriv Security Level
priv group using SNMPv3 authPriv security level
R5(config)#snmp-server group CCNP v3
With the above output, it's really about breaking down each line in its entirety, individually:
- “auth” – group using the authNoPriv Security Level – As “Priv” refers to Privacy, i.e. encryption, this option offers Authentication but no encryption
- “noauth” – group using the noAuthNoPriv Security Level – Really flushing security down the toilet with this option: no Authentication and no Encryption
- “priv” – group using SNMPv3 authPriv security level – As discussed at the beginning of this post, and as indicated by authPriv, we have both Authentication and Encryption with this option in SNMPv3
Notice there wasn't a <cr> there, so let's look at the continuation of the ? output after that command to see what the options are:
R5(config)#snmp-server group CCNP v3 priv ?
access specify an access-list associated with this group
context specify a context to associate these views for the group
match context name match criteria
notify specify a notify view for the group
read specify a read view for the group
write specify a write view for the group
<cr>
Configuration is beyond the scope of the exam, but here are some key notes to keep in the back of your mind regarding the SNMPv3 options above:
- If no read view is defined, all objects can be read
- If no write view is defined, no objects can be written
- If no notify view is defined, group members are not sent notifications
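Added example, not from the original post: a small model of how a group's read, write and notify views gate one OID, with the three defaults above applied. View entries use the subtree plus included/excluded form of the "snmp-server view" command listed in the earlier help output, and when entries overlap the longest matching subtree wins, as in the VACM rules of RFC 3415; the view and group names and the sample OIDs are constructed.

```python
# Added example (not from the original post): read/write/notify view evaluation
# with the IOS defaults; longest matching subtree wins, as in RFC 3415 VACM.


def _arcs(oid):
    """'1.3.6.1.2.1.1.5.0' -> (1, 3, 6, 1, 2, 1, 1, 5, 0)."""
    return tuple(int(a) for a in oid.strip(".").split("."))


def oid_in_view(entries, oid):
    """entries: list of (subtree, 'included'|'excluded'). True if oid is visible."""
    target, best = _arcs(oid), None          # best = (subtree length, included?)
    for subtree, mode in entries:
        s = _arcs(subtree)
        if target[:len(s)] == s and (best is None or len(s) > best[0]):
            best = (len(s), mode == "included")
    return bool(best) and best[1]


def group_access(views, group, oid):
    """views: {name: entries}; group: {'read'|'write'|'notify': view name or None}.
    No read view = everything readable, no write view = nothing writable,
    no notify view = no notifications (the three IOS defaults)."""
    def check(kind, default_when_unset):
        name = group.get(kind)
        if name is None:
            return default_when_unset
        return oid_in_view(views.get(name, []), oid)   # unknown view: nothing visible
    return {"read": check("read", True),
            "write": check("write", False),
            "notify": check("notify", False)}


# Constructed sample: expose MIB-2 but hide the interfaces subtree (1.3.6.1.2.1.2)
VIEWS = {"SYSONLY": [("1.3.6.1.2.1", "included"), ("1.3.6.1.2.1.2", "excluded")]}
GROUP_NO_VIEWS = {"read": None, "write": None, "notify": None}
GROUP_SYSONLY = {"read": "SYSONLY", "write": "SYSONLY", "notify": "SYSONLY"}
SYSNAME, IFINOCTETS = "1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.2.2.1.10.1"
```

The first group shows why a v3 group with no views at all is still read-everything by default; binding an explicit read view is what narrows it.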
Speaking of users, I'll create a user here using SHA for authentication and AES 128-bit encryption, and as a warning this is going to be a LOT of output as I show the ? modifiers:
R5(config)#snmp-server user Dave ?
WORD Group to which the user belongs
R5(config)#snmp-server user Dave CCNP ?
remote Specify a remote SNMP entity to which the user belongs
v1 user using the v1 security model
v2c user using the v2c security model
v3 user using the v3 security model
R5(config)#snmp-server user Dave CCNP v3 ?
access specify an access-list associated with this group
auth authentication parameters for the user
encrypted specifying passwords as MD5 or SHA digests
<cr>
R5(config)#snmp-server user Dave CCNP v3 auth ?
md5 Use HMAC MD5 algorithm for authentication
sha Use HMAC SHA algorithm for authentication
R5(config)#snmp-server user Dave CCNP v3 auth sha ?
WORD authentication pasword for user
R5(config)#snmp-server user Dave CCNP v3 auth sha CCIE ?
access specify an access-list associated with this group
priv encryption parameters for the user
<cr>
R5(config)#snmp-server user Dave CCNP v3 auth sha CCIE priv ?
3des Use 168 bit 3DES algorithm for encryption
aes Use AES algorithm for encryption
des Use 56 bit DES algorithm for encryption
R5(config)#snmp-server user Dave CCNP v3 auth sha CCIE priv aes ?
128 Use 128 bit AES algorithm for encryption
192 Use 192 bit AES algorithm for encryption
256 Use 256 bit AES algorithm for encryption
R5(config)#snmp-server user Dave CCNP v3 auth sha CCIE priv aes 128 ?
WORD privacy pasword for user
R5(config)#snmp-server user Dave CCNP v3 auth sha CCIE priv aes 128 CCNA ?
access specify an access-list associated with this group
<cr>
R5(config)#snmp-server user Dave CCNP v3 auth sha CCIE priv aes 128 CCNA
R5(config)#
*Mar 19 04:24:28.623: Configuring snmpv3 USM user, persisting snmpEngineBoots. Please Wait…
R5(config)#
So I actually hit enter there without creating the above “group” config, just to see what happens, and I got this message. I am waiting for my router to start sparking or smoking, but apparently when you hit enter you start snmpEngineBoots.
So I hope the above ? output all looks fairly self-explanatory; it's just a mouthful to configure, which has me thankful it's beyond the scope of this course (I hope) 🙂
Now, to give you some output to chew on regarding configuring the traps, I won't actually be configuring one, but here is the output of the beginning of the configuration:
R5(config)#snmp-server host ?
WORD Hostname or IP address of SNMP notification host
http://<Hostname or A.B.C.D>[:<port number>][/<uri>] HTTP address of XML notification host
R5(config)#snmp-server host 172.12.15.1 ?
WORD SNMPv1/v2c community string or SNMPv3 user name
informs Send Inform messages to this host
traps Send Trap messages to this host
version SNMP version to use for notification messages
vrf VPN Routing instance for this host
R5(config)#snmp-server host 172.12.15.1 traps ?
WORD SNMPv1/v2c community string or SNMPv3 user name
version SNMP version to use for notification messages
R5(config)#snmp-server host 172.12.15.1 traps version ?
1 Use SNMPv1
2c Use SNMPv2c
3 Use SNMPv3
R5(config)#snmp-server host 172.12.15.1 traps version 3 ?
auth Use the SNMPv3 authNoPriv Security Level
noauth Use the SNMPv3 noAuthNoPriv Security Level
priv Use the SNMPv3 authPriv Security Level
R5(config)#snmp-server host 172.12.15.1 traps version 3 priv ?
WORD SNMPv1/v2c community string or SNMPv3 user name
R5(config)#snmp-server host 172.12.15.1 traps version 3 priv Dave ?
aaa_server Allow SNMP AAA traps
adslline Allow ADSL LINE-MIB traps
atm Allow SNMP atm traps
authenticate-fail Allow SNMP 802.11 Authentication Fail Trap
bgp Allow BGP state change traps
bulkstat Allow Data-Collection-MIB traps
c3g Allow Cellular 3G modem reset traps
call-home Allow SNMP CISCO-CALLHOME-MIB traps
cnpd Allow NBAR Protocol Discovery traps
config Allow SNMP config traps
config-copy Allow SNMP config-copy traps
config-ctid Allow SNMP config-ctid traps
cpu Allow cpu related traps
deauthenticate Allow SNMP 802.11 Deauthentication Trap
disassociate Allow SNMP 802.11 Disassociation Trap
dot11-mibs Allow dot11 traps
dot11-qos Allow SNMP 802.11 QoS Change Trap
ds0-busyout Allow ds0-busyout traps
ds1 Allow SNMP ds1 traps
ds1-loopback Allow ds1-loopback traps
dsp Allow SNMP DSP traps
eigrp Allow SNMP EIGRP traps
--More--
And on and on it goes; I won't drown you or myself looking back over the modifier output, but the main takeaway, if nothing else, is REMEMBER THOSE PRIVILEGE LEVELS AND WHAT THEY DO (auth, noauth, priv)! Also, that SNMPv3 is the only one that offers both authentication and encryption.
That should cover what is needed for the ROUTE exam. Next up is NTP and securing it, as it is possibly one of the most important protocols on your network for keeping all network devices working. This is especially true for Cisco Voice stuff, but that's a discussion for another day.