-
Cisco Nexus 6000 Series NX-OS System Management Configuration Guide, Release 6.0(2)N1(1)
-
Preface
-
Overview
-
Configuring Switch Profiles
-
Configuring Module Pre-Provisioning
-
Using Cisco Fabric Services
-
Configuring User Accounts and RBAC
-
Configuring Session Manager
-
Configuring Online Diagnostics
-
Configuring System Message Logging
-
Configuring Smart Call Home
-
Configuring Rollback
-
Configuring DNS
-
Configuring SNMP
-
Configuring RMON
-
Configuring SPAN
-
Configuring ERSPAN
-
Index
-
Feedback
Contents
- Configuring SNMP
- Information About SNMP
- SNMP Functional Overview
- SNMP Notifications
- SNMPv3
- Security Models and Levels for SNMPv1, v2, v3
- User-Based Security Model
- CLI and SNMP User Synchronization
- Group-Based SNMP Access
- Licensing Requirements for SNMP
- Guidelines and Limitations for SNMP
- Default SNMP Settings
- Configuring SNMP
- Configuring SNMP Users
- Enforcing SNMP Message Encryption
- Assigning SNMPv3 Users to Multiple Roles
- Creating SNMP Communities
- Filtering SNMP Requests
- Configuring SNMP Notification Receivers
- Configuring SNMP Notification Receivers with VRFs
- Filtering SNMP Notifications Based on a VRF
- Configuring a Source Interface for Sending Out All SNMP Notifications
- Configuring a Host Receiver for SNMP Notifications
- Configuring SNMP for Inband Access
- Enabling SNMP Notifications
- Configuring Link Notifications
- Disabling Link Notifications on an Interface
- Enabling One-Time Authentication for SNMP over TCP
- Assigning SNMP Switch Contact and Location Information
- Configuring the Context to Network Entity Mapping
- Disabling SNMP
- Verifying SNMP Configuration
Configuring SNMP
This chapter contains the following sections:
- Information About SNMP
- Licensing Requirements for SNMP
- Guidelines and Limitations for SNMP
- Default SNMP Settings
- Configuring SNMP
- Disabling SNMP
- Verifying SNMP Configuration
Information About SNMP
SNMP Functional Overview
The SNMP framework consists of three parts:
- An SNMP manager—The system used to control and monitor the activities of network devices using SNMP.
- An SNMP agent—The software component within the managed device that maintains the data for the device and reports these data, as needed, to managing systems. The Cisco Nexus device supports the agent and MIB. To enable the SNMP agent, you must define the relationship between the manager and the agent.
- A managed information base (MIB)—The collection of managed objects on the SNMP agent
Note
Cisco NX-OS does not support SNMP sets for Ethernet MIBs.
The Cisco Nexus device supports SNMPv1, SNMPv2c and SNMPv3. Both SNMPv1 and SNMPv2c use a community-based form of security.
Cisco NX-OS supports SNMP over IPv6.
SNMP is defined in RFC 3410 (http://tools.ietf.org/html/rfc3410), RFC 3411 (http://tools.ietf.org/html/rfc3411), RFC 3412 (http://tools.ietf.org/html/rfc3412), RFC 3413 (http://tools.ietf.org/html/rfc3413), RFC 3414 (http://tools.ietf.org/html/rfc3414), RFC 3415 (http://tools.ietf.org/html/rfc3415), RFC 3416 (http://tools.ietf.org/html/rfc3416), RFC 3417 (http://tools.ietf.org/html/rfc3417), RFC 3418 (http://tools.ietf.org/html/rfc3418), and RFC 3584 (http://tools.ietf.org/html/rfc3584).
SNMP Notifications
A key feature of SNMP is the ability to generate notifications from an SNMP agent. These notifications do not require that requests be sent from the SNMP manager. Notifications can indicate improper user authentication, restarts, the closing of a connection, loss of connection to a neighbor router, or other significant events.
Cisco NX-OS generates SNMP notifications as either traps or informs. A trap is an asynchronous, unacknowledged message sent from the agent to the SNMP managers listed in the host receiver table. Informs are asynchronous messages sent from the SNMP agent to the SNMP manager which the manager must acknowledge receipt of.
Traps are less reliable than informs because the SNMP manager does not send any acknowledgment when it receives a trap. The switch cannot determine if the trap was received. An SNMP manager that receives an inform request acknowledges the message with an SNMP response protocol data unit (PDU). If the Cisco Nexus device never receives a response, it can send the inform request again.
You can configure Cisco NX-OS to send notifications to multiple host receivers.
