Catalyst 6500 Series Switch Software Configuration Guide—Release 7.6
78-15381-01
Chapter 38
Configuring SNMP
This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the
Catalyst 6500 series switches.
This chapter consists of these sections:
• SNMP Terminology, page 38-1
• Understanding How SNMP Works, page 38-4
• Understanding How SNMPv1 and SNMPv2c Work, page 38-5
• Understanding How SNMPv3 Works, page 38-7
• Enabling and Disabling SNMP Processing, page 38-10
• Configuring SNMPv1 and SNMPv2c on the Switch, page 38-11
• SNMPv1 and SNMPv2c Enhancements in Software Release 7.5(1), page 38-12
• Configuring SNMPv3 on the Switch, page 38-16
Note For complete syntax and usage information for the commands used in this chapter, refer to the
Catalyst 6500 Series Switch Command Reference publication.
SNMP Terminology
Table 38-1 lists the terms that are used in SNMP technology.
Table 38-1 SNMP Terminology

Term | Definition
authentication | The process of ensuring message integrity and protection against message replays, including both data integrity and data origin authentication.
authoritative SNMP engine | One of the SNMP copies involved in network communication is designated the allowed SNMP engine to protect against message replay, delay, and redirection. The security keys used for authenticating and encrypting SNMPv3 packets are generated as a function of the authoritative SNMP engine's ID and user passwords. When an SNMP message expects a response (for example, get exact, get next, set request), the receiver of these messages is authoritative. When an SNMP message does not expect a response, the sender is authoritative.
community string | A text string used to authenticate messages between a management station and an SNMPv1 or SNMPv2c engine.
data integrity | A condition or state of data in which a message packet has not been altered or destroyed in an unauthorized manner.
data origin authentication | The ability to verify the identity of a user on whose behalf the message is supposedly sent. This ability protects users against both message capture and replay by a different SNMP engine and against packets received or sent to a particular user that uses an incorrect password or security level.
encryption | A method of hiding data from an unauthorized user by scrambling the contents of an SNMP packet.
group | A set of users belonging to a particular security model. A group defines the access rights for all the users belonging to it. Access rights define the SNMP objects that can be read, written to, or created. In addition, the group defines the notifications that a user is allowed to receive.
notification host | An SNMP entity to which notifications (traps and informs) are to be sent.
notify view | A view name (not to exceed 64 characters) for each group; the view name defines the list of notifications that can be sent to each user in the group.
privacy | An encrypted state of the contents of an SNMP packet; in this state the contents are prevented from being disclosed on a network. Encryption is performed with an algorithm called CBC-DES (DES-56).
read view | A view name (not to exceed 64 characters) for each group; the view name defines the list of object identifiers (OIDs) that can be read by users belonging to the group.
security level | A type of security algorithm that is performed on each SNMP packet. There are three levels: noauth, auth, and priv. The noauth level authenticates a packet by a string match of the username. The auth level authenticates a packet by using either the HMAC MD5 or SHA algorithms. The priv level authenticates a packet by using either the HMAC MD5 or SHA algorithms and encrypts the packet using the CBC-DES (DES-56) algorithm.
security model | The security strategy used by the SNMP agent. Currently, Cisco IOS software supports three security models: SNMPv1, SNMPv2c, and SNMPv3.
Simple Network Management Protocol (SNMP) | A network management protocol that provides a method to monitor and control network devices and to manage configurations, statistics collection, performance, and security.
Simple Network Management Protocol Version 2c (SNMPv2c) | Second version of SNMP. This protocol supports centralized and distributed network management strategies and includes improvements in the structure of management information (SMI), protocol operations, management architecture, and security.
SNMP engine | A copy of SNMP that can reside on the local or remote device.
SNMP entity | Unlike SNMPv1 and SNMPv2c, in SNMPv3 the terms SNMP Agents and SNMP Managers are no longer used. These concepts have been combined and are called an SNMP entity. An SNMP entity is made up of an SNMP engine and SNMP applications.
SNMP group | A collection of SNMP users that belong to a common SNMP list that defines an access policy, in which object identification numbers (OIDs) are both read-accessible and write-accessible. Users belonging to a particular SNMP group inherit all of these attributes defined by the group.
SNMP user | A person for whom an SNMP management operation is performed. The user is the person on a remote SNMP engine who receives the inform messages.
SNMP view | A mapping between SNMP objects and the access rights that are available for those objects. An object can have different access rights in each view. Access rights indicate whether the object is accessible by either a community string or a user.
write view | A view name (not to exceed 64 characters) for each group; the view name defines the list of object identifiers (OIDs) that can be created or modified by the users of the group.
Understanding How SNMP Works
SNMP is an application-layer protocol that facilitates the exchange of management information between
network devices. SNMP enables network administrators to manage network performance, find and solve
network problems, and plan for network growth.
There are three versions of SNMP:
• Version 1 (SNMPv1)—This is the initial implementation of SNMP. Refer to RFC 1157 for a full
description of functionality. See the “Understanding How SNMPv1 and SNMPv2c Work” section
on page 38-5 for more information on SNMPv1.
• Version 2 (SNMPv2c)—The second release of SNMP, described in RFC 1902, has additions and
enhancements to data types, counter size, and protocol operations. See the “Understanding How
SNMPv1 and SNMPv2c Work” section on page 38-5 for more information on SNMPv2.
• Version 3 (SNMPv3)—This is the most recent version of SNMP and is fully described in RFC 2571,
RFC 2572, RFC 2573, RFC 2574, and RFC 2575. The SNMPv1 and SNMPv2c functionality on the
Catalyst enterprise LAN switches remains intact; however, SNMPv3 adds significant enhancements to
administration and security. See the “Understanding How SNMPv3 Works” section on page 38-7 for
more information on SNMPv3.
Security Models and Levels
A security model is an authentication strategy that is set up for a user and the group in which the user
resides. A security level is the permitted level of security within a security model. A combination of a
security model and a security level determines which security mechanism is employed when handling
an SNMP packet. Three security models are available: SNMPv1, SNMPv2c, and SNMPv3. Table 38-2
identifies the combinations of security models and defines the levels for SNMPv1, SNMPv2c, and
SNMPv3.
Table 38-2 SNMP Security Levels

Model | Level | Authentication | Encryption | What Happens
v1 | noAuthNoPriv | Community String | No | Uses a community string match for authentication.
v2c | noAuthNoPriv | Community String | No | Uses a community string match for authentication.
v3 | noAuthNoPriv | Username | No | Uses a username match for authentication.
v3 | authNoPriv | MD5 or SHA | No | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.
v3 | authPriv | MD5 or SHA | DES | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides DES 56-bit encryption in addition to authentication based on the CBC-DES (DES-56) standard.
Note the following about SNMPv3 objects:
• Each user belongs to a group
• A group defines the access policy for a set of users
• An access policy controls which SNMP objects can be read, written to, or created
• A group determines the list of notifications its users can receive
• A group also defines the security model and security level for its users
SNMP ifIndex Persistence Feature
The SNMP ifIndex persistence feature is always enabled. With the ifIndex persistence feature, the
ifIndex value of the port and VLAN is always retained and used after the following occurrences:
• Switch reboot
• High-availability switchover
• Software upgrade
• Module reset
• Module removal and insertion of the same type of module
For Fast EtherChannel and Gigabit EtherChannel interfaces, the ifIndex value is only retained and used
after a high-availability switchover.
Understanding How SNMPv1 and SNMPv2c Work
The components of SNMPv1 and SNMPv2c network management fall into three categories:
• Managed devices (such as a switch)
• SNMP agents and MIBs, including Remote Monitoring (RMON) MIBs, which run on managed
devices
• SNMP network management applications, such as CiscoWorks2000, which communicate with
agents to get statistics and alerts from the managed devices. See the “Using CiscoWorks2000”
section on page 38-6 for more information on CiscoWorks2000.
Note An SNMP management application, together with the computer it runs on, is called a
Network Management System (NMS).
Using Managed Devices
Catalyst 6500 series switches are managed devices that support SNMP network management with the
following features:
• SNMP traps (see the “Configuring SNMPv1 and SNMPv2c from the CLI” section on page 38-11)
• RMON in the supervisor engine software (see Chapter 39, “Configuring RMON”)
• RMON and RMON2 on an external SwitchProbe device
Using SNMP Agents and MIBs
SNMP network management uses these SNMP agent functions:
• Accessing a MIB variable—This function is initiated by the SNMP agent in response to a request
from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS
with that value.
• Setting a MIB variable—This function is also initiated by the SNMP agent in response to a message
from the NMS. The SNMP agent changes the value of the MIB variable to the value that is requested
by the NMS.
Note For more information about MIBs, refer to
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
• SNMP trap—This function is used to notify an NMS that a significant event has occurred at an
agent. When a trap condition occurs, the SNMP agent sends an SNMP trap message to any NMSs
that are specified as the trap receivers under the following conditions:
– When a port or module goes up or down
– When temperature limitations are exceeded
– When there are spanning tree topology changes
– When there are authentication failures
– When power supply errors occur
• SNMP community strings—SNMP community strings authenticate access to MIB objects and
function as embedded passwords:
– Read-only—Gives read access to all objects in the MIB except the community strings but does
not allow write access
– Read-write—Gives read and write access to all objects in the MIB but does not allow access to
the community strings
– Read-write-all—Gives read and write access to all objects in the MIB including the community
strings
Note The community string definitions on your NMS must match at least one of the three community
string definitions on the switch.
Using CiscoWorks2000
CiscoWorks2000 is a family of Web-based and management platform-independent products for
managing Cisco enterprise networks and devices. CiscoWorks2000 includes Resource Manager
Essentials and CWSI Campus, which allow you to deploy, configure, monitor, manage, and troubleshoot
a switched internetwork. For more information, refer to the following publications:
• Getting Started With Resource Manager Essentials
• Getting Started With CWSI Campus
Understanding How SNMPv3 Works
SNMPv3 contains all the functionality of SNMPv1 and SNMPv2c, but SNMPv3 has significant
enhancements to administration and security. SNMPv3 is an interoperable standards-based protocol that
provides secure access to devices by authenticating and encrypting packets over the network. The
security features that are provided in SNMPv3 are as follows:
• Message integrity—Collects data securely without being tampered with or corrupted
• Authentication—Determines that the message is from a valid source
• Encryption—Scrambles the contents of a packet to prevent it from being seen by an unauthorized
source
SNMP Entity
Unlike SNMPv1 and SNMPv2c, in SNMPv3 the concepts of SNMP agent and SNMP manager no
longer apply. These concepts have been combined into an SNMP entity. An SNMP entity consists of an
SNMP engine and SNMP applications. An SNMP engine consists of the following four components:
• Dispatcher
• Message processing subsystem
• Security subsystem
• Access control subsystem
Figure 38-1 shows an SNMP entity.
Dispatcher
The dispatcher is a traffic manager that sends and receives messages. After receiving a message, the
dispatcher tries to determine the version number of the message and then passes the message to the
appropriate message processing model. The dispatcher is also responsible for dispatching protocol data
units (PDUs) to applications and for selecting the appropriate transports for sending messages.
Figure 38-1 SNMP Entity for Traditional SNMP Agents
Message Processing Subsystem
The message processing subsystem accepts outgoing PDUs from the dispatcher and prepares them for
transmission by wrapping them in a message header and returning them to the dispatcher. The message
processing subsystem also accepts incoming messages from the dispatcher, processes each message
header, and returns the enclosed PDU to the dispatcher. An implementation of the message processing
subsystem may support a single message format corresponding to a single version of SNMP (SNMPv1,
SNMPv2c, SNMPv3), or it may contain a number of modules, each supporting a different version of
SNMP.
Security Subsystem
The security subsystem authenticates and encrypts messages. Each outgoing message is passed to the
security subsystem from the message processing subsystem. Depending on the services required, the
security subsystem may encrypt the enclosed PDU and some fields in the message header. In addition,
the security subsystem may generate an authentication code and insert it into the message header. After
encryption, the message is returned to the message processing subsystem.
[Figure 38-1 (image not reproduced): SNMP Entity. SNMP Engine: Dispatcher (Transport Mapping over UDP, IPX, Other; Message Dispatcher; PDU Dispatcher), Message Processing Subsystem (v1MP, v2cMP, v3MP, otherMP), Security Subsystem (User-based security model, Other security model), Access Control Subsystem (View-based access control model, Other access control model). SNMP Applications: Command responder applications, Notification originator applications, Proxy forwarder applications, MIB Instrumentation.]
Each incoming message is passed to the security subsystem from the message processing subsystem. If
required, the security subsystem checks the authentication code and performs decryption. The processed
message is returned to the message processing subsystem. An implementation of the security subsystem
may support one or more distinct security models. The only currently defined security model is the
user-based security model (USM) for SNMPv3, which is specified in RFC 2274.
The USM protects SNMPv3 messages from the following potential security threats:
• An authorized user sending a message that gets modified in transit by an unauthorized SNMP entity.
• An unauthorized user trying to masquerade as an authorized user.
• A user modifying the message stream.
• An unauthorized user listening to the message.
The USM currently defines the HMAC-MD5-96 and HMAC-SHA-96 as the authentication protocols and
CBC-DES as the privacy protocol.
SNMPv1 and SNMPv2c security models provide only community names for authentication and no
privacy.
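The authoritative SNMP engine entry in Table 38-1 and the USM paragraph above describe two things that are easier to see in code: the user's password is turned into a key that is localized to the authoritative engine's ID, and HMAC-MD5-96 or HMAC-SHA-96 is computed over the message with the 12-octet msgAuthenticationParameters field zeroed. The following is an added example, not code from this guide or from the switch software; it implements the RFC 3414 key-localization and HMAC-96 steps with Python's standard library and uses the password and engine ID from the RFC 3414 Appendix A test vectors. The message layout (header, authentication parameters, PDU as plain byte strings) is constructed for illustration; real SNMPv3 messages are BER encoded, but the placement rule for the authentication parameters is the same. CBC-DES privacy (the authPriv level) is not implemented here.

```python
"""SNMPv3 USM key localization and HMAC-96 authentication (RFC 3414).

Added example; not from the Cisco guide. PASSWORD and ENGINE_ID are the
RFC 3414 Appendix A test inputs; the message bytes are constructed.
"""
import hashlib
import hmac

PASSWORD = b"maplesyrup"                     # RFC 3414 A.3 test password
ENGINE_ID = bytes([0] * 11 + [2])            # RFC 3414 A.3 engine ID (12 octets, last = 0x02)
AUTH_PARAM_LEN = 12                          # HMAC-*-96: the MAC is truncated to 96 bits


def password_to_key(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated out to 1,048,576 octets (Ku)."""
    h = hashlib.new(algo)
    reps = 1048576 // len(password) + 1
    h.update((password * reps)[:1048576])
    return h.digest()


def localize_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || authoritativeEngineID || Ku).

    The localized key depends on the authoritative engine's ID, so the same
    password yields a different key on every device (Table 38-1, authoritative
    SNMP engine)."""
    ku = password_to_key(password, algo)
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_params(kul: bytes, algo: str, message_with_zeroed_params: bytes) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message, computed with
    the 12-octet parameter field set to zero, then truncated to 96 bits."""
    return hmac.new(kul, message_with_zeroed_params, algo).digest()[:AUTH_PARAM_LEN]


def build_message(kul: bytes, algo: str, header: bytes, pdu: bytes) -> bytes:
    """Constructed wire layout: header | authParams(12) | pdu."""
    zeroed = header + bytes(AUTH_PARAM_LEN) + pdu
    return header + auth_params(kul, algo, zeroed) + pdu


def verify_message(kul: bytes, algo: str, wire: bytes, header_len: int) -> bool:
    """Receiver side: zero the received parameters, recompute, compare."""
    start, end = header_len, header_len + AUTH_PARAM_LEN
    received = wire[start:end]
    zeroed = wire[:start] + bytes(AUTH_PARAM_LEN) + wire[end:]
    expected = auth_params(kul, algo, zeroed)
    # constant-time comparison so the check does not leak matching prefix length
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        kul = localize_key(PASSWORD, ENGINE_ID, algo)
        print(algo, "localized key:", kul.hex())
        header, pdu = b"constructed-header", b"constructed-pdu"
        wire = build_message(kul, algo, header, pdu)
        print(algo, "verifies:", verify_message(kul, algo, wire, len(header)))
```

The localized keys printed for md5 and sha1 match the values given in RFC 3414 Appendix A.3 for this password and engine ID. Note that a key localized for a different engine ID fails verification of the same message, which is what limits the damage if one device's key is recovered.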
Access Control Subsystem
The access control subsystem determines whether access to a managed object should be allowed. With
the view-based access control model (VACM), you can control which users and which operations can
have access to which managed objects.
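The VACM decision above combines the group, read view, write view, notify view and security level terms from Table 38-1 and the level ordering from Table 38-2. The following is an added example, not code from this guide or from the switch, showing that decision as a small model: a user and security model map to a group, the group names a minimum security level and one view per operation, and a view is a list of OID subtrees marked included or excluded where the longest matching subtree wins. The users, groups and view names are constructed; the OIDs used (1.3.6.1 internet, 1.3.6.1.2.1.1 system, 1.3.6.1.6.3.15 snmpUsmMIB) are standard.

```python
"""View-based access control (VACM) decision model. Added example; the
users, groups and views are constructed, not a real switch configuration."""
from dataclasses import dataclass

LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


def parse_oid(oid: str) -> tuple:
    return tuple(int(x) for x in oid.strip(".").split("."))


@dataclass
class View:
    """Entries are (subtree, included). The longest matching subtree decides,
    so an excluded entry can carve a hole out of a wider included one."""
    entries: list

    def allows(self, oid: str) -> bool:
        target = parse_oid(oid)
        best = None
        for subtree, included in self.entries:
            prefix = parse_oid(subtree)
            if target[: len(prefix)] != prefix:
                continue
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, included)
        return best is not None and best[1]


@dataclass
class Group:
    security_model: str   # "v1", "v2c" or "v3"
    min_level: str        # lowest level at which a member may use this group
    read_view: View
    write_view: View
    notify_view: View


def check_access(users: dict, groups: dict, user: str, model: str,
                 level: str, op: str, oid: str) -> bool:
    """True only if (user, model) maps to a group, the message's security
    level meets the group's minimum, and the OID is in the view for op."""
    group_name = users.get((user, model))
    if group_name is None:
        return False
    group = groups[group_name]
    if LEVELS[level] < LEVELS[group.min_level]:
        return False
    view = {"read": group.read_view, "write": group.write_view,
            "notify": group.notify_view}[op]
    return view.allows(oid)


# Constructed policy: monitors may read anything under internet except the
# USM user table; admins may additionally write the system group, but only
# when the message is both authenticated and encrypted.
VIEWS = {
    "internet-no-usm": View([("1.3.6.1", True), ("1.3.6.1.6.3.15", False)]),
    "system-only": View([("1.3.6.1.2.1.1", True)]),
    "none": View([]),
}
GROUPS = {
    "monitors": Group("v3", "authNoPriv", VIEWS["internet-no-usm"],
                      VIEWS["none"], VIEWS["internet-no-usm"]),
    "admins": Group("v3", "authPriv", VIEWS["internet-no-usm"],
                    VIEWS["system-only"], VIEWS["internet-no-usm"]),
}
USERS = {("nms-ro", "v3"): "monitors", ("nms-rw", "v3"): "admins"}

if __name__ == "__main__":
    print(check_access(USERS, GROUPS, "nms-ro", "v3", "authNoPriv",
                       "read", "1.3.6.1.2.1.1.5.0"))   # sysName.0: allowed
    print(check_access(USERS, GROUPS, "nms-ro", "v3", "authNoPriv",
                       "read", "1.3.6.1.6.3.15.1.2.2.1.3"))  # usmUserTable: denied
```

Two points the model makes visible: a user who authenticates at a level below the group's minimum is refused before any view is consulted, and a view that includes a wide subtree still needs an explicit excluded entry for anything within it that should stay hidden.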
Applications
SNMPv3 applications refer to internal applications within an SNMP entity. These internal applications
can do the following operations:
• Generate SNMP messages
• Respond to received SNMP messages
• Generate and receive notifications
• Forward messages between SNMP entities
There are currently five types of applications:
• Command generators—Generate SNMP commands to collect or set management data.
• Command responders—Provide access to management data. For example, a command responder
application processes get, get-next, get-bulk, and set PDUs.
• Notification originators—Initiate Trap or Inform messages.
• Notification receivers—Receive and process Trap or Inform messages.
• Proxy forwarders—Forward messages between SNMP entities.
Enabling and Disabling SNMP Processing
This section describes how to use the set snmp enable | disable command to enable or disable the
processing of SNMP requests to the switch and SNMP traps from the switch.
If you set SNMP to enable mode, SNMP requests to the switch are processed and SNMP traps are sent
out if there is no conflict with other SNMP configurations on the switch.
If you set SNMP to disable mode, SNMP requests are ignored and no SNMP traps are sent out
independent of the other SNMP configurations on the switch.
In either SNMP mode (enabled or disabled), you can change other SNMP configurations. RMON-related
processes are not affected in either mode.
To enable SNMP processing from the command-line interface (CLI), perform this task in privileged
mode (enable mode is the default):
This example shows how to enable SNMP processing:
Console> (enable) set snmp enable
SNMP enabled.
Console> (enable)
This example shows how to disable SNMP processing:
Console> (enable) set snmp disable
SNMP disabled.
Console> (enable)
This example shows how to verify the SNMP configuration:
Console> (enable) show snmp
SNMP: Disabled
RMON: Disabled
Extended RMON Netflow Enabled : None.
Memory usage limit for new RMON entries: 85 percent
Traps Enab