SNMP
1. Function Overview
Setting SNMP (Simple Network Management Protocol) makes it possible to monitor and change network management information for SNMP management software.
In this instance, this product will operate as an SNMP agent.
This product supports communication using SNMPv1, SNMPv2c, and SNMPv3. In terms of management information bases (MIB), it supports RFC1213 (MIB-II) and private MIBs (Yamaha switches).
SNMPv1 and SNMPv2c notify the recipient of the group name (called a “community”), and communicate only with hosts that belong to that community. In this instance, different community names can be given for the two access modes, read-only and read-write.
In this sense, community names function as a kind of password; but since community names are sent over a network using plain text, they carry inherent security risks. The use of SNMPv3 is recommended when more secure communications are required.
SNMPv3 offers communication content authentication and encryption. SNMPv3 does away with the concept of community and instead uses security models called “USM” (User-based Security Model) and “VACM” (View-based Access Control Model). These models provide a higher level of security. This product does not use VACM for access control.
SNMP messages that notify the status of this product are called “traps.” This product transmits standard SNMP traps. In SNMPv1, the notification message format is the trap, which does not ask the recipient to confirm receipt. With SNMPv2c and SNMPv3, either an “inform” request, which asks the recipient for an answer, or a trap can be selected.
Since this product does not define default values for the read-only community name and the trap community name used in SNMPv1 and SNMPv2c, you can specify community names as appropriate. However, community names are sent over the network in plain text, so never use a login password or administrator password as a community name.
By default, no access is possible with any SNMP version. No trap destination host is set, so traps are not sent anywhere.
This product can restrict access to the SNMP server. Specifying access restrictions can restrict access from unintended hosts.
3. Function Details
The main characteristics of each SNMP version and the SNMP setting policies are explained below.
For specific examples of settings, see “Examples of Command Execution” below.
3.1. SNMPv1
Authentication between the SNMP manager and the agent is performed using community names.
The managed device (this product) is divided into and managed by groups called “communities”.
- Accessing the MIB objects
  Community names specified using the snmp-server community command are used to permit access.
  Access is possible from a VLAN interface whose IP address has been specified.
- SNMP traps
  The status of switches can be sent to hosts specified using the snmp-server host command.
  The snmp-server enable trap command is used to specify the kind of trap to send.
3.2. SNMPv2c
As with SNMPv1, community names are used for authentication between the SNMP manager and agents.
The snmp-server community command is used to specify the community names used to access switches by SNMPv2c.
The “GetBulk” and “Inform” requests are also supported starting from this version.
These requests are used to efficiently retrieve multiple MIB objects, and to confirm receipt of notification packets sent from this product.
- Accessing the MIB objects
  Community names specified using the snmp-server community command are used to permit access.
  Access is possible from a VLAN interface whose IP address has been specified.
- SNMP traps
  The status of switches can be sent to hosts specified using the snmp-server host command.
  The settings of this command can also be used to select whether the transmitted message format is a trap or an inform request.
  Inform requests ask the recipient to confirm receipt.
3.3. SNMPv3
In addition to all of the functions offered in SNMPv2, SNMPv3 offers more robust security functions.
SNMPv3 can authenticate and encrypt SNMP packets sent across the network, protecting them from eavesdropping, spoofing, falsification, replay attacks, and other risks, and achieving security levels that the community names and SNMP manager IP address checks of SNMPv1 and SNMPv2c cannot provide.
- Security
  SNMPv3 offers the following security functions.
  - USM (User-based Security Model)
    USM is a model for maintaining security at the message level. It offers authentication and encryption based on shared-key cryptography and prevents falsification of message streams.
    - Security level
      This product supports the following security level only; communications are always authenticated and encrypted.
      - AuthPriv: authentication and encryption
    - User authentication
      For authentication, an HMAC is used to verify integrity (whether the data has been falsified or not) and the source of the message.
      The keyed hash computed with the authentication key confirms both that the message has not been falsified and that the sender is the user in question.
      HMAC-SHA-96 is supported as the hash algorithm.
    - Encryption
      With SNMPv3, SNMP messages are encrypted to prevent leakage of management information.
      The AES128-CFB encryption scheme is supported.
      The snmp-server user command can be used to specify usernames, access privileges, and passwords.
      This product allows you to set up one ReadOnly user and one ReadWrite user.
  - VACM (View-based Access Control Model)
    VACM is a model for controlling access to SNMP messages.
    This product does not use VACM for access control, so all MIB views are accessible.
- SNMP traps
  The status of switches can be sent to hosts specified using the snmp-server host command.
  In order to transmit a trap, the snmp-server user command must first be used to configure the user.
  The settings of this command can also be used to select whether the transmitted message format is a trap or an inform request.
  Inform requests ask the recipient to confirm receipt.
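The USM steps described above (password to key, localization to the agent's engine ID, HMAC-SHA-96, and the AES128-CFB key) worked through in Python, as an added example that is not Yamaha's code. It uses the RFC 3414 A.3.2 test vector for the derivation; the second engine ID and the message bytes are constructed.

```python
"""SNMPv3 USM key derivation and HMAC-SHA-96 (RFC 3414), added example, not Yamaha's code.
Shows how a password given to `snmp-server user` becomes a per-agent localized key and how the
12-byte msgAuthenticationParameters value is computed and checked. Engine IDs and messages are constructed."""
import hashlib
import hmac

def password_to_key_sha1(password: bytes) -> bytes:
    """RFC 3414 A.2.2: SHA-1 over 1,048,576 bytes of the cyclically repeated password (Ku)."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.sha1(stream).digest()

def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """Bind Ku to one agent's snmpEngineID: Kul = SHA1(Ku || engineID || Ku)."""
    return hashlib.sha1(ku + engine_id + ku).digest()

def hmac_sha_96(kul: bytes, whole_msg: bytes) -> bytes:
    """HMAC-SHA-1 over the message (auth parameter field zeroed), truncated to 96 bits."""
    return hmac.new(kul, whole_msg, hashlib.sha1).digest()[:12]

def verify_auth(kul: bytes, whole_msg: bytes, received: bytes) -> bool:
    """Receiver-side check, constant-time so the comparison leaks nothing about the tag."""
    return hmac.compare_digest(hmac_sha_96(kul, whole_msg), received)

def aes128_priv_key(kul: bytes) -> bytes:
    """RFC 3826: AES128-CFB uses the first 128 bits of the localized privacy key."""
    return kul[:16]

if __name__ == "__main__":
    # RFC 3414 A.3.2 vector: password "maplesyrup", engineID 00 00 00 00 00 00 00 00 00 00 00 02
    ku = password_to_key_sha1(b"maplesyrup")
    kul_a = localize_key(ku, bytes(11) + b"\x02")
    print("Ku :", ku.hex())
    print("Kul:", kul_a.hex())
    # Constructed second engine ID: same password, different localized key, so a key
    # recovered from one agent is not valid on another.
    kul_b = localize_key(ku, b"\x80\x00\x1f\x88\x80" + bytes(6))
    print("key differs per agent:", kul_a != kul_b)
    msg = b"constructed SNMPv3 message with zeroed auth field"
    tag = hmac_sha_96(kul_a, msg)
    print("msgAuthenticationParameters:", tag.hex(), "verified:", verify_auth(kul_a, msg, tag))
```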
3.4. Restricting SNMP server access
Hosts able to access the product’s SNMP server can be specified using the snmp-server access command.
Access from unintended hosts can be restricted by only allowing access from the intended SNMP manager.
Default settings accept access from all hosts. Specify access restrictions based on the operating environment.
For more information about access restrictions, refer to Remote Access Control.
3.5. Private MIBs
This product supports yamahaSW, which is a proprietary private MIB for switch management.
This private MIB allows information about Yamaha’s proprietary functions, and more detailed information about the switch, to be obtained.
For information about supported private MIBs and how to obtain private MIBs, refer to SNMP MIB Reference.
4. Related Commands
Related commands are indicated below.
For details on the commands, refer to the Command Reference.
Operations | Operating commands
---|---
Set host that receives SNMP notifications | snmp-server host
Set notification type to transmit | snmp-server enable trap
Set system contact | snmp-server contact
Set system location | snmp-server location
Set SNMP community | snmp-server community
Set SNMP user | snmp-server user
Specify SNMP server access settings | snmp-server access
Show SNMP community information | show snmp community
Show SNMP user information | show snmp user
5. Examples of Command Execution
5.1. SNMPv1 setting example
This example makes SNMPv1-based network monitoring possible under the following conditions.
- Set the read-only community name to “public”.
- Set the trap destination to “192.168.100.11”, and set “snmptrapname” as the trap community name.
- Hosts that can access the community named “public” are restricted to 192.168.100.0/24.

Yamaha(config)# snmp-server community public ro ... 1
Yamaha(config)# snmp-server host 192.168.100.11 traps version 1 snmptrapname ... 2
Yamaha(config)# snmp-server access 192.168.100.0/24 community public ... 3
5.2. SNMPv2c setting example
This example makes SNMPv2c-based network monitoring possible under the following conditions.
- Set the readable/writable community name to “private”.
- Specify the notification message destination as “192.168.100.12”, the notification type as the “inform” request format, and the notification destination community name as “snmpinformsname”.
- Hosts that can access the community named “private” are restricted to 192.168.100.12.

Yamaha(config)# snmp-server community private rw ... 1
Yamaha(config)# snmp-server host 192.168.100.12 informs version 2c snmpinformsname ... 2
Yamaha(config)# snmp-server access 192.168.100.12 community private ... 3
5.3. SNMPv3 setting example
This example makes SNMPv3-based network monitoring possible under the following conditions.
- Create a user “admin1” with the ReadWrite privilege.
  The authentication algorithm is fixed to “HMAC-SHA-96”. Set the password “passwd1234”.
  The encryption algorithm is fixed to “AES128-CFB”. Set the encryption password “passwd1234”.
- Create a user “user1” with the ReadOnly privilege.
  The authentication algorithm is fixed to “HMAC-SHA-96”. Set the password “passwd5678”.
  The encryption algorithm is fixed to “AES128-CFB”. Set the encryption password “passwd5678”.
- Send notifications in trap format (without response confirmation) to 192.168.10.3.
- Send notifications in inform request format to 192.168.20.3.

Yamaha(config)# snmp-server user admin1 admin auth sha passwd1234 priv aes passwd1234 ... 1
Yamaha(config)# snmp-server user user1 guest auth sha passwd5678 priv aes passwd5678 ... 2
Yamaha(config)# snmp-server host 192.168.10.13 traps version 3 priv admin1 ... 3
Yamaha(config)# snmp-server host 192.168.20.13 informs version 3 priv admin1 ... 4
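A small audit of snmp-server command lines against the policy stated in this document (access restrictions from section 3.4, community-name and version guidance from section 1, and the section 3.3 requirement that an SNMPv3 user exist before a notification host references it), written in Python as an added example that is not Yamaha's code. The command forms follow sections 5.1 to 5.3; the sample configuration, the user name “monitor2” and the administrator password are constructed.

```python
"""Audit Yamaha-style `snmp-server` command lines against this page's guidance (added example)."""
import re
import shlex

def parse_snmp_config(text: str) -> dict:
    """Collect communities, users, notification hosts and access rules from CLI lines."""
    cfg = {"community": {}, "user": {}, "host": [], "access": {}}
    for raw in text.splitlines():
        tok = shlex.split(re.sub(r"^\S*\(config\)#\s*", "", raw))  # drop a "Yamaha(config)# " prompt
        if len(tok) < 4 or tok[0] != "snmp-server":
            continue
        kind, a = tok[1], tok[2:]
        if kind == "community":                        # snmp-server community <name> ro|rw
            cfg["community"][a[0]] = a[1]
        elif kind == "user":                           # snmp-server user <name> admin|guest auth sha <pw> priv aes <pw>
            cfg["user"][a[0]] = a[1]
        elif kind == "host" and len(a) >= 5:           # snmp-server host <ip> traps|informs version <v> <community | priv <user>>
            cfg["host"].append({"ip": a[0], "version": a[3], "target": a[-1]})
        elif kind == "access" and a[1] == "community":  # snmp-server access <addr|net/prefix> community <name>
            cfg["access"].setdefault(a[2], []).append(a[0])
    return cfg

def audit_snmp_config(cfg: dict, admin_passwords=()) -> list:
    """Return findings as strings; an empty list means nothing was flagged."""
    findings = []
    for name, mode in cfg["community"].items():
        if name not in cfg["access"]:   # default accepts every host (section 3.4)
            findings.append(f"community '{name}' ({mode}) is reachable from any host; add an snmp-server access rule")
        if name in admin_passwords:     # community names are sent in plain text (section 1)
            findings.append(f"community '{name}' reuses an administrator password")
    if cfg["community"]:
        findings.append("SNMPv1/v2c communities configured; prefer SNMPv3 authPriv where the manager supports it")
    for h in cfg["host"]:
        if h["version"] == "3" and h["target"] not in cfg["user"]:   # user must be created first (section 3.3)
            findings.append(f"host {h['ip']} references undefined SNMPv3 user '{h['target']}'")
    return findings

# Constructed sample: "private" doubles as the (constructed) administrator password, and the
# second notification host names a user that was never created.
SAMPLE_CONFIG = """\
Yamaha(config)# snmp-server community public ro
Yamaha(config)# snmp-server community private rw
Yamaha(config)# snmp-server access 192.168.100.0/24 community public
Yamaha(config)# snmp-server user admin1 admin auth sha passwd1234 priv aes passwd1234
Yamaha(config)# snmp-server host 192.168.10.13 traps version 3 priv admin1
Yamaha(config)# snmp-server host 192.168.20.13 informs version 3 priv monitor2
"""
ADMIN_PASSWORDS = ("private",)
```

Running audit_snmp_config(parse_snmp_config(SAMPLE_CONFIG), ADMIN_PASSWORDS) yields four findings: the unrestricted rw community, the reused password, the SNMPv1/v2c note and the undefined user “monitor2”.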
6. Points of Caution
- Check beforehand which SNMP version can be used with the SNMP manager. This product must be configured in accordance with the SNMP version that will be used.
- The specifications for community name character strings are as follows.
  - When enclosed in “”, the character string inside the “” is used.
  - A character string outside the “” is not supported.
  - The use of \ is not supported.
  - The use of only double quotation marks is not supported.