Home > Articles > Cisco > CCNP Routing and Switching

CCNP SWITCH 642-813: Simple Network Management Protocol (SNMP)

  • Oct 15, 2010
A key topic on the CCNP SWITCH exam, The Simple Network Management Protocol (SNMP) is a protocol that allows a network device to share information about itself and its activities In this article, expert network architect and author of best-selling CCNP SWITCH 642-813 Official Certification Guide Dave Hucaby helps you understand the basics of how SNMP works and the differences between the different SNMP versions as well as how you might apply SNMP to monitor a switched network.
Like this article? We recommend

Like this article? We recommend

CCNP SWITCH 642-813 Official Certification GuideCCNP SWITCH 642-813 Official Certification Guide

Learn More Buy

Like this article? We recommend

Like this article? We recommend

CCNP SWITCH 642-813 Official Certification GuideCCNP SWITCH 642-813 Official Certification Guide

Learn More Buy

The Simple Network Management Protocol (SNMP) is a protocol that allows a network device to share information about itself and its activities. A complete SNMP system consists of the following parts:

  • SNMP manager—A network management system that uses SNMP to poll and receive data from any number of network devices. The SNMP manager is usually an application that runs in a central location.
  • SNMP agent—A process that runs on the network device being monitored. All types of data are gathered by the device itself and stored in a local database. The agent can then respond to SNMP polls and queries with information from the database and it can send unsolicited alerts or “traps” to an SNMP manager.

In the case of Catalyst switches in the network, each switch automatically collects data about itself, its resources, and each of its interfaces. This data is stored in a Management Information Base (MIB) database in memory, and is updated in real time.

The MIB is organized in a structured, hierarchical fashion, forming a tree structure. In fact, the entire MIB is really a collection of variables that are stored in individual, more granular MIBs that form the branches of the tree. Each MIB is based on the Abstract Syntax Notation 1 (ASN.1) language. Each variable in the MIB is referenced by an object identifier (OID), a long string of concatenated indexes that follow the path from the root of the tree all the way to the variable’s location.

Fortunately, only the SNMP manager and agent need to be concerned with interpreting the MIBs. As far as the SWITCH exam and course go, you should just be aware that the MIB structure exists and that it contains everything that can be monitored about a switch.

To see any of the MIB data, an SNMP manager has to send an SNMP poll or query to the switch. The query contains the OID of the specific variable being requested so that the agent running on the switch knows what information to return. An SNMP manager can use the following mechanisms to communicate with an SNMP agent, all over UDP port 161:

  • Get Request—The value of one specific MIB variable is needed.
  • Get Next Request—The next or subsequent value following an initial Get Request is needed.
  • Get Bulk Request—Entire tables or lists of values in a MIB variable are needed.
  • Set Request—A specific MIB variable needs to be set to a value.

SNMP polls or requests are usually sent by the SNMP manager at periodic intervals. This makes real-time monitoring difficult, as changing variables won’t be noticed until the next poll cycle. However, SNMP agents can send unsolicited alerts to notify the SNMP manager of real-time events at any time. Alerts can be sent using the following mechanisms, over UDP port 162:

  • SNMP trap—News of an event (interface state change, device failure, and so on) is sent without any acknowledgement that the trap has been received.
  • Inform request—News of an event is sent to an SNMP manager, and the manager is required to acknowledge receipt by echoing the request back to the agent.

SNMP Versions

As network management has evolved, SNMP has developed into three distinct versions. The original, SNMP version 1 (SNMPv1), is defined in RFC1157. It uses simple one-variable Get and Set requests, along with simple SNMP traps. SNMP managers can gain access to SNMP agents by matching a simple “community” text string. When a manager wants to read or write a MIB variable on a device, it sends the community string in the clear, as part of the request. If that community string matches the agent’s community string, then the request is granted.

In theory, only managers and agents belonging to the same “community” should be able to communicate. In practice, any device has the potential to read or write variables to an agent’s MIB database by sending the right community string, whether it’s a legitimate SNMP manager or not. This creates a huge security hole in SNMPv1.

