Cisco Virtual Security Gateway for Nexus 1000V Series Switch Configuration Guide, Release 4.2(1)VSG1(4.1)
Cisco Virtual Security Gateway SNMP Configuration
Downloads: This chapterpdf (PDF - 130.0KB) The complete bookPDF (PDF - 2.63MB) | Feedback

Configuring SNMP

Table Of Contents

Configuring SNMP

Information About SNMP

SNMP Functional Overview

SNMP Notifications

SNMPv3

Security Models and Levels for SNMPv1, v2, v3

User-Based Security Model

CLI and SNMP User Synchronization

Group-Based SNMP Access

High Availability

Guidelines and Limitations

Configuring SNMP

Verifying the SNMP Configuration

Additional References

Related Documents

Standards

MIBs

Feature History for SNMP


Configuring SNMP


This chapter describes how to configure the Simple Network Management Protocol (SNMP) for the Cisco Virtual Security Gateway (VSG).

This chapter includes the following sections:

Information About SNMP

Guidelines and Limitations

Configuring SNMP

Verifying the SNMP Configuration

Additional References

Feature History for SNMP

Information About SNMP

SNMP is an application-layer protocol that provides a message format for communication between SNMP managers and agents. SNMP provides a standardized framework and a common language used for the monitoring and management of devices in a network. This section includes the following topics:

SNMP Functional Overview

SNMP Notifications

SNMPv3

High Availability

SNMP Functional Overview

The SNMP framework consists of three parts:

An SNMP manager—The system used to control and monitor the activities of network devices using SNMP.

An SNMP agent—The software component within the managed device that maintains the data for the device and reports these data, as needed, to managing systems. The Cisco VSG supports the agent and MIB. To enable the SNMP agent, you must define the relationship between the manager and the agent.

A managed information base (MIB)—The collection of managed objects on the SNMP agent.

SNMP is defined in RFCs 3411 to 3418.


Note SNMP role-based access control (RBAC) is not supported. Both SNMPv1 and SNMPv2c use a community-based form of security.


SNMP Notifications

A key feature of SNMP is the ability to generate notifications from an SNMP agent. These notifications do not require that requests be sent from the SNMP manager. Notifications can indicate improper user authentication, restarts, the closing of a connection, loss of a connection to a neighbor router, or other significant events.

SNMP notifications are generated as either traps or informs. A trap is an asynchronous, unacknowledged message sent from the agent to the SNMP managers listed in the host receiver table. Informs are asynchronous messages sent from the SNMP agent to the SNMP manager which the manager must acknowledge receipt of.

Traps are less reliable than informs because the SNMP manager does not send any acknowledgment when it receives a trap. The Cisco VSG cannot determine if the trap was received. An SNMP manager that receives an inform request acknowledges the message with an SNMP response protocol data unit (PDU). If the Cisco VSG never receives a response, it can send the inform request again. You can configure the Cisco VSG to send notifications to multiple host receivers.

SNMPv3

SNMPv3 provides secure access to devices by a combination of authenticating and encrypting frames over the network. The security features provided in SNMPv3 are as follows:

Message integrity—Ensures that a packet has not been tampered with in-transit.

Authentication—Determines that the message is from a valid source.

Encryption—Scrambles the packet contents to prevent it from being seen by unauthorized sources.

SNMPv3 provides for both security models and security levels. A security model is an authentication strategy that is set up for a user and the role in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP packet.

This section includes the following topics:

Security Models and Levels for SNMPv1, v2, v3

User-Based Security Model

CLI and SNMP User Synchronization

Group-Based SNMP Access

Security Models and Levels for SNMPv1, v2, v3

The security level determines if an SNMP message needs to be protected from disclosure and if the message needs to be authenticated.

The various security levels that exist within a security model are as follows:

noAuthNoPriv—Security level that does not provide authentication or encryption.

authNoPriv—Security level that provides authentication but does not provide encryption.

authPriv—Security level that provides both authentication and encryption.

Three security models are available: SNMPv1, SNMPv2c, and SNMPv3. The security model combined with the security level determine the security mechanism applied when the SNMP message is processed. Table 5-1 identifies what the combinations of security models and levels mean.

Table 5-1 SNMP Security Models and Levels

Model
Level
Authentication
Encryption
What Happens

v1

noAuthNoPriv

Community string

No

Uses a community string match for authentication.

v2c

noAuthNoPriv

Community string

No

Uses a community string match for authentication.

v3

noAuthNoPriv

Username

No

Uses a community string match for authentication.

v3

authNoPriv

HMAC-MD5 or HMAC-SHA

No

Provides authentication based on the Hash-Based Message Authentication Code (HMAC) Message Digest 5 (MD5) algorithm or the HMAC Secure Hash Algorithm (SHA).

v3

authNoPriv

HMAC-MD5 or HMAC-SHA

DES

Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides Data Encryption Standard (DES) 56-bit encryption in addition to authentication based on the Cipher Block Chaining (CBC) DES (DES-56) standard.


User-Based Security Model

The SNMPv3 User-Based Security Model (USM) refers to SNMP message-level security and offers the following services:

Message integrity—Ensures that messages have not been altered or destroyed in an unauthorized manner and that data sequences have not been altered to an extent greater than can occur nonmaliciously.

Message origin authentication—Ensures that the claimed identity of the user on whose behalf received data was originated is confirmed.

Message confidentiality—Ensures that information is not made available or disclosed to unauthorized individuals, entities, or processes.

SNMPv3 authorizes management operations only by configured users and encrypts SNMP messages.

