The Simple Network Management Protocol (SNMP) is an application-layer protocol that provides a message format for communication between SNMP managers and agents. SNMP provides a standardized framework and a common language used for the monitoring and management of devices in a network.
The SNMP framework consists of three parts:
SNMP is defined in RFCs 3411 to 3418.
Note: SNMP Role Based Access Control (RBAC) is not supported.
Cisco NX-OS supports SNMPv1, SNMPv2c, and SNMPv3. Both SNMPv1 and SNMPv2c use a community-based form of security.
A key feature of SNMP is the ability to generate notifications from an SNMP agent. These notifications do not require that requests be sent from the SNMP manager. Notifications can indicate improper user authentication, restarts, the closing of a connection, loss of a connection to a neighbor router, or other significant events.
Cisco NX-OS generates SNMP notifications as either traps or informs. A trap is an asynchronous, unacknowledged message sent from the agent to the SNMP managers listed in the host receiver table. An inform is an asynchronous message sent from the SNMP agent to the SNMP manager that the manager must acknowledge.
Traps are less reliable than informs because the SNMP manager does not send any acknowledgment when it receives a trap, so Cisco NX-OS cannot determine whether the trap was received. An SNMP manager that receives an inform request acknowledges it with an SNMP response protocol data unit (PDU). If Cisco NX-OS never receives a response, it can resend the inform request.
You can configure Cisco Nexus NX-OS to send notifications to multiple host receivers.
SNMPv3 provides secure access to devices by a combination of authenticating and encrypting frames over the network. The security features provided in SNMPv3 are as follows:
SNMPv3 provides for both security models and security levels. A security model is an authentication strategy that is set up for a user and the role in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP packet.
The security level determines if an SNMP message needs to be protected from disclosure and if the message needs to be authenticated. The various security levels that exist within a security model are as follows:
Three security models are available: SNMPv1, SNMPv2c, and SNMPv3. The security model combined with the security level determines the security mechanism applied when the SNMP message is processed.
The following table identifies what the combinations of security models and levels mean.
| Model | Level | Authentication | Encryption | What Happens |
|---|---|---|---|---|
| v1 | noAuthNoPriv | Community string | No | Uses a community string match for authentication. |
| v2c | noAuthNoPriv | Community string | No | Uses a community string match for authentication. |
| v3 | noAuthNoPriv | Username | No | Uses a username match for authentication. |
| v3 | authNoPriv | HMAC-MD5 or HMAC-SHA | No | Provides authentication based on the Hash-Based Message Authentication Code (HMAC) Message Digest 5 (MD5) algorithm or the HMAC Secure Hash Algorithm (SHA). |
| v3 | authPriv | HMAC-MD5 or HMAC-SHA | DES | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides Data Encryption Standard (DES) 56-bit encryption in addition to authentication based on the Cipher Block Chaining (CBC) DES (DES-56) standard. |
SNMPv3 User-Based Security Model (USM) refers to SNMP message-level security and offers the following services:
SNMPv3 authorizes management operations only by configured users and encrypts SNMP messages.
Cisco NX-OS uses two authentication protocols for SNMPv3:
The Cisco NX-OS uses Advanced Encryption Standard (AES) as one of the privacy protocols for SNMPv3 message encryption and conforms with RFC 3826.
The priv option offers a choice of DES or 128-bit AES encryption for SNMP security encryption. The priv option along with the aes-128 token indicates that this privacy password is for generating a 128-bit AES key. The AES priv password must have a minimum of eight characters. If the passphrases are specified in clear text, you can specify a maximum of 64 case-sensitive alphanumeric characters. If you use the localized key, you can specify a maximum of 130 characters.
Note: For an SNMPv3 operation that uses the external AAA server, you must use AES for the privacy protocol in the user configuration on the external AAA server.
SNMPv3 user management can be centralized at the Authentication, Authorization, and Accounting (AAA) server level. This centralized user management allows the SNMP agent in Cisco NX-OS to leverage the user authentication service of the AAA server. Once user authentication is verified, the SNMP PDUs are processed further. Additionally, the AAA server is also used to store user group names. SNMP uses the group names to apply the access/role policy that is locally available in the switch.
Any configuration change made to the user group, role, or password results in database synchronization for both SNMP and AAA.
Cisco Nexus 1000V NX-OS synchronizes user configuration in the following ways:
Note: When you configure a passphrase or password in localized-key (encrypted) format, Cisco NX-OS does not synchronize the user information (password, roles, and so on).
Cisco NX-OS holds the synchronized user configuration for 60 minutes by default. See Modifying the AAA Synchronization Time for information on how to modify this default value.
Note: Because group is a standard SNMP term used industry-wide, we refer to roles as groups in this SNMP section.
SNMP access rights are organized by groups. Each group in SNMP is similar to a role through the CLI. Each group is defined with read access or read-write access.
You can begin communicating with the agent once your username is created, your roles are set up by your administrator, and you are added to the roles.
Stateless restarts for SNMP are supported. After a reboot or supervisor switchover, the running configuration is applied.
| Parameters | Default |
|---|---|
| license notifications | enabled |
Before beginning this procedure, you must be logged in to the CLI in EXEC mode.
```
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# snmp-server user Admin auth sha abcd1234 priv abcdefgh
```
| Command or Action | Purpose |
|---|---|
| Step 1: `switch(config)# snmp-server globalEnforcePriv` | Enforces SNMP message encryption for all users. |

```
switch(config)# snmp-server globalEnforcePriv
```
You can create SNMP communities for SNMPv1 or SNMPv2c.
You must be in global configuration mode.
| Command or Action | Purpose |
|---|---|
| Step 1: `switch(config)# snmp-server community name {ro | rw}` | Creates an SNMP community string. |

```
switch(config)# snmp-server community public ro
```
You must configure a notification target user on the device to send SNMPv3 inform notifications to a notification host receiver.
The Cisco Nexus 1000V uses the credentials of the notification target user to encrypt the SNMPv3 inform notification messages to the configured notification host receiver.
Note: To authenticate and decrypt the received INFORM PDU, the notification host receiver must have the same user credentials as those configured in the Cisco Nexus 1000V.
You must be in global configuration mode.
```
switch(config)# snmp-server user NMS auth sha abcd1234 priv abcdefgh engineID 00:00:00:63:00:01:00:10:20:15:10:03
```
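The engineID on the notification target user, and the note that the receiver must hold the same user credentials, both follow from how SNMPv3 USM derives keys: the passphrase is never sent or used directly. It is hashed into a key and then localized with the engineID of the authoritative engine (RFC 3414), and for AES-128 privacy the first 16 octets of that localized key form the cipher key (RFC 3826). For informs the receiver is the authoritative engine, which is why its engineID is given when the target user is created, and this is also the "localized key" format mentioned in the privacy-protocol section above. The following Python is an added example, not part of the Cisco guide or of NX-OS; it reimplements the RFC 3414 password-to-key and key-localization steps using only the standard library. The function names are assumptions of this example, the `abcd1234` passphrase and the NMS engineID are taken from the guide's configuration lines, and the second engineID is a constructed value used only to show that a receiver with a different engineID derives a different key.

```python
"""Added example (not from the Cisco guide): RFC 3414 USM key localization."""
import hashlib

KEY_EXPANSION_BYTES = 1048576  # RFC 3414 A.2: the password is stretched to 1 MiB


def parse_engine_id(text: str) -> bytes:
    """Turn the colon-separated engineID shown in NX-OS config into raw bytes."""
    return bytes(int(octet, 16) for octet in text.split(":"))


def password_to_ku(password: str, hash_name: str) -> bytes:
    """RFC 3414 A.2.1/A.2.2: Ku = H(password repeated to 1,048,576 bytes).

    hash_name is "md5" or "sha1", matching the auth protocol chosen for the user.
    """
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(KEY_EXPANSION_BYTES, len(pw))
    h = hashlib.new(hash_name)
    h.update(pw * reps + pw[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || engineID || Ku).

    Binding the key to one engineID means a compromised key on one
    engine cannot be replayed against another engine.
    """
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Full password -> localized key derivation for a given engine."""
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)


def aes128_priv_key(priv_password: str, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3826 1.2: the AES-128 privacy key is the first 16 octets of the localized key."""
    return localized_key(priv_password, engine_id, hash_name)[:16]


# Values from the guide's configuration lines (auth passphrase and NMS engineID).
GUIDE_AUTH_PASS = "abcd1234"
GUIDE_PRIV_PASS = "abcdefgh"
NMS_ENGINE_ID = parse_engine_id("00:00:00:63:00:01:00:10:20:15:10:03")
# Constructed engineID (not from the guide) standing in for a mismatched receiver.
OTHER_ENGINE_ID = parse_engine_id("00:00:00:63:00:01:00:10:20:15:10:04")


def keys_differ_per_engine() -> bool:
    """Same passphrase, different engineID -> different localized key.

    A receiver whose engineID does not match the one configured on the
    switch derives a different key and cannot authenticate the inform.
    """
    return localized_key(GUIDE_AUTH_PASS, NMS_ENGINE_ID) != localized_key(
        GUIDE_AUTH_PASS, OTHER_ENGINE_ID
    )


if __name__ == "__main__":
    print("SHA-1 auth key for NMS :", localized_key(GUIDE_AUTH_PASS, NMS_ENGINE_ID).hex())
    print("AES-128 priv key for NMS:", aes128_priv_key(GUIDE_PRIV_PASS, NMS_ENGINE_ID).hex())
    print("different engineID -> different key:", keys_differ_per_engine())
```

Because the derivation is keyed on the engineID, checking that the receiver's configured engineID matches the one on the `snmp-server user ... engineID` line is the first thing to verify when SNMPv3 informs arrive but fail authentication.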
You can enable or disable notifications. If you do not specify a notification name, Cisco Nexus 1000V enables all notifications.
The following table lists the commands that enable the notifications for Cisco Nexus 1000V MIBs.
Note: The snmp-server enable traps command enables both traps and informs, depending on the configured notification host receivers.
| MIB | Related Commands |
|---|---|
| All notifications | snmp-server enable traps |
| CISCO-AAA-SERVER-MIB | snmp-server enable traps aaa |
| ENTITY-MIB | snmp-server enable traps entity |
| CISCO-ENTITY-FRU-CONTROL-MIB | snmp-server enable traps entity fru |
| CISCO-LICENSE-MGR-MIB | snmp-server enable traps license |
| IF-MIB | snmp-server enable traps link |
| CISCO-PSM-MIB | snmp-server enable traps port-security |
| SNMPv2-MIB | snmp-server enable traps snmp |
| SNMPv2-MIB | snmp-server enable traps snmp authentication |
The license notifications are enabled by default. All other notifications are disabled by default.
You must be in global configuration mode to enable the specified notification.
You can disable linkUp and linkDown notifications on an individual interface. You can use this to limit notifications on a flapping interface (an interface that transitions between up and down repeatedly).
You must be in interface configuration mode to disable linkUp/linkDown notifications for the interface.
| Command or Action | Purpose |
|---|---|
| Step 1: `switch(config-if)# no snmp trap link-status` | Disables SNMP link-state traps for the interface. This command is enabled by default. |

```
switch(config-if)# no snmp trap link-status
```
You must be in global configuration mode to enable one-time authentication for SNMP over TCP.
| Command or Action | Purpose |
|---|---|
| Step 1: `switch(config)# snmp-server tcp-session [auth]` | Enables a one-time authentication for SNMP over a TCP session. The default is disabled. |

```
switch(config)# snmp-server tcp-session
```
You can assign the switch contact information (limited to 32 characters, without spaces) and the switch location.
Before beginning this procedure, you must be logged in to the CLI in EXEC mode.
```
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# snmp contact Admin
switch(config)# snmp location Lab-7
switch(config)# show snmp
switch(config)# copy running-config startup-config
```
You must be in global configuration mode.
```
switch(config)# snmp-server host 192.0.2.1 traps version 1 public
```
You must be in global configuration mode to disable the SNMP protocol on a device.
| Command or Action | Purpose |
|---|---|
| Step 1: `switch(config)# no snmp-server protocol enable` | Disables the SNMP protocol. This command is enabled by default. |

```
switch(config)# no snmp-server protocol enable
```
You can modify how long Cisco NX-OS holds the synchronized user configuration.
You must be in global configuration mode.
```
switch(config)# snmp-server aaa-user cache-timeout 1200
```
Use one of the following commands to verify the configuration:
| Command | Purpose |
|---|---|
| show running-config snmp [all] | Displays the SNMP running configuration. |
| show snmp | Displays the SNMP status. |
| show snmp community | Displays the SNMP community strings. |
| show snmp context | Displays the SNMP context mapping. |
| show snmp engineID | Displays the SNMP engineID. |
| show snmp group | Displays SNMP roles. |
| show snmp session | Displays SNMP sessions. |
| show snmp trap | Displays the SNMP notifications enabled or disabled. |
| show snmp user | Displays SNMPv3 users. |
This example shows how to configure sending the Cisco linkUp/Down notifications to one notification host receiver using the Blue VRF and how to define two SNMP users, Admin and NMS.
```
switch# configure terminal
switch(config)# snmp-server contact Admin@company.com
switch(config)# snmp-server user Admin auth sha abcd1234 priv abcdefgh
switch(config)# snmp-server user NMS auth sha abcd1234 priv abcdefgh engineID 00:00:00:63:00:01:00:22:32:15:10:03
switch(config)# snmp-server host 192.0.2.1 informs version 3 auth NMS
switch(config)# snmp-server host 192.0.2.1 use-vrf Blue
switch(config)# snmp-server enable traps link cisco
```
| Related Topic | Document Title |
|---|---|
| MIBs | To locate and download MIBs, go to the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml |
| Feature Name | Releases | Feature Information |
|---|---|---|
| SNMP | Release 5.2(1)IC1(1.1) | This feature was introduced. |