SNMP
Authentication
SNMP Policies
The SNMP Agent functionality remotely monitors Cisco UCS Central. You can also change the Cisco UCS Central host IP, and then restart the SNMP agent on the new IP. SNMP is run on both the active and standby Cisco UCS Central servers. The configuration persists on both. Cisco UCS Central offers read-only access to only the operating system managed information base (MIB). Through the Cisco UCS Central CLI you can configure the community strings for SNMP v1, v2c, and create and delete the SNMPv3 users.
- SNMP Functional Overview
- SNMP Notifications
- SNMP Security Features
- SNMP Security Levels and Privileges
- SNMP Security Models and Levels
SNMP Functional Overview
The SNMP framework consists of three parts:
- SNMP Manager
-
System used to control and monitor the activities of network devices using SNMP.
- SNMP Agent
-
Software component within Cisco UCS Central. The managed device that maintains the data for Cisco UCS Central and reports the data, as needed, to the SNMP manager. Cisco UCS Central includes the agent and a collection of MIBs. To enable the SNMP agent and create the relationship between the manager and agent, enable and configure SNMP.
- Managed Information Base (MIB)
-
Collection of managed objects in the SNMP agent. Cisco UCS Central supports only the OS MIBs.
For information about the specific MIBs available for Cisco UCS and where you can obtain them, see the MIB Reference for Cisco UCS Manager for B-series servers, and MIB Reference for Cisco UCS Standalone C-Series Servers C-series servers.
-
RFC 3410 (http://tools.ietf.org/html/rfc3410)
-
RFC 3411 (http://tools.ietf.org/html/rfc3411)
-
RFC 3412 (http://tools.ietf.org/html/rfc3412)
-
RFC 3413 (http://tools.ietf.org/html/rfc3413)
-
RFC 3414 (http://tools.ietf.org/html/rfc3414)
-
RFC 3415 (http://tools.ietf.org/html/rfc3415)
-
RFC 3416 (http://tools.ietf.org/html/rfc3416)
-
RFC 3417 (http://tools.ietf.org/html/rfc3417)
-
RFC 3418 (http://tools.ietf.org/html/rfc3418)
-
RFC 3584 (http://tools.ietf.org/html/rfc3584)
SNMP Notifications
A key feature of SNMP is the ability to generate notifications from an SNMP agent. These notifications do not require that the SNMP manager send the requests. Notifications can indicate improper user authentication, restarts, the closing of a connection, loss of connection to a neighbor router, or other significant events.
Cisco UCS Central generates SNMP notifications as traps. Traps are less reliable than Informs because the SNMP manager does not send any acknowledgment when it receives a trap. Therefore, Cisco UCS Central cannot determine if it received the trap.
An SNMP manager that receives an inform request acknowledges the message with an SNMP response protocol data unit (PDU). If Cisco UCS Central does not receive the PDU, it can send the inform request again.
SNMP Security Features
SNMPv3 provides secure access to devices through a combination of authenticating and encrypting frames over the network. SNMPv3 authorizes management operations only by configured users and encrypts SNMP messages. The SNMPv3 user-based security model (USM) refers to SNMP message-level security and offers the following services:
- Message Integrity
-
Ensures that nothing has altered or destroyed any messages in an unauthorized manner. Also ensures that nothing has altered data sequences to an extent greater than can occur non-maliciously.
- Message Origin Authentication
-
Confirms the claimed identity of the user who received the data.
- Message Confidentiality and Encryption
-
Ensures that information is not made available or disclosed to unauthorized individuals, entities, or processes.
SNMP Security Levels and Privileges
SNMPv1, SNMPv2c, and SNMPv3 each represent a different security model. A security model is an authentication strategy that is set up for a user and the role in which the user resides. The security model combines with the selected security level to determine the security mechanism applied when Cisco UCS Central processes the SNMP message.
The security level determines the privileges required to view the message associated with an SNMP trap. The security level determines whether Cisco UCS Central must protect the message from disclosure, or authenticate it. The supported security level depends upon which security model is implemented. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP packet. SNMP security levels support one or more of the following privileges:
- NoAuthNoPriv
-
No authentication or encryption.
- AuthNoPriv
-
Authentication but no encryption.
- AuthPriv
-
Authentication and encryption.
SNMPv3 provides for both security models and security levels.
