SNMP Fundamentals
Framework
The SNMP framework consists of three parts:
-
An SNMP manager—The system used to control and monitor the activities of network devices using SNMP.
-
An SNMP agent—The software component within the managed device that maintains the data for the device and reports these data, as needed, to managing systems. The Cisco Nexus device supports the agent and MIB. To enable the SNMP agent, you must define the relationship between the manager and the agent.
-
A managed information base (MIB)—The collection of managed objects on the SNMP agent
 Note |
SNMP is defined in RFCs 3411 to 3418. The device supports SNMPv1, SNMPv2c, and SNMPv3. Both SNMPv1 and SNMPv2c use a community-based form of security. Cisco NX-OS supports SNMP over IPv6. |
Notifications
A key feature of SNMP is the ability to generate notifications from an SNMP agent. These notifications do not require that requests be sent from the SNMP manager. Notifications can indicate improper user authentication, restarts, the closing of a connection, loss of connection to a neighbor router, or other significant events.
Cisco NX-OS generates SNMP notifications as either traps or informs. A trap is an asynchronous, unacknowledged message sent from the agent to the SNMP managers listed in the host receiver table. Informs are asynchronous messages sent from the SNMP agent to the SNMP manager which the manager must acknowledge receipt of.
Traps are less reliable than informs because the SNMP manager does not send any acknowledgment when it receives a trap. The device cannot determine if the trap was received. An SNMP manager that receives an inform request acknowledges the message with an SNMP response protocol data unit (PDU). If the device never receives a response, it can send the inform request again.
You can configure Cisco NX-OS to send notifications to multiple host receivers.
The following table lists the SNMP traps that are enabled by default.
| Trap Type | Description |
|---|---|
| generic | : coldStart |
| entity | : entity_fan_status_change |
| entity | : entity_mib_change |
| entity | : entity_module_status_change |
| entity | : entity_module_inserted |
| entity | : entity_module_removed |
| entity | : entity_power_out_change |
| entity | : entity_power_status_change |
| entity | : entity_unrecognised_module |
| link | : cErrDisableInterfaceEventRev1 |
| link | : cieLinkDown |
| link | : cieLinkUp |
| link | : cmn-mac-move-notification |
| link | : delayed-link-state-change |
| link | : extended-linkDown |
| link | : extended-linkUp |
| link | : linkDown |
| link | : linkUp |
| rf | : redundancy_framework |
| upgrade | : UpgradeOpNotifyOnCompletion |
| upgrade | : UpgradeJobStatusNotify |
| entity | : entity_sensor |
| rmon | : fallingAlarm |
| rmon | : hcRisingAlarm |
| rmon | : hcFallingAlarm |
| rmon | : risingAlarm |
Security Levels and Models
A security model is an authentication strategy that is set up for a user and the role in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP packet. SNMPv3 provides for both security models and security levels.
The security level determines if an SNMP message needs to be protected from disclosure and if the message needs to be authenticated. The various security levels that exist within a security model are as follows:
-
noAuthNoPriv—Security level that does not provide authentication or encryption. This level is not supported for SNMPv3.
-
authNoPriv—Security level that provides authentication but does not provide encryption.
-
authPriv—Security level that provides both authentication and encryption.
The security models available are:
-
SNMPv1
-
SNMPv2c
-
SNMPv3
The following table identifies what the combinations of security models and levels mean.
|
Model |
Level |
Authentication |
Encryption |
What Happens |
|---|---|---|---|---|
|
v1 |
noAuthNoPriv |
Community string |
No |
Uses a community string match for authentication. |
|
v2c |
noAuthNoPriv |
Community string |
No |
Uses a community string match for authentication. |
|
v3 |
authNoPriv |
HMAC-MD5, HMAC-SHA, or SHA-256 |
No |
Provides authentication based on the Hash-Based Message Authentication Code (HMAC) Message Digest 5 (MD5) algorithm or the HMAC Secure Hash Algorithm (SHA). |
|
v3 |
authPriv |
HMAC-MD5, HMAC-SHA, or SHA-256 |
DES |
Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides Data Encryption Standard (DES) 56-bit encryption in addition to authentication based on the Cipher Block Chaining (CBC) DES (DES-56) standard. |
SNMP Logical Entities
A device can support multiple instances of a logical network entity, such as protocol instances or virtual routing and forwarding (VRF) instances. Most existing MIBs cannot distinguish between the multiple logical network entities. For example, the original OSPF-MIB assumes a single protocol instance on a device, but you can now configure multiple OSPF instances on a device.
