Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
Managed devices supporting SNMP contain software, which runs locally on the device and is referred to as an agent. A defined set of variables, known as managed objects, is maintained by the SNMP agent and used to manage the device. These objects are defined in a Management Information Base (MIB) that provides a standard presentation of the information controlled by the agent. SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network.
The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3. This agent continuously monitors the status of the switch hardware, as well as the traffic passing through its ports. A network management station can access this information using network management software. Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings. To communicate with the switch, the management station must first submit a valid community string for authentication.
Access to the switch from clients using SNMPv3 provides additional security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
The SNMPv3 security structure consists of security models, with each model having its own security levels. There are three security models defined: SNMPv1, SNMPv2c, and SNMPv3. Users are assigned to "groups" that are defined by a security model and specified security levels. Each group also has a defined security access to a set of MIB objects for reading and writing, which are known as "views." The switch has a default view (all MIB objects) and default groups defined for security models v1 and v2c.
Note: The predefined default groups and view can be deleted from the system. You can then define customized groups and views for the SNMP clients that require access.
Use the Administration > SNMP (Configure Global) page to enable SNMPv3 service for all management clients (i.e., versions 1, 2c, 3), and to enable trap messages.
Enables SNMP on the switch. (Default: Enabled)
Issues a notification message to specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process. (Default: Enabled)
Note: These are legacy notifications and therefore when used for SNMPv3 hosts, they must be enabled in conjunction with the corresponding entries in the Notification View.
Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.
A new engine ID can be specified by entering 9 to 64 hexadecimal characters (5 to 32 octets in hexadecimal format). If an odd number of characters are specified, a trailing zero is added to the value to fill in the last octet. For example, the value "123456789" is equivalent to "1234567890".
The number of times that the engine has (re-)initialized since the snmp EngineID was last configured.
Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authentication and encryption of packets passed between the switch and a user on the remote host.
The engine ID can be specified by entering 9 to 64 hexadecimal characters (5 to 32 octets in hexadecimal format). If an odd number of characters are specified, a trailing zero is added to the value to fill in the last octet. For example, the value "123456789" is equivalent to "1234567890".
The IPv4 address of a remote management station which is using the specified engine ID.
Use the Administration > SNMP (Configure View) page to configure SNMPv3 views which are used to restrict user access to specified portions of the MIB tree. The predefined view "defaultview" includes access to the entire MIB tree.
Add View
The name of the SNMP view. (Range: 1-32 characters)
Specifies the initial object identifier of a branch within the MIB tree. Wild cards can be used to mask a specific portion of the OID string. Use the Add OID Subtree page to configure additional object identifiers.
Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view.
Add OID Subtree
Lists the SNMP views configured in the Add View page. (Range: 1-32 characters)
Adds an additional object identifier of a branch within the MIB tree to the selected View. Wild cards can be used to mask a specific portion of the OID string. (Range: 1-64 characters)
Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view.
Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
The name of the SNMP group to which the user is assigned. (Range: 1-32 characters)
The user security model; SNMP v1, v2c or v3.
The following security levels are only used for the groups assigned to the SNMPv3 security model:
noAuthNoPriv: There is no authentication or encryption used in SNMP communications. (This is the default security level.)
AuthNoPriv: SNMP communications use authentication, but the data is not encrypted.
AuthPriv: SNMP communications use both authentication and encryption.
The configured view for read access. (Range: 1-32 characters)
The configured view for write access. (Range: 1-32 characters)
The configured view for notifications. (Range: 1-32 characters)
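The view and group pages above describe two layers that are applied together: a view decides which OID subtrees are visible (included or excluded, longest matching subtree winning, as in the RFC 3415 VACM view-tree model), and a group ties a user to a minimum security level and to separate read, write and notify views. The following model of that decision is an added example, not code from the switch or its vendor; the "*" wildcard notation for a masked OID position, the view and group names, and the `Agent` class are assumptions made for illustration.

```python
"""Added example (not the switch's own code): how SNMPv3 views and groups combine
to decide whether a request may touch a given OID. Views follow the RFC 3415
vacmViewTreeFamily rule: of all view entries whose subtree matches the OID, the
longest one wins and its included/excluded flag decides. A '*' sub-identifier in
a subtree is an assumed notation for one masked (wildcard) position."""
from dataclasses import dataclass, field
from typing import Optional

LEVELS = ["noAuthNoPriv", "AuthNoPriv", "AuthPriv"]   # weakest to strongest


def parse_oid(text: str) -> tuple:
    return tuple(text.strip(".").split("."))


def subtree_matches(subtree: tuple, oid: tuple) -> bool:
    # A subtree covers an OID when it is a prefix of it; '*' matches any one sub-id.
    if len(subtree) > len(oid):
        return False
    return all(s == "*" or s == o for s, o in zip(subtree, oid))


@dataclass
class View:
    name: str
    entries: list = field(default_factory=list)   # [(subtree tuple, included bool)]

    def add(self, subtree: str, included: bool = True) -> "View":
        self.entries.append((parse_oid(subtree), included))
        return self

    def permits(self, oid_text: str) -> bool:
        oid = parse_oid(oid_text)
        best = None
        for subtree, included in self.entries:
            if subtree_matches(subtree, oid):
                # Longest matching subtree wins; RFC 3415 breaks ties in favour
                # of the lexicographically greater subtree.
                if best is None or (len(subtree), subtree) > (len(best[0]), best[0]):
                    best = (subtree, included)
        return best is not None and best[1]


@dataclass
class Group:
    name: str
    model: str                    # "v1", "v2c" or "v3"
    level: str = "noAuthNoPriv"   # minimum security level; only meaningful for v3
    read: Optional[str] = None    # view names; None means no access of that kind
    write: Optional[str] = None
    notify: Optional[str] = None


@dataclass
class User:
    name: str
    group: str


class Agent:
    def __init__(self):
        self.views, self.groups, self.users = {}, {}, {}

    def authorize(self, user_name: str, level: str, op: str, oid: str) -> bool:
        """op is 'read', 'write' or 'notify'; level is the incoming message's level."""
        user = self.users.get(user_name)
        if user is None or user.group not in self.groups:
            return False
        group = self.groups[user.group]
        # A v3 group's minimum level must be met by the message's actual level.
        if group.model == "v3" and LEVELS.index(level) < LEVELS.index(group.level):
            return False
        view_name = getattr(group, op)
        if not view_name or view_name not in self.views:
            return False
        return self.views[view_name].permits(oid)


def build_demo_agent() -> Agent:
    """Constructed configuration for illustration only (not a real switch config)."""
    agent = Agent()
    agent.views["defaultview"] = View("defaultview").add("1")            # whole MIB tree
    agent.views["mib2-no-ip"] = (View("mib2-no-ip")
                                 .add("1.3.6.1.2.1")                     # include mib-2
                                 .add("1.3.6.1.2.1.4", included=False))  # but exclude ip
    agent.views["if3-only"] = View("if3-only").add("1.3.6.1.2.1.2.2.1.*.3")  # any ifEntry column, ifIndex 3
    agent.groups["monitor-v3"] = Group("monitor-v3", "v3", "AuthNoPriv",
                                       read="mib2-no-ip", notify="mib2-no-ip")
    agent.groups["legacy-v2c"] = Group("legacy-v2c", "v2c", read="defaultview", write="defaultview")
    agent.users["nms-reader"] = User("nms-reader", "monitor-v3")
    return agent
```

With this configuration the `nms-reader` user can read the interfaces table but not the ip group, cannot write anything because its group has no write view, and is refused entirely when a request arrives below the group's AuthNoPriv minimum, which is the practical effect of the "security level" and "read/write/notify view" fields on the Configure Group page.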
Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, you should consider removing the default strings.
A community string that acts like a password and permits access to the SNMP protocol.
Range: 1-32 characters, case sensitive
Default strings: "public" (Read-Only), "private" (Read/Write)
Specifies the access rights for the community string:
Authorized management stations are only able to retrieve MIB objects.
Authorized management stations are able to both retrieve and modify MIB objects.
Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch. Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view.
The name of the user connecting to the SNMP agent. (Range: 1-32 characters)
The name of the SNMP group to which the user is assigned. (Range: 1-32 characters)
The user security model; SNMP v1, v2c or v3.
The following security levels are only used for the groups assigned to the SNMPv3 security model:
noAuthNoPriv: There is no authentication or encryption used in SNMP communications. (This is the default security level.)
AuthNoPriv: SNMP communications use authentication, but the data is not encrypted.
AuthPriv: SNMP communications use both authentication and encryption.
The method used for user authentication. (Options: MD5, SHA; Default: MD5)
A minimum of eight plain text characters is required.
The encryption algorithm used for data privacy; only 56-bit DES is currently available.
A minimum of eight plain text characters is required.
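The Set Engine ID page states that the engine ID is combined with the user's password to generate the authentication and privacy keys, and this page fixes the password length and algorithm choices. The following is an added example, not code from the switch or its vendor, of that derivation as specified in RFC 3414 (password expanded to 1 MiB and hashed, then localized as H(Ku || engineID || Ku)), together with the manual's engine ID rule (9 to 64 hexadecimal characters, an odd count padded with a trailing zero). It assumes the page's "SHA" option means SHA-1, the standard SNMPv3 choice, and that the DES key and pre-IV are taken from the localized privacy key as RFC 3414 section 8.1.1.1 describes; the function names are my own.

```python
"""Added example (not the switch's own code): RFC 3414 key derivation that turns
an SNMPv3 user's password and an engine ID into localized keys, plus the manual's
engine-ID normalization rule (9-64 hex characters, odd counts padded with '0')."""
import hashlib

ALGOS = {"md5": "md5", "sha": "sha1"}   # manual's option names -> hashlib names


def normalize_engine_id(hex_text: str) -> bytes:
    s = hex_text.strip().lower()
    if not 9 <= len(s) <= 64 or any(c not in "0123456789abcdef" for c in s):
        raise ValueError("engine ID must be 9 to 64 hexadecimal characters")
    if len(s) % 2:            # odd count: a trailing zero fills the last octet
        s += "0"
    return bytes.fromhex(s)


def password_to_ku(password: str, algo: str) -> bytes:
    """RFC 3414 A.2: hash exactly 1 MiB of the password repeated end to end."""
    pw = password.encode()
    if len(pw) < 8:           # the manual requires at least eight characters
        raise ValueError("passwords must be at least eight characters")
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(ALGOS[algo.lower()], stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || engineID || Ku); the same password yields a
    different key on every engine, which is why the engine ID must be known."""
    return hashlib.new(ALGOS[algo.lower()], ku + engine_id + ku).digest()


def snmpv3_keys(auth_password: str, priv_password: str,
                engine_id_hex: str, auth_algo: str = "MD5") -> dict:
    eid = normalize_engine_id(engine_id_hex)
    auth_key = localize_key(password_to_ku(auth_password, auth_algo), eid, auth_algo)
    priv_key = localize_key(password_to_ku(priv_password, auth_algo), eid, auth_algo)
    # RFC 3414 8.1.1.1: CBC-DES takes the first 8 octets as key, the next 8 as pre-IV.
    return {"engine_id": eid, "auth_key": auth_key,
            "des_key": priv_key[:8], "des_pre_iv": priv_key[8:16]}
```

The values can be checked against the test vectors in RFC 3414 appendix A.3 (password "maplesyrup", engine ID 00...02): the localized MD5 key is 526f5eed9fcce26f8964c2930787d82b and the SHA-1 key is 6695febc9288e36282235fc7151f128497b38f3f. Because the engine ID enters the derivation, a remote engine ID typed incorrectly on the Add Remote Engine page produces keys that never match, which shows up as authentication failures rather than as a configuration error.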
Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch. Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view.
The name of the user connecting to the SNMP agent. (Range: 1-32 characters)
The name of the SNMP group to which the user is assigned. (Range: 1-32 characters)
IPv4 address of the remote device where the user resides.
The user security model; SNMP v1, v2c or v3.
The following security levels are only used for the groups assigned to the SNMPv3 security model:
noAuthNoPriv: There is no authentication or encryption used in SNMP communications. (This is the default security level.)
AuthNoPriv: SNMP communications use authentication, but the data is not encrypted.
AuthPriv: SNMP communications use both authentication and encryption.
The method used for user authentication. (Options: MD5, SHA; Default: MD5)
A minimum of eight plain text characters is required.
The encryption algorithm used for data privacy; only 56-bit DES is currently available.
A minimum of eight plain text characters is required.
Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software). You can specify up to five management stations that will receive authentication failure messages and other trap messages from the switch.
SNMP Version 1
IPv4 or IPv6 address of a new management station to receive notification messages (i.e., the targeted recipient).
Specifies whether to send notifications as SNMP v1, v2c, or v3 traps. (Default: v1)
Specifies a valid community string for the new trap manager entry. (Range: 1-32 characters, case sensitive)
Although you can set this string in the Configure Trap - Add page, we recommend defining it in the Configure User - Add Community page.
Specifies the UDP port number used by the trap manager. (Default: 162)
SNMP Version 2c
IPv4 or IPv6 address of a new management station to receive notification messages (i.e., the targeted recipient).
Specifies whether to send notifications as SNMP v1, v2c, or v3 traps. (Default: v1)
Notifications are sent as trap messages.
Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts. (Default: traps are used)
The time to wait for an acknowledgment before resending an inform message. (Range: 0-2147483647 centiseconds; Default: 1500 centiseconds, i.e. 15 seconds)
The maximum number of times to resend an inform message if the recipient does not acknowledge receipt. (Range: 0-255; Default: 3)
Specifies a valid community string for the new trap manager entry. (Range: 1-32 characters, case sensitive)
Although you can set this string in the Configure Trap - Add page, we recommend defining it in the Configure User - Add Community page.
Specifies the UDP port number used by the trap manager. (Default: 162)
SNMP Version 3
IPv4 or IPv6 address of a new management station to receive notification messages (i.e., the targeted recipient).
Specifies whether to send notifications as SNMP v1, v2c, or v3 traps.
Notifications are sent as trap messages.
Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts. (Default: traps are used)
The time to wait for an acknowledgment before resending an inform message. (Range: 0-2147483647 centiseconds; Default: 1500 centiseconds, i.e. 15 seconds)
The maximum number of times to resend an inform message if the recipient does not acknowledge receipt. (Range: 0-255; Default: 3)
The name of a local user which is used to identify the source of SNMPv3 trap messages sent from the local switch. (Range: 1-32 characters)
If an account for the specified user has not been created, one will be automatically generated.
The name of a remote user which is used to identify the source of SNMPv3 inform messages sent from the local switch. (Range: 1-32 characters)
If an account for the specified user has not been created, one will be automatically generated.
Specifies the UDP port number used by the trap manager. (Default: 162)
When trap version 3 is selected, you must specify one of the following security levels. (Default: noAuthNoPriv)
noAuthNoPriv: There is no authentication or encryption used in SNMP communications.
AuthNoPriv: SNMP communications use authentication, but the data is not encrypted.
AuthPriv: SNMP communications use both authentication and encryption.
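The Configure Trap pages distinguish traps (fire and forget) from informs (acknowledged, with a timeout and retry count). The following added example, which is not code from the switch or its vendor, builds the two SNMPv2c notification PDUs from the same variable bindings so the difference is visible on the wire (PDU tag 0xa7 for a Trap, 0xa6 for an Inform), and models the retransmission loop using the page's defaults of 1500 centiseconds and 3 retries. The BER encoder, the `send_inform` loop and the lossy "transport" are my own constructions; the transport acknowledges on a chosen attempt instead of sending anything, so the example runs offline. The v1 trap format is not shown.

```python
"""Added example (not the switch's own code): minimal BER encoding of SNMPv2c
Trap and Inform messages, plus a model of inform retransmission with the page's
defaults (timeout 1500 centiseconds, 3 retries)."""

TRAP_V2, INFORM = 0xA7, 0xA6                     # context-specific PDU tags [7] and [6]
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"                # sysUpTime.0, mandatory first varbind
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"         # snmpTrapOID.0, mandatory second varbind
WARM_START = "1.3.6.1.6.3.1.1.5.2"              # warmStart notification OID


def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def enc_int(value: int, tag: int = 0x02) -> bytes:
    """INTEGER (or TimeTicks with tag 0x43): minimal two's-complement encoding."""
    if value == 0:
        return tlv(tag, b"\x00")
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def enc_oid(text: str) -> bytes:
    ids = [int(x) for x in text.strip(".").split(".")]
    out = bytearray([40 * ids[0] + ids[1]])        # first two sub-ids share one octet
    for sub in ids[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:                                 # base-128, high bit set on all but last
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_notification(community: str, trap_oid: str, uptime_ticks: int,
                       request_id: int, inform: bool = False, extra=()) -> bytes:
    """SNMPv2c message carrying a Trap (default) or Inform PDU; extra holds
    (oid, octet-string value) pairs appended after the two mandatory varbinds."""
    varbinds = [tlv(0x30, enc_oid(SYS_UPTIME) + enc_int(uptime_ticks, 0x43)),
                tlv(0x30, enc_oid(SNMP_TRAP_OID) + enc_oid(trap_oid))]
    for oid, value in extra:
        varbinds.append(tlv(0x30, enc_oid(oid) + tlv(0x04, value)))
    pdu = tlv(INFORM if inform else TRAP_V2,
              enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, b"".join(varbinds)))
    return tlv(0x30, enc_int(1) + tlv(0x04, community.encode()) + pdu)   # version 1 == v2c


def send_inform(transport, message: bytes, timeout_cs: int = 1500, retries: int = 3) -> dict:
    """Send once, then resend up to `retries` times, waiting timeout_cs after each
    unacknowledged attempt. transport(message) returns True when the manager acked."""
    elapsed = 0
    for attempt in range(1, retries + 2):
        if transport(message):
            return {"acked": True, "attempts": attempt, "elapsed_cs": elapsed}
        elapsed += timeout_cs
    return {"acked": False, "attempts": retries + 1, "elapsed_cs": elapsed}


def make_lossy_transport(ack_on_attempt: int):
    """Constructed stand-in for the network: acknowledges only from the given attempt on."""
    calls = {"n": 0}

    def transport(message: bytes) -> bool:
        calls["n"] += 1
        return calls["n"] >= ack_on_attempt
    return transport
```

With the defaults, an inform that is never acknowledged is attempted four times and the switch waits 60 seconds in total before giving up, whereas a trap is sent once with no feedback; that is the reason the notification log section below recommends logging as a hedge against lost notifications.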
Use the Administration > SNMP (Configure Notify Filter - Add) page to create an SNMP notification log.
Command Usage
Systems that support SNMP often need a mechanism for recording Notification information as a hedge against lost notifications, whether they are Traps or Informs that may have exceeded their retransmission limits. The Notification Log MIB (NLM, RFC 3014) provides an infrastructure in which information from other MIBs may be logged.
Given the service provided by the NLM, individual MIBs can now bear less responsibility to record transient information associated with an event against the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any important Notifications.
If notification logging is not configured, when the switch reboots, some SNMP traps (such as warm start) cannot be logged.
To avoid this problem, notification logging should be configured as described in this section, and these commands stored in the startup configuration file using the System > File (Copy - Running-Config) page. Then when the switch reboots, SNMP traps (such as warm start) can now be logged.
Based on the default settings used in RFC 3014, a notification log can contain up to 256 entries, and the entry aging time is 1440 minutes. The information recorded in a notification log and the entry aging time can only be configured using SNMP from a network management station.
When a trap host is created using the Administration > SNMP (Configure Trap - Add) page, a default notify filter will be created.
Parameters
The IPv4 or IPv6 address of a remote device. The specified target host must already have been configured using the Administration > SNMP (Configure Trap - Add) page.
The notification log is stored locally. It is not sent to a remote device. This remote host parameter is only required to complete mandatory fields in the SNMP Notification MIB.
Notification log profile name. (Range: 1-32 characters)
Use the Administration > SNMP (Show Statistics) page to show counters for SNMP input and output protocol data units.