Configuring SNMP

Information About SNMP

Simple Network Management Protocol (SNMP) is an application layer protocol in a TCP/IP network. SNMP allows the network devices to exchange management information. SNMP helps centralized management of large networks by making it convenient for a network administrator to retrieve information from any node, make modifications, find faults, and complete fault diagnosis, capacity planning, and report generation.

The SNMP system consists of a Network Management Station (NMS) and an agent. The NMS is a workstation that runs client programs and forwards GetRequest, GetNextRequest, and SetRequest packets to the agent. An agent is server software running on a network device. When the agent receives an NMS request message, it performs Read or Write operations and generates a Response packet. This Response packet is sent back to the NMS. If a device experiences an abnormal event, like a hot start or a cold start, the agent forwards a trap packet to the NMS to report the event.

The SNMP system supports SNMP v1, SNMP v2c, and SNMP v3.

SNMP v1 provides a simple authentication mechanism. It does not support administrator-to-manager communications. SNMP v1 Trap does not have a confirmation mechanism.

SNMP v2c has enhanced security, management information structure, protocol operation, and manager communications.

SNMP v3 provides user authentication and packet encryption mechanisms. This greatly improves the security of the SNMP protocol.

SNMP MIB is a repository for information about device parameters and network data. An SNMP agent contains MIB variables, whose values the SNMP manager can request or change through Get or Set operations.

How to Configure SNMP

The following sections provide information about configuring SNMP:

Configuring Basic Parameters of SNMP

To configure the SNMP basic parameters, perform the following steps:

Procedure

  Command or Action Purpose
Step 1

enable

Example:

Device> enable 

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device#configure terminal 

Enters global configuration mode.

Step 3

snmp-server [ enable | disable ]

Example:

Device(config)#snmp-server enable 

(Optional) Enables or disables SNMP on the device. If SNMP is enabled by default, this command is not required.

Step 4

[ no ] snmp-server contact syscontact

Example:

Device(config)#snmp-server contact DisplaySystemOperator

(Optional) Configures the SNMP contact information. To remove the configured contact information, use the no form of the command.

Step 5

show snmp contact

Example:

Device(config)# show snmp contact

(Optional) Displays the SNMP contact string that is configured.

Step 6

[ no ] snmp-server location syslocation

Example:

Device(config)#snmp-server location Building13

(Optional) Configures the SNMP location information. To remove the configured location string, use the no form of the command.

Step 7

show snmp location

Example:

Device(config)# show snmp location

(Optional) Displays the SNMP location string that is configured.

Step 8

[ no ] snmp-server name sysname

Example:

Device(config)#snmp-server name Building13Server

(Optional) Configures the SNMP system name. To remove the configured name string, use the no form of the command.

Step 9

show snmp name

Example:

Device(config)# show snmp name

(Optional) Displays the SNMP system name that is configured.

Step 10

[ no ] snmp-server max-packet-length length

Example:

Device(config)#snmp-server max-packet-length 700

(Optional) Configures the maximum size of the SNMP packets. To remove the maximum packet length configuration, use the no form of the command.

The maximum packet length is set to 1000 bytes, by default.

Step 11

show snmp mib [ module module-name ]

Example:

Device(config)# show snmp mib

(Optional) Displays the MIB modules that are registered on the system.

Configuring SNMP Community Name

An SNMP community is identified by a string known as the community name. The community name authenticates access to MIB objects. In order for the NMS to access the switch, the community name definitions on the NMS must match at least one of the community name definitions on the switch.

A community name can have one of these definitions:

  • Read-only (RO): A community with read-only access can only query system information.

  • Read-write (RW): A community with read-write access can perform system configuration in addition to querying system information.

To configure a community name, perform the following task:

Procedure

  Command or Action Purpose
Step 1

enable

Example:

Device> enable 

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device#configure terminal 

Enters global configuration mode.

Step 3

snmp-server community encrypt { enable | disable }

Example:

Device(config)#snmp-server community encrypt enable

(Optional) Enables or disables the encryption of the community name. By default, the community name is not encrypted.

Step 4

snmp-server community name { ro | rw } { permit | deny } [ view view-name ]

Example:

The following command permits read-write access to the community, comname.

Device(config)#snmp-server community comname rw permit

Configures the specified community for read or read-write access to SNMP.

By default, the ISO view is used.

Step 5

show snmp community

Example:

Device(config)#show snmp community

(Optional) Displays the SNMP community name.

Step 6

no snmp-server community community-index

Example:

Device(config)#no snmp-server community newname

Removes the SNMP community name that is configured.

Configuring SNMP Group

SNMPv3 groups allow you to combine users into groups of different authorization and access privileges. By default, there are two SNMP groups:

  • Group with a security level of auth: Requires authentication.

  • Group with a security level of noauthpriv: Does not require authentication or encryption.

Procedure

  Command or Action Purpose
Step 1

enable

Example:

Device> enable 

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device#configure terminal 

Enters global configuration mode.

Step 3

snmp-server group group-name 3 [ auth | noauth | priv ] read read-view write write-view notify notify-view

Example:

Device(config)#snmp-server group g1 3 priv write dept-view 

Configures the SNMP group.

If a read-view is not specified, it defaults to the iso view and auth security level.

write-view and notify-view do not have defaults. Hence it is mandatory to specify them if write or notify is configured.

Step 4

[ no ] snmp-server group group-name 3 context context-name

Example:

Device(config)#snmp-server group g1 3 context alerts 

(Optional) Specifies the SNMP context to associate with this SNMP group and its views.

Step 5

show snmp group [ group-name ]

Example:

Device(config)#show snmp group 

(Optional) Displays the SNMP group configuration.

Configuring a User

You can configure a user for a local engine or a remote engine.

The following three users exist by default and they are reserved as the system users.

  • initialmd5

  • initialsha

  • initialnone

When an identifiable engine is deleted, its users are also deleted.

Before you begin

Before you configure a user, ensure that the engine for which the user is being configured is identifiable.

Procedure

  Command or Action Purpose
Step 1

enable

Example:

Device> enable 

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device#configure terminal 

Enters global configuration mode.

Step 3

snmp-server encrypt { enable | disable }

Example:

Device(config)#snmp-server encrypt enable 

(Optional) Enables or disables the encryption of the password. The password is encrypted by default.

Step 4

snmp-server user username groupname [ remote ipaddress [ udp-port port-number ]] [ auth { md5 | sha } { auth-password { authpassword | encrypt-authpassword password } | auth-key { authkey | encrypt-authkey password }} [ priv des { priv-key { key | encrypt-privkey key } | priv-password { password | encrypt-privpassword privpassword } } ] ]

Example:

Device(config)#snmp-server user userOne gpr1  

Configures the user.

To configure a remote engine user, specify remote ipaddress. If you do not specify remote ipaddress, a local engine user is configured.

For a remote user, the default port number is 162. To configure a different remote port, specify udp-port port-number.

Three levels of user privileges can be specified:

  • noauthpriv: Authentication and password encryption are not required. It is the default configuration.

  • auth: Authentication is required but password encryption is not required.

  • authpriv: Both authentication and password encryption are required.

Note that the user security level should be the same as the corresponding group security level.

Step 5

no snmp-server user username [ remote ipaddress [ udp-port port-number ] ]

Example:

Device(config)#no snmp-server user userOne  

(Optional) Removes the username user.

Step 6

show snmp user [ username ]

Example:

Device(config)#show snmp user 

(Optional) Displays the user configuration.
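
The requirement in Step 4 that a user's security level match its group's can be checked offline against a saved configuration. The following Python sketch is an added example, not part of the original guide or the device software; the sample lines are constructed from the command syntax shown above, and the function names are hypothetical.

```python
import re

# Constructed sample, written in the command syntax shown in the procedures above.
SAMPLE_CONFIG = """\
Device(config)#snmp-server group g1 3 priv write dept-view
Device(config)#snmp-server group g3 3 auth notify iso read iso write iso
Device(config)#snmp-server user userOne gpr1
Device(config)#snmp-server user u3 g3 auth md5 auth-password password
Device(config)#snmp-server user u4 g1 auth sha auth-password password
"""

LEVELS = ("noauth", "auth", "priv")  # group keywords; users map to the same names

def user_level(opts):
    """Level implied by the keywords that follow 'user <username> <groupname>'."""
    if "auth" not in opts:
        return "noauth"                      # noauthpriv, the default
    return "priv" if "priv" in opts[opts.index("auth"):] else "auth"

def check_levels(config):
    """Return {username: problem} for users that do not match their group."""
    groups, users = {}, {}
    for raw in config.splitlines():
        # Drop a leading CLI prompt such as "Device(config)#" if present.
        tok = re.sub(r"^\S*?[#>]\s*", "", raw.strip()).split()
        if tok[:2] == ["snmp-server", "group"] and tok[3:4] == ["3"] \
                and tok[4:5] and tok[4] in LEVELS:
            groups[tok[2]] = tok[4]          # group-name -> explicit level
        elif tok[:2] == ["snmp-server", "user"] and len(tok) >= 4:
            users[tok[2]] = (tok[3], user_level(tok[4:]))
    problems = {}
    for name, (group, level) in users.items():
        if group not in groups:
            problems[name] = f"group {group!r} is not defined"
        elif groups[group] != level:
            problems[name] = f"user is {level}, group {group!r} is {groups[group]}"
    return problems

if __name__ == "__main__":
    for user, problem in check_levels(SAMPLE_CONFIG).items():
        print(f"{user}: {problem}")
```

Group lines that carry only a context, and `no` forms of the commands, are ignored by the check.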

Configuring a View

A view is a list of SNMP object trees that you can access. The iso, internet, and sysview views exist by default. You cannot delete or modify the internet view.

Procedure

  Command or Action Purpose
Step 1

enable

Example:

Device> enable 

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device#configure terminal 

Enters global configuration mode.

Step 3

snmp-server view view-name oid-subtree { included | excluded }

Example:

Device(config)#snmp-server view oneview 

Configures a view.

Step 4

no snmp-server view view-name [ oid-tree ]

Example:

Device(config)#no snmp-server view oneview mib-1 excluded 

(Optional) Removes the specified view.

Step 5

show snmp view view-name

Example:

Device(config)#show snmp view oneview

(Optional) Displays the configurations of the specified view.

Configuring an SNMP Notification

SNMP notifications can be sent as traps or inform requests. Follow these steps to configure an SNMP notification.

Procedure

  Command or Action Purpose
Step 1

enable

Example:

Device> enable 

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device#configure terminal 

Enters global configuration mode.

Step 3

[ no ] snmp-server trap-source { loopback-interface | vlan-interface } if-id

Example:

Device(config)#snmp-server trap-source vlan-interface 3 

(Optional) Configures the source IP of the notification packets.

Step 4

[ no ] snmp-server enable [[ informs | traps ] [ bridge | gbn | gbnsavecfg | interfaces | rmon | snmp

Example:

Device(config)#snmp-server enable  

Enables the sending of SNMP inform notifications. Use the no form of the command to disable notifications.

Step 5

show snmp notify

Example:

Device(config)#show snmp notify 

(Optional) Displays the SNMP notification configurations.

Step 6

[ no ] snmp-server host ipaddress [ version { 1 | 2c | 3 } ]

Example:

Device(config)#snmp-server host 10.0.0.0 version 2 test 2  

Specifies the recipient of an SNMP notification operation.

Step 7

show snmp host

Example:

Device(config)#show snmp host 

(Optional) Displays the details of the recipient of SNMP notification operations.

Configuring Engine ID

An SNMP engine ID is a unique string that identifies the device, for administrative purposes.

The engine ID of the local SNMP device is 134640000000000000000000. You can modify the local engine ID, but not delete it. You can create or delete the engine ID of a remote SNMP device. If you delete a remote engine ID, the corresponding users are also deleted. You can configure a maximum of 32 remote engine IDs.

Follow these steps to configure an engine ID:

Procedure

  Command or Action Purpose
Step 1

enable

Example:

Device> enable 

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device#configure terminal 

Enters global configuration mode.

Step 3

snmp-server engineid { local engine-id | remote ipaddress [ udp-port port-number ] engine-id }

Example:

Device(config)#snmp-server engineid remote 172.16.20.4 1  

(Optional) Configures the engine ID of the local SNMP device or the remote SNMP device.

Step 4

show snmp engineid { local | remote } id

Example:

Device(config)#show snmp engineid remote traps 

(Optional) Displays the specified engineID configurations.

Step 5

no snmp-server engineid { local | remote ipaddress port-number }

Example:

Device(config)#no snmp-server engineid local

Removes the specified engine ID.

Configuration Example for SNMP

Network Requirements

Before accessing a device with the mib-browser, ensure that the mib-browser terminal is able to communicate with the device.

Configuration Steps

The following example configures a community, test2, so that the mib-browser can access the device through SNMP v1 or SNMP v2. It then configures a group, g3, and a user, u3, with security levels such that the mib-browser can access the switch through SNMP v3.

Device(config)#snmp-server enable
Device(config)#snmp-server community test2 rw permit view iso
Device(config)#snmp-server group g3 3 auth notify iso read iso write iso
Device(config)#snmp-server user u3 g3 auth md5 auth-password password

Device(config)#show snmp group g3
groupname: g3                                                                   
securitymodel: 3 auth                                                           
readview: iso                                                                   
writeview: iso                                                                  
notifyview: iso                                                                 
context: default value(NULL)                                                    

Device(config)#show snmp user u3
User name: u3                                                                   
Engine ID: 134640000000000000000000                                             
Authentication Protocol: HMACMD5AuthProtocol                                    
Group-name: g3                                                                  
Validation: valid 

Device(config)#snmp-server enable traps
Device(config)#snmp-server host 192.168.1.10 version 2 test2

Device(config)#snmp-server host 192.168.1.10 version 3 auth u3
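
The configuration above is convenient for a lab, but several of its lines grant more access than a production device needs. The following Python audit is an added example, not part of the original guide or the device software: it reads snmp-server lines in the syntax documented on this page and reports the settings a reviewer would question. The function name and finding texts are hypothetical.

```python
import re

# Constructed input: the snmp-server lines from the configuration example above.
SAMPLE_CONFIG = """\
Device(config)#snmp-server enable
Device(config)#snmp-server community test2 rw permit view iso
Device(config)#snmp-server group g3 3 auth notify iso read iso write iso
Device(config)#snmp-server user u3 g3 auth md5 auth-password password
Device(config)#snmp-server enable traps
Device(config)#snmp-server host 192.168.1.10 version 2 test2
Device(config)#snmp-server host 192.168.1.10 version 3 auth u3
"""

def audit(config):
    """Return (command, finding) pairs for snmp-server lines that weaken access control."""
    findings = []
    for raw in config.splitlines():
        line = re.sub(r"^\S*?[#>]\s*", "", raw.strip())  # drop a CLI prompt if present
        tok = line.split()
        if len(tok) < 3 or tok[0] != "snmp-server":
            continue
        kind, args = tok[1], tok[2:]
        if kind == "community" and len(args) >= 3 and args[0] != "encrypt":
            access, action, rest = args[1], args[2], args[3:]
            # The guide states that the iso view is used when no view is given.
            view = rest[1] if rest[:1] == ["view"] and len(rest) > 1 else "iso"
            if action == "permit" and access == "rw":
                findings.append((line, "read-write community: Set requests need only the community string"))
            if action == "permit" and view == "iso":
                findings.append((line, "community can reach the whole iso view"))
        elif kind == "group" and args[1:2] == ["3"] and args[2:3] in (["auth"], ["noauth"]):
            findings.append((line, f"group level {args[2]}: messages are not encrypted"))
        elif kind == "user":
            opts = args[2:]  # keywords after <username> <groupname>
            if "auth" not in opts:
                findings.append((line, "user has no authentication (noauth)"))
            else:
                if "md5" in opts:
                    findings.append((line, "user authenticates with HMAC-MD5; sha is available"))
                if "priv" not in opts:
                    findings.append((line, "user has no priv key: payload is sent unencrypted"))
        elif kind == "host" and "version" in args:
            ver = args[args.index("version") + 1 : args.index("version") + 2]
            if ver and ver[0] in ("1", "2", "2c"):
                findings.append((line, "notifications sent over v1/v2c with a cleartext community"))
    return findings

if __name__ == "__main__":
    for command, finding in audit(SAMPLE_CONFIG):
        print(f"{finding}\n    {command}")
```

A read-only community bound to a narrower view such as sysview, a priv-level group, and a user configured with sha and a priv key produce no findings.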