Context
An SNMP context is a collection of management information that you can access through the SNMP agent.
Groups
SNMP access rights are organized by groups. Each group in SNMP is similar to a role through the CLI. Each group is defined with read access or read-write access.
You can begin communicating with the agent once your username is created, your roles are set up by your administrator, and you are added to the roles.
Note |
Because group is a standard SNMP term used industry-wide, we refer to roles as groups in this SNMP section. |
Embedded Event Manager (EEM)
The Embedded Event Manager (EEM) feature monitors events, including SNMP MIB objects, and triggers an action based on these events. One of the actions could be to send an SNMP notification. EEM sends the cEventMgrPolicyEvent of CISCO-EMBEDDED-EVENT-MGR-MIB as the SNMP notification.
VRF Support
SNMP is also VRF aware. You can configure SNMP to use a particular VRF to reach the SNMP notification host receiver. You can also configure SNMP to filter notifications to an SNMP host receiver based on the VRF where the notification occurred.
Cisco NX-OS Support
Cisco NX-OS supports one instance of the SNMP. Cisco NX-OS supports stateless restarts for SNMP. After a reboot or supervisor switchover, Cisco NX-OS applies the running configuration. Cisco NX-OS supports SNMP over IPv6.
Multiple Instance Support
SNMP supports multiple MIB module instances and maps them to logical network entities. Cisco NX-OS supports the CISCO-CONTEXT-MAPPING-MIB to map between SNMP contexts and logical network entities. You can associate an SNMP context to a VRF, protocol instance, or topology.
SNMPv3 - uses contexts to distinguish between these multiple instances. A device can support multiple contexts for different logical network entities. An SNMP context allows the SNMP manager to access one of the multiple instances of a MIB module supported on the device for the different logical network entities. SNMPv3 supports contexts with the contextName field of the SNMPv3 PDU. You can map this contextName field to a particular protocol instance or VRF.
SNMPv2c - you can map the SNMP community to a context using the snmpCommunityContextName MIB object in the SNMP-COMMUNITY-MIB (RFC 3584). You can then map this snmpCommunityContextName to a particular protocol instance or VRF using the CISCO-CONTEXT-MAPPING-MIB or the CLI.
Note |
SNMP is defined in RFCs 3411 to 3418. The device supports SNMPv1, SNMPv2c, and SNMPv3. Both SNMPv1 and SNMPv2c use a community-based form of security. |
SNMPv3
SNMPv3 provides secure access to devices by a combination of authenticating and encrypting frames over the network. The SNMPv3 User-Based Security Model (USM) refers to SNMP message-level security and offers the following services:
-
Message integrity— Ensures that messages have not been altered or destroyed in an unauthorized manner and that data sequences have not been altered to an extent greater than can occur nonmaliciously.
-
Authentication—Ensures that the claimed identity of the user on whose behalf received data was originated is confirmed.
-
Encryption—Ensures that information is not made available or disclosed to unauthorized individuals, entities, or processes.
SNMPv3 authorizes management operations only by configured users and encrypts SNMP messages.
Cisco NX-OS uses three authentication protocols for SNMPv3:
-
HMAC-MD5-96 authentication protocol
-
HMAC-SHA-96 authentication protocol
-
SHA-256 authentication protocol
Note |
Beginning with Cisco NX-OS release 9.3(7), HMAC-SHA-256 authentication protocol is used for SNMPv3. When SHA-256 SNMP users are configured on the switch, ISSD is recommended by install all cmd else there will be config loss. |
Cisco NX-OS uses Advanced Encryption Standard (AES) as one of the privacy protocols for SNMPv3 message encryption and conforms with RFC 3826.
The priv option offers a choice of DES or 128-bit AES encryption for SNMP security encryption. The priv option and the aes-128 token indicate that this privacy password is for generating a 128-bit AES key. The AES priv password can have a minimum of eight characters. If the passphrases are specified in clear text, you can specify a maximum of 64 case-sensitive, alphanumeric characters. If you use the localized key, you can specify a maximum of 130 characters.