Cisco VSG uses two authentication protocols for SNMPv3:

HMAC-MD5-96 authentication protocol

HMAC-SHA-96 authentication protocol

Cisco VSG uses the Advanced Encryption Standard (AES) as one of the privacy protocols for SNMPv3 message encryption. AES conforms with RFC 3826.

The priv option offers a choice of DES or 128-bit AES encryption for SNMP security encryption. The priv option with the aes-128 token indicates that this privacy password is for generating a 128-bit AES key. The AES priv password can have a minimum of eight characters. If the passphrases are specified in clear text, you can specify a maximum of 64 case-sensitive, alphanumeric characters. If you use the localized key, you can specify a maximum of 130 alphanumeric characters. For an SNMPv3 operation that uses the external AAA server, you must use AES for the privacy protocol in the user configuration on the external AAA server.

CLI and SNMP User Synchronization

SNMPv3 user management can be centralized at the Access Authentication and Accounting (AAA) server level. This centralized user management allows the SNMP agent in the Cisco VSG to leverage the user authentication service of the AAA server. Once user authentication is verified, the SNMP PDUs are processed further. Additionally, the AAA server is also used to store user group names. SNMP uses the group names to apply the access/role policy that is locally available in the switch.

Any configuration changes made to the user group, role, or password results in database synchronization for both SNMP and AAA.

Cisco VSG synchronizes user configuration in the following ways:

The authentication passphrase specified in the snmp-server user command becomes the password for the CLI user.

The password specified in the username command becomes the authentication and privacy passphrases for the SNMP user.

If you delete a user using either SNMP or the CLI, the user is deleted for both SNMP and the CLI.

User-role mapping changes are synchronized in SNMP and the CLI.

Role changes (deletions or modifications) from the CLI are synchronized to SNMP.


Note When you configure the passphrase/password in the localized key/encrypted format, the Cisco VSG does not synchronize the password.


The Cisco NX-OS software holds the synchronized user configuration for 60 minutes by default.

Group-Based SNMP Access


Note Because group is a standard SNMP term used industry-wide, this document refers to roles as groups in this SNMP chapter.


SNMP access rights are organized by groups. Each group in SNMP is similar to a role through the CLI. Each group is defined with read-only access or read-write access. You can begin communicating with the agent after your username is created, your roles are set up by your administrator, or you are added to the roles.

High Availability

Stateless restarts for SNMP are supported. After a reboot or supervisor switchover, the running configuration is applied.

Guidelines and Limitations

SNMP has the following configuration guidelines and limitations:

Read-only access to some SNMP MIBs is supported. See the Cisco NX-OS MIB support list at the following URL for more information: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

SNMP role-based access control (RBAC) is not supported.

The SNMP set command is supported by the following Cisco MIBs:

CISCO-IMAGE-UPGRADE-MIB

CISCO-CONFIG-COPY-MIB

Configuring SNMP

For SNMP configuration, see the Cisco Virtual Network Management Center GUI Configuration Guide at http://www.cisco.com/en/US/docs/unified_computing/vnmc/sw/1.3/VNMC_GUI_Configuration/b _VNMC_GUI_Configuration_Guide_1_3.pdf.

Verifying the SNMP Configuration

To display the SNMP configuration, perform one of the following tasks:

Table 5-2 SNMP Configuration

Command
Purpose

show running-config snmp [all]

Displays the SNMP running configuration.

show snmp

Displays the SNMP status.

show snmp community

Displays the SNMP community strings.

show snmp context

Displays the SNMP context mapping.

show snmp engineID

Displays the SNMP engine ID.

show snmp group

Displays SNMP roles.

show snmp session

Displays SNMP sessions.

show snmp trap

Displays the SNMP enabled or disabled notifications .

show snmp user

Displays SNMPv3 users.


Additional References

For additional information related to implementing SNMP, see the following sections:

Related Documents

Standards

MIBs

Related Documents

Related Topic
Document Title

Complete command syntax, command modes, command history, defaults, usage guidelines, and examples

Cisco Virtual Security Gateway for Nexus 1000V Series Switch Command Reference, Release 4.2(1)VSG1(4)


Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIBs
MIBs Link

CISCO-TC

SNMPv2-MIB

SNMP-COMMUNITY-MIB

SNMP-FRAMEWORK-MIB

SNMP-NOTIFICATION-MIB

SNMP-TARGET-MIB

ENTITY-MIB

IF-MIB

CISCO-ENTITY-EXT-MIB

CISCO-ENTITY-FRU-CONTROL-MIB

CISCO-FLASH-MIB

CISCO-IMAGE-MIB

CISCO-VIRTUAL-NIC-MIB

CISCO-ENTITY-VENDORTYPE-OID-MIB

NOTIFICATION-LOG-MIB

IANA-ADDRESS-FAMILY-NUMBERS-MIB

IANAifType-MIB

IANAiprouteprotocol-MIB

HCNUM-TC

To locate and download MIBs, go to the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.sht ml

CISCO-VLAN-MEMBERSHIP-MIB

CISCO-SYSTEM-MIB

CISCO-SYSTEM-EXT-MIB

ISCO-IMAGE-MIB

CISCO-IMAGE-UPGRADE-MIB

CISCO-BRIDGE-MIB

CISCO-CONFIG-COPY-MIB

CISCO-SYSLOG-EXT-MIB

CISCO-PROCESS-MIB

CISCO-AAA-SERVER-MIB

CISCO-AAA-SERVER-EXT-MIB

CISCO-COMMON-ROLES-MIB

CISCO-COMMON-MGMT-MIB

CISCO-UNIFIED-FIREWALL-MIB

 

Feature History for SNMP

Table 5-3 lists the feature history for SNMP:

Table 5-3

Feature Name
Release
Feature information

SNMP

4.0(4)SV1(1)

This feature was introduced.