The second version of SNMP, SNMPv2C (RFC 1901), was developed to address some efficiency and security concerns. For example, SNMPv2c adds 64-bit variable counters, extending the useful range of values over the 32-bit counters used in SNMPv1. In addition, SNMPv2C offers the bulk request, making MIB data retrieval more efficient. It also offers inform requests, which make real-time alerts more reliable by requiring confirmation of receipt.

Despite the intentions of its developers, SNMPv2C does not address any security concerns over that of SNMPv1. SNMPv2C does offer 64-bit variable counters, which extend the capability to keep track of very large numbers like byte counters found on very high-speed interfaces. With SNMPv2C, MIB variables can be obtained in a bulk form with a single request. In addition, event notifications sent from an SNMPv2C agent can be in the form of SNMP traps or inform requests. The latter form requires an acknowledgment from the SNMP manager that the inform message was received.

The third generation of SNMP, SNMPv3, is defined in RFCs 3410 through 3415. It addresses the security features that are lacking in the earlier versions. SNMPv3 can authenticate SNMP managers through usernames. When usernames are configured on the SNMP agent of a switch, they can be organized into SNMPv3 group names.

Each SNMPv3 group is defined with a security level that describes the extent to which the SNMP data will be protected. Data packets can be authenticated to preserve their integrity, encrypted to obscure their contents, or both. The following security levels are available. The naming scheme uses “auth” to represent packet authentication and “priv” to represent data privacy or encryption.

  • noAuthNoPriv—SNMP packets are neither authenticated nor encrypted.
  • authNoPriv—SNMP packets are authenticated, but not encrypted.
  • authPriv—SNMP packets are authenticated and encrypted.

TIP

As a best practice, you should use SNMPv3 to leverage its superior security features whenever possible. If you must use SNMPv1 for a device, you should configure the switch to limit SNMP access to a read-only role. Never permit read-write access because the simple community string authentication can be exploited to make unexpected changes to a switch configuration.

Catalyst switches offer one additional means of limiting SNMP access: An access list can be configured to permit only specific SNMP manager IP addresses. You should configure and apply an access list to your SNMP configurations whenever possible.

Because SNMP is a universal method for monitoring all sorts of network devices, it isn’t unique to LAN switches. Therefore, you should understand the basics of how SNMP works, the differences between the different SNMP versions, and how you might apply SNMP to monitor a switched network. You can use Table 1 as a memory aid for your exam study.

Table 1—A Comparison of SNMP Versions and Their Features

Version

Authentication

Data Protection

Unique Features

SNMPv1

Community String

None

32-bit counters

SNMPv2c

Community String

None

Added bulk request and inform request message types, 64-bit counters

SNMPv3

Username authentication

Hash-based MAC (SHA or MD5)

DES, 3DES, AES (128, 192, 256-bit) encryption

Added user authentication, data integrity, and encryption

Configuring SNMPv1 and SNMPv2C

You should be familiar with the basic SNMP configuration. Fortunately, this involves just a few commands, as follows:

Switch(config)# access-list access-list-number permit ip-addr
Switch(config)# snmp-server community string [ro | rw] [access-list-number]
!
Switch(config)# snmp-server host host-address community-string [trap-type]

First, define a standard IP access list that permits only the IP addresses of your SNMP agent machines. Then apply that access list to the SNMPv1 community string with the snmp-server community command. Use the ro keyword to allow read-only access by the SNMP manager; otherwise, use the rw keyword to allow both read and write access.

Finally, use the snmp-server host command to identify the IP address of the SNMP manager where SNMP traps will be sent. By default, all types of traps are sent. You can use the ? key in place of trap-type to see a list of the available trap types.

In Example 1, the switch is configured to allow SNMP polling from network management stations at 192.168.3.99 and 192.168.100.4. The community string MonitorIt is used to authenticate the SNMP requests. All possible SNMP traps are sent to 192.168.3.99.