SNMPv3
SNMPv3 provides secure access to devices by a combination of authenticating and encrypting frames over the network. The security features provided in SNMPv3 are the following:
- Message integrity—Ensures that a packet has not been tampered with in-transit.
- Authentication—Determines the message is from a valid source.
- Encryption—Scrambles the packet contents to prevent it from being seen by unauthorized sources.
SNMPv3 provides for both security models and security levels. A security model is an authentication strategy that is set up for a user and the role in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP packet.
- Security Models and Levels for SNMPv1, v2, v3
- User-Based Security Model
- CLI and SNMP User Synchronization
- Group-Based SNMP Access
Security Models and Levels for SNMPv1, v2, v3
The security level determines if an SNMP message needs to be protected from disclosure and if the message needs to be authenticated. The various security levels that exist within a security model are as follows:
- noAuthNoPriv—Security level that does not provide authentication or encryption.
- authNoPriv—Security level that provides authentication but does not provide encryption.
- authPriv—Security level that provides both authentication and encryption.
Three security models are available: SNMPv1, SNMPv2c, and SNMPv3. The security model combined with the security level determine the security mechanism applied when the SNMP message is processed.
Table 1 SNMP Security Models and Levels Model
Level
Authentication
Encryption
What Happens
v1
noAuthNoPriv
Community string
No
Uses a community string match for authentication.
v2c
noAuthNoPriv
Community string
No
Uses a community string match for authentication.
v3
noAuthNoPriv
Username
No
Uses a username match for authentication.
v3
authNoPriv
HMAC-MD5 or HMAC-SHA
No
Provides authentication based on the Hash-Based Message Authentication Code (HMAC) Message Digest 5 (MD5) algorithm or the HMAC Secure Hash Algorithm (SHA).
v3
authPriv
HMAC-MD5 or HMAC-SHA
DES
Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides Data Encryption Standard (DES) 56-bit encryption in addition to authentication based on the Cipher Block Chaning (CBC) DES (DES-56) standard.
User-Based Security Model
SNMPv3 User-Based Security Model (USM) refers to SNMP message-level security and offers the following services:
- Message integrity—Ensures that messages have not been altered or destroyed in an unauthorized manner and that data sequences have not been altered to an extent greater than can occur non-maliciously.
- Message origin authentication—Ensures that the claimed identity of the user on whose behalf received data was originated is confirmed.
- Message confidentiality—Ensures that information is not made available or disclosed to unauthorized individuals, entities, or processes.
SNMPv3 authorizes management operations only by configured users and encrypts SNMP messages.
Cisco NX-OS uses two authentication protocols for SNMPv3:
Cisco NX-OS uses Advanced Encryption Standard (AES) as one of the privacy protocols for SNMPv3 message encryption and conforms with RFC 3826.
The priv option offers a choice of DES or 128-bit AES encryption for SNMP security encryption. The priv option along with the aes-128 token indicates that this privacy password is for generating a 128-bit AES key.The AES priv password can have a minimum of eight characters. If the passphrases are specified in clear text, you can specify a maximum of 64 characters. If you use the localized key, you can specify a maximum of 130 characters.
Note
For an SNMPv3 operation using the external AAA server, you must use AES for the privacy protocol in user configuration on the external AAA server.
CLI and SNMP User Synchronization
SNMPv3 user management can be centralized at the Access Authentication and Accounting (AAA) server level. This centralized user management allows the SNMP agent in Cisco NX-OS to leverage the user authentication service of the AAA server. Once user authentication is verified, the SNMP PDUs are processed further. Additionally, the AAA server is also used to store user group names. SNMP uses the group names to apply the access/role policy that is locally available in the switch.
Any configuration changes made to the user group, role, or password results in database synchronization for both SNMP and AAA.
Cisco NX-OS synchronizes user configuration in the following ways:
- The auth passphrase specified in the snmp-server user command becomes the password for the CLI user.
- The password specified in the username command becomes as the auth and priv passphrases for the SNMP user.
- If you create or delete a user using either SNMP or the CLI, the user is created or deleted for both SNMP and the CLI.
- User-role mapping changes are synchronized in SNMP and the CLI.
- Role changes (deletions or modifications from the CLI are synchronized to SNMP.
Note
When you configure passphrase/password in localized key/encrypted format, Cisco NX-OS does not synchronize the user information (passwords, rules, etc.).
Group-Based SNMP Access
Note
Because group is a standard SNMP term used industry-wide, roles are referred to as groups in this SNMP section.
