SNMP’s key feature is the ability to generate notifications from SNMP agents.
Cisco routers can be configured to send SNMP traps or informed requests to a Network Management System (NMS) where a network administrator can view the data.
Figure 3-6 displays the typical communication between an SNMP manager and the SNMP agent (for example, a Cisco-enabled SNMP router).
Unsolicited notifications can be generated as traps or inform requests. Traps are messages alerting the SNMP manager to a condition on the network (sent by the SNMP agent). Inform requests (informs) are traps that include a request for confirmation of receipt from the SNMP manager. SNMP notifications can indicate improper user authentication, restarts, the closing of a connection, loss of connection to a neighbor router, or other significant events.
Table 3-1 snmp-server community Command Syntax Description
Syntax           Description
string           Case-sensitive community string that acts like a password and permits access to the SNMP protocol.
view view-name   (Optional) Name of a previously defined view. The view defines the objects available to the community.
ro               (Optional) Specifies read-only access. Authorized management stations are able to retrieve only MIB objects.
rw               (Optional) Specifies read-write access. Authorized management stations are able to retrieve and modify MIB objects.
number           (Optional) Integer from 1 to 99 that specifies an access list of IP addresses that are allowed to use the community string to gain access to the SNMP agent.
Figure 3-6 Communication Between SNMP Manager and SNMP Agent
[Figure 3-6 shows the SNMP agent sending Traps (no acknowledgment) or Inform Requests (acknowledgment sent) to the SNMP manager on UDP port 162, and the SNMP manager polling the SNMP agent on UDP port 161.]
The major difference between a trap and an inform packet is that an SNMP agent has no way of knowing if an SNMP trap was received by the SNMP manager. An inform request will be sent continually until an acknowledgment is received by the sending SNMP agent.
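The trap/inform exchange described above, as an added simulation that is not from the book or from Cisco IOS: the agent sends one unacknowledged Trap, then an InformRequest that it resends until a Response carrying the same request-id comes back. The lossy link, the Manager class and the bounded retry budget are constructed assumptions for the demonstration; the text itself says an inform is resent until acknowledged.

```python
from dataclasses import dataclass, field

# Constructed simulation of the trap/inform difference; no real SNMP encoding is
# used. PDU names follow SNMPv2 (Trap, InformRequest, Response).

@dataclass
class Pdu:
    kind: str               # "Trap", "InformRequest" or "Response"
    request_id: int         # lets the agent match a Response to its InformRequest
    varbinds: dict = field(default_factory=dict)

class LossyLink:
    """UDP stand-in that silently drops the first N datagrams it carries."""
    def __init__(self, drop_first_n):
        self.drop_first_n, self.sent = drop_first_n, 0
    def deliver(self, pdu):
        self.sent += 1
        return None if self.sent <= self.drop_first_n else pdu

class Manager:
    """NMS side (UDP 162): records notifications; answers an inform with a Response."""
    def __init__(self):
        self.received = []
    def receive(self, pdu):
        if pdu is None:             # datagram lost in transit
            return None
        self.received.append(pdu)
        if pdu.kind == "InformRequest":
            return Pdu("Response", pdu.request_id, pdu.varbinds)
        return None                 # traps are never acknowledged

def send_trap(link, manager, request_id, varbinds):
    """Agent sends one trap and cannot tell whether the NMS received it."""
    manager.receive(link.deliver(Pdu("Trap", request_id, varbinds)))
    return {"attempts": 1, "acknowledged": None}

def send_inform(link, manager, request_id, varbinds, retries=3):
    """Agent resends the inform until a matching Response arrives or the retry budget is spent."""
    for attempt in range(1, retries + 2):
        resp = manager.receive(link.deliver(Pdu("InformRequest", request_id, varbinds)))
        if resp is not None and resp.kind == "Response" and resp.request_id == request_id:
            return {"attempts": attempt, "acknowledged": True}
    return {"attempts": retries + 1, "acknowledged": False}  # gave up; NMS never saw it
```

With two dropped datagrams the trap is simply lost while the inform arrives on the third attempt; with every datagram dropped the agent at least learns that no acknowledgment ever came.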
Table 3-2 defines some of the common terminology used in SNMP.
NOTE Managed devices are monitored and controlled using three common SNMP commands: read, write, and trap.
The read command is used by an NMS to monitor managed devices. The NMS examines different variables that are maintained by managed devices.
The write command is used by an NMS to control managed devices. The NMS changes the values of variables stored within managed devices.
The trap command is used by managed devices to asynchronously report events to the NMS. For example, Cisco IOS routers can be configured to report errors, such as low memory resources or unauthorized access, to the NMS as emergency alerts for urgent action. When certain types of events occur, a managed device sends a trap to the NMS.
Table 3-2 SNMP Terminology
Term                               Description
Managed device                     A network node that contains an SNMP agent and resides on a managed network. Managed devices collect and store management information and make this information available to Network Management Systems using SNMP.
Agent                              A network management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP.
Network Management System (NMS)    Executes applications that monitor and control managed devices.
Management Information Base (MIB)  A database of network management information that is used and maintained by a management protocol such as SNMP. The value of an MIB object can be changed or retrieved using SNMP commands, usually through a GUI network management system. Cisco supports a number of defined and proprietary MIB commands.
If the snmp-server community command is not used during the SNMP configuration session, it is automatically added to the configuration after the snmp-server host command is used. In this case, the default community string (password) for snmp-server community is taken from the snmp-server host command. You must always set the community string manually; otherwise, your router could be left vulnerable to SNMP get commands.
Example 3-7 configures a Cisco IOS router for SNMP support.
The IOS command snmp-server community public RO enables SNMP on a Cisco router. This command is also used to restrict access via SNMP. The community string is defined as public and acts as a password protection mechanism against unauthorized users. The community string is sent in every SNMP packet, so a request carrying an incorrect community string is refused access to the SNMP agent. The read-only attribute means that no configuration changes will be permitted via SNMP.
The IOS command snmp-server enable traps config advises the NMS of any configuration changes. The IOS command snmp-server host 131.108.255.254 isdn alerts the host 131.108.255.254 of any ISDN traps. ISDN traps can include link flapping or high link usage, for example. (See Table 3-2 for a comprehensive list of traps.)
To specify the recipient of an SNMP notification operation, use the snmp-server host global configuration command. To remove the specified host, use the no form of this command.
snmp-server host host-addr [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]
Table 3-3 expands the snmp-server host IOS command and presents the full range of options, including MD5 authentication.
Example 3-7 Sample SNMP Configuration
! Enable SNMP with the read-only community string "public"
snmp-server community public RO
! Notify the NMS of configuration changes
snmp-server enable traps config
! Send ISDN notifications to the NMS at 131.108.255.254
snmp-server host 131.108.255.254 isdn
Table 3-3 snmp-server host Command
Syntax              Description
host-addr           Name or Internet address of the host (the targeted recipient).
traps               (Optional) Sends trap messages to this host. This is the default.
informs             (Optional) Sends Inform messages to this host.
version             (Optional) Version of SNMP used to send the traps. Version 3 is the most secure model because it allows packet encryption with the priv keyword. If you use the version keyword, one of the following must be specified:
                    1—SNMPv1. This option is not available with informs.
                    2c—SNMPv2C.
                    3—SNMPv3.
                    The following three optional keywords can follow the 3 keyword:
                    auth—(Optional) Enables Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) packet authentication.
                    noauth—(Default) The noAuthNoPriv security level. This is the default if the [auth | noauth | priv] keyword choice is not specified.
                    priv—(Optional) Enables Data Encryption Standard (DES) packet encryption (also called privacy).
community-string    Password-like community string sent with the notification operation. Although you can set this string using the snmp-server host command by itself, it is recommended that you define this string using the snmp-server community command prior to using the snmp-server host command.
udp-port port       (Optional) UDP port of the host to use. The default is 162.
notification-type   (Optional) Type of notification to be sent to the host. If no type is specified, all notifications are sent. The notification type can be one or more of the following keywords:
                    bgp—Sends Border Gateway Protocol (BGP) state change notifications.
                    calltracker—Sends Call Tracker call-start/call-end notifications.
                    config—Sends configuration notifications.
                    dspu—Sends downstream physical unit (DSPU) notifications.
                    entity—Sends Entity MIB modification notifications.
                    envmon—Sends Cisco enterprise-specific environmental monitor notifications when an environmental threshold is exceeded.
                    frame-relay—Sends Frame Relay notifications.
                    hsrp—Sends Hot Standby Routing Protocol (HSRP) notifications.
SNMP is disabled by default on Cisco IOS routers.
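Turning the syntax of Tables 3-1 and 3-3 and the warning about community strings set implicitly by snmp-server host into a check, here is an added Python audit that is not from the book or from Cisco. It parses snmp-server community and snmp-server host lines from a constructed config excerpt and flags read-write access, a missing access-list number, the well-known default strings public and private, a version 1 or 2c host whose string was never defined with snmp-server community, and SNMPv3 hosts without priv. The regexes cover only the syntax shown in the tables, the sample config is constructed, and treating an omitted version keyword as version 1 is my assumption.

```python
import re

# Constructed running-config excerpt to audit; not taken from any real router.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW 10
snmp-server community Ops-Ro view cutdown RO 10
snmp-server host 131.108.255.254 isdn
snmp-server host 131.108.255.254 informs version 3 priv nmsuser udp-port 1162 config
"""
WEAK_STRINGS = {"public", "private"}  # widely published default community strings
# Table 3-1: snmp-server community string [view view-name] [ro | rw] [number]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view (\S+))?(?: (ro|rw))?(?: ([1-9]\d?))?\s*$", re.I)
# Table 3-3: snmp-server host host-addr [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] string ...
HOST_RE = re.compile(
    r"^snmp-server host (\S+)(?: traps| informs)?(?: version (1|2c|3)(?: (auth|noauth|priv))?)? (\S+)")

def parse_community(line):
    """{string, view, mode, acl} for a community line, else None (mode defaults to ro)."""
    m = COMMUNITY_RE.match(line)
    return m and {"string": m[1], "view": m[2], "mode": (m[3] or "ro").lower(),
                  "acl": int(m[4]) if m[4] else None}

def parse_host(line):
    """{addr, version, level, string} for a host line, else None; version 1 assumed when omitted."""
    m = HOST_RE.match(line)
    return m and {"addr": m[1], "version": m[2] or "1", "level": m[3], "string": m[4]}

def audit(config):
    """Findings a reviewer would raise for the SNMP lines of an IOS-style config text."""
    lines = config.splitlines()
    comms = {c["string"]: c for c in map(parse_community, lines) if c}
    out = []
    for c in comms.values():
        if c["string"].lower() in WEAK_STRINGS:
            out.append(f"community {c['string']}: well-known default string")
        if c["mode"] == "rw":
            out.append(f"community {c['string']}: read-write access permits MIB modification")
        if c["acl"] is None:
            out.append(f"community {c['string']}: no access-list number, any source may use it")
    for h in filter(None, map(parse_host, lines)):
        if h["version"] != "3":
            out.append(f"host {h['addr']}: version {h['version']} sends the string in cleartext")
            if h["string"] not in comms:   # the implicit-community case the text warns about
                out.append(f"host {h['addr']}: string {h['string']} not set by snmp-server community, IOS adds it implicitly")
        elif h["level"] != "priv":
            out.append(f"host {h['addr']}: SNMPv3 without priv, no packet encryption")
    return out
```

On the sample, the Ops-Ro community (view, read-only, access list 10) and the SNMPv3 priv host produce no findings, while the page's own snmp-server host 131.108.255.254 isdn line is flagged for both the cleartext version and the implicitly created string.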