Note |
For an SNMPv3 operation using the external AAA server, you must use AES for the privacy protocol in the user configuration on the external AAA server. |
User Configuration Synchronization
SNMPv3 user management can be centralized at the Access Authentication and Accounting (AAA) server level. This centralized user management allows the SNMP agent in Cisco NX-OS to leverage the user authentication service of the AAA server. Once user authentication is verified, the SNMP PDUs are processed further. Additionally, the AAA server is also used to store user group names. SNMP uses the group names to apply the access/role policy that is locally available in the switch.
Any configuration changes made to the user group, role, or password results in database synchronization for both SNMP and AAA.
Cisco NX-OS synchronizes the user configuration in the following ways:
-
The authentication passphrase specified in the snmp-server user command becomes the password for the CLI user.
-
The password specified in the username command becomes the authentication and privacy passphrases for the SNMP user.
-
If you create or delete a user using either SNMP or the CLI, the user is created or deleted for both SNMP and the CLI.
-
User-role mapping changes are synchronized in SNMP and the CLI.
-
Role changes (deletions or modifications) from the CLI are synchronized to SNMP.
Note |
When you configure a passphrase/password in localized key/encrypted format, Cisco NX-OS does not synchronize the user information (passwords, roles, and so on). Cisco NX-OS holds the synchronized user configuration for 60 minutes by default. |
Disable Security and SNMP User Synchronization
Beginning with Cisco NX-OS Release 10.2(2)F, the following desynchronization command is introduced to provide you an option to disable the user synchronization between the SNMP and the security (AAA or CLI) components:
# snmp-server disable snmp-aaa sync
You can execute this command from the configure terminal on the Nexus switches. By default, the no form of the desynchronization command is available on the switch.
When the no-form of the desynchronization command is enabled on the device, for example, switch (config)# no snmp-server disable snmp-aaa sync , a user created through snmp-server user CLI results in the creation of a username CLI for that user in the running configuration and conversely. So, the user can log in to the switch, using the authentication credentials mentioned in the snmp-server user CLI or the username CLI, at the time of creation/updation, and will also be able to perform SNMP operations from a network manager on the switch. Thus, the no form of the desynchronization command ensures that the user synchronization between the SNMP and the AAA functions the way it did in the releases prior to 10.2(2)F.
When the desynchronization command is enabled on the device, for example, switch (config)# snmp-server disable snmp-aaa sync , a user created through the snmp-server user command does not create a username configuration for that user. So, the user cannot log in to the switch and is only allowed to do SNMP operations through a network manager on the switch. Similarly, creation of a security user through the username CLI does not create a corresponding snmp-server user CLI for the user. This user will be able to log in to the switch but will not be able to perform any SNMP operation on the switch. This is a new feature that the desynchronization command has introduced from Release 10.2(2)F.
You can view the status of the desynchronization command in one of the following ways:
-
The value of the field
SNMP-AAA sync disablein the output of the CLI show snmp internal globals -
The value of the field
disableSnmpAaaSyncin the sys/snmp/inst/globals MO -
The CLI print in the show-running-config output and show-running-config-snmp output or show-running-all output, based on whether the command is enabled or disabled, respectively
Remote Users
With regard to remote users, who are authenticated for login through external servers using protocols such as RADIUS and TACACS+, when the desynchronization command is enabled on the switch, the remote users cannot be created in SNMP. For more information, refer to the Configuring AAA chapter in the Cisco Nexus 9000 NX-OS Security Configuration Guide.
However, when the no form of the desynchronization command is enabled on the switch, if a remote user is created in AAA, the corresponding user is created in SNMP as well. Furthermore, the user will not be available in the running-config output of SNMP, but will be able to perform SNMP operations on the managed device, which is an existing feature prior to Release 10.2(2)F. However, external NMS client's originated snmpwalk and so on does not go through unless the snmp-sync-password command is executed in the device for the remote user created in AAA.