SNMP access rights are organized by groups. Each group in SNMP is similar to a role through the CLI. Each group is defined with three accesses: read access, write access, and notification access. Each access can be enabled or disabled within each group.
You can begin communicating with the agent once your user name is created, your roles are set up by your administrator, and you are added to the roles.
Guidelines and Limitations for SNMP
Cisco NX-OS supports read-only access to Ethernet MIBs.
For more information about supported MIBs, see the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Configuring SNMP
Configuring SNMP Users
Procedure
NoteThe commands used to configure SNMP users in Cisco NX-OS are different from those used to configure users in Cisco IOS.
Enforcing SNMP Message Encryption
You can configure SNMP to require authentication or encryption for incoming requests. By default the SNMP agent accepts SNMPv3 messages without authentication and encryption. When you enforce privacy, Cisco NX-OS responds with an authorization error for any SNMPv3 PDU request using security level parameter of either noAuthNoPriv or authNoPriv.
Use the following command in global configuration mode to enforce SNMP message encryption for a specific user.
Command
Purpose
switch(config)# snmp-server user name enforcePriv Enforces SNMP message encryption for this user.
Use the following command in global configuration mode to enforce SNMP message encryption for all users.
Filtering SNMP Requests
You can assign an access list (ACL) to a community to filter incoming SNMP requests. If the assigned ACL allows the incoming request packet, SNMP processes the request. If the ACL denies the request, SNMP drops the request and sends a system message.
Create the ACL with the following parameters:
The ACL applies to both IPv4 and IPv6 over UDP and TCP. After creating the ACL, assign the ACL to the SNMP community.
TipFor more information on creating ACLs, see the NX-OS Security Configuration Guide for the Cisco Nexus Series software that you are using.
Use the following command in global configuration mode to assign an ACL to a community to filter SNMP requests:
Configuring SNMP Notification Receivers
You can configure Cisco NX-OS to generate SNMP notifications to multiple host receivers.
You can configure a host receiver for SNMPv1 traps in a global configuration mode.
Command
Purpose
switch(config)# snmp-server host ip-address traps version 1 community [udp_port number] Configures a host receiver for SNMPv1 traps. The ip-address can be an IPv4 or IPv6 address. The community can be any alphanumeric string up to 255 characters. The UDP port number range is from 0 to 65535.
You can configure a host receiver for SNMPv2c traps or informs in a global configuration mode.
Command
Purpose
switch(config)# snmp-server host ip-address {traps | informs} version 2c community [udp_port number] Configures a host receiver for SNMPv2c traps or informs. The ip-address can be an IPv4 or IPv6 address. The community can be any alphanumeric string up to 255 characters. The UDP port number range is from 0 to 65535.
You can configure a host receiver for SNMPv3 traps or informs in a global configuration mode.
Command
Purpose
switch(config)# snmp-server host ip-address {traps | informs} version 3 {auth | noauth | priv} username [udp_port number] Configures a host receiver for SNMPv2c traps or informs. The ip-address can be an IPv4 or IPv6 address. The username can be any alphanumeric string up to 255 characters. The UDP port number range is from 0 to 65535.
Note
The SNMP manager must know the user credentials (authKey/PrivKey) based on the SNMP engineID of the Cisco Nexus device to authenticate and decrypt the SNMPv3 messages.
The following example shows how to configure a host receiver for an SNMPv1 trap:
switch(config)# snmp-server host 192.0.2.1 traps version 1 publicThe following example shows how to configure a host receiver for an SNMPv2 inform:
switch(config)# snmp-server host 192.0.2.1 informs version 2c publicThe following example shows how to configure a host receiver for an SNMPv3 inform:
switch(config)# snmp-server host 192.0.2.1 informs version 3 auth NMSConfiguring SNMP Notification Receivers with VRFs
ProcedureYou can configure Cisco NX-OS to use a configured VRF to reach the host receiver. SNMP adds entries into the cExtSnmpTargetVrfTable of the CISCO-SNMP-TARGET-EXT-MIB when you configure the VRF reachability and filtering options for an SNMP notification receiver.
NoteYou must configure the host before configuring the VRF reachability or filtering options.
Filtering SNMP Notifications Based on a VRF
ProcedureYou can configure Cisco NX-OS filter notifications based on the VRF in which the notification occurred.
Configuring a Source Interface for Sending Out All SNMP Notifications
ProcedureYou can configure SNMP to use the IP address of an interface as the source IP address for notifications. When a notification is generated, its source IP address is based on the IP address of this configured interface.
NoteConfiguring the source interface IP address for outgoing trap packets does not guarantee that the device will use the same interface to send the trap. The source interface IP address defines the source address inside of the SNMP trap and the connection is opened with the address of the egress interface as source.
