The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The Simple Network Management Protocol (SNMP) is an application-layer protocol that provides a message format for communication between SNMP managers and agents. SNMP provides a standardized framework and a common language for monitoring and managing devices in a network.
The SNMP framework consists of three parts:
An SNMP manager—The system used to control and monitor the activities of network devices using SNMP.
An SNMP agent—The software component within Cisco UCS, the managed device that maintains the data for Cisco UCS, and reports the data as needed to the SNMP manager. Cisco UCS includes the agent and a collection of MIBs. To enable the SNMP agent and create the relationship between the manager and agent, enable and configure SNMP in Cisco UCS Manager.
A managed information base (MIB)—The collection of managed objects on the SNMP agent. Cisco UCS release 1.4(1) and higher supports a larger number of MIBs than earlier releases.
Cisco UCS supports SNMPv1, SNMPv2c and SNMPv3. Both SNMPv1 and SNMPv2c use a community-based form of security. SNMP is defined in the following:
RFC 3410 (http://tools.ietf.org/html/rfc3410)
RFC 3411 (http://tools.ietf.org/html/rfc3411)
RFC 3412 (http://tools.ietf.org/html/rfc3412)
RFC 3413 (http://tools.ietf.org/html/rfc3413)
RFC 3414 (http://tools.ietf.org/html/rfc3414)
RFC 3415 (http://tools.ietf.org/html/rfc3415)
RFC 3416 (http://tools.ietf.org/html/rfc3416)
RFC 3417 (http://tools.ietf.org/html/rfc3417)
RFC 3418 (http://tools.ietf.org/html/rfc3418)
RFC 3584 (http://tools.ietf.org/html/rfc3584)
A key feature of SNMP is the ability to generate notifications from an SNMP agent. These notifications do not require that requests be sent from the SNMP manager. Notifications can indicate improper user authentication, restarts, the closing of a connection, loss of connection to a neighbor router, or other significant events.
Cisco UCS Manager generates SNMP notifications as either traps or informs. Traps are less reliable than informs because the SNMP manager does not send any acknowledgment when it receives a trap, and Cisco UCS Manager cannot determine if the trap was received. An SNMP manager that receives an inform request acknowledges the message with an SNMP response Protocol Data Unit (PDU). If the Cisco UCS Manager does not receive the PDU, it can send the inform request again.
SNMPv1, SNMPv2c, and SNMPv3 each represent a different security model. The security model combines with the selected security level to determine the security mechanism applied when the SNMP message is processed.
The security level determines the privileges required to view the message associated with an SNMP trap. The privilege level determines whether the message requires protection from disclosure or whether the message is authenticated. The supported security level depends on which security model is implemented. SNMP security levels support one or more of the following privileges:
noAuthNoPriv—No authentication or encryption
authNoPriv—Authentication but no encryption
authPriv—Authentication and encryption
SNMPv3 provides for both security models and security levels. A security model is an authentication strategy that is set up for a user and the role in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP packet.
The following table identifies the combinations of security models and levels.
|
Model |
Level |
Authentication |
Encryption |
What Happens |
|---|---|---|---|---|
|
v1 |
noAuthNoPriv |
Community string |
No |
Uses a community string match for authentication. |
|
v2c |
noAuthNoPriv |
Community string |
No |
Uses a community string match for authentication. |
|
v3 |
noAuthNoPriv |
Username |
No |
Uses a username match for authentication. |
|
v3 |
authNoPriv |
HMAC-MD5 or HMAC-SHA |
No |
Provides authentication based on the Hash-Based Message Authentication Code (HMAC) Message Digest 5 (MD5) algorithm or the HMAC Secure Hash Algorithm (SHA). |
|
v3 |
authPriv |
HMAC-MD5 or HMAC-SHA |
DES |
Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides Data Encryption Standard (DES) 56-bit encryption in addition to authentication based on the Cipher Block Chaining (CBC) DES (DES-56) standard. |
SNMPv3 provides secure access to devices through a combination of authenticating and encrypting frames over the network. SNMPv3 authorizes only configured users to perform management operations and encrypts SNMP messages. The SNMPv3 User-Based Security Model (USM) refers to SNMP message-level security and offers the following services:
Message integrity—Ensures that messages are not altered or destroyed in an unauthorized manner, and that data sequences are not altered beyond what can occur non-maliciously.
Message origin authentication—Ensures that the identity of a message originator is verifiable.
Message confidentiality and encryption—Ensures that information is not made available or disclosed to unauthorized individuals, entities, or processes.