DCNM Security Users
The security users created using DCNM (also called as Nexus Dashboard Fabric Controller from Release 12.0.1a onwards) will not have a corresponding SNMPv3 profile when the desynchronization command is enabled. When the synchronization is disabled, the users created on the security component can log in to the switch, but the switches will not be discovered by the controller, as the controller uses the SNMP configuration created for the security user to discover the switch. Furthermore, the SNMP does not recognize the security users created due to the desynchronized state of the userDB, resulting in failure to discover the switch. Therefore, to have the switches discovered by the controller, the SNMP user must be explicitly created. It is not recommended to use the desynchronization command along with DCNM functionality. For more information, refer to the Cisco Nexus 9000 NX-OS Security Configuration Guide.
ISSD and ISSU
In general, if SNMP user synchronization has been disabled, do not enable SNMP user synchronization unless all the desynchronized users are removed. A running configuration with such a combination will result in a configuration replace failure.
The only way to achieve the desynchronized state in older releases without the desynchronization command is as follows:
-
If the Disruptive/ND-ISSD is performed from a desynchronized state to a release without the desynchronization command, the desynchronized databases will be ported as-is through ISSD to the previous release.
Note
Any modifications done to the user database after such ISSD will be synchronized between SNMP and security components.
After such ISSD, ISSU to a release with desynchronization command brings in the desynchronized user database as-is, but the desynchronization command comes up in its default no form. If required, enable the desynchronization command.
Guidelines and Limitations
SNMP has the following configuration guidelines and limitations:
-
Commands configured using SNMP SET should be deleted using SNMP SET only. Commands configured using Command Line Interface(CLI) or NX-API should be deleted using CLI or NX-API only.
-
When you create or edit a user in AAA using clear text password, SNMP creates or edits the user to have default auth (md5) and priv types.
When you create or edit a user in SNMP using clear text password, AAA creates or edits the user to have default password type (type 5).
-
Access control list (ACLs) can be applied only to local SNMPv3 users configured on the switch. ACLs cannot be applied to remote SNMPv3 users stored on Authentication, Authorization, and Accounting (AAA) servers.
-
Do not enable SNMP user synchronisation after it has been disabled unless all desynchronised users are removed. A running configuration with such a combination will result in a configuration replace failure.
-
Cisco NX-OS supports read-only access to some SNMP MIBs. See the Cisco NX-OS MIB support list at the following URL for more information: https://cisco.github.io/cisco-mibs/supportlists/nexus9000/Nexus9000MIBSupportList.html
-
Cisco NX-OS does not support the SNMPv3 noAuthNoPriv security level.
-
Cisco Nexus 9000 Series switches and the Cisco Nexus 3164Q, 31128PQ, 3232C, and 3264Q switches support the configuration of the SNMP local engine ID.
-
For a nondisruptive downgrade path to an earlier release, if a local engine ID has been configured, then you must unconfigure the local engine ID, and then reconfigure the SNMP users and the community strings.
-
Special characters @ and % are not allowed in the SNMP community string.
-
The default SNMP PDU value is 1500 bytes. The SNMP agent drops any response PDU that is greater than 1500 bytes, causing the SNMP request to fail. To receive MIB data values larger than 1500 bytes, use the snmp-server packetsize <byte-count> command to reconfigure the packet size. The valid byte-count range is from 484 to 17382. When a GETBULK response exceeds the packet size, the data can get truncated.
-
You must use either the CLI or SNMP to configure a feature on your switch. Do not configure a feature using both interfaces to the switch.
-
Using cefcFanTrayOperStatus snmpwalk on an individual fan OID tree where the fan is not populated in chassis, can return a response for next OID entry in the tree. To prevent this behavior, use the -CI option in snmpwalk.
The behavior is not seen when polling parent OID, or when using getmany.
-
Cisco Nexus 9000 series switches support upto 10000 flash files for snmpwalk request.
-
There must be at least one running BGP instance to have full, proper functional behavior of SNMP traps. Configure a BGP routing instance before configuring any snmp-server traps related commands.
-
Beginning with Release 10.1(1), AES-128 is the recommended encryption algorithm, as it is a strong encryption algorithm. However, DES encryption is also supported.
Downgrade: In-Service System Downgrade (ISSD) with install all command is aborted if users with DES privacy protocol are present in the SNMP database. Users need to be reconfigured (using the default AES-128) or deleted. In case of a cold reboot, the SNMP users with DES are deleted.
