SNMP Support on NFVIS

Introduction to SNMP

Simple Network Management Protocol (SNMP) is an application-layer protocol that provides a message format for communication between SNMP managers and agents. SNMP provides a standardized framework and a common language used for the monitoring and management of devices in a network.

The SNMP framework has three parts:

  • SNMP manager - The SNMP manager is used to control and monitor the activities of network hosts using SNMP.

  • SNMP agent - The SNMP agent is the software component within the managed device that maintains the data for the device and reports these data, as needed, to managing systems.

  • MIB - The Management Information Base (MIB) is a virtual information storage area for network management information, which consists of collections of managed objects.

A manager can send the agent requests to get and set MIB values. The agent can respond to these requests. Independent of this interaction, the agent can send unsolicited notifications (traps or informs) to the manager to notify the manager of network conditions.

SNMP Operations

SNMP applications perform the following operations to retrieve data, modify SNMP object variables, and send notifications:
  • SNMP Get - The SNMP GET operation is performed by a Network Management Server (NMS) to retrieve SNMP object variables.

  • SNMP Set - The SNMP SET operation is performed by a Network Management Server (NMS) to modify the value of an object variable.

  • SNMP Notifications - A key feature of SNMP is its capability to generate unsolicited notifications from an SNMP agent.

SNMP Get

The SNMP GET operation is performed by a Network Management Server (NMS) to retrieve SNMP object variables. There are three types of GET operations:

  • GET: Retrieves the exact object instance from the SNMP agent.

  • GETNEXT: Retrieves the next object variable, which is a lexicographical successor to the specified variable.

  • GETBULK: Retrieves a large amount of object variable data, without the need for repeated GETNEXT operations.

The command for SNMP GET is:

snmpget -v2c -c [community-name] [NFVIS-box-ip] [tag-name, example ifSpeed].[index value]

SNMP Walk

SNMP walk is an SNMP application that uses SNMP GETNEXT requests to query a network entity for a tree of information.

An object identifier (OID) may be given on the command line. This OID specifies which portion of the object identifier space will be searched using GETNEXT requests. All variables in the subtree below the given OID are queried and their values presented to the user.

The command for SNMP walk with SNMP v2 is:

snmpwalk -v2c -c [community-name] [nfvis-box-ip]


snmpwalk -v2c -c myUser 172.19.147.115 1.3.6.1.2.1.1
SNMPv2-MIB::sysDescr.0 = STRING: Cisco NFVIS 
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.12.3.1.3.1291
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (43545580) 5 days, 0:57:35.80
SNMPv2-MIB::sysContact.0 = STRING: 
SNMPv2-MIB::sysName.0 = STRING: 
SNMPv2-MIB::sysLocation.0 = STRING: 
SNMPv2-MIB::sysServices.0 = INTEGER: 70
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifIndex.3 = INTEGER: 3
IF-MIB::ifIndex.4 = INTEGER: 4
IF-MIB::ifIndex.5 = INTEGER: 5
IF-MIB::ifIndex.6 = INTEGER: 6
IF-MIB::ifIndex.7 = INTEGER: 7
IF-MIB::ifIndex.8 = INTEGER: 8
IF-MIB::ifIndex.9 = INTEGER: 9
IF-MIB::ifIndex.10 = INTEGER: 10
IF-MIB::ifIndex.11 = INTEGER: 11
IF-MIB::ifDescr.1 = STRING: GE0-0
IF-MIB::ifDescr.2 = STRING: GE0-1
IF-MIB::ifDescr.3 = STRING: MGMT
IF-MIB::ifDescr.4 = STRING: gigabitEthernet1/0
IF-MIB::ifDescr.5 = STRING: gigabitEthernet1/1
IF-MIB::ifDescr.6 = STRING: gigabitEthernet1/2
IF-MIB::ifDescr.7 = STRING: gigabitEthernet1/3
IF-MIB::ifDescr.8 = STRING: gigabitEthernet1/4
IF-MIB::ifDescr.9 = STRING: gigabitEthernet1/5
IF-MIB::ifDescr.10 = STRING: gigabitEthernet1/6
IF-MIB::ifDescr.11 = STRING: gigabitEthernet1/7
...
SNMPv2-SMI::mib-2.47.1.1.1.1.2.0 = STRING: "Cisco NFVIS"
SNMPv2-SMI::mib-2.47.1.1.1.1.3.0 = OID: SNMPv2-SMI::enterprises.9.1.1836
SNMPv2-SMI::mib-2.47.1.1.1.1.4.0 = INTEGER: 0
SNMPv2-SMI::mib-2.47.1.1.1.1.5.0 = INTEGER: 3
SNMPv2-SMI::mib-2.47.1.1.1.1.6.0 = INTEGER: -1
SNMPv2-SMI::mib-2.47.1.1.1.1.7.0 = STRING: "ENCS5412/K9"
SNMPv2-SMI::mib-2.47.1.1.1.1.8.0 = STRING: "M3"
SNMPv2-SMI::mib-2.47.1.1.1.1.9.0 = ""
SNMPv2-SMI::mib-2.47.1.1.1.1.10.0 = STRING: "3.7.0-817"
SNMPv2-SMI::mib-2.47.1.1.1.1.11.0 = STRING: "FGL203012P2"
SNMPv2-SMI::mib-2.47.1.1.1.1.12.0 = STRING: "Cisco Systems, Inc."
SNMPv2-SMI::mib-2.47.1.1.1.1.13.0 = ""
...

The following is a sample configuration of SNMP walk with SNMP v3:


snmpwalk -v 3 -u user3 -a sha -A changePassphrase -x aes -X changePassphrase -l authPriv -n snmp 172.16.1.101 system
SNMPv2-MIB::sysDescr.0 = STRING: Cisco ENCS 5412, 12-core Intel, 8 GB, 8-port PoE LAN, 2 HDD, Network Compute System
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.2377
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (16944068) 1 day, 23:04:00.68
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING:
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 70
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00

SNMP Notifications

A key feature of SNMP is the ability to generate notifications from an SNMP agent. These notifications do not require that requests be sent from the SNMP manager. Unsolicited (asynchronous) notifications can be generated as traps or inform requests. Traps are messages alerting the SNMP manager to a condition on the network. Inform requests (informs) are traps that include a request for confirmation of receipt from the SNMP manager. Notifications can indicate improper user authentication, restarts, the closing of a connection, loss of connection to a neighbor router, or other significant events.


Note


Starting from Release 3.8.1, NFVIS has SNMP trap support for switch interfaces. If a trap server is set up in the NFVIS SNMP configuration, NFVIS sends trap messages for both NFVIS and switch interfaces. For both kinds of interface, a trap is triggered when the link state goes up or down, either by unplugging a cable or by setting admin_state up or down while a cable is connected.


SNMP Versions

Cisco enterprise NFVIS supports the following versions of SNMP:

  • SNMP v1—The Simple Network Management Protocol: A Full Internet Standard, defined in RFC 1157. (RFC 1157 replaces the earlier versions that were published as RFC 1067 and RFC 1098.) Security is based on community strings.

  • SNMP v2c—The community-string based Administrative Framework for SNMPv2. SNMPv2c (the "c" stands for "community") is an Experimental Internet Protocol defined in RFC 1901, RFC 1905, and RFC 1906. SNMPv2c is an update of the protocol operations and data types of SNMPv2p (SNMPv2 Classic), and uses the community-based security model of SNMPv1.

  • SNMPv3—Version 3 of SNMP. SNMPv3 is an interoperable standards-based protocol defined in RFCs 3413 to 3415. SNMPv3 provides secure access to devices by authenticating and encrypting packets over the network.

The security features provided in SNMPv3 are as follows:
  • Message integrity—Ensuring that a packet has not been tampered with in transit.

  • Authentication—Determining that the message is from a valid source.

  • Encryption—Scrambling the contents of a packet to prevent it from being learned by an unauthorized source.

Both SNMP v1 and SNMP v2c use a community-based form of security. The community of managers able to access the agent MIB is defined by an IP address Access Control List and password.

SNMPv3 is a security model in which an authentication strategy is set up for a user and the group in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP packet.

Authentication of the community with the user configuration is implemented even though SNMP v1 and v2 traditionally do not require a user configuration to be set. For both SNMP v1 and v2 on NFVIS, the user must be set with the same name and version as the corresponding community name. The user group must also match an existing group with the same SNMP version for snmpwalk commands to work.

SNMP MIB Support

Table 1. Feature History

| Feature Name | Release Information | Description |
|---|---|---|
| SNMP CISCO-MIB | NFVIS Release 4.11.1 | The CISCO-MIB displays the Cisco NFVIS hostname using SNMP. |
| SNMP VM Monitoring MIB | NFVIS Release 4.4.1 | Support added for SNMP VM monitoring MIBs. |

The following MIBs are supported for SNMP on NFVIS:

CISCO-MIB starting from Cisco NFVIS Release 4.11.1:

CISCO-MIB OID 1.3.6.1.4.1.9.2.1.3: hostname

IF-MIB (1.3.6.1.2.1.31):

  • ifDescr

  • ifType

  • ifPhysAddress

  • ifSpeed

  • ifOperStatus

  • ifAdminStatus

  • ifMtu

  • ifName

  • ifHighSpeed

  • ifPromiscuousMode

  • ifConnectorPresent

  • ifInErrors

  • ifInDiscards

  • ifInOctets

  • ifOutErrors

  • ifOutDiscards

  • ifOutOctets

  • ifOutUcastPkts

  • ifHCInOctets

  • ifHCInUcastPkts

  • ifHCOutOctets

  • ifHCOutUcastPkts

  • ifInBroadcastPkts

  • ifOutBroadcastPkts

  • ifInMulticastPkts

  • ifOutMulticastPkts

  • ifHCInBroadcastPkts

  • ifHCOutBroadcastPkts

  • ifHCInMulticastPkts

  • ifHCOutMulticastPkts

Entity MIB (1.3.6.1.2.1.47):

  • entPhysicalIndex

  • entPhysicalDescr

  • entPhysicalVendorType

  • entPhysicalContainedIn

  • entPhysicalClass

  • entPhysicalParentRelPos

  • entPhysicalName

  • entPhysicalHardwareRev

  • entPhysicalFirmwareRev

  • entPhysicalSoftwareRev

  • entPhysicalSerialNum

  • entPhysicalMfgName

  • entPhysicalModelName

  • entPhysicalAlias

  • entPhysicalAssetID

  • entPhysicalIsFRU

Cisco Process MIB (1.3.6.1.4.1.9.9.109):

  • cpmCPUTotalPhysicalIndex (.2)

  • cpmCPUTotal5secRev (.6.x)*

  • cpmCPUTotal1minRev (.7.x)*

  • cpmCPUTotal5minRev (.8.x)*

  • cpmCPUMonInterval (.9)

  • cpmCPUMemoryUsed (.12)

  • cpmCPUMemoryFree (.13)

  • cpmCPUMemoryKernelReserved (.14)

  • cpmCPUMemoryHCUsed (.17)

  • cpmCPUMemoryHCFree (.19)

  • cpmCPUMemoryHCKernelReserved (.21)

  • cpmCPULoadAvg1min (.24)

  • cpmCPULoadAvg5min (.25)

  • cpmCPULoadAvg15min (.26)


Note


An asterisk (*) indicates the support data required for a single CPU core, starting from the NFVIS 3.12.3 release.


Cisco Environmental MIB (1.3.6.1.4.1.9.9.13):

  • Voltage Sensor:

    • ciscoEnvMonVoltageStatusDescr

    • ciscoEnvMonVoltageStatusValue

  • Temperature Sensor:

    • ciscoEnvMonTemperatureStatusDescr

    • ciscoEnvMonTemperatureStatusValue

  • Fan Sensor

    • ciscoEnvMonFanStatusDescr

    • ciscoEnvMonFanState


Note


Sensor support for the following hardware platforms:

  • ENCS 5400 series: all

  • ENCS 5100 series: none

  • UCS-E: voltage, temperature

  • UCS-C: all

  • CSP: CSP-2100, CSP-5228, CSP-5436 and CSP5444 (Beta)


Cisco Environmental Monitor MIB notification starting from NFVIS 3.12.3 release:

  • ciscoEnvMonEnableShutdownNotification

  • ciscoEnvMonEnableVoltageNotification

  • ciscoEnvMonEnableTemperatureNotification

  • ciscoEnvMonEnableFanNotification

  • ciscoEnvMonEnableRedundantSupplyNotification

  • ciscoEnvMonEnableStatChangeNotif

VM-MIB (1.3.6.1.2.1.236) starting from NFVIS 4.4 release:

  • vmHypervisor:

    • vmHvSoftware

    • vmHvVersion

    • vmHvUpTime

  • vmTable:

    • vmName

    • vmUUID

    • vmOperState

    • vmOSType

    • vmCurCpuNumber

    • vmMemUnit

    • vmCurMem

    • vmCpuTime

  • vmCpuTable:

    • vmCpuCoreTime

  • vmCpuAffinityTable

    • vmCpuAffinity

Configuring SNMP Support

| Feature | Description |
|---|---|
| SNMP encryption passphrase | Starting from Cisco NFVIS Release 4.10.1, you can add an optional passphrase for SNMP that generates a priv-key different from the auth-key. |

Although SNMP v1 and v2c use community-based strings, the following is still required:

  • Same community and user name.

  • Same SNMP version for user and group.

To create SNMP community:


configure terminal
snmp community <community_name> community-access <access>

The SNMP community name string supports the characters [A-Za-z0-9_-] and a maximum length of 32. NFVIS supports only readOnly access.

To create SNMP Group:


configure terminal
snmp group <group_name> <context> <version> <security_level> notify <notify_list> read <read_list> write <write_list>

| Variables | Description |
|---|---|
| group_name | Group name string. Supported characters are [A-Za-z0-9_-] and the maximum length is 32. |
| context | Context string, default is snmp. Maximum length is 32. Minimum length is 0 (empty context). |
| version | 1, 2 or 3 for SNMP v1, v2c and v3. |
| security_level | authPriv, authNoPriv, noAuthNoPriv. Note: SNMP v1 and v2c use noAuthNoPriv only. |
| notify_list/read_list/write_list | Can be any string. read_list and notify_list are required to support data retrieval by SNMP tools. write_list can be skipped because NFVIS SNMP does not support SNMP write access. |

To create SNMP v3 user:

When security level is authPriv:


configure terminal
snmp user <user_name> user-version 3 user-group <group_name> auth-protocol <auth> priv-protocol <priv> passphrase <passphrase_string>

configure terminal
snmp user <user_name> user-version 3 user-group <group_name> auth-protocol <auth> priv-protocol <priv> passphrase <passphrase_string> encryption-passphrase <encryption_passphrase>

When security level is authNoPriv:


configure terminal
snmp user <user_name> user-version 3 user-group <group_name> auth-protocol <auth> passphrase <passphrase_string>

When security level is noAuthNoPriv:


configure terminal
snmp user <user_name> user-version 3 user-group <group_name>

| Variables | Description |
|---|---|
| user_name | User name string. Supported characters are [A-Za-z0-9_-] and the maximum length is 32. This name has to be the same as community_name. |
| version | 1 and 2 for SNMP v1 and v2c. |
| group_name | Group name string. This name has to be the same as the group name configured in NFVIS. |
| auth | md5 or sha |
| priv | aes or des |
| passphrase_string | Passphrase string. Supported characters are [A-Za-z0-9\-_#@%$*&! ]. |
| encryption_passphrase | Passphrase string. Supported characters are [A-Za-z0-9\-_#@%$*&! ]. The user must configure passphrase first to configure encryption-passphrase. |


Note


Do not use auth-key and priv-key. The auth and priv passphrases are encrypted after configuration and saved in NFVIS.


To enable SNMP traps:


configure terminal
snmp enable traps <trap_event>

trap_event can be linkup or linkdown.

To create SNMP trap host:


configure terminal
snmp host <host_name> host-ip-address <ip_address> host-port <port> host-user-name <user_name> host-version <version> host-security-level noAuthNoPriv

| Variables | Description |
|---|---|
| host_name | User name string. Supported characters are [A-Za-z0-9_-] and the maximum length is 32. This is not an FQDN host name, but an alias for the IP address of the traps server. |
| ip_address | IP address of the traps server. |
| port | Default is 162. Change to another port number based on your own setup. |
| user_name | User name string. Must be the same as the user_name configured in NFVIS. |
| version | 1, 2 or 3 for SNMP v1, v2c or v3. |
| security_level | authPriv, authNoPriv, noAuthNoPriv. Note: SNMP v1 and v2c use noAuthNoPriv only. |

SNMP Configuration Examples

The following example shows SNMP v3 configuration:

configure terminal
snmp group testgroup3 snmp 3 authPriv notify test write test read test
!
snmp user user3 user-version 3 user-group testgroup3 auth-protocol sha priv-protocol aes passphrase changePassphrase encryption-passphrase encryptPassphrase
! configure snmp host to enable snmp v3 trap
snmp host host3 host-ip-address 3.3.3.3 host-version 3 host-user-name user3 host-security-level authPriv host-port 162
!!

The following example shows SNMP v1 and v2 configuration:


configure terminal
snmp community public community-access readOnly
!
snmp group testgroup snmp 2 noAuthNoPriv read read-access write write-access notify notify-access
!
snmp user public user-group testgroup user-version 2
!
snmp host host2 host-ip-address 2.2.2.2 host-port 162 host-user-name public host-version 2 host-security-level noAuthNoPriv
!
snmp enable traps linkup
snmp enable traps linkDown

The following example shows SNMP v3 configuration:


configure terminal
snmp group testgroup3 snmp 3 authPriv notify test write test read test
!
snmp user user3 user-version 3 user-group testgroup3 auth-protocol sha priv-protocol aes passphrase changePassphrase
! configure snmp host to enable snmp v3 trap
snmp host host3 host-ip-address 3.3.3.3 host-version 3 host-user-name user3 host-security-level authPriv host-port 162
!!

To change the security level:


configure terminal
!
snmp group testgroup4 snmp 3 authNoPriv notify test write test read test
!
snmp user user4 user-version 3 user-group testgroup4 auth-protocol md5 passphrase changePassphrase
! configure snmp host to enable snmp v3 trap
snmp host host4 host-ip-address 4.4.4.4 host-version 3 host-user-name user4 host-security-level authNoPriv host-port 162
!!
snmp enable traps linkUp
snmp enable traps linkDown

To change the default SNMP context:


configure terminal
!
snmp group testgroup5 devop 3 authPriv notify test write test read test
!
snmp user user5 user-version 3 user-group testgroup5 auth-protocol md5 priv-protocol des passphrase changePassphrase
!

To use an empty context and noAuthNoPriv:


configure terminal
!
snmp group testgroup6 "" 3 noAuthNoPriv read test write test notify test
!
snmp user user6 user-version 3 user-group testgroup6
!


Note


SNMP v3 context snmp is added automatically when configured from the web portal. To use a different context value or empty context string, use NFVIS CLI or API for configuration.

NFVIS SNMP v3 supports only a single passphrase for both auth-protocol and priv-protocol.

Do not use auth-key and priv-key to configure SNMP v3 passphrase. These keys are generated differently between different NFVIS systems for the same passphrase.
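
Added example, not NFVIS code: the standard SNMPv3 USM key derivation (RFC 3414, Appendix A.2) mixes the agent's engineID into every key, so one passphrase gives different keys on systems with different engineIDs. It assumes NFVIS follows that standard derivation and that sha means SHA-1, neither of which this page states; ENGINE_B is a constructed value and priv_pass stands in for encryption-passphrase.

```python
import hashlib

ENGINE_A = "00:00:00:09:11:22:33:44:55:66:77:88"  # engineID from this page's running-config
ENGINE_B = "00:00:00:09:aa:bb:cc:dd:ee:ff:00:11"  # constructed second system

def password_to_key(passphrase, algo):
    """Ku: digest of the passphrase repeated out to exactly 1,048,576 octets."""
    pw = passphrase.encode()
    if not pw:
        raise ValueError("passphrase must not be empty")
    reps, rem = divmod(1048576, len(pw))
    return hashlib.new(algo, pw * reps + pw[:rem]).digest()

def localize(ku, engine_id, algo):
    """Kul = H(Ku || engineID || Ku): the key is bound to one SNMP engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def usm_keys(auth_pass, engine_id_hex, algo="sha1", priv_pass=None):
    """Return (auth_key, priv_key) for one engine.

    priv_pass models the encryption-passphrase option (an assumption about how
    NFVIS uses it); when it is omitted the auth passphrase feeds both keys.
    """
    eid = bytes.fromhex(engine_id_hex.replace(":", ""))
    auth = localize(password_to_key(auth_pass, algo), eid, algo)
    priv = localize(password_to_key(priv_pass or auth_pass, algo), eid, algo)
    return auth, priv[:16]  # DES and AES-128 privacy both use the first 16 octets

if __name__ == "__main__":
    for eid in (ENGINE_A, ENGINE_B):
        auth, priv = usm_keys("changePassphrase", eid)
        print(eid, auth.hex(), priv.hex())
    auth, priv = usm_keys("changePassphrase", ENGINE_A, priv_pass="encryptPassphrase")
    print("separate priv key:", priv.hex())
```

A key copied from one system therefore does not authenticate against another, while the passphrase does.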



Note


NFVIS 3.11.1 release enhances the special character support for passphrase. Now the following characters are supported: @#$-!&*



Note


NFVIS 3.12.1 release supports the following special characters: -_#@%$*&! and whitespace. Backslash (\) is not supported.


Verify the Configuration for SNMP Support

Use the show snmp agent command to verify the SNMP agent description and ID.


nfvis# show snmp agent 

snmp agent sysDescr "Cisco NFVIS "
snmp agent sysOID 1.3.6.1.4.1.9.12.3.1.3.1291

Use the show snmp traps command to verify the state of SNMP traps.


nfvis# show snmp traps

TRAP      TRAP      
NAME      STATE     
--------------------
linkDown  disabled  
linkUp    enabled

Use the show snmp stats command to verify the SNMP stats.


nfvis# show snmp stats

snmp stats sysUpTime    57351917
snmp stats sysServices  70
snmp stats sysORLastChange 0
snmp stats snmpInPkts   104
snmp stats snmpInBadVersions 0
snmp stats snmpInBadCommunityNames 0
snmp stats snmpInBadCommunityUses 0
snmp stats snmpInASNParseErrs 0
snmp stats snmpSilentDrops 0
snmp stats snmpProxyDrops 0

Use the show running-config snmp command to verify the interface configuration for SNMP.


nfvis# show running-config snmp

snmp agent enabled true
snmp agent engineID 00:00:00:09:11:22:33:44:55:66:77:88
snmp enable traps linkUp
snmp community pub_comm
community-access readOnly
!
snmp community tachen
community-access readOnly
!
snmp group tachen snmp 2 noAuthNoPriv
read   test
write  test
notify test
!
snmp group testgroup snmp 2 noAuthNoPriv
read   read-access
write  write-access
notify notify-access
!
snmp user public
user-version  2
user-group    2
auth-protocol md5
priv-protocol des
!
snmp user tachen
user-version 2
user-group   tachen
!
snmp host host2
host-port           162
host-ip-address     2.2.2.2
host-version        2
host-security-level noAuthNoPriv
host-user-name      public
!
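
A configuration check over output in the show running-config snmp layout shown above, as an added example that is not part of NFVIS or Cisco tooling. SAMPLE is constructed and the parse and audit helpers are hypothetical names; the rules are the ones this page gives (a v1/v2c user shares its community's name, user and group versions match) plus the weaker options it lists (noAuthNoPriv, md5, des) and the widely known default community names.

```python
# Constructed sample in the layout of "show running-config snmp"; not from a real device.
SAMPLE = """\
snmp community public
community-access readOnly
!
snmp group grp3 snmp 3 authPriv
!
snmp user public
user-version 2
user-group   grp3
!
snmp user ops3
user-version  3
user-group    grp3
auth-protocol md5
priv-protocol des
!
snmp host nms1
host-security-level noAuthNoPriv
!
"""
KINDS = ("community", "group", "user", "host")

def parse(text):
    """Return {kind: {name: {key: value}}}; a stanza runs until the next '!'."""
    cfg, cur = {k: {} for k in KINDS}, None
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) >= 3 and tok[0] == "snmp" and tok[1] in cfg:
            cur = cfg[tok[1]].setdefault(tok[2], {})
            if tok[1] == "group" and len(tok) >= 6:
                cur.update(version=tok[4], level=tok[5])
        elif not tok or tok[0] in ("!", "snmp"):
            cur = None  # stanza ended, or a one-line setting such as "snmp enable traps"
        elif cur is not None and len(tok) >= 2:
            cur[tok[0]] = tok[1]
    return cfg

def audit(cfg):
    """List weak security settings and breaches of the page's naming/version rules."""
    out = [f"community {n}: well-known default string"
           for n in cfg["community"] if n.lower() in ("public", "private")]
    for name, g in cfg["group"].items():
        if g.get("level") != "authPriv":
            out.append(f"group {name}: level {g.get('level')} is not authPriv")
    for name, u in cfg["user"].items():
        ver, grp = u.get("user-version"), cfg["group"].get(u.get("user-group"), {})
        if grp.get("version") != ver:
            out.append(f"user {name}: no v{ver} group named {u.get('user-group')}")
        if ver in ("1", "2") and name not in cfg["community"]:
            out.append(f"user {name}: no community with the same name")
        if u.get("auth-protocol") == "md5" or u.get("priv-protocol") == "des":
            out.append(f"user {name}: md5/des in use; sha/aes are available")
    for name, h in cfg["host"].items():
        if h.get("host-security-level") != "authPriv":
            out.append(f"host {name}: traps sent at {h.get('host-security-level')}")
    return out

if __name__ == "__main__":
    print("\n".join(audit(parse(SAMPLE))))
```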

Upper limit for SNMP configurations

Upper limit for SNMP configurations:

  • Communities: 10

  • Groups: 10

  • Users: 10

  • Hosts: 4

SNMP Support APIs and Commands

APIs:

  • /api/config/snmp/agent

  • /api/config/snmp/communities

  • /api/config/snmp/enable/traps

  • /api/config/snmp/hosts

  • /api/config/snmp/user

  • /api/config/snmp/groups

Commands:

  • agent

  • community

  • trap-type

  • host

  • user

  • group