SNMP
As with Netflow, I’m assuming most readers are familiar with SNMP. This blogpost will serve as a refresher, and perhaps you will learn some details about SNMP that you haven’t seen before.
SNMP (Simple Network Management Protocol) is used for communication between a Network Management System (NMS) and a network device (such as a router or switch). SNMP uses a heirarchical MIB structure to allow an NMS to poll a network device to periodically gather information and statstics. SNMP also provides a way for an NMS to set configuration parameters on a device but this is seldom used. SNMP runs over UDP port 161 and 162.
SNMP Components
SNMP Manager
The manager is the NMS that preforms SNMP polling and receives SNMP notifications from SNMP agents. The NMS listens on UDP/162 for SNMP Traps and Informs.
SNMP Agent
An SNMP agent is the software running on a managed device which enables SNMP functionality. An SNMP agent responds to SNMP messages from an NMS, and optionally sends notifications to the NMS. The SNMP agent listens on UDP/161 for GETs and SETs.
SNMP MIB (Management Information Base)
SNMP variables are stored in MIBs, which are essentially well-known object identifiers. An NMS sends a GET request to obtain the values for certain MIBs, such as interface counters.
SNMP Messages
SNMP GET
Used by the NMS to obtain information from a SNMP agent. It includes the MIB that the NMS wants to get the current value of.
SNMP SET
Used by the NMS to change the value of an object on an SNMP agent. This is not often used.
SNMP Notifications
Used by the agent to alert the NMS that an event has occured. There are two types of notifications:
Traps
Does not require an acknowledgment from the NMS
Informs
Requires the NMS to acknowledge the receipt of the notification
Traps are normally used over informs, because an inform requires extra overhead. An inform must be held in memory on the SNMP agent until it is acknowledged, and might need to be retransmitted.
SNMP Versions
SNMPv2c
SNMPv2c uses a community-based security model which is quite weak. The community string used on the NMS must match the community string configured on the router. The community string is sent in plain-text over the wire.
Here the NMS is requesting the value of the object 1.3.6.1.2.1.1.5.0. The community string public is present in clear text.
Because the community string public matches what is configured on the router, the router responds with the value of that object:
Usually when companies use v2c, they bind an ACL to the SNMP agent so that SNMP requests are only permitted from the IP address of the NMS.
SNMPv3
SNMPv3 adds robust authentication and encryption features. You can use three levels of security with v3:
noAuthNoPriv
Neither authentication nor privacy (encryption) is used. The username must match for authentication. This is a poor authentication mechanism that is very similar to v2c community strings.
Below the username was set to NOAUTHNOPRIV. There is no authentication nor privacy. The message is in plain text.
authNoPriv
Authentication is provided based on a MD5 or SHA signature. The message is still in plaintext. When you configure authNoPriv, you associate a password with the v3 username.
Below we see an authentication parameter. This is used by the agent and NMS to ensure that each end has the correct password configured. The message is still in plaintext.
authPriv
Authentication uses MD5 or SHA as before. Additionally the message is encrypted using DES or AES.
The message is now encrypted, so we cannot even tell if this is an SNMP GET request or reply.
SNMPv3 security level summary:
Security Level
Description
noAuthNoPriv
Uses only username for authentication. The username is in plain text.
authNoPriv
Uses authentication based on MD5 or SHA. The password associated with the username is hashed. The message body is in plain text.
authPriv
Uses the same authentication as above, plus encryption of the message body based on DES or AES.
EngineID
The EngineID is an important aspect of SNMPv3. The password for the user is hashed based on the EngineID. The EngineID is automatically generated.
By default there is no EngineID on the device. If you enable SNMP, an EngineID is generated. Even enabling SNMPv2 generates an EngineID, although the EngineID is only used for SNMPv3.
The EngineID is generated based on the BIA (burned-in address) of the first physical interface:
If you are curious, the “800000090300” means that the organization is Cisco and the EngineID is based on the MAC address. 00:00:00:09 is Cisco, but the first bit must be 8, yeilding 80:00:00:09. 03 indicates MAC address scheme.
If you change the EngineID, the previously configured users will still have the old EngineID. You will have to delete and re-add the users. New users will have the new EngineID.
The EngineID of the network device is automatically gathered by the NMS. In both my lab and the pcaps provided by Nick Russo, the NMS first sends a blank GET request with no MIB or authentication/privacy.
The Cisco device then responds with a Report for MIB 1.3.6.1.6.3.15.1.1.4.0 which is a counter for UnknownEngineIDs. This Report also contains the device’s EngineID (msgAuthoritativeEngineID) and no auth/priv parameters. Each time the device sends this MIB, the value increments by one.
The subsequent packets are now encrypted because the NMS has learned the EngineID of the device and can use this to calculate the hashes.