-
Beginning with Cisco NX-OS Release 10.5(2), users can configure AES-256 as the privacy protocol for SNMPv3.
-
Before downgrading to the earlier releases, reconfigure the existing user with encryption AES-256 to AES-128 or remove the user with encryption AES-256.
-
This feature is supported on all N9K platforms.
-
-
When engine ID is configured after configuring the SNMP user, ensure that you perform the following action:
-
After changing the engine ID, reconfigure the SNMP user and the related configuration including group, ACL, along with the password. This avoids authentication failure and impact on the ACL and group attached to the user.
-
-
Beginning with Cisco NX-OS Release 10.3(1)F, SNMP (MIBs – 400G Optic MIB, Switch MIB, Datapath MIBs, Interface MIB) is supported on the Cisco Nexus 9808 platform switches.
-
The SVI stats are polled only at an interval of every 120 seconds for SNMP cache.
-
Beginning with Cisco NX-OS Release 10.3(3)F, Type-6 encryption for SNMPv3 user password is supported with following limitations:
-
Type-6 encryption is successful only if the following is taken care:
-
feature password encryption aes {tam} is enabled.
-
Primary key is configured.
-
The pwd_type 6 option is specified during SNMPv3 user configuration.
-
-
Changing the primary key configuration results in SNMP re-encrypting all Type-6 users stored in its database. However, the SNMP functionalities continue to work the same way as before.
-
Primary key configuration is local to the switch. If the user takes the Type-6 configured running data from one switch and applies it on other switch where a different primary key is configured, SNMP features for the same user might not work on the other switch.
-
If Type-6 is configured, ensure to remove the configuration, or reconfigure the Type-6 option before downgrading to the release where Type-6 is not supported.
-
In case of ISSU, if you migrate from an earlier image (where localizedkey, localizedV2key config is present) to a new image where Type-6 encryption is supported, SNMP won’t convert the existing keys to Type-6 encryption.
-
Conversion between existing SALT encryption to Type-6 encryption is supported using the encryption re-encrypt obfuscated command.
-
ASCII-based reloads through disruptive upgrades and reload-ascii commands leads to loss of primary key which would impact the SNMP functionality for the Type-6 users.
-
If a user enforces re-encryption using the encryption re-encrypt obfuscated command, then SNMP encrypts all passwords from non-Type-6 SNMP users to Type-6 mode.
Note
The SNMP does not support the encryption delete type6 command and a syslog warning message is also displayed indicating the same.
-
-
From Cisco NX-OS Release 10.4(1)F, you can view Electronic Programmable Logic Device (EPLD) firmware version using SNMP. As part of Entity MIB structure, you can view the firmware version, type of EPLD device (IO or MI FPGA), and the parent entity of the EPLD devices, such as supervisor, line card, and Line card expansion module (LEM). This feature is supported for Cisco Nexus 9300-FX/FX2/FX3/GX platform switches, N9K-C9332D-H2R switch, and Nexus 9508 switch. Beginning with Cisco NX-OS Release 10.4(3)F, this feature is also supported on N9K-C9364C-H1 switch.Beginning with Cisco NX-OS Release 10.5(2)F, this feature is also supported on N9K-X9736C-FX3 line card.
-
Beginning with Cisco NX-OS Release 10.4(1)F, SNMP (MIBs – 400G Optic MIB, Switch MIB, Datapath MIBs, Interface MIB) is supported on the following line cards and switches:
-
Cisco Nexus 9804 switch
-
Cisco Nexus C9332D-H2R switch
-
Cisco Nexus X98900CD-A and X9836DM-A line cards with Cisco Nexus 9808 and 9804 switches
-
-
Beginning with Cisco NX-OS Release 10.4(2)F, SNMP (MIBs – 400G Optic MIB, Switch MIB, Datapath MIBs, Interface MIB) is supported on Cisco Nexus 93400LD-H1 platform switches.
-
Beginning with Cisco NX-OS Release 10.4(2)F, SNMP (MIBs – 400G Optic MIB, Switch MIB, Datapath MIBs, Interface MIB) is supported on Cisco Nexus N9K-C9364C-H1 platform switches.
Feedback