SNMP Policies
-
Global SNMP policies
-
Defining SNMP traps and informs
-
Defining SNMP users
The SNMP Agent functionality remotely monitors Cisco UCS Central. You can also change the Cisco UCS Central host IP, and then restart the SNMP agent on the new IP. SNMP is run on both the active and standby Cisco UCS Central servers. The configuration persists on both. Cisco UCS Central offers read-only access to only the operating system managed information base (MIB). Through the Cisco UCS Central CLI you can configure the community strings for SNMP v1, v2c, and create and delete the SNMPv3 users.
SNMP Functional Overview
The SNMP framework consists of three parts:
- SNMP Manager
-
System used to control and monitor the activities of network devices using SNMP.
- SNMP Agent
-
Software component within Cisco UCS Central. The managed device that maintains the data for Cisco UCS Central and reports the data, as needed, to the SNMP manager. Cisco UCS Central includes the agent and a collection of MIBs. To enable the SNMP agent and create the relationship between the manager and agent, enable and configure SNMP.
- Managed Information Base (MIB)
-
Collection of managed objects in the SNMP agent. Cisco UCS Central supports only the OS MIBs.
For information about the specific MIBs available for Cisco UCS and where you can obtain them, see the MIB Reference for Cisco UCS Manager for B-series servers, and MIB Reference for Cisco UCS Standalone C-Series Servers C-series servers.
-
RFC 3410 (http://tools.ietf.org/html/rfc3410)
-
RFC 3411 (http://tools.ietf.org/html/rfc3411)
-
RFC 3412 (http://tools.ietf.org/html/rfc3412)
-
RFC 3413 (http://tools.ietf.org/html/rfc3413)
-
RFC 3414 (http://tools.ietf.org/html/rfc3414)
-
RFC 3415 (http://tools.ietf.org/html/rfc3415)
-
RFC 3416 (http://tools.ietf.org/html/rfc3416)
-
RFC 3417 (http://tools.ietf.org/html/rfc3417)
-
RFC 3418 (http://tools.ietf.org/html/rfc3418)
-
RFC 3584 (http://tools.ietf.org/html/rfc3584)
SNMP Notifications
A key feature of SNMP is the ability to generate notifications from an SNMP agent. These notifications do not require that the SNMP manager send the requests. Notifications can indicate improper user authentication, restarts, the closing of a connection, loss of connection to a neighbor router, or other significant events.
Cisco UCS Central generates SNMP notifications as traps. Traps are less reliable than Informs because the SNMP manager does not send any acknowledgment when it receives a trap. Therefore, Cisco UCS Central cannot determine if it received the trap.
An SNMP manager that receives an inform request acknowledges the message with an SNMP response protocol data unit (PDU). If Cisco UCS Central does not receive the PDU, it can send the inform request again.
SNMP Security Features
SNMPv3 provides secure access to devices through a combination of authenticating and encrypting frames over the network. SNMPv3 authorizes management operations only by configured users and encrypts SNMP messages. The SNMPv3 user-based security model (USM) refers to SNMP message-level security and offers the following services:
- Message Integrity
-
Ensures that nothing has altered or destroyed any messages in an unauthorized manner. Also ensures that nothing has altered data sequences to an extent greater than can occur non-maliciously.
- Message Origin Authentication
-
Confirms the claimed identity of the user who received the data.
- Message Confidentiality and Encryption
-
Ensures that information is not made available or disclosed to unauthorized individuals, entities, or processes.
SNMP Security Levels and Privileges
SNMPv1, SNMPv2c, and SNMPv3 each represent a different security model. A security model is an authentication strategy that is set up for a user and the role in which the user resides. The security model combines with the selected security level to determine the security mechanism applied when Cisco UCS Central processes the SNMP message.
The security level determines the privileges required to view the message associated with an SNMP trap. The security level determines whether Cisco UCS Central must protect the message from disclosure, or authenticate it. The supported security level depends upon which security model is implemented. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP packet. SNMP security levels support one or more of the following privileges:
- NoAuthNoPriv
-
No authentication or encryption.
- AuthNoPriv
-
Authentication but no encryption.
- AuthPriv
-
Authentication and encryption.
SNMPv3 provides for both security models and security levels.
SNMP Security Models and Levels
|
Model |
Level |
Authentication |
Encryption |
What Happens |
|---|---|---|---|---|
|
v1 |
noAuthNoPriv |
Community string |
No |
Uses a community string match for authentication. |
|
v2c |
noAuthNoPriv |
Community string |
No |
Uses a community string match for authentication. |
|
v3 |
noAuthNoPriv |
Username |
No |
Uses a username match for authentication. |
|
v3 |
authNoPriv |
HMAC-MD5 or HMAC-SHA |
No |
|
|
v3 |
authPriv |
HMAC-MD5 or HMAC-SHA |
DES |
Provides authentication based on:
|
Feedback