When configuring v3 traps, you can use a local user defined on the network device but you need to configure the device’s EngineID on the SNMP collector.
See https://www.youtube.com/watch?v=AyK7Yf4FVqk&ab_channel=DerpyNetworking and navigate to 6:20
When configuring v3 informs, it appears you must configure the remote EngineID of the collector.
How interfaces are handled in SNMP
In SNMP, an interface has three values:
ifIndex
This is a unique index number that identifies each interface on a device. In order for this to persist across reboots you use the command snmp ifmib ifindex persist. Without this command, the index values for each interface could change, potentially causing issues with displaying historical statistics in the NMS.
ifAlias
This is the description of the interface. By default it is limited to 64 characters. You must use the command snmp ifmib ifalias long to increase the limit to 255 characters.
ifName
This is the name of the interface in the configuration, such as “GigabitEthernet1”
IOS-XE Configuration
General SNMP system information
Configure the location, chassis-id and contact.
I kind of think of these parameters as meta data. They can be displayed in your NMS and aid with troubleshooting when the device goes down. These are all just strings.
SNMPv2
The configuration for v2 is quite basic. Simply configure the community string. Optionally you can specify read-only, read-write, a view, and associate an ACL. The ACL controls which IPs can poll the device. This is frequently used as a form of security because simply using a community string is so weak.
SNMPv3
To use SNMPv3, at a minimum you need two commands. You need to configure a group, and you need to configure a user (which references a group).
Configure a group as follows. Optionally you can associate a view and access-list.
The security level (auth|noauth|priv) defines the minimum level a user belonging to this group must have. For example, you can configure noauth on the group and priv on the user. But you cannot configure auth on the group and noauth on the user.
2. Configure a user. The user is where you specify the auth and priv passwords.
The user does not appear in the running or startup config. You can only view configured users using show snmp user but this does not display the auth/priv password. The snmp users are stored in nvram:private-config which you cannot access.
SNMPv3 Summary
The group configures the minimum security level for all users in the group. The group determines the read and write views, if configured.
Each user must be associated to a group. The user is where the auth and priv encryption settings are defined. The user can use a security level above the group but not below the group.
Configuring SNMP Views
A view can be associated with both a v2c community string and a v3 group. A view defines what level of the MIB the NMS has access to. You can configure this using a full OID path or the name of the MIB.
For example, ISO is the top level of the MIB tree. You could specify iso to allow access to the entire MIB. You can also specify 1.3.6.1.2.1 or mib-2 to allow access to the tree starting at mib-2.
Configure a view as follows:
If the MIB view does not exist, you will get an error message stating %Bad OID
Associate the view with the v2c community string or a group.
Configuring Notifications
Enable traps
Send traps/informs using v2c:
Send traps/informs using v3:
IOS-XR Configuration
SNMP configuration on IOS-XR is practically identical.
SNMPv2c
SNMPv3
View
Notifications
Lab
In order to poll virtual routers such as a CSR1000v or XRv, you will need a virtual linux server. In this lab I’ve provided instructions on running a LibreNMS container using Docker. In CML, I use the Ubuntu node type, with one connection to my external network (for internet access) and one to my router. Within just a few minutes you can start polling your devices and experiment with v2c and v3. I have omitted information about setting up the IP address on your server.
Installing LibreNMS as a container
Install Docker
2. Clone librenms docker repo and launch the containers
3. Navigate to http://host-ip:8000. You should be prompted to enter in an admin user/pass/email. The email does not need to be a real email address. Once I submitted this, it hung on that page. After a few minutes I gave up and rebooted my Ubuntu server. The docker containers came back automatically upon reboot, and I was presented with a login page at http://host-ip:8000. I was then able to login with the account I had previously entered.
On your CSR1000v you can now enable SNMP and add it to LibreNMS. The minimum command you need to enable SNMP v2c is the following:
In LibreNMS, go to Devices - Add Device
Enter the IP of your router, port 161, and the SNMP community string
It should add successfully and you should be able to navigate to the page for your router:
Using the gear wheel on the right, delete the device.
Configure SNMPv3 on the router. You will need to define two items at minimum:
The group
This defines a group and what view it has access to. The security level is defined here (auth, noauth, or priv).
The user
The user must be associated with a group.
Add the router again using SNMPv3. I used AES 256 in my lab, and had to use the AES-256-C option in LibreNMS to add the router.
Experiment with adding a XRv as well.
Further Reading/Watching
http://docs.logmatrix.com/nervecenter/guides/NC-SNMPv3-EngineIDs.pdf
http://socpuppet.blogspot.com/2013/06/snmpv3-traps-config-cisco.html
https://www.youtube.com/watch?v=_I7Jm_x35bQ&ab_channel=KeithBarker-TheOGofIT
Last updated