Example 1—Configuring SNMPv1 Access

Switch(config)# access-list 10 permit 192.168.3.99
Switch(config)# access-list 10 permit 192.168.100.4 
Switch(config)# snmp-server community MonitorIt ro 10
Switch(config)# snmp-server host 192.168.3.99 MonitorIt

Configuring SNMPv2C

Configuring SNMPv2C is very similar to SNMPv1. The only difference is with SNMP trap or inform configuration. You can use the following commands to configure basic SNMPv2C operation:

Switch(config)# access-list access-list-number permit ip-addr
Switch(config)# snmp-server community string [ro | rw] [access-list-number]
!
Switch(config)# snmp-server host host-address [informs] version 2c community-string

In the snmp-server host command, use the version 2c keywords to identify SNMPv2C operation. By default, regular SNMP traps are sent. To use inform requests instead, add the informs keyword.

Configuring SNMPv3

SNMPv3 configuration is a bit more involved than versions 1 or 2C, due mainly to the additional security features.

Switch(config)# access-list access-list-number permit ip-addr
!
Switch(config)# snmp-server group group-name v3 {noauth | auth | priv}
Switch(config)# snmp-server user user-name group-name v3 auth {md5 | sha}
 auth-password priv {des | 3des | aes {128 | 192 | 256} priv-password [access-list-number]
!
Switch(config)# snmp-server host host-address [informs] version 3 {noauth | auth | priv}
 user-name [trap-type]

First, use the snmp-server group command to define a group-name that will set the security level policies for SNMPv3 users. The security level is defined by the noauth (no packet authentication or encryption), auth (packets are authenticated but not encrypted), or priv (packets are both authenticated and encrypted) keyword. Only the security policy is defined in the group; no passwords or keys are required yet.

TIP

The SNMPv3 priv keyword and packet encryption can be used only if the switch is running a cryptographic version of its IOS software image. The auth keyword and packet authentication can be used regardless.

Next, define a username that an SNMP manager will use to communicate with the switch. Use the snmp-server user command to define the user-name and associate it with the SNMPv3 group-name. The v3 keyword configures the user to use SNMPv3.

The SNMPv3 user must also have some specifics added to its security policy. Use the auth keyword to define either MD5 or SHA as the packet authentication method, along with the auth-password text string that will be used in the hash computation. The priv keyword defines the encryption method (DES, 3DES, or AES 128/192/256-bit), and the priv-password text string that will be used in the encryption algorithm.

The same SNMPv3 username, authentication method and password, and encryption method and password must also be defined on the SNMP manager so it can successfully talk to the switch.

Finally, you can use the snmp-server host command to identify the SNMP manager that will receive either traps or informs. The switch can use SNMPv3 to send traps and informs, using the security parameters that are defined for the SNMPv3 user-name.

In Example 2, a switch is configured for SNMPv3 operation. Access list 10 permits only stations at 192.168.3.99 and 192.168.100.4 with SNMP access. SNMPv3 access is defined for a group named NetOps, using the priv (authentication and encryption) security level. One SNMPv3 user named mymonitor is defined; the network management station will use that username when it polls the switch for information. The username will require SHA packet authentication and AES-128 encryption, using the s3cr3tauth and s3cr3tpr1v passwords, respectively.

Finally, SNMPv3 informs will be used to send alerts to station 192.168.3.99 using the priv security level and username mymonitor.

Example 2—Configuring SNMPv3 Access

Switch(config)# access-list 10 permit 192.168.3.99
Switch(config)# access-list 10 permit 192.168.100.4
Switch(config)# snmp-server group NetOps v3 priv
Switch(config)# snmp-server user mymonitor NetOps v3 auth sha s3cr3tauth priv aes 128 s3cr3tpr1v 10
Switch(config)# snmp-server host 192.168.3.99 informs version 3 priv mymonitor

Pearson IT Certification Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Pearson IT Certification and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Pearson IT Certification products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by Adobe Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.pearsonitcertification.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020