SNMP Security Models and Levels
Model |
Level |
Authentication |
Encryption |
What Happens |
---|---|---|---|---|
v1 |
noAuthNoPriv |
Community string |
No |
Uses a community string match for authentication. |
v2c |
noAuthNoPriv |
Community string |
No |
Uses a community string match for authentication. |
v3 |
noAuthNoPriv |
Username |
No |
Uses a username match for authentication. |
v3 |
authNoPriv |
HMAC-MD5 or HMAC-SHA |
No |
|
v3 |
authPriv |
HMAC-MD5 or HMAC-SHA |
DES |
Provides authentication based on: |
SNMP Support in Cisco UCS Central
Support for MIBs
Cisco UCS Central supports read-only access to OS MIBs. No set operations are available for the MIBs. The following MIBs are supported by Cisco UCS Central:
- SNMP MIB-2 System
-
HOST-RESOURCES-MIB -
UCD-SNMP-MIB -
SNMP MIB-2 Interfaces -
IP-MIB
-
SNMP-FRAMEWORK-MIB -
IF-MIB
-
DISMAN-EVENT-MIB
-
SNMP MIB-2 snmp
Note | Cisco UCS Central does not provide support for IPV6 and Cisco UCS Central MIBs. |
Authentication Protocols for SNMPv3 Users
Cisco UCS Central supports the following authentication protocols for SNMPv3 users:
AES Privacy Protocol for SNMPv3 Users
Cisco UCS uses Advanced Encryption Standard (AES) as one of the privacy protocols for SNMPv3 message encryption and conforms with RFC 3826.
The privacy password, or priv option, offers a choice of DES or 128-bit AES encryption for SNMP security encryption. If you enable AES-128 configuration and include a privacy password for an SNMPv3 user, Cisco UCS Central uses the privacy password to generate a 128-bit AES key. The AES privacy password can have a minimum of eight characters. If the passphrases are specified in clear text, you can specify a maximum of 64 characters.
- Configuring an SNMP Policy
- Configuring an SNMP Trap
- Configuring an SNMP User
- Deleting an SNMP Policy
- Deleting an SNMP Trap
- Deleting an SNMP User
Configuring an SNMP Policy
You can configure policies in the domain group root. You can also create new policies.
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group / UCSC(policy-mgr) /domain-group # scope snmp UCSC(policy-mgr) /domain-group/snmp # enable snmp UCSC(policy-mgr) /domain-group/snmp* # set snmp community SNMPCommunity01 UCSC(policy-mgr) /domain-group/snmp* # set snmp syscontact SNMPSysAdmin01 UCSC(policy-mgr) /domain-group/snmp* # set snmp syslocation SNMPWestCoast01 UCSC(policy-mgr) /domain-group/snmp* # commit-buffer UCSC(policy-mgr) /domain-group/snmp #
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group domaingroup01 UCSC(policy-mgr) /domain-group # create snmp UCSC(policy-mgr) /domain-group/snmp* # enable snmp UCSC(policy-mgr) /domain-group/snmp* # set snmp community SNMPCommunity01 UCSC(policy-mgr) /domain-group/snmp* # set snmp syscontact SNMPSysAdmin01 UCSC(policy-mgr) /domain-group/snmp* # set snmp syslocation SNMPWestCoast01 UCSC(policy-mgr) /domain-group/snmp* # commit-buffer UCSC(policy-mgr) /domain-group/snmp #
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group domaingroup01 UCSC(policy-mgr) /domain-group # scope snmp UCSC(policy-mgr) /domain-group/snmp # disable snmp UCSC(policy-mgr) /domain-group/snmp* # commit-buffer UCSC(policy-mgr) /domain-group/snmp #
Configuring an SNMP Trap
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group / UCSC(policy-mgr) /domain-group # scope snmp UCSC(policy-mgr) /domain-group/snmp # create snmp-trap 0.0.0.0 UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set community snmptrap01 UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set notificationtype traps UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set port 1 UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set v3privilege priv UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set version v1 UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # commit-buffer UCSC(policy-mgr) /domain-group/snmp/snmp-trap #
-
Scopes into the domain group domaingroup01
-
Scopes the SNMP policy
-
Scopes the SNMP trap with IP address 0.0.0.0
-
Sets the SNMP community host string to snmptrap02
-
Sets the SNMP notification type to traps
-
Sets the SNMP port to 65535
-
Sets the v3privilege to auth
-
Sets the version to v2c
-
Commits the transaction
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group domaingroup01 UCSC(policy-mgr) /domain-group # scope snmp UCSC(policy-mgr) /domain-group/snmp # scope snmp-trap 0.0.0.0 UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set community snmptrap02 UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set notificationtype traps UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set port 65535 UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set v3privilege auth UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set version v2c UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # commit-buffer UCSC(policy-mgr) /domain-group/snmp/snmp-trap #
