SNMP Support over VPNs--Context-Based Access Control
Last Updated: August 17, 2011
The SNMP Support over VPNs--Context-Based Access Control feature provides the infrastructure for multiple Simple Network Management Protocol (SNMP) context support in Cisco IOS software and VPN-aware MIB infrastructure using the multiple SNMP context support infrastructure.
Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for SNMP Support over VPNs--Context-Based Access Control
Information About SNMP Support over VPNs--Context-Based Access Control

SNMP Versions and Security

Cisco IOS software supports the following versions of SNMP:
For more information about SNMP versions, see the "Configuring SNMP Support" module in the Cisco IOS Network Management Configuration Guide.

SNMPv1 or SNMPv2 Security

SNMPv1 and SNMPv2 are not as secure as SNMPv3. SNMP versions 1 and 2 use plain-text communities and do not perform the authentication or security checks that SNMP version 3 performs. To configure the SNMP Support over VPNs--Context-Based Access Control feature when using SNMP version 1 or SNMP version 2, you need to associate a community name with a VPN. This association causes SNMP to process requests for a particular community string only if they arrive from the configured VRF. If the community string contained in the incoming packet does not have an associated VRF, the request is processed only if it came in through a non-VRF interface. This process prevents users outside the VPN from snooping a clear-text community string and using it to query the VPN's data. These methods of source address validation are not as secure as using SNMPv3.

SNMPv3 Security

If you are using SNMPv3, the security name should always be associated with authentication or privacy passwords. Source address validation is not performed on SNMPv3 users. To ensure that a VPN's user has access only to the context associated with that VPN and cannot see the MIB data of other VPNs, you must configure a minimum security level of AuthNoPriv. On a provider edge (PE) router, a community can be associated with a VRF to provide source address validation. However, on a customer edge (CE) router, if source address validation is to be provided, you must associate a source address with the community list by using an access control list. If you are using SNMPv3, the security name or security password of the users of a VPN should be unknown to users of other VPNs. Cisco recommends not using unauthenticated SNMPv3 users if you need the management information to be secure.
SNMP Notification Support over VPNs

The SNMP Notification Support over VPNs feature allows the sending and receiving of SNMP notifications (traps and informs) using VPN routing and forwarding (VRF) instance tables. In particular, this feature adds support to Cisco IOS software for the sending and receiving of SNMP notifications (traps and informs) specific to individual VPNs.

SNMP is an application-layer protocol that provides a message format for communication between SNMP managers and agents. A VPN is a network that provides high-connectivity transfers on a shared system with the same usage guidelines as a private network. A VPN can be built on the Internet over IP, Frame Relay, or ATM networks.

A VRF stores per-VPN routing data. It defines the VPN membership of a customer site attached to the network access server (NAS). A VRF consists of an IP routing table, a derived Cisco Express Forwarding (formerly known as CEF) table, and guidelines and routing protocol parameters that control the information that is included in the routing table.

The SNMP Support for VPNs--Context-Based Access Control feature provides configuration commands that allow users to associate SNMP agents and managers with specific VRFs. The associated VRF is used for the sending of SNMP notifications (traps and informs) and responses between agents and managers. If a VRF is not specified, the default routing table for the VPN is used.

VPN-Aware SNMP

The SNMP Support for VPNs--Context-Based Access Control feature extends the capabilities of the SNMP Notification Support for VPNs feature and enables SNMP to differentiate between incoming packets from different VPNs. When the SNMP Support for VPNs--Context-Based Access Control feature is configured, SNMP accepts requests on any configured VRF and returns responses to the same VRF. A trap host also can be associated with a specific VRF. The configured VRF is then used for sending out traps; otherwise, the default routing table is used.
You also can associate a remote user with a specific VRF. You also can configure the VRFs from which SNMP should accept requests. Any requests coming from VRFs that are not specified are dropped.

IP access lists can be configured and associated with SNMP community strings. This feature enables you to configure an association between VRF instances and SNMP community strings. When a VRF instance is associated with an SNMP community string, SNMP processes the requests coming in for a particular community string only if the requests are received from the configured VRF. If the community string contained in the incoming packet does not have a VRF associated with it, the community string will be processed only if it came in through a non-VRF interface.

You also can enable or disable authentication traps for SNMP packets dropped due to VRF mismatches. By default, if SNMP authentication traps are enabled, VRF authentication traps are also enabled.

VPN Route Distinguishers

A route distinguisher (RD) creates routing and forwarding tables and specifies the default route distinguisher for a VPN. The RD is added to the beginning of the customer's IPv4 prefixes to change them into globally unique VPN-IPv4 prefixes. The RD is either an autonomous system number (ASN)-relative RD, in which case it comprises an autonomous system number and an arbitrary number, or it is an IP-address-relative RD, in which case it comprises an IP address and an arbitrary number. You can enter an RD in either of these formats:
SNMP Contexts

SNMP contexts provide VPN users with a secure way of accessing MIB data. When a VPN is associated with a context, that VPN's specific MIB data exists in that context. Associating a VPN with a context enables service providers to manage networks with multiple VPNs. Creating and associating a context with a VPN enables a provider to prevent the users of one VPN from accessing information about other VPN users on the same networking device.

VPN-aware SNMP requires an agreement between SNMP manager and agent entities operating in a VPN environment on a mapping between the SNMP security name and the VPN ID. This mapping is created by using multiple contexts for the SNMP data of different VPNs through the configuration of the SNMP-VACM-MIB. The SNMP-VACM-MIB is configured with views so that a user on a VPN with a security name is allowed access to the restricted object space associated with a user's access type in the context associated with the user of that VPN.

SNMP request messages undergo three phases of security and access control before a response message is sent back with the object values in the context of a VPN:
How to Configure SNMP Support over VPNs--Context-Based Access Control
Configuring an SNMP Context and Associating the SNMP Context with a VPN

Perform this task to configure an SNMP context and to associate the SNMP context with a VPN.

Configuring SNMP Support and Associating an SNMP Context
Configuration Examples for SNMP Support over VPNs--Context-Based Access Control

Example Configuring Context-Based Access Control

The following configuration example shows how to configure the SNMP Support over VPNs--Context-Based Access Control feature for SNMPv3:
snmp-server context A
snmp-server context B
ip vrf CustomerA
 rd 100:110
 context A
 route-target export 100:1000
 route-target import 100:1000
!
ip vrf CustomerB
 rd 100:120
 context B
 route-target export 100:2000
 route-target import 100:2000
!
interface Ethernet3/1
 description Belongs to VPN A
 ip vrf forwarding CustomerA
 ip address 192.168.2.1 255.255.255.0
interface Ethernet3/2
 description Belongs to VPN B
 ip vrf forwarding CustomerB
 ip address 192.168.2.2 255.255.255.0
snmp-server user CustomerAv3authusr CustomerAv3grpauth v3 auth md5 passwdA
snmp-server user CustomerBv3authusr CustomerBv3grpauth v3 auth md5 passwdB
snmp-server group CustomerAv3grpauth v3 auth context A read CustomerAv3view write CustomerAv3view notify CustomerAv3view
snmp-server group CustomerBv3grpauth v3 auth context B read CustomerBv3view write CustomerBv3view notify CustomerBv3view
snmp-server view view1 internet included
snmp-server view view1 internet.6.3.16 included
snmp-server view view1 internet.6.3.17 included
snmp-server view view1 internet.6.3.18 included
snmp-server view CustomerAv3view ipForward included
snmp-server view CustomerAv3view ciscoPingMIB included
snmp-server view CustomerBv3view ipForward included
snmp-server view CustomerBv3view ciscoPingMIB included
! This community has no VRF association, so it is accepted only from a non-VRF interface
snmp-server community public view view1 rw
snmp-server enable traps
snmp-server host 192.168.2.3 vrf CustomerA version 3 auth CustomerAv3authusr udp-port 7002
snmp-server host 192.168.2.4 vrf CustomerB version 3 auth CustomerBv3authusr udp-port 7002

The following configuration example shows how to configure the SNMP Support over VPNs--Context-Based Access Control feature for SNMPv1 or SNMPv2:
snmp-server context A
snmp-server context B
ip vrf CustomerA
 rd 100:110
 context A
 route-target export 100:1000
 route-target import 100:1000
!
ip vrf CustomerB
 rd 100:120
 context B
 route-target export 100:2000
 route-target import 100:2000
!
interface Ethernet3/1
 description Belongs to VPN A
 ip vrf forwarding CustomerA
 ip address 192.168.2.1 255.255.255.0
interface Ethernet3/2
 description Belongs to VPN B
 ip vrf forwarding CustomerB
 ip address 192.168.2.2 255.255.255.0
snmp-server user commA grp1A v1
snmp-server user commA grp2A v2c
snmp-server user commB grp1B v1
snmp-server user commB grp2B v2c
snmp-server group grp1A v1 context A read viewA write viewA notify viewA
snmp-server group grp1B v1 context B read viewB write viewB notify viewB
snmp-server view viewA ipForward included
snmp-server view viewA ciscoPingMIB included
snmp-server view viewB ipForward included
snmp-server view viewB ciscoPingMIB included
snmp-server enable traps
snmp-server host 192.168.2.3 vrf CustomerA commA udp-port 7002
snmp-server host 192.168.2.4 vrf CustomerB commB udp-port 7002
! Configures source address validation for community commA
snmp mib community-map commA context A target-list commAvpn
! Configures source address validation for community commB
snmp mib community-map commB context B target-list commBvpn
! Configures the list of VRFs from which community commA is valid
snmp mib target list commAvpn vrf CustomerA
! Configures the list of VRFs from which community commB is valid
snmp mib target list commBvpn vrf CustomerB
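As an added example that is not part of the Cisco document, the following Python script models the community-to-VRF source validation rule described in the SNMPv1/SNMPv2 Security and VPN-Aware SNMP sections, applied to the community-map, target-list and community lines of the example above. The configuration excerpt is constructed from that example, and the request tuples (community, ingress VRF) are assumptions for illustration; the parser only recognises the three command forms it needs.

```python
import re

# Constructed excerpt of the document's SNMPv1/v2c example (assumption: these are
# the only lines that matter for the source-validation decision modelled here).
CONFIG = """
snmp mib community-map commA context A target-list commAvpn
snmp mib community-map commB context B target-list commBvpn
snmp mib target list commAvpn vrf CustomerA
snmp mib target list commBvpn vrf CustomerB
snmp-server community public view view1 rw
"""

def parse_config(text):
    """Return (community -> context, community -> target list, target list -> {VRFs})."""
    ctx, tlist, vrfs = {}, {}, {}
    for line in text.splitlines():
        m = re.match(r"snmp mib community-map (\S+) context (\S+) target-list (\S+)", line)
        if m:
            ctx[m[1]], tlist[m[1]] = m[2], m[3]
            continue
        m = re.match(r"snmp mib target list (\S+) vrf (\S+)", line)
        if m:
            vrfs.setdefault(m[1], set()).add(m[2])
            continue
        m = re.match(r"snmp-server community (\S+)", line)
        if m:
            ctx.setdefault(m[1], "")  # known community with no VRF binding
    return ctx, tlist, vrfs

def check_request(cfg, community, ingress_vrf):
    """Decide one request per the document's rule; ingress_vrf=None is a non-VRF interface.
    A bound community is accepted only from its target list's VRFs; an unbound community
    only from a non-VRF interface. Returns (accept, context, reason)."""
    ctx, tlist, vrfs = cfg
    if community not in ctx:
        return False, None, "unknown community"
    allowed = vrfs.get(tlist.get(community), set())
    if allowed:
        if ingress_vrf in allowed:
            return True, ctx[community], "VRF match"
        return False, None, "VRF mismatch (VRF authentication trap if enabled)"
    if ingress_vrf is None:
        return True, ctx[community] or "default", "non-VRF interface"
    return False, None, "unbound community received inside a VRF"

if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for req in [("commA", "CustomerA"), ("commA", "CustomerB"), ("public", None)]:
        print(req, "->", check_request(cfg, *req))
```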
Feature Information for SNMP Support over VPNs--Context-Based Access Control

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Glossary

MPLS VPN --Multiprotocol Label Switching Virtual Private Network.

NMS --Network Management System. System responsible for managing at least part of a network. An NMS is generally a reasonably powerful and well-equipped computer, such as an engineering workstation. NMSs communicate with agents to help keep track of network statistics and resources.

SNMP --Simple Network Management Protocol. Network management protocol used almost exclusively in TCP/IP networks. SNMP provides a means to monitor and control network devices and to manage configurations, statistics collection, performance, and security.

SNMP communities --Authentication scheme that enables an intelligent network device to validate SNMP requests.

SNMPv2c --Version 2c of the Simple Network Management Protocol. SNMPv2c supports centralized and distributed network management strategies and includes improvements in the Structure of Management Information (SMI), protocol operations, management architecture, and security.

SNMPv3 --Version 3 of the Simple Network Management Protocol. Interoperable standards-based protocol for network management. SNMPv3 provides secure access to devices by a combination of authenticating and encrypting packets over the network.

UDP --User Datagram Protocol. Connectionless transport layer protocol in the TCP/IP protocol stack. UDP is a simple protocol that exchanges datagrams without acknowledgments or guaranteed delivery, requiring that error processing and retransmission be handled by other protocols. UDP is defined in RFC 768.

VRF --A VPN routing and forwarding instance. A VRF consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine what goes into the forwarding table. In general, a VRF includes the routing information that defines a customer VPN site that is attached to a PE router.