At8000 s usando snm_pv3

Date post: 19-May-2015
Upload: netplus
Page 1: At8000 s usando snm_pv3

Marvell Confidential

SNMPv3

AT-8000S

Page 2

Overview

• Simple Network Management Protocol version 3 (SNMPv3) is an interoperable, standards-based protocol for network management.

• SNMPv3 provides secure access to devices by a combination of authenticating and encrypting packets over the network.

Page 3

Overview

• The following security features are included in SNMPv3:

– Message integrity

– Authentication

– Encryption

• SNMPv3 also describes how to apply access control and the new trap-sending mechanism to SNMPv1 and SNMPv2 PDUs.

Page 4

Local Engine Information

• Each SNMP agent maintains some local information to be used in SNMPv3 message exchanges.

• An SNMP agent is considered an authoritative SNMP engine.

• The agent receives incoming request messages (Get, GetNext, GetBulk, Set) and sends Trap messages to a manager.

• The agent’s local information is encapsulated in message fields.

Page 5

Security

• RFC 2574 defines the user-based security model (USM) for SNMPv3.

• This specification includes:

– Authentication

– Privacy

– Timeliness

– Key management

Page 6

Authentication

• Provides data integrity and data origin authentication.

• Authenticating an SNMPv3 message uses a keyed hash message authentication code (HMAC) with either MD5 or SHA-1 as the hash function.

• This code is created by the originator of the SNMP message and is written into the msgAuthenticationParameters field of the message.

• The receiver then uses this code to validate the message’s integrity and origin.

• The agent supports both HMAC-MD5 and HMAC-SHA protocols.

Page 7

Privacy

• Protects against disclosure of the message’s payload.

• The cipher block-chaining (CBC) mode of DES is used for encryption.

• The user can either employ authentication on an SNMP message, or both authentication and privacy, but not privacy without authentication.

Page 8

Timeliness

• Protects against message delay or replay.

• The SNMP agent performs a timeliness check on an incoming message by comparing the time information in the message with its own.

Page 9

Key management

• Defines procedures for key generation, update and use.

• The keys for authentication and privacy are not passed via the SNMP protocol.

• The NMS shares the keys with each agent it works with.

• The RFC defines a procedure for producing the key the NMS shares with a certain agent, by using an NMS password and that agent’s engineID.

• Changing an authentication or privacy key is done by changing the appropriate fields in the usmUserTable. The new key is calculated by the agent according to the old key.
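The password-to-key and key-localization procedure from the Security, Authentication and Key management slides (RFC 2574, now RFC 3414), the HMAC-96 code the agent checks in msgAuthenticationParameters, and the usmUserTable key-change encoding, as an added Python example that is not part of the original deck or of the AT-8000S firmware. The password/engineID pair is the RFC's own sample; the message bytes and the key-change random value are constructed test input, and the key-change functions are the single-round form that applies when the key is no longer than one digest.

```python
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576  # RFC 3414 A.2 expands the password to exactly 2**20 octets

def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: digest of the password repeated (and truncated) to one megabyte."""
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul: bind Ku to one authoritative engineID, so the key shared with one
    agent reveals nothing about the key shared with any other agent."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def auth_params(kul: bytes, whole_msg: bytes, algo: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: HMAC over the whole message (computed with the
    msgAuthenticationParameters field holding 12 zero octets), truncated to 12."""
    return hmac.new(kul, whole_msg, algo).digest()[:12]

def verify_auth(kul: bytes, msg_zeroed: bytes, received: bytes, algo: str) -> bool:
    """Receiver side: recompute the code and compare it in constant time."""
    return hmac.compare_digest(auth_params(kul, msg_zeroed, algo), received)

def key_change_value(old_key: bytes, new_key: bytes, rnd: bytes, algo: str) -> bytes:
    """usmUserAuthKeyChange (RFC 3414 section 2.6), single-round form for keys no
    longer than one digest: only random||delta is written to usmUserTable, so the
    new key itself never crosses the network."""
    digest = hashlib.new(algo, old_key + rnd).digest()
    return rnd + bytes(n ^ d for n, d in zip(new_key, digest))

def apply_key_change(old_key: bytes, key_change: bytes, algo: str) -> bytes:
    """Agent side: derive the new key from the old key and the received value."""
    rnd, delta = key_change[:len(old_key)], key_change[len(old_key):]
    digest = hashlib.new(algo, old_key + rnd).digest()
    return bytes(d ^ h for d, h in zip(delta, digest))

if __name__ == "__main__":
    # Sample from RFC 3414 A.3: password "maplesyrup", engineID 00...02.
    engine_id = bytes.fromhex("000000000000000000000002")
    kul = localize_key(password_to_key(b"maplesyrup", "md5"), engine_id, "md5")
    print("localized HMAC-MD5 key:", kul.hex())   # 526f5eed9fcce26f8964c2930787d82b
    msg = b"constructed SNMPv3 message bytes with msgAuthenticationParameters zeroed"
    tag = auth_params(kul, msg, "md5")
    print("msgAuthenticationParameters:", tag.hex(), "valid:", verify_auth(kul, msg, tag, "md5"))
    new_kul = localize_key(password_to_key(b"newpassword", "md5"), engine_id, "md5")
    print("key change round-trips:",
          apply_key_change(kul, key_change_value(kul, new_kul, bytes(range(16)), "md5"), "md5") == new_kul)
```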

Page 10

Sending Traps

• Defined in RFC 2573.

• The mechanism of sending traps defined in the SNMPv3 architecture includes the following phases:

– Identifying management targets for traps

– Filtering of a trap

– Choosing parameters to generate the trap message

– Access control checks

Page 11

Access Control

• RFC 2575 defines the View-Based Access Control Model (VACM), which enables an SNMP agent to enforce a particular set of access rights to MIB data.

• Determining access rights depends on the following factors:

– The principal that initiates the access request. For example, a manager responsible for a whole network configuration may have wide authority to change MIB values, while a manager with monitoring responsibility may have read-only access or even no access at all to certain MIB objects.

Page 12

Access Control (Cont.)

– The security level used for delivering the SNMP request in the network. Usually, a manager will require authentication for Set requests.

– The security model used for processing the SNMP request. The agent can define different levels of access for the SNMPv1 and SNMPv2 security models, which apply no security to the message, and for the SNMPv3 User-Based Security Model.

– The MIB context in the request. A context is a named subgroup of MIB object instances.

Page 13

Access Control (Cont.)

– An SNMP agent can maintain one or more contexts, and a MIB object or object instance can belong to one or more contexts.

– For example, an agent can maintain information of multiple devices, with each of them represented by a different context name.

– The originator of an SNMP request should fill the name of the context of the MIB data it wants to access in the contextName field of the message.

– The specific object instance for which access is requested. Some objects contain information that is more sensitive than that of others.

Page 14

Access Control (Cont.)

– The type of access requested: read, write or notify.

– A different access control policy may be applied for each one of these management operations.

Page 15

SNMPv3 Implementation

AT-8000S

Page 16

SNMPv3 in AT-8000S

• MD5 keys and passwords are saved in the configuration file.

• Some checks are made on user entries, to facilitate correct configuration of SNMPv3 (and help the user avoid mistakes).

• Defining a username or community string requires that the group name be defined first.

Page 17

User controls

The user can configure the following per SNMP manager and trap receiver:

• Mode of operation (version of SNMP to use).

• Authentication and encryption facilities used.

• MIB access rights (read, write, notify).

The user can configure the following per system:

• SNMPv3 Engine ID.

Page 18

SNMPv3 – CLI Commands

AT-8000S

Page 19

Enabling SNMP community

• Use the following global configuration command to set up the community access string that permits access to SNMP.

snmp-server community community [ro | rw | su] [ip-address] [view view-name]

snmp-server community-group community group-name [ip-address]

community Community string that acts like a password and permits access to the SNMP protocol (up to 20 chars).

Page 20

Enabling SNMP community (Cont.)

• To remove a specified community string use:

no snmp-server community community [ip-address]

Page 21

Creating/updating a View Entry

• Use the following global configuration command to create or update a view entry. To remove the specified SNMP server view entry, use the “no” form of this command.

snmp-server view view-name oid-tree {included | excluded}

no snmp-server view view-name [oid-tree]

view-name Label for the view record that you are updating or creating. The name is used to reference the record.

oid-tree Object identifier of the ASN.1 subtree to be included or excluded from the view.

included The view type is included.

excluded The view type is excluded.

Page 22

Creating/updating a View Entry (Cont.)

Example:

console(config)# snmp-server view user-view system included
console(config)# snmp-server view user-view system.7 excluded
console(config)# snmp-server view user-view ifEntry.*.1 included

Page 23

Mapping SNMP Users to SNMP Views

• Use the following global configuration command to configure a new SNMP group, or a table that maps SNMP users to SNMP views. To remove a specified SNMP group, use the no form of this command.

snmp-server group groupname {v1 | v2 | v3 {noauth | auth | priv}} [notify notifyview ] [read readview] [write writeview]

no snmp-server group groupname [v1 | v2 | v3 [noauth | auth | priv]]

console(config)# snmp-server group user-group v3 priv read user-view

Page 24

SNMP engineID

• Use the following Global Configuration mode command to specify the SNMP engineID on the local device. To remove the configured engine ID, use the no form of this command.

snmp-server engineID local {engineid-string | default}

no snmp-server engineID local

engineid-string—Specifies a character string that identifies the engine ID. (Range: 9-64 hexadecimal characters)

default—The engine ID is created automatically based on the device MAC address.

console(config)# snmp-server engineid local default

Page 25

Configure SNMPv3 User

• Use the following global configuration command to configure a new SNMP Version 3 user. To remove a user, use the no form of the command.

snmp-server user username groupname [remote engineid-string] [auth-md5 password | auth-sha password | auth-md5-key md5-des-keys | auth-sha-key sha-des-keys]

no snmp-server user username

username The name of the user on the host that connects to the agent.

groupname The previously-defined name of the group to which the user belongs.

engineid-string—Specifies the engine ID of the remote SNMP entity to which the user belongs.

Page 26

Configure SNMPv3 User (Cont.)

• If auth-md5 or auth-sha is specified, both authentication and privacy are enabled for the user.

• When you enter a “show running-config” command, you will not see a line for this user.

• To see if this user has been added to the configuration, type the “show snmp user” command.

• An SNMP engine ID has to be defined before SNMP users can be added to the device.

Page 27

Enable Sending Traps

• Use the following Global Configuration command to enable the device to send SNMP traps. To disable SNMP traps, use the no form of the command.

snmp-server enable traps

no snmp-server enable traps

Page 28

Enable Authentication Traps

• Use the following Global Configuration command to enable the device to send SNMP traps when authentication fails. To disable these SNMP traps, use the no form of the command.

snmp-server traps authentication

no snmp-server traps authentication

Page 29

SNMP Filter Entry

• Use the following global configuration command to create or update a filter entry. To remove the specified SNMP server filter entry, use the no form of this command:

snmp-server filter filter-name oid-tree {included | excluded}

no snmp-server filter filter-name [oid-tree]

console(config)# snmp-server filter filter-name system included
console(config)# snmp-server filter filter-name system.7 excluded
console(config)# snmp-server filter filter-name ifEntry.*.1 included

Page 30

Recipient of SNMPv3 Notification

• Use the following global configuration command to specify the recipient of SNMP V3 notification operation:

snmp-server v3-host {ipaddr|hostname} username [traps | informs] {noauth | auth | priv} [udp-port port] [filter filtername] [timeout seconds] [retries retries]

To delete the recipient use:

no snmp-server v3-host host-addr [traps | informs] [username]

Page 31

Recipient of SNMPv3 Notification (Cont.)

• If both a trap and an inform are defined for the same target and the inform was sent, the trap is not sent.

• A user and notification view are not automatically created. Use the snmp-server user, snmp-server group and snmp-server view Global Configuration mode commands to generate a user, group and notify view, respectively.

Page 32

Review SNMP v.1, v.2 Commands

Page 33

Snmp Server Host

• Use the following global configuration command to specify the recipient of Simple Network Management Protocol Version 1 or Version 2 notifications.

• snmp-server host {ip-address | hostname} community-string [traps | informs] [1 | 2] [udp-port port] [filter filtername] [timeout seconds] [retries retries]

To remove the specified host, use the no form of this command.

• no snmp-server host {ip-address | hostname} [traps | informs]

Page 34

Snmp Server contact

• Use the following global configuration command to configure the system contact (sysContact) string.

• snmp-server contact text

To remove system contact information, use the no form of the command.

no snmp-server contact

Page 35

Snmp Server Location

• Use the following global configuration command to configure the system location string.

snmp-server location text

To remove the system location information, use the no form of the command.

no snmp-server location

Page 36

Snmp Server Set

• Use the following global configuration command to define the SNMP MIB value.

snmp-server set variable-name name1 value1 [ name2 value2 …]

• Although the CLI can set any required configuration, there might be a situation where an SNMP user sets a MIB variable that has no equivalent command. The snmp-server set command is used to generate configuration files that support those situations.

Page 37

Device Configuration

Page 38

SNMPv3

[Diagram: SNMPv3 access model]

View #1: MIB X included, MIB Y excluded
...
View #n: MIB X included, MIB Y excluded

... User_ID -> Group_ID ...

Page 39

View configuration

• Configuring 3 views: a1, a2, a3:

console(config)# snmp-server view a1 ip included
console(config)# snmp-server view a1 ipForwarding excluded
console(config)# snmp-server view a2 internet included
console(config)# snmp-server view a3 ipDefaultTTL included
console(config)# exit
console# show snmp views

Name          OID Tree            Type
------------  ------------------  --------
a1            ip                  included
a1            ipForwarding        excluded
a2            internet            included
a3            ipDefaultTTL        included
Default       iso                 included
Default       snmpVacmMIB         excluded
Default       usmUser             excluded
Default       snmpCommunityTable  excluded
Default       rndCommunityTable   excluded
DefaultSuper  iso                 included

Page 40

Group configuration

• Configuring 3 groups: b1, b2, b3:

console(config)# snmp-server group b1 v3 auth read Default write a1
console(config)# snmp-server group b2 v3 noauth read a2 write a2
console(config)# snmp-server group b3 v3 priv read a3
console(config)# exit
console# show snmp groups

Name  Security          Views
      Model  Level      Read     Write  Notify
----  -----  ---------  -------  -----  ------
b1    V3     auth       Default  a1     -
b2    V3     noauth     a2       a2     -
b3    V3     priv       a3       -      -

Page 41

Engine ID

• Specifies the SNMP engine ID on the local device; with the default keyword the engine ID is created automatically from the device MAC address.

console(config)# snmp-server engineid local default

Page 42

Defining users

• Configuring 3 users: c1, c2, c3

console(config)# snmp-server user c1 b1 auth-md5 password1
console(config)# snmp-server user c2 b2
console(config)# snmp-server user c3 b3 auth-sha password3

console# show snmp users

Name  Group name  Auth Method  Remote
----  ----------  -----------  ------
c1    b1          MD5
c2    b2          noAuth
c3    b3          SHA
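An added example, not the switch's own code: a simplified VACM decision (RFC 2575) loaded with the views a1-a3, groups b1-b3 and users c1-c3 configured on the preceding slides, so the access-control factors from the Access Control pages (principal, security level, view, operation) can be checked against this exact configuration. Assumptions: numeric OIDs are the standard MIB-2 values, the Default view is reduced to its `iso included` entry, the view `user-view` from the earlier `ifEntry.*.1` example is kept to show a wildcard mask, and every request uses the default empty context.

```python
# Simplified VACM (RFC 2575) decision seeded with the slides' a1..a3 / b1..b3 / c1..c3
# configuration. Illustrative only; the AT-8000S agent's implementation is not shown here.
INTERNET = (1, 3, 6, 1)
IP = INTERNET + (2, 1, 4)               # mib-2.ip
IP_FORWARDING = IP + (1,)
IP_DEFAULT_TTL = IP + (2,)
IF_ENTRY = INTERNET + (2, 1, 2, 2, 1)   # mib-2.interfaces.ifTable.ifEntry

# vacmViewTreeFamilyTable: view -> [(subtree, mask, included)]; a 0 in mask is a wildcard
# sub-identifier, which is how the CLI's "ifEntry.*.1" is represented.
VIEWS = {
    "Default": [((1,), None, True)],                      # iso included (reduced)
    "a1": [(IP, None, True), (IP_FORWARDING, None, False)],
    "a2": [(INTERNET, None, True)],
    "a3": [(IP_DEFAULT_TTL, None, True)],
    "user-view": [(IF_ENTRY + (0, 1), (1,) * 9 + (0, 1), True)],
}
# vacmSecurityToGroupTable and vacmAccessTable (security model v3, empty context).
GROUPS = {("v3", "c1"): "b1", ("v3", "c2"): "b2", ("v3", "c3"): "b3"}
ACCESS = {  # group -> (minimum security level, {operation: view})
    "b1": ("auth", {"read": "Default", "write": "a1"}),
    "b2": ("noauth", {"read": "a2", "write": "a2"}),
    "b3": ("priv", {"read": "a3"}),
}
LEVEL = {"noauth": 0, "auth": 1, "priv": 2}

def family_matches(subtree, mask, oid):
    """True when oid lies under subtree; mask positions equal to 0 match anything."""
    mask = mask or (1,) * len(subtree)
    return len(oid) >= len(subtree) and all(
        m == 0 or s == o for s, m, o in zip(subtree, mask, oid))

def in_view(view, oid):
    """RFC 2575 section 4: the matching family with the longest subtree decides."""
    best = None
    for subtree, mask, included in VIEWS.get(view, []):
        if family_matches(subtree, mask, oid) and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]

def is_access_allowed(model, user, level, oid, op):
    """Mirror of the isAccessAllowed service; returns the RFC's status names."""
    group = GROUPS.get((model, user))
    if group is None:
        return "noSuchGroup"
    min_level, views = ACCESS[group]
    if LEVEL[level] < LEVEL[min_level]:     # b1 needs at least auth, b3 needs priv
        return "noSuchAccess"
    if views.get(op) is None:               # e.g. b3 has no write view at all
        return "noSuchView"
    return "accessAllowed" if in_view(views[op], oid) else "notInView"
```

The excluded `ipForwarding` entry inside view a1 shows why the longest-match rule matters: c1 may write `ipDefaultTTL.0` but not `ipForwarding.0`, even though both sit under the included `ip` subtree.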

Page 43

NMS Configuration

Page 44

Adding user c2

Device IP address

Page 45

Selecting the object to get

Page 46

Command results

Page 47

Defining user c3

Page 48

Selecting an object to set

Page 49

Command results