Cisco UCS provides the following support for SNMP:
Cisco UCS supports read-only access to MIBs.
For information about the specific MIBs available for Cisco UCS and where you can obtain them, see the http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/mib/b-series/b_UCS_MIBRef.html for B-series servers, and http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/mib/c-series/b_UCS_Standalone_C-Series_MIBRef.html C-series servers.
Cisco UCS supports the following authentication protocols for SNMPv3 users:
HMAC-MD5-96 (MD5)
HMAC-SHA-96 (SHA)
Cisco UCS uses Advanced Encryption Standard (AES) as one of the privacy protocols for SNMPv3 message encryption and conforms with RFC 3826.
The privacy password, or priv option, offers a choice of DES or 128-bit AES encryption for SNMP security encryption. If you enable AES-128 configuration and include a privacy password for an SNMPv3 user, Cisco UCS Manager uses the privacy password to generate a 128-bit AES key. The AES privacy password can have a minimum of eight characters. If the passphrases are specified in clear text, you can specify a maximum of 64 characters.
Configuring SNMP
SNMP messages from a Cisco UCS domain display the fabric interconnect name rather than the system name.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
UCS-A# scope monitoring |
Enters monitoring mode. |
| Step 2 |
UCS-A /monitoring # enable snmp |
Enables SNMP. |
| Step 3 |
UCS-A /monitoring # set snmp community |
Enters snmp community mode. |
| Step 4 |
UCS-A /monitoring # Enter a snmp community: community-name |
Specifies SNMP community. Use the community name as a password. The community name can be any alphanumeric string up to 32 characters. |
| Step 5 |
UCS-A /monitoring # set snmp syscontact system-contact-name |
Specifies the system contact person responsible for the SNMP. The system contact name can be any alphanumeric string up to 255 characters, such as an email address or name and telephone number. |
| Step 6 |
UCS-A /monitoring # set snmp syslocation system-location-name |
Specifies the location of the host on which the SNMP agent (server) runs. The system location name can be any alphanumeric string up to 512 characters. |
| Step 7 |
UCS-A /monitoring # commit-buffer |
Commits the transaction to the system configuration. |
The following example enables SNMP, configures an SNMP community named SnmpCommSystem2, configures a system contact named contactperson, configures a contact location named systemlocation, and commits the transaction:
UCS-A# scope monitoring
UCS-A /monitoring # enable snmp
UCS-A /monitoring* # set snmp community
UCS-A /monitoring* # Enter a snmp community: SnmpCommSystem2
UCS-A /monitoring* # set snmp syscontact contactperson1
UCS-A /monitoring* # set snmp syslocation systemlocation
UCS-A /monitoring* # commit-buffer
UCS-A /monitoring #
Create SNMP traps and users.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
UCS-A# scope monitoring |
Enters monitoring mode. |
| Step 2 |
UCS-A /monitoring # enable snmp |
Enables SNMP. |
| Step 3 |
UCS-A /monitoring # create snmp-trap {hostname | ip-addr | ip6-addr} |
Creates an SNMP trap host with the specified host name, IPv4 address, or IPv6 address. The host name can be a fully qualified domain name of an IPv4 address. |
| Step 4 |
UCS-A /monitoring/snmp-trap # set community community-name |
Specifies the SNMP community name to be used for the SNMP trap. |
| Step 5 |
UCS-A /monitoring/snmp-trap # set port port-num |
Specifies the port to be used for the SNMP trap. |
| Step 6 |
UCS-A /monitoring/snmp-trap # set version {v1 | v2c | v3 } |
Specifies the SNMP version and model used for the trap. |
| Step 7 |
(Optional) UCS-A /monitoring/snmp-trap # set notificationtype {traps | informs } |
(Optional)
The type of trap to send. If you select v2c or v3 for the version, this can be:
|
| Step 8 |
(Optional) UCS-A /monitoring/snmp-trap # set v3 privilege {auth | noauth | priv } |
(Optional)
If you select v3 for the version, the privilege associated with the trap can be
|
| Step 9 |
UCS-A /monitoring/snmp-trap # commit-buffer |
Commits the transaction to the system configuration. |
