The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The SNMP Agent functionality remotely monitors Cisco UCS Central. You can also change the Cisco UCS Central host IP, and then restart the SNMP agent on the new IP. SNMP is run on both the active and standby Cisco UCS Central servers. The configuration persists on both. Cisco UCS Central offers read-only access to only the operating system managed information base (MIB). Through the Cisco UCS Central CLI you can configure the community strings for SNMP v1, v2c, and create and delete the SNMPv3 users.
The SNMP framework consists of three parts:
System used to control and monitor the activities of network devices using SNMP.
Software component within Cisco UCS Central. The managed device that maintains the data for Cisco UCS Central and reports the data, as needed, to the SNMP manager. Cisco UCS Central includes the agent and a collection of MIBs. To enable the SNMP agent and create the relationship between the manager and agent, enable and configure SNMP.
Collection of managed objects in the SNMP agent. Cisco UCS Central supports only the OS MIBs.
For information about the specific MIBs available for Cisco UCS and where you can obtain them, see the MIB Reference for Cisco UCS Manager for B-series servers, and MIB Reference for Cisco UCS Standalone C-Series Servers C-series servers.
RFC 3410 (http://tools.ietf.org/html/rfc3410)
RFC 3411 (http://tools.ietf.org/html/rfc3411)
RFC 3412 (http://tools.ietf.org/html/rfc3412)
RFC 3413 (http://tools.ietf.org/html/rfc3413)
RFC 3414 (http://tools.ietf.org/html/rfc3414)
RFC 3415 (http://tools.ietf.org/html/rfc3415)
RFC 3416 (http://tools.ietf.org/html/rfc3416)
RFC 3417 (http://tools.ietf.org/html/rfc3417)
RFC 3418 (http://tools.ietf.org/html/rfc3418)
RFC 3584 (http://tools.ietf.org/html/rfc3584)
A key feature of SNMP is the ability to generate notifications from an SNMP agent. These notifications do not require that the SNMP manager send the requests. Notifications can indicate improper user authentication, restarts, the closing of a connection, loss of connection to a neighbor router, or other significant events.
Cisco UCS Central generates SNMP notifications as traps. Traps are less reliable than Informs because the SNMP manager does not send any acknowledgment when it receives a trap. Therefore, Cisco UCS Central cannot determine if it received the trap.
An SNMP manager that receives an inform request acknowledges the message with an SNMP response protocol data unit (PDU). If Cisco UCS Central does not receive the PDU, it can send the inform request again.
SNMPv3 provides secure access to devices through a combination of authenticating and encrypting frames over the network. SNMPv3 authorizes management operations only by configured users and encrypts SNMP messages. The SNMPv3 user-based security model (USM) refers to SNMP message-level security and offers the following services:
Ensures that nothing has altered or destroyed any messages in an unauthorized manner. Also ensures that nothing has altered data sequences to an extent greater than can occur non-maliciously.
Confirms the claimed identity of the user who received the data.
Ensures that information is not made available or disclosed to unauthorized individuals, entities, or processes.
SNMPv1, SNMPv2c, and SNMPv3 each represent a different security model. A security model is an authentication strategy that is set up for a user and the role in which the user resides. The security model combines with the selected security level to determine the security mechanism applied when Cisco UCS Central processes the SNMP message.
The security level determines the privileges required to view the message associated with an SNMP trap. The security level determines whether Cisco UCS Central must protect the message from disclosure, or authenticate it. The supported security level depends upon which security model is implemented. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP packet. SNMP security levels support one or more of the following privileges:
No authentication or encryption.
Authentication but no encryption.
Authentication and encryption.
SNMPv3 provides for both security models and security levels.
Model |
Level |
Authentication |
Encryption |
What Happens |
---|---|---|---|---|
v1 |
noAuthNoPriv |
Community string |
No |
Uses a community string match for authentication. |
v2c |
noAuthNoPriv |
Community string |
No |
Uses a community string match for authentication. |
v3 |
noAuthNoPriv |
Username |
No |
Uses a username match for authentication. |
v3 |
authNoPriv |
HMAC-MD5 or HMAC-SHA |
No |
|
v3 |
authPriv |
HMAC-MD5 or HMAC-SHA |
DES |
Provides authentication based on: |
Cisco UCS Central supports read-only access to OS MIBs. No set operations are available for the MIBs. The following MIBs are supported by Cisco UCS Central:
IP-MIB
IF-MIB
DISMAN-EVENT-MIB
SNMP MIB-2 snmp
Note | Cisco UCS Central does not provide support for IPV6 and Cisco UCS Central MIBs. |
Cisco UCS Central supports the following authentication protocols for SNMPv3 users:
Cisco UCS uses Advanced Encryption Standard (AES) as one of the privacy protocols for SNMPv3 message encryption and conforms with RFC 3826.
The privacy password, or priv option, offers a choice of DES or 128-bit AES encryption for SNMP security encryption. If you enable AES-128 configuration and include a privacy password for an SNMPv3 user, Cisco UCS Central uses the privacy password to generate a 128-bit AES key. The AES privacy password can have a minimum of eight characters. If the passphrases are specified in clear text, you can specify a maximum of 64 characters.
Create SNMP traps and users.
After creating an SNMP trap, you can edit the SNMP trap information as required.
Create an SNMP user.
After creating an SNMP user, you can edit the SNMP user information as required.