Enabling SNMP

It should be obvious that since you're trying to manage a network, you should be able to use the network to help manage your network equipment. That's the goal of the Simple Network Management Protocol (SNMP). This protocol enables network-management stations to gather information from network nodes. Network nodes can be almost anything, ranging from the simplest bridge to the largest router, and even including software running inside the servers. Virtually all modern network equipment includes an SNMP agent, which is the software that communicates with the management station. Network-management stations can run commercial management software, or they can use homegrown tools.

I will not try to give an introduction to SNMP, nor will I talk about management software.[*] In this section, I'll briefly describe how to configure the SNMP agent in a Cisco router. If you're not using SNMP, you can skip this section, though you should certainly investigate what SNMP can do for you.

[*] For more information about SNMP, see Essential SNMP by Douglas Mauro and Kevin Schmidt (O'Reilly).

By default, SNMP access is not enabled. To enable SNMP, use the command:

snmp-server community name mode access-list

The parameters are as follows:

name

The community string the management station will use to ask for information. This string acts like a password. SNMPv1 (and SNMPv2c) send the string across the network in clear text, so anyone snooping on your network will be able to see the community string pass back and forth. The access-list option limits which source addresses the router will answer, which reduces the exposure but does not protect the string in transit; treat a community string as a shared password that anyone who can capture traffic can read. (SNMPv3 adds per-user authentication and encryption if your equipment supports it.)

mode

Either RO for read-only access (unprivileged) or RW for read-write access (privileged). RO means that the management station can read information about the router but can't change anything; RW allows the management station to use SNMP to change the router's state. SNMP management stations typically use different community strings for read and write operations.

access-list

The name or number of a standard access list to control SNMP access. The router responds only to SNMP requests from hosts that are on the access list. Because SNMP runs over UDP and a standard access list matches only the source address, this is a filter rather than authentication, but it sharply limits who can even attempt to guess a community string. Note that you can apply different access lists to different modes. For example, your RW (read-write) access list might allow only a small number of hosts, while your RO (read-only) access list might allow many more hosts. See Chapter 7 for access list commands.

It's a good policy to set up different community strings for read-only and read-write access and to give the read-write community string only to a few trusted people. If you enable SNMP, make sure that you change the community strings from their default values, not only on your router but on any other hosts you are monitoring. Almost all vendors ship their SNMP devices with "public" as the default read-only community string (and frequently "private" for read-write), so those are the first things an outsider trying to break into your network will try. You should also use access lists to restrict which hosts can use SNMP to interact with your router.
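To make the clear-text point concrete, here is an added example in Python (not from the book, and not a Cisco tool). It encodes an SNMPv1 GetRequest for sysDescr.0 the way a management station would send it, then recovers the community string from the raw bytes exactly as a passive sniffer on the same segment could, with no key or password required. The community strings are the ones used in this section's configurations; the request-id is an assumed sample value.

```python
"""Why an SNMPv1/v2c community string is a weak secret: it is carried in cleartext
in every message.  This encodes a GetRequest the way a management station would
send it, then recovers the community string from the raw bytes the way a passive
sniffer on the same segment would.  Added example; not code from the book."""
from typing import List, Tuple

# ASN.1 BER tags used by SNMP messages
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST = 0xA0          # context-specific, constructed, tag 0
SNMP_V1, SNMP_V2C = 0, 1    # values of the version field

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # sysDescr.0, the usual first probe


def ber_length(n: int) -> bytes:
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(body)) + body


def ber_integer(value: int) -> bytes:
    """Minimal two's-complement encoding (non-negative values only here)."""
    return tlv(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def _base128(arc: int) -> List[int]:
    """One OID arc as base-128 octets, high bit set on all but the last."""
    out = [arc & 0x7F]
    arc >>= 7
    while arc:
        out.append(0x80 | (arc & 0x7F))
        arc >>= 7
    return out[::-1]


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, then each arc base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    body = _base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        body.extend(_base128(arc))
    return tlv(OID, bytes(body))


def build_get_request(community: str, oids: List[str], version: int = SNMP_V1,
                      request_id: int = 1) -> bytes:
    """GetRequest-PDU wrapped in the SNMP Message SEQUENCE (RFC 1157 layout)."""
    varbinds = b"".join(tlv(SEQUENCE, ber_oid(o) + tlv(NULL, b"")) for o in oids)
    pdu = tlv(GET_REQUEST, ber_integer(request_id) + ber_integer(0) + ber_integer(0)
              + tlv(SEQUENCE, varbinds))
    return tlv(SEQUENCE, ber_integer(version) + tlv(OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position just after this element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def sniff_community(packet: bytes) -> Tuple[int, str, int]:
    """What an eavesdropper learns from one captured datagram: version, community, PDU type."""
    tag, message, _ = read_tlv(packet, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(message, 0)
    _, community, pos = read_tlv(message, pos)
    pdu_tag, _, _ = read_tlv(message, pos)
    return int.from_bytes(version, "big", signed=True), community.decode(), pdu_tag


if __name__ == "__main__":
    # The read-write string is exposed exactly as easily as the read-only one.
    for name, ver in (("not-public", SNMP_V1), ("highly-secure", SNMP_V2C)):
        pkt = build_get_request(name, [SYS_DESCR], version=ver)
        print(pkt.hex(), "->", sniff_community(pkt))
```

The decoder never needs to understand the PDU: the community string is the second element of the outermost SEQUENCE in every v1 and v2c message, which is why an access list on the router cannot stop someone who is already capturing traffic from learning it.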

Here is a simple configuration that allows basic SNMP access:

! Set up public access with a community string of "not-public"
snmp-server community not-public RO
!
! Set up privileged access with a community string of "not-secure"
snmp-server community not-secure RW

Now, we add some security. We allow public SNMP access only from the 10.10.1.0/24 network and allow privileged SNMP access only from the single host 10.10.1.35:

! Enable public access and apply access-list number 1
snmp-server community not-public RO 1
!
! Enable privileged access and apply access-list number 2
snmp-server community highly-secure RW 2
!
! Access-lists (See Chapter 7 for syntax and usage)
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 2 permit 10.10.1.35
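The policy above (no vendor-default strings, an access list on every community, read-write strings kept tight) can be checked mechanically against a saved configuration. The following Python script is an added example, not part of the book or a Cisco tool: it parses the `snmp-server community`, `snmp-server host` and standard `access-list` lines of an IOS configuration and reports violations. The sample configuration embedded in it is constructed for the example, combining the hardened lines above with deliberately weak ones.

```python
"""Audit the SNMP section of a Cisco IOS configuration against the policy in the
text: no vendor-default community strings, an access list on every community,
no access list that permits any source, and a trap community that is not also a
read-write string.  Added example; not code from the book or from Cisco."""
import re
from typing import Dict, List, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}

# snmp-server community <name> [view <view>] [RO|RW] [ipv6 <acl6>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: ipv6 \S+)?(?: (\S+))?\s*$",
    re.IGNORECASE,
)
# Accepts both the older "host <addr> <community> [types]" ordering and the
# newer "host <addr> [traps|informs] [version ...] <community>" ordering.
HOST_RE = re.compile(
    r"^snmp-server host (\S+) (?:(?:traps|informs) )?"
    r"(?:version (?:1|2c|3(?: (?:auth|noauth|priv))?) )?(\S+)",
    re.IGNORECASE,
)
# Standard access list: access-list <n> permit|deny <addr> [<wildcard>]
ACL_RE = re.compile(
    r"^access-list (\S+) (permit|deny) (\S+)(?: (\d+\.\d+\.\d+\.\d+))?", re.IGNORECASE
)

Finding = Tuple[str, str]          # (severity, message)
AclEntry = Tuple[str, str, str]    # (action, address, wildcard mask)


def parse_acls(lines: List[str]) -> Dict[str, List[AclEntry]]:
    """Collect standard access-list entries keyed by list name or number."""
    acls: Dict[str, List[AclEntry]] = {}
    for line in lines:
        m = ACL_RE.match(line)
        if not m:
            continue
        name, action, addr, wildcard = m.groups()
        if addr.lower() == "host":           # "permit host A.B.C.D" form
            addr, wildcard = wildcard, None
        # A missing wildcard means 0.0.0.0, i.e. a single host
        acls.setdefault(name, []).append((action.lower(), addr, wildcard or "0.0.0.0"))
    return acls


def acl_permits_any(entries: List[AclEntry]) -> bool:
    """True if some permit entry matches every possible source address."""
    return any(action == "permit" and (addr.lower() == "any" or wildcard == "255.255.255.255")
               for action, addr, wildcard in entries)


def audit_snmp(config: str) -> List[Finding]:
    # IOS comment lines start with "!"; drop them and blank lines
    lines = [l.strip() for l in config.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]
    acls = parse_acls(lines)
    findings: List[Finding] = []
    rw_communities = set()

    for line in lines:
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        name, mode, acl = m.groups()
        mode = (mode or "RO").upper()        # IOS treats a missing mode as read-only
        if mode == "RW":
            rw_communities.add(name)
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(("critical", f"community '{name}' is a vendor default"))
        if acl is None:
            findings.append(("high" if mode == "RW" else "medium",
                             f"{mode} community '{name}' has no access list"))
        elif acl not in acls:
            findings.append(("high", f"{mode} community '{name}' references undefined access-list {acl}"))
        elif acl_permits_any(acls[acl]):
            findings.append(("high", f"{mode} community '{name}' access-list {acl} permits any source"))

    # Traps carry their community string in cleartext to the management station,
    # so reusing the read-write string there leaks it.
    for line in lines:
        m = HOST_RE.match(line)
        if m and m.group(2) in rw_communities:
            findings.append(("medium", f"trap community '{m.group(2)}' sent to {m.group(1)} "
                                       "is also a read-write community"))
    return findings


# Constructed sample: the hardened lines from the text plus deliberately weak ones
SAMPLE_CONFIG = """\
! SNMP settings from the text
snmp-server community not-public RO 1
snmp-server community highly-secure RW 2
! Weak additions for the audit to catch
snmp-server community public
snmp-server community private RW
snmp-server community ops-ro RO 5
snmp-server community legacy RW 7
snmp-server host 10.10.1.2 little-secure traps
snmp-server host 10.10.1.3 traps highly-secure
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 2 permit 10.10.1.35
access-list 5 permit any
"""

if __name__ == "__main__":
    for severity, message in audit_snmp(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against a `show running-config` capture, the script flags the two hardened communities from the text as clean and reports the default strings, the communities without an access list, the list that permits any source, the dangling list number, and the trap host that reuses the read-write string.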

There's one thing left to configure for basic SNMP capabilities. A trap is an asynchronous message generated by an SNMP agent and sent to an SNMP management station. SNMP defines a small number of standard traps, but traps can also carry vendor-specific (and even site-specific) information. To use traps, you must define the address of the management station that will receive them, plus a community string that will be sent with the traps; most SNMP management stations ignore traps that don't have an appropriate community string. Here's how to configure a Cisco router to send traps:

! Specify what SNMP management station will receive our traps
! Our community string is "little-secure"
snmp-server host 10.10.1.2 little-secure traps

The management station, if it is configured properly, will know what to do with the traps when they arrive. On later IOS releases the traps keyword precedes the community string on the snmp-server host line, and the router must also be told which traps to generate with snmp-server enable traps, so check the command reference for your release. Use a trap community string distinct from your read-write string: it is sent in clear text with every trap.

There's a lot more you can do with SNMP configuration, but this is enough to get you started.