Complete the following steps to configure a source interface for sending out all SNMP notifications:
What to Do NextThis example shows how to configure a source interface to sending out SNMPv2c traps:
switch# configure terminal switch(config) # snmp-server source-interface traps ethernet 2/1
To display information about configured source interfaces, enter the show snmp source-interface command.
Configuring a Host Receiver for SNMP Notifications
Procedure
NoteThis configuration overrides the global source interface configuration.
Complete the following steps to configure a host receiver on a source interface responsible for receiving all SNMP notifications:
What to Do NextTo the following example configures a source interface responsible for receiving all SNMP notifications:
switch# config t switch(config) # snmp-server host 192.0.2.1 source-interface ethernet 2/1
To display information about configured source interface, enter the show snmp source-interface command.
Configuring SNMP for Inband Access
ProcedureYou can configure SNMP for inband access using the following:
- Using SNMP v2 without context—You can use a community which is mapped to a context. In this case the SNMP client does not need to know about the context.
- Using SNMP v2 with context—The SNMP client needs to specify the context by specifying a community, for example, <community>@<context>.
- Using SNMP v3—You can specify the context.
The following SNMPv2 example shows how to map a community named snmpdefault to a context:
switch# config t Enter configuration commands, one per line. End with CNTL/Z. switch(config)# snmp-server context def vrf default switch(config)# snmp-server community snmpdefault group network-admin switch(config)# snmp-server mib community-map snmpdefault context def switch(config)#The following SNMPv2 example shows how to configure and inband access to the community comm which is not mapped:
switch# config t Enter configuration commands, one per line. End with CNTL/Z. switch(config)# snmp-server context def vrf default switch(config)# snmp-server community comm group network-admin switch(config)#The following SNMPv3 example shows how to use a v3 username and password:
switch# config t Enter configuration commands, one per line. End with CNTL/Z. switch(config)# snmp-server context def vrf default switch(config)#Enabling SNMP Notifications
You can enable or disable notifications. If you do not specify a notification name, Cisco NX-OS enables all notifications.
Note
The snmp-server enable traps CLI command enables both traps and informs, depending on the configured notification host receivers.
The following table lists the CLI commands that enable the notifications for Cisco NX-OS MIBs.
Table 3 Enabling SNMP Notifications MIB
Related Commands
All notifications
snmp-server enable traps
BRIDGE-MIB
snmp-server enable traps bridge newroot
snmp-server enable traps bridge topologychange
CISCO-AAA-SERVER-MIB
snmp-server enable traps aaa
ENITY-MIB, CISCO-ENTITY-FRU-CONTROL-MIB, CISCO-ENTITY-SENSOR-MIB
snmp-server enable traps entity
snmp-server enable traps entity fru
CISCO-LICENSE-MGR-MIB
snmp-server enable traps license
IF-MIB
snmp-server enable traps link
CISCO-PSM-MIB
snmp-server enable traps port-security
SNMPv2-MIB
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
CISCO-FCC-MIB
snmp-server enable traps fcc
CISCO-DM-MIB
snmp-server enable traps fcdomain
CISCO-NS-MIB
snmp-server enable traps fcns
CISCO-FCS-MIB
snmp-server enable traps fcs discovery-complete
snmp-server enable traps fcs request-reject
CISCO-FDMI-MIB
snmp-server enable traps fdmi
CISCO-FSPF-MIB
snmp-server enable traps fspf
CISCO-PSM-MIB
snmp-server enable traps port-security
CISCO-RSCN-MIB
snmp-server enable traps rscn
snmp-server enable traps rscn els
snmp-server enable traps rscn ils
CISCO-ZS-MIB
snmp-server enable traps zone
snmp-server enable traps zone default-zone-behavior-change
snmp-server enable traps zone enhanced-zone-db-change
snmp-server enable traps zone merge-failure
snmp-server enable traps zone merge-success
snmp-server enable traps zone request-reject
snmp-server enable traps zone unsupp-mem
CISCO-CONFIG-MAN-MIB
Note Supports no MIB objects except the following notification: ccmCLIRunningConfigChanged
snmp-server enable traps config
Note
The license notifications are enabled by default.
To enable the specified notification in the global configuration mode, perform one of the following tasks:
Command
Purpose
switch(config)# snmp-server enable traps Enables all SNMP notifications.
switch(config)# snmp-server enable traps aaa [server-state-change] Enables the AAA SNMP notifications.
switch(config)# snmp-server enable traps entity [fru] Enables the ENTITY-MIB SNMP notifications.
switch(config)# snmp-server enable traps license Enables the license SNMP notification.
switch(config)# snmp-server enable traps port-security Enables the port security SNMP notifications.
switch(config)# snmp-server enable traps snmp [authentication] Enables the SNMP agent notifications.
