Any configuration changes made locally on the switch won't be synchronized with Sophos Central. We recommend making changes from the Sophos Central control panel instead.

SNMP

Simple Network Management Protocol (SNMP) is an application layer protocol designed to manage and monitor network devices. It's widely used for collecting information from, and configuring, devices such as servers, printers, hubs, switches, and routers on an Internet Protocol (IP) network. SNMP exchanges information between a network management system (NMS) and a network device, and a management station can monitor the switch over the network using SNMPv1, v2c, or v3. An SNMP-managed network consists of two components: agents and a manager.

An agent translates the local management information from the managed switch into a form compatible with SNMP. SNMP allows a manager and agents to communicate to access Management Information Bases (MIBs). SNMP uses an extensible design, where MIBs define the available information. MIBs describe the structure of the management data of a device subsystem; they use a hierarchical namespace containing Object Identifiers (OID). Each OID identifies a variable that can be read or set via SNMP.

The manager is the console through which network administrators perform network management functions.

Several versions of SNMP are supported: v1, v2c, and v3. SNMPv1, defined in RFC 1157 "A Simple Network Management Protocol (SNMP)", is a standard that defines how communication occurs between SNMP-capable devices and specifies the SNMP message types. Version 1 is the simplest and most basic version, and there may be times when it's required to support older hardware. SNMPv2c is defined in RFC 1901 "Introduction to Community-based SNMPv2", RFC 1905 "Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)", and RFC 1906 "Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2)". SNMPv2c updates the protocol operations by introducing a GetBulk request and authentication based on community names, and adds several enhancements such as support for "Informs". Because of this, v2c has become the most widely used version. Unfortunately, a major weakness of v1 and v2c is security. SNMPv3 adds security features that overcome the weaknesses in v1 and v2c. If possible, we recommend that you use v3, especially if you plan to transmit sensitive information across unsecured links. However, the extra security features make configuration a little more complex.

In SNMPv3, User-based Security Model (USM) authentication is implemented along with encryption, allowing you to configure a secure SNMP environment. The SNMPv3 protocol also uses different terminology from SNMPv1 and SNMPv2c. In the SNMPv1 and SNMPv2c protocols, the terms agent and manager are used; in the SNMPv3 protocol, agents and managers are both referred to as entities. With the SNMPv3 protocol, you create users and determine the protocol used for message authentication and whether data transmitted between two SNMP entities is encrypted.

The SNMPv3 protocol supports two authentication protocols: HMAC-MD5-96 (MD5) and HMAC-SHA-96 (SHA). Both MD5 and SHA use a hash algorithm to generate a message digest, and each authentication protocol authenticates a user by checking that digest. In addition, both protocols use keys to perform authentication. The keys for both protocols are generated locally from the Engine ID and the user password, which provides additional security because the resulting key is specific to that engine.

In SNMPv1 and SNMPv2c, user authentication is accomplished using a type of password called a community string, which is transmitted in clear text and offers no cryptographic authentication. Users can assign community strings that specify which MIB objects can be accessed by a remote SNMP manager.

The default community strings for the switch used for SNMPv1 and SNMPv2c management access are public, allowing authorized management stations to get MIB objects, and private, which allows authorized management stations to get and change MIB objects.

Global Settings

Simple Network Management Protocol (SNMP) is an OSI Layer 7 (Application Layer) protocol designed specifically for managing and monitoring network devices. The SNMP agent maintains a list of variables that are used to manage the device. The variables are defined in the Management Information Base (MIB), which provides a standard presentation of the information controlled by the on-board SNMP agent.

Option Description
SNMP State Turns on or turns off the SNMP function. The default SNMP global state is: Enabled.
Local Engine ID (10 to 64 hex characters) Enter the switch's Engine ID for the remote clients. An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection issues. The engine ID is also combined with user passwords to generate the security keys used for authenticating and encrypting SNMPv3 packets. Normally, a local engine ID that is unique to the switch is generated automatically. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all local SNMP users will be cleared, and you'll need to reconfigure all existing users.

Click Apply to update the system settings.
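The key derivation behind "the engine ID is combined with user passwords to generate security keys" (and behind the two authentication protocols described above) is the USM procedure from RFC 3414. The following is an added example, not Sophos code: it derives a localized key from a password and an engine ID and checks it against the RFC's published test vector; the second engine ID is a constructed value.

```python
# Added example (not Sophos code): RFC 3414 USM key derivation.
# Step 1 stretches the password to exactly 1 MiB and hashes it (Ku).
# Step 2 binds Ku to one engine: Kul = H(Ku || engineID || Ku).
import hashlib

MEGABYTE = 1048576  # RFC 3414 A.2: the password is repeated to exactly 1,048,576 bytes


def password_to_ku(password: bytes, hash_name: str) -> bytes:
    """Step 1: hash the password repeated cyclically until 1 MiB has been fed in."""
    h = hashlib.new(hash_name)
    repeats = MEGABYTE // len(password) + 1
    h.update((password * repeats)[:MEGABYTE])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Step 2: Kul = H(Ku || engineID || Ku), so the key is only valid on that engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)


# Test vector published in RFC 3414 Appendix A.3 (MD5 and SHA share these inputs).
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC_PASSWORD = b"maplesyrup"
# Constructed engine ID (not a real device) to show the effect of changing the Engine ID.
OTHER_ENGINE_ID = bytes.fromhex("800000090300010203040506")


def engine_change_invalidates_key(password: bytes) -> bool:
    """True when the same password yields different keys on two engines, which is why
    editing the switch's Local Engine ID clears every configured SNMPv3 user."""
    return localized_key(password, RFC_ENGINE_ID) != localized_key(password, OTHER_ENGINE_ID)


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        print(name, localized_key(RFC_PASSWORD, RFC_ENGINE_ID, name).hex())
    print("engine change invalidates key:", engine_change_invalidates_key(RFC_PASSWORD))
```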

User list

Use the User List page to create the SNMP users that managers authenticate with when using SNMPv3, and to associate those users with SNMP groups. Click Add to add a new user.

Option Description
Privilege Mode Select the No Auth, Auth, or Priv security level from the list.
No Auth: Neither authentication nor privacy is applied to the user's messages.
Auth: SNMP messages are authenticated, so the origin of each message is verified.
Priv: SNMP messages are authenticated and encrypted.
Authentication Protocol Select the method used to authenticate users.
MD5: Uses the HMAC-MD5-96 algorithm.
SHA: Uses the HMAC-SHA-96 algorithm.
Authentication Password Enter the password to be used for authentication with the selected protocol (MD5 or SHA).
Encryption Protocol Select the method used to encrypt SNMP messages.
None: No encryption is used.
DES: Uses the Data Encryption Standard algorithm.
Encryption Key Enter the key to be used for DES encryption.

Click the Apply button to accept the changes or the Cancel button to discard them.

Community List

In SNMPv1 and SNMPv2c, user authentication is accomplished using a type of password called a community string, which is transmitted in clear text and offers no cryptographic authentication. It's important to note that the community name functions as a password and can limit access to the SNMP agent from the SNMP network management station.

Click Add to add a community list to the switch. Next, name the community and choose the level of access granted to the specified list from the drop-down boxes.

Option Description
Community Name Enter the name of the SNMP community string.
Security Name Enter the security name of the group. The security names none, noAuthUser, templateMD5, and templateSHA are created once the switch is started.
Transport Tag This string specifies a set of target addresses from which the SNMP accepts SNMP requests and to which traps may be sent. The target addresses identified by this tag are defined in the “target address table”. If this string is empty, addresses aren't checked when an SNMP request is received or when a trap is sent. If this string isn't empty, the transport tag must be contained in the value of the “tag list” of at least one entry in the “target address table.”

Click the Apply button to accept the changes or the Cancel button to discard them.

Group List

Configure SNMP Groups to control network access on the switch by providing users in various groups with different management rights.

Option Description
Group Name Enter the group name that access control rules are applied to. The group name can contain up to 30 alphanumeric characters.
Security Mode Selects the SNMP version (v1, v2c, or v3) associated with the group.
Security Name Enter the security name of the group. The security names none, noAuthUser, templateMD5, and templateSHA are created once the switch is started.

Click the Apply button to accept the changes or the Cancel button to discard them.

Access List

Configure an SNMP Access List to allow SNMP access to the device. Access lists provide further protection when used in combination with other protective measures.

Option Description
Group Name Enter the group name that access control rules are applied to. The group name can contain up to 30 alphanumeric characters.
Security Mode Selects the SNMP version (v1, v2c, v3) associated with the group.
Privilege Mode Select No Auth, Auth, or Priv security levels from the list.
No auth: Neither authentication nor privacy security levels are assigned to the group.
Auth: Authenticates and ensures that the origin of the SNMP message is authenticated.
Priv: Encrypts SNMP messages.
Read View Select the SNMP view that the group may read; management access through this view is read-only.
Write View Select the SNMP view that the group may write to through the switch's SNMP agent.
Notify View Select the SNMP view that applies to SNMP trap messages generated by the switch's SNMP agent.

View List

SNMP uses an extensible design, where the available information is defined by Management Information Bases (MIBs). MIBs describe the structure of the management data of a device subsystem; they are organized as a hierarchical namespace of Object Identifiers (OIDs). Each OID identifies a variable that can be read or set via SNMP. The SNMP View List defines which MIB objects an SNMP management station can manage.

Click the Add button to create a new entry.

Option Description
View Name Enter the view name. The view name can contain up to 30 alphanumeric characters.
Subtree OID Enter the Object Identifier (OID) subtree. The OID identifies an object tree (MIB tree) that will be included in or excluded from access by an SNMP manager. Note that the first character must be a period (.). Wild cards can be used to mask a specific portion of the OID string; each sub-identifier is separated by a period (.).
Subtree Mask Select 0 or 1 for each position of the subtree mask. A 1 means the corresponding sub-identifier of the Subtree OID must match ("is concerned"); a 0 means that position is ignored as a wild card ("do not concern").
View Type Select whether the defined OID branch within the MIB tree will be Included in or Excluded from the selected SNMP view. Generally, if the view type of an entry is Excluded, another entry of view type Included should exist whose OID subtree overlaps the Excluded entry.

Click the Apply button to accept the changes or the Cancel button to discard them.
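To make the Subtree OID, Subtree Mask and View Type rules concrete, the following added example (not Sophos code) implements view matching the way the VACM model in RFC 3415 defines it: an OID is covered by the longest matching entry, mask bits of 0 act as wild cards, and an Excluded entry carves a hole out of an overlapping Included one. The sample view and OIDs are constructed for illustration.

```python
# Added example (not Sophos code): VACM view-family matching per RFC 3415,
# the model behind the View List's Subtree OID / Subtree Mask / View Type columns.
from typing import List, Tuple


def parse_oid(text: str) -> Tuple[int, ...]:
    """'.1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1); the leading period is accepted and dropped."""
    return tuple(int(p) for p in text.strip(".").split("."))


class ViewEntry:
    def __init__(self, subtree: str, mask: str, included: bool):
        self.subtree = parse_oid(subtree)
        # Mask: one bit per sub-identifier, 1 = must match ("is concerned"),
        # 0 = wild card ("do not concern"). A mask shorter than the subtree,
        # including the empty mask, is padded with 1s as RFC 3415 specifies.
        bits = [int(b) for b in mask.replace(".", "")]
        self.mask = tuple(bits + [1] * (len(self.subtree) - len(bits)))
        self.included = included

    def matches(self, oid: Tuple[int, ...]) -> bool:
        if len(oid) < len(self.subtree):
            return False
        return all(m == 0 or o == s for o, s, m in zip(oid, self.subtree, self.mask))


def oid_in_view(view: List[ViewEntry], oid_text: str) -> bool:
    """True if the OID is accessible: the longest matching entry decides, and on
    equal length the lexicographically greater subtree wins (RFC 3415 rule)."""
    oid = parse_oid(oid_text)
    best = None
    for e in view:
        if e.matches(oid) and (best is None or
                               (len(e.subtree), e.subtree) > (len(best.subtree), best.subtree)):
            best = e
    return best is not None and best.included


# Constructed sample view: all of mib-2, minus the ip group and minus the interface
# table, but with every column of ifEntry for ifIndex 3 re-included via a wild card.
SAMPLE_VIEW = [
    ViewEntry(".1.3.6.1.2.1", "", True),                 # mib-2 (empty mask = all 1s)
    ViewEntry(".1.3.6.1.2.1.4", "", False),              # ip group excluded
    ViewEntry(".1.3.6.1.2.1.2.2", "", False),            # ifTable excluded
    ViewEntry(".1.3.6.1.2.1.2.2.1.0.3", "1.1.1.1.1.1.1.1.1.0.1", True),  # ifEntry.*.3
]


def check(oid_text: str) -> bool:
    return oid_in_view(SAMPLE_VIEW, oid_text)
```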

Target Params

The target params table is used in conjunction with the target address table. It's required for all notification originators. It contains information about SNMP versions and security levels that is used when sending notifications to particular domains and addresses. This information is separate from the target address table to allow multiple rows in the target address table to correspond to a single row in the target params table. You can populate this table from information stored in non-volatile memory, or you can add entries as new targets are discovered.

Option Description
Target Parameter Name Enter the parameter name into the field. The parameter name can contain up to 30 alphanumeric characters.
Message Processing Model Selects the message processing model version (v1, v2c, or v3) associated with the group.
Security Mode Selects the security mode version (v1, v2c, or v3) associated with the group.
Security Name Enter the security name of the group. The security names none, noAuthUser, templateMD5, and templateSHA are created once the switch is started.
Privilege Mode Select No Auth, Auth, or Priv security levels from the list.
No auth: Neither authentication nor privacy security levels are assigned to the group.
Auth: Authenticates and ensures that the origin of the SNMP message is authenticated.
Priv: Encrypts SNMP messages.

Target Address

The target address table is required for all notification originators. It contains the domain and addressing information that allows applications, such as the notification originator, to determine where to send notifications. It also contains information about how often and how quickly packets should be retransmitted. You can populate this table from information stored in non-volatile memory, or you can add entries as new target addresses are discovered.

Option Description
Target Address Name Enter the address name into the field. The address name can contain up to 32 alphanumeric characters.
IP address Enter the target IP address into the field.
UDP Enter the UDP port used to send notifications.
Timeout Configurable only if the notify type is Informs. Enter the amount of time the device waits before resending an inform request. The default is 15 seconds.
Retry Configurable only if the notify type is Informs. Enter the amount of time the device waits before resending an inform request. The default is 3 seconds.
Tag Identifier Enter the Tag Identifier string into the field.
Target Parameter Select the target params entry (SNMP version and security settings) to use when sending notifications to this address.

Notify List

The SNMP Notify List defines the notifications the switch sends to an SNMP manager when an event occurs. You can restrict user privileges by specifying which portions of the MIBs a user can view, and in this way restrict which MIBs a user can display and modify for better security. You can also restrict the types of notifications sent per user by determining where messages are sent and what types of messages can be sent. The switch issues notifications indicating status changes, such as authentication failure messages and other notification messages.

Option Description
Notify Name Enter the notify name. The notify name can contain up to 32 alphanumeric characters.
Tag Identifier Enter the tag identifier string into the field.
Notify Type Select the type of notification to be sent.
Traps: Traps are sent.
Informs: Informs are sent ONLY when v2c is enabled.

Info

The recipient of a trap message does not send a response to the switch. Traps are therefore not as reliable as inform messages, which include a request for acknowledgment of receipt. Inform messages can be used to ensure that critical information is received by the host. However, please note that informs consume more system resources because they must be kept in memory until a response is received. Informs also add to network traffic. You should consider these effects when deciding whether to issue notifications as traps or informs.

Click the Apply button to accept the changes or the Cancel button to discard them.