The following example enables SNMP, creates an SNMP trap using an IPv4 address, specifies that the trap will use the SnmpCommSystem2 community on port 2, sets the version to v3, sets the notification type to traps, sets the v3 privilege to priv, and commits the transaction:
UCS-A# scope monitoring
UCS-A /monitoring # enable snmp
UCS-A /monitoring* # create snmp-trap 100.10.111.112
UCS-A /monitoring/snmp-trap* # set community SnmpCommSystem2
UCS-A /monitoring/snmp-trap* # set port 2
UCS-A /monitoring/snmp-trap* # set version v3
UCS-A /monitoring/snmp-trap* # set notificationtype traps
UCS-A /monitoring/snmp-trap* # set v3 privilege priv
UCS-A /monitoring/snmp-trap* # commit-buffer
UCS-A /monitoring/snmp-trap #
The following example enables SNMP, creates an SNMP trap using an IPv6 address, specifies that the trap will use the SnmpCommSystem3 community on port 2, sets the version to v3, sets the notification type to traps, sets the v3 privilege to priv, and commits the transaction:
UCS-A# scope monitoring
UCS-A /monitoring # enable snmp
UCS-A /monitoring* # create snmp-trap 2001::1
UCS-A /monitoring/snmp-trap* # set community SnmpCommSystem3
UCS-A /monitoring/snmp-trap* # set port 2
UCS-A /monitoring/snmp-trap* # set version v3
UCS-A /monitoring/snmp-trap* # set notificationtype traps
UCS-A /monitoring/snmp-trap* # set v3 privilege priv
UCS-A /monitoring/snmp-trap* # commit-buffer
UCS-A /monitoring/snmp-trap #
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
UCS-A# scope monitoring |
Enters monitoring mode. |
| Step 2 |
UCS-A /monitoring # delete snmp-trap {hostname | ip-addr} |
Deletes the specified SNMP trap host with the specified hostname or IP address. |
| Step 3 |
UCS-A /monitoring # commit-buffer |
Commits the transaction to the system configuration. |
The following example deletes the SNMP trap at IP address 192.168.100.112 and commits the transaction:
UCS-A# scope monitoring
UCS-A /monitoring # delete snmp-trap 192.168.100.112
UCS-A /monitoring* # commit-buffer
UCS-A /monitoring #
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
UCS-A# scope monitoring |
Enters monitoring mode. |
| Step 2 |
UCS-A /monitoring # enable snmp |
Enables SNMP. |
| Step 3 |
UCS-A /monitoring # create snmp-user user-name |
Creates the specified SNMPv3 user. An SNMP username cannot be the same as a local username. Choose an SNMP username that does not match a local username. |
| Step 4 |
UCS-A /monitoring/snmp-user # set aes-128 {no | yes } |
Enables or disables the use of AES-128 encryption. |
| Step 5 |
UCS-A /monitoring/snmp-user # set auth {md5 | sha } |
Specifies the use of MD5 or DHA authentication. |
| Step 6 |
UCS-A /monitoring/snmp-user # set password |
Specifies the user password. After you enter the set password command, you are prompted to enter and confirm the password. |
| Step 7 |
UCS-A /monitoring/snmp-user # set priv-password |
Specifies the user privacy password. After you enter the set priv-password command, you are prompted to enter and confirm the privacy password. |
| Step 8 |
UCS-A /monitoring/snmp-user # commit-buffer |
Commits the transaction to the system configuration. |
The following example enables SNMP, creates an SNMPv3 user named snmp-user14, disables AES-128 encryption, specifies the use of MD5 authentication, sets the password and privacy password, and commits the transaction:
UCS-A# scope monitoring
UCS-A /monitoring # enable snmp
UCS-A /monitoring* # create snmp-user snmp-user14
UCS-A /monitoring/snmp-user* # set aes-128 no
UCS-A /monitoring/snmp-user* # set auth md5
UCS-A /monitoring/snmp-user* # set password
Enter a password:
Confirm the password:
UCS-A /monitoring/snmp-user* # set priv-password
Enter a password:
Confirm the password:
UCS-A /monitoring/snmp-user* # commit-buffer
UCS-A /monitoring/snmp-user #
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
UCS-A# scope monitoring |
Enters monitoring mode. |
| Step 2 |
UCS-A /monitoring # delete snmp-user user-name |
Deletes the specified SNMPv3 user. |
| Step 3 |
UCS-A /monitoring # commit-buffer |
Commits the transaction to the system configuration. |
The following example deletes the SNMPv3 user named snmp-user14 and commits the transaction:
UCS-A# scope monitoring
UCS-A /monitoring # delete snmp-user snmp-user14
UCS-A /monitoring* # commit-buffer
UCS-A /monitoring #
Feedback