Configuring SNMP Agent for Request Processing

This section describes the configurations required to work with SNMP v1, v2, and v3 Managers and the configurations required for generating traps and inform messages.

SNMP v1/v2 Request Processing

SNMPv3 is backward compatible with both SNMP v1 and SNMP v2. The version that needs to be enabled depends on the management software used.

The SNMP Agent provides a community-based security mechanism for v1/v2 operations.

Configuration Guidelines

Community parameters need to be configured in the SNMP Agent to allow SNMPv1/v2 Manager access.

Default Configuration

There is no specific default setting available for Community Index and Community Name. The values (NETMAN or PUBLIC) are available only at the time of boot-up.

Feature            Default Setting
Community Index    NETMAN/PUBLIC
Community Name     NETMAN/PUBLIC
Security Name      None
Storage type       Non-Volatile

Configuration Steps

Refer to Figure SNMP -Topology 1 for the topology setup. Execute the following commands on the SNMP Agent (Switch1) to allow SNMPv1/v2 access from the SNMP Manager (Host1).

At SNMP Agent:
To configure the community details:

Type the following:

  • Enter the Global Configuration Mode.
iS5comm# configure terminal
iS5comm(config)# enable snmpagent
  • Configure the SNMP Community and its associated parameters to establish SNMP v1/v2 access.
iS5comm(config)# snmp community index com1 name is5Com1 security user1
iS5comm(config)# snmp community index com2 name is5Com2 security user2
  • Create and configure the parameters for the user (security name).
iS5comm(config)# snmp user user1
iS5comm(config)# snmp user user2
  • Configure the SNMP groups.
iS5comm(config)# snmp group group1 user user1 security-model v1
iS5comm(config)# snmp group group2 user user2 security-model v2c
  • Configure the access details for the already created group.
iS5comm(config)# snmp access group1 v1 read iso write iso notify iso
iS5comm(config)# snmp access group2 v2c read iso write iso notify iso
  • Exit the Global Configuration Mode.
iS5comm(config)# exit
  • Execute the following command to view the community details configured in the agent.
iS5comm# show snmp community
Community Index : NETMAN
Community Name  : NETMAN
Security Name   : none
Context Name    :
Context EngineID: 80.00.08.1c.04.46.53
Transport Tag   :
Storage Type    : Nonvolatile
Row Status      : Active
------------------------------
Community Index : PUBLIC
Community Name  : PUBLIC
Security Name   : none
Context Name    :
Context EngineID: 80.00.08.1c.04.46.53
Transport Tag   :
Storage Type    : Nonvolatile
Row Status      : Active
------------------------------
Community Index : com1
Community Name  : is5Com1
Security Name   : user1
Context Name    :
Context EngineID: 80.00.08.1c.04.46.53
Transport Tag   :
Storage Type    : Nonvolatile
Row Status      : Active
------------------------------
Community Index : com2
Security Name   : user2
Context Name    :
Context EngineID: 80.00.08.1c.04.46.53
Transport Tag   :
Storage Type    : Nonvolatile
Row Status      : Active
------------------------------

SNMP v3 Request Processing

The SNMP Agent provides complete support for USM (User-based Security Model) and VACM (View-based Access Control Model). This section explains both models with examples. Version 3 is the most secure model, as it allows packet encryption.

Configuration Guidelines

The guidelines for configuration are as follows:

  1. The SNMPv3 framework has three security levels that can be configured: noAuthNoPriv, authNoPriv, and authPriv.
    • If the required security level is noAuthNoPriv, the auth parameter has to be configured as none, and there is no need to specify group access for either authentication or privacy.
    • If the required security level is authNoPriv, the auth parameter and group access for authentication have to be configured, and there is no need to specify group access for privacy.
    • If the required security level is authPriv, the auth parameter and group access for authentication and privacy have to be configured.
  2. A view can be restricted to a particular sub-tree (included/excluded) for read, write, or notify access, and the appropriate views have to be configured for each. If the default view is none, nothing can be accessed.
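
The view restriction in guideline 2 can be checked offline with the standard VACM view-matching rule (RFC 3415). The following is an added example, not code from the product or its documentation. It assumes the agent follows the standard rule and that each digit of the dotted mask printed by "show snmp viewtree" applies to one sub-identifier (1 = must match, 0 = wildcard). The names in_view, MIB2_MINUS and ROW5 are hypothetical.

```python
def parse_oid(text):
    return tuple(int(part) for part in text.strip(".").split("."))

def family_matches(oid, subtree, mask):
    """Mask digit 1: sub-identifier must match the subtree; 0: wildcard."""
    if len(oid) < len(subtree):
        return False
    mask = mask + (1,) * (len(subtree) - len(mask))  # short masks are padded with 1s
    return all(m == 0 or o == s for o, s, m in zip(oid, subtree, mask))

def in_view(oid_text, families):
    """families: (subtree, mask, view_type) rows that share one view name."""
    oid, best = parse_oid(oid_text), None
    for subtree_text, mask_text, view_type in families:
        subtree, mask = parse_oid(subtree_text), parse_oid(mask_text)
        rank = (len(subtree), subtree)  # longest subtree wins; ties go to the greater OID
        if family_matches(oid, subtree, mask) and (best is None or rank > best[0]):
            best = (rank, view_type)
    # No matching row at all means the OID is outside the view.
    return best is not None and best[1].lower() == "included"

# Rows as printed by "show snmp viewtree" on this page.
ISO = [("1", "1", "included")]
V3READ = [("1.3.6.1.2.1.17.7.1.4.5.1", "1.1.1.1.1.1.1.1.1.1.1.1", "included")]

# Constructed rows (not from the page): everything under 1.3.6.1.2.1 except the
# v3read subtree, and a wildcard row exposing every column of one table row (index 5).
MIB2_MINUS = [("1.3.6.1.2.1", "1.1.1.1.1.1", "included"),
              ("1.3.6.1.2.1.17.7.1.4.5.1", "1.1.1.1.1.1.1.1.1.1.1.1", "excluded")]
ROW5 = [("1.3.6.1.2.1.2.2.1.0.5", "1.1.1.1.1.1.1.1.1.0.1", "included")]

if __name__ == "__main__":
    for name, view in [("iso", ISO), ("v3read", V3READ), ("mib2_minus", MIB2_MINUS)]:
        print(name, in_view("1.3.6.1.2.1.1.1.0", view))
```

The iso view admits every OID under 1, which is what the v1/v2c groups on this page are granted for read, write and notify; a view with no rows admits nothing.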

Default Configuration

There is no specific default setting available for Community Index and Community Name. The values (NETMAN or PUBLIC) are available only at the time of boot-up.

Feature                                                    Default Setting
SNMP engine ID                                             Generally taken from the file issnvram.txt; otherwise, it is 80.00.08.1c.04.46.53.
Group Name                                                 iso/initial
View Name (associated with the group name)                 None
Sub-tree OID                                               1
Sub-tree Mask                                              1
View-type                                                  included
User name                                                  initial/templateSHA/templateMD5
Authentication Protocol (associated with the user name)    initial: none; templateSHA: SHA; templateMD5: MD5
Privacy Protocol (associated with the user name)           initial: none; templateMD5: none; templateSHA: DES_CBC
Storage type                                               Non-volatile

Configuration Steps

Refer to Figure SNMP -Topology 1 for the topology setup. Execute the following commands on the SNMP Agent (Switch1) to allow SNMPv3 access from the SNMP Manager (Host1).

At SNMP Agent:
Configure the SNMP engine ID. SNMP engine ID is an administratively unique identifier.

Type the following:

  • Enter the Global Configuration Mode.
iS5comm# configure terminal
iS5comm(config)# enable snmpagent
  • Configure the SNMP engine ID.
iS5comm(config)# snmp engineid 80.00.08.1c.04.46.64
  • Create and configure the parameters for the user user3.
iS5comm(config)# snmp user user3 auth SHA sha12345 priv DES des12345 engineid 80.00.08.1c.04.46.64
  • Configure the SNMP Group as group3 and the associated group parameters. The group must be created using the “snmp group” command before configuring the group access details.
iS5comm(config)# snmp group group3 user user3 security-model v3
  • Configure the access details for the group group3.
iS5comm(config)# snmp access group3 v3 priv read v3read write v3write notify none
  • Configure the parameters associated with SNMP view.
    • Configure the view as v3read.
      iS5comm(config)# snmp view v3read 1 included
    • Configure the view as v3write.
      iS5comm(config)# snmp view v3write 1 included
  • Exit the Global Configuration Mode.
iS5comm(config)# exit
  • Execute the following command to view the users’ details configured in the agent.
iS5comm# show snmp engineid
Community Index : 80.00.08.1c.04.46.64
iS5comm# show snmp user
Engine ID               : 80.00.08.1c.04.46.64
User                    : user1
Authentication Protocol : None
Privacy Protocol        : None
Storage Type            : Nonvolatile
Row Status              : Active
------------------------------
Engine ID               : 80.00.08.1c.04.46.64
User                    : user2
Authentication Protocol : None
Privacy Protocol        : None
Storage Type            : Nonvolatile
Row Status              : Active
------------------------------
Engine ID               : 80.00.08.1c.04.46.64
User                    : user3
Authentication Protocol : SHA
Privacy Protocol        : DES_CBC
Storage Type            : Nonvolatile
Row Status              : Active
------------------------------
Engine ID               : 80.00.08.1c.04.46.64
User                    : noAuthUser
Authentication Protocol : None
Privacy Protocol        : None
Storage Type            : Nonvolatile
Row Status              : Active
-----------------------------
Engine ID               : 80.00.08.1c.04.46.64
User                    : templateMD5
Authentication Protocol : MD5
Privacy Protocol        : None
Storage Type            : Nonvolatile
Row Status              : Active
------------------------------
Engine ID               : 80.00.08.1c.04.46.64
User                    : templateSHA
Authentication Protocol : SHA
Privacy Protocol        : AES_CFB128
Storage Type            : Nonvolatile
Row Status              : Active
------------------------------
iS5comm# show snmp group
Security Model : v1
Security Name  : none
Group Name     : iso
Storage Type   : Nonvolatile
Row Status     : Active
------------------------------
Security Model : v1
Security Name  : user1
Group Name     : group1
Storage Type   : Nonvolatile
Row Status     : Active
------------------------------
Security Model : v2c
Security Name  : none
Group Name     : iso
Storage Type   : Nonvolatile
Row Status     : Active
------------------------------
Security Model : v2c
Security Name  : user2
Group Name     : group2
Storage Type   : Nonvolatile
Row Status     : Active
------------------------------
Security Model : v3
Security Name  : user3
Group Name     : group3
Storage Type   : Nonvolatile
Row Status     : Active
------------------------------
Security Model : v3
Security Name  : noAuthUser
Group Name     : noAuthUser
Storage Type   : Nonvolatile
Row Status     : Active
------------------------------
Security Model : v3
Security Name  : templateMD5
Group Name     : noAuthUser
Storage Type   : Nonvolatile
Row Status     : Active
------------------------------
Security Model : v3
Security Name  : templateSHA
Group Name     : noAuthUser
Storage Type   : Nonvolatile
Row Status     : Active
------------------------------
iS5comm# show snmp group access
Group Name   : iso
Read View    : iso
Write View   : iso
Notify View  : iso
Storage Type : Nonvolatile
Row Status   : Active
------------------------------
Group Name   : iso
Read View    : iso
Write View   : iso
Notify View  : iso
Storage Type : Nonvolatile
Row Status   : Active
------------------------------
Group Name   : group2
Read View    : iso
Write View   : iso
Notify View  : iso
Storage Type : Nonvolatile
Row Status   : Active
------------------------------
Group Name   : group2
Read View    : iso
Write View   : iso
Storage Type : Nonvolatile
Row Status   : Active
------------------------------
Group Name   : group3
Read View    : v3read
Write View   : v3write
Notify View  :
Storage Type : Nonvolatile
Row Status   : Active
------------------------------
Group Name   : group3
Read View    : v3read
Write View   : v3write
Notify View  :
Storage Type : Nonvolatile
Row Status   : Active
------------------------------
Group Name   : noAuthUser
Read View    : restricted
Write View   : restricted
Notify View  : restricted
Storage Type : Nonvolatile
Row Status   : Active
------------------------------
Group Name   : noAuthUser
Read View    : iso
Write View   : iso
Notify View  : iso
Storage Type : Nonvolatile
Row Status   : Active
------------------------------
Group Name   : noAuthUser
Read View    : iso
Write View   : iso
Notify View  : iso
Storage Type : Nonvolatile
Row Status   : Active
------------------------------
iS5comm# show snmp viewtree
View Name    : iso
Subtree OID  : 1
Subtree Mask : 1
View Type    : Included
Storage Type : Nonvolatile
Row Status   : Active
------------------------------
View Name    : v3read
Subtree OID  : 1.3.6.1.2.1.17.7.1.4.5.1
Subtree Mask : 1.1.1.1.1.1.1.1.1.1.1.1
View Type    : Included
Storage Type : Nonvolatile
Row Status   : Active
------------------------------
View Name    : v3write
Subtree OID  : 1.3.6.1.2.1.17.7.1.4.5.1
Subtree Mask : 1.1.1.1.1.1.1.1.1.1.1.1
View Type    : Included
Storage Type : Nonvolatile
Row Status   : Active
------------------------------
View Name    : restricted
Subtree OID  : 1
Subtree Mask : 1
View Type    : Included
Storage Type : Nonvolatile
Row Status   : Active
------------------------------
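
The "show snmp community" and "show snmp user" listings above can be reviewed mechanically. The following is an added example, not part of the product documentation. It parses the record format shown on this page, flags the boot-time communities NETMAN and PUBLIC, and reports each user whose security level, as defined in the SNMPv3 configuration guidelines, is below authPriv. The function names and the abridged sample text are constructed for illustration.

```python
DEFAULT_COMMUNITIES = {"NETMAN", "PUBLIC"}  # boot-time defaults named on this page

# Constructed sample input, abridged from the outputs shown above.
COMMUNITIES = """\
Community Index : NETMAN
Community Name  : NETMAN
------------------------------
Community Index : com1
Community Name  : is5Com1
"""
USERS = """\
User                    : user1
Authentication Protocol : None
Privacy Protocol        : None
------------------------------
User                    : user3
Authentication Protocol : SHA
Privacy Protocol        : DES_CBC
------------------------------
User                    : templateMD5
Authentication Protocol : MD5
Privacy Protocol        : None
"""

def parse_records(text):
    """Turn 'Key : Value' lines into one dict per dash-separated record."""
    records, current = [], {}
    for line in text.splitlines():
        if line.strip().startswith("-----"):
            if current:
                records.append(current)
            current = {}
        elif ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return records + ([current] if current else [])

def security_level(user):
    """Map a user record to noAuthNoPriv, authNoPriv or authPriv."""
    if user.get("Authentication Protocol", "None").lower() == "none":
        return "noAuthNoPriv"
    return "authNoPriv" if user.get("Privacy Protocol", "None").lower() == "none" else "authPriv"

def audit(community_text, user_text):
    findings = [("default-community", r["Community Name"])
                for r in parse_records(community_text)
                if r.get("Community Name", "").upper() in DEFAULT_COMMUNITIES]
    findings += [(security_level(r), r.get("User", "?"))
                 for r in parse_records(user_text) if security_level(r) != "authPriv"]
    return findings
```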