Configuring Link Notifications
ProcedureYou can configure which linkUp/linkDown notifications to enable on a device. You can enable the following types of linkUp/linkDown notifications:
- Cisco—Cisco NX-OS sends only the Cisco-defined notifications (cieLinkUp, cieLinkDow in CISCO-IF-EXTENSION-MIB.my), if ifLinkUpDownTrapEnable (defined in IF-MIB) is enabled for that interface.
- IETF—Cisco NX-OS sends only the IETF-defined notifications (linkUp, linkDown in IF-MIB) with only the defined varbinds, if ifLinkUpDownTrapEnable (defined in IF-MIB) is enabled for that interface.
- IEFT extended—Cisco NX-OS sends only the IETF-defined notifications (linkUp, linkDown defined in IF-MIB), if ifLinkUpDownTrapEnable (defined in IF-MIB) is enabled for that interface. Cisco NX-OS adds additional varbinds specific to Cisco Systems in addition to the varbinds defined in the IF-MIB. This is the default setting.
- IEFT Cisco—Cisco NX-OS sends the notifications (linkUp, linkDown) defined in IF-MIB and notifications (cieLinkUp, cieLinkDown) defined in CISCO-IF-EXTENSION-MIB.my , if ifLinkUpDownTrapEnable (defined in IF-MIB) is enabled for that interface. Cisco NX-OS sends only the varbinds defined in the linkUp and linkDown notifications.
- IEFT extended Cisco—Cisco NX-OS sends the notifications (linkUp, linkDown) defined in IF-MIB and notifications (cieLinkUp, cieLinkDown) defined in CISCO-IF-EXTENSION-MIB.my, if ifLinkUpDownTrapEnable (defined in IF-MIB) is enabled for that interface. Cisco NX-OS adds additional varbinds specific to Cisco Systems in addition to the varbinds defined in the IF-MIB for the linkUp and linkDown notifications.
Command or Action Purpose Disabling Link Notifications on an Interface
ProcedureYou can disable linkUp and linkDown notifications on an individual interface. You can use this limit notifications on flapping interface (an interface that transitions between up and down repeatedly).
Assigning SNMP Switch Contact and Location Information
ProcedureYou can assign the switch contact information, which is limited to 32 characters (without spaces), and the switch location.
Command or Action Purpose
Step 1 switch# configuration terminal
Enters configuration mode.
Step 2 switch(config)# snmp-server contact name
Configures sysContact, the SNMP contact name.
Step 3 switch(config)# snmp-server location name
Configures sysLocation, the SNMP location.
Step 4 switch# show snmp
(Optional) Displays information about one or more destination profiles.
Step 5 switch# copy running-config startup-config
(Optional) Saves this configuration change.
Configuring the Context to Network Entity Mapping
ProcedureYou can configure an SNMP context to map to a logical network entity, such as a protocol instance or VRF.
Command or Action Purpose
Step 1 switch# configuration terminal
Enters configuration mode.
Step 2 switch(config)# snmp-server context context-name [instance instance-name] [vrf vrf-name] [topology topology-name]
Maps an SNMP context to a protocol instance, VRF, or topology. The names can be any alphanumeric string up to 32 characters.
Step 3 switch(config)# snmp-server mib community-map community-name context context-name
Maps an SNMPv2c community to an SNMP context. The names can be any alphanumeric string up to 32 characters.
Step 4 switch(config)# no snmp-server context context-name [instance instance-name] [vrf vrf-name] [topology topology-name]
(Optional) Deletes the mapping between an SNMP context and a protocol instance, VRF, or topology. The names can be any alphanumeric string up to 32 characters.
Note Do not enter an instance, VRF, or topology to delete a context mapping. If you use the instance, vrf, or topology keywords, you configure a mapping between the context and a zero-length string.
Verifying SNMP Configuration
To display SNMP configuration information, perform one of the following tasks:
Command
Purpose
switch# show snmp Displays the SNMP status.
switch# show snmp community Displays the SNMP community strings.
switch# show snmp engineID Displays the SNMP engineID.
switch# show snmp group Displays SNMP roles.
switch# show snmp sessions Displays SNMP sessions.
switch# show snmp trap Displays the SNMP notifications enabled or disabled.
switch# show snmp user Displays SNMPv3 users.