Configuring an SNMP User
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group / UCSC(policy-mgr) /domain-group # scope snmp UCSC(policy-mgr) /domain-group/snmp # scope snmp-user snmpuser01 UCSC(policy-mgr) /domain-group/snmp/snmp-user # set aes-128 yes UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set auth sha UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set password userpassword01 Enter a password: userpassword01 Confirm the password: userpassword01 UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set priv-password userpassword02 Enter a password: userpassword02 Confirm the password: userpassword02 UCSC(policy-mgr) /domain-group/snmp/snmp-user* # commit-buffer UCSC(policy-mgr) /domain-group/snmp/snmp-user #
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group / UCSC(policy-mgr) /domain-group # scope snmp UCSC(policy-mgr) /domain-group/snmp # create snmp-user snmpuser01 UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set aes-128 yes UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set auth md5 UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set password userpassword01 Enter a password: userpassword01 Confirm the password: userpassword01 UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set priv-password userpassword02 Enter a password: userpassword02 Confirm the password: userpassword02 UCSC(policy-mgr) /domain-group/snmp/snmp-user* # commit-buffer UCSC(policy-mgr) /domain-group/snmp/snmp-user #
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group / UCSC(policy-mgr) /domain-group # scope snmp UCSC(policy-mgr) /domain-group/snmp # scope snmp-user snmpuser01 UCSC(policy-mgr) /domain-group/snmp/snmp-user # set aes-128 no UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set auth md5 UCSC(policy-mgr) /domain-group/snmp/snmp-user* # commit-buffer UCSC(policy-mgr) /domain-group/snmp/snmp-user #
Deleting an SNMP Policy
You can delete an SNMP policy from a sub-domain group of the domain group root. You cannot delete SNMP policies that reside in the domain group root.
Deleting an SNMP policy removes all SNMP trap and SNMP user settings within that policy.
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group domaingroup01 UCSC(policy-mgr) /domain-group # delete snmp UCSC(policy-mgr) /domain-group* # commit-buffer UCSC(policy-mgr) /domain-group #
Deleting an SNMP Trap
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
Step 2 | UCSC(policy-mgr) # scope domain-group domain-group |
Enters domain group root mode and (optionally) enters a sub-domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # scope snmp |
Scopes the default SNMP policy's configuration mode. |
Step 4 | UCSC(policy-mgr) /domain-group/snmp # delete snmp-trap snmp-trap-ip |
Deletes the snmp-trap IP address for that domain group. |
Step 5 | UCSC(policy-mgr) /domain-group/snmp* # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group / UCSC(policy-mgr) /domain-group # scope snmp UCSC(policy-mgr) /domain-group/snmp # delete snmp-trap 0.0.0.0 UCSC(policy-mgr) /domain-group/snmp* # commit-buffer UCSC(policy-mgr) /domain-group #
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group domaingroup01 UCSC(policy-mgr) /domain-group # scope snmp UCSC(policy-mgr) /domain-group/snmp # delete snmp-trap 0.0.0.0 UCSC(policy-mgr) /domain-group/snmp* # commit-buffer UCSC(policy-mgr) /domain-group #
Deleting an SNMP User
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
Step 2 | UCSC(policy-mgr) # scope domain-group domain-group |
Enters domain group root mode and (optionally) enters a sub-domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # scope snmp |
Scopes the SNMP policy's configuration mode. |
Step 4 | UCSC(policy-mgr) /domain-group/snmp # delete snmp-user snmp-user |
Deletes the SNMP user. |
Step 5 | UCSC(policy-mgr) /domain-group/snmp* # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group / UCSC(policy-mgr) /domain-group # scope snmp UCSC(policy-mgr) /domain-group/snmp # delete snmp snmpuser01 UCSC(policy-mgr) /domain-group/snmp* # commit-buffer UCSC(policy-mgr) /domain-group/snmp #
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group domaingroup01 UCSC(policy-mgr) /domain-group # scope snmp UCSC(policy-mgr) /domain-group/snmp # delete snmp snmpuser02 UCSC(policy-mgr) /domain-group/snmp* # commit-buffer UCSC(policy-mgr) /domain-group/snmp #