SNMP

This chapter covers some aspects related to the service snmp tool, which allows you to configure the Simple Network Management Protocol (SNMP) service (versions v1, v2c and v3) in OSDx.

By default, SNMP is configured to listen on all interfaces (port 161) and to accept both IPv4/IPv6 connections. This can be changed using the listen field.

  • address: to configure multiple IPv4/IPv6 addresses to listen for incoming requests.

    • port: to configure multiple ports to listen for incoming requests to these addresses (161 by default).

  • port: to configure multiple ports to listen for incoming requests on all interfaces.

Moreover, SNMP can also be configured to listen only on a specific VRF, using the local-vrf field.

In addition, SNMP can be configured with multiple OID-rules to control and restrict the information that is exposed and accessible on incoming requests, using the view field.

  • oid: to indicate the OID to be controlled.

    • mask: to set significant sub-identifiers for an OID.

    • type: to indicate whether an OID should be excluded or included (included by default).

SNMPv1 and SNMPv2c rely on the use of communities. In OSDx, a community can be created using the community field.

  • client: to indicate IPv4/IPv6 addresses and subnets that are allowed access in a community (all interfaces by default).

  • view: to indicate the view that affects a community.

  • notify-traps: In OSDx, updates in interfaces, alarms and/or advisors can be notified through SNMP traps. This field is to indicate the traps to be notified in a community. In the case of alarm/advisor, multiple names or the label all can be indicated.

SNMPv3 relies on the use of users, which offer a much more powerful security profile than communities. In OSDx, a user can be created using the user field.

  • view: same as for communities.

  • notify-traps: same as for communities.

  • authentication: to enable authentication for a user. SNMPv3 provides two different authentication mechanisms: SHA1 and MD5, which can be selected using the protocol field. The authentication password must also be configured via the password field.

  • privacy: to enable privacy (encryption) for a user. SNMPv3 provides two different encryption schemes: AES and DES, which can be selected using the protocol field. The privacy password must also be configured via the password field. This field can not be configured without specifying authentication parameters.

Users can be configured using three different security models:

  • noAuthNoPriv: without authentication and privacy.

  • authNoPriv: with authentication, but without privacy.

  • authPriv: with both authentication and privacy.

SNMPv3 also lets you specify the engine identifier, using the engine-id field.

The usual behavior of an SNMP agent is to wait for incoming SNMP requests and respond to them. However, SNMP can be configured to take a more active role. In OSDx, notification sending can be enabled via the trap-target field.

First, the version of SNMP for sending notifications must be selected. Then, depending on the selected version, OSDx offers different fields to configure:

  • SNMPv1:

    • community: to indicate the community used for notifications.

    • port: to configure the destination port used for notifications.

    • source: to configure the local IPv4/IPv6 address used for notifications.

  • SNMPv2c:

    • community: same as for SNMPv1.

    • port: same as for SNMPv1.

    • type: to configure the type of notification to send (see details below).

  • SNMPv3:

    • user: to indicate the user used for notifications.

    • port: same as for SNMPv1.

    • type: same as for SNMPv2c.

There are two different types of notfication that can be sent: traps and inform. For versions v2c and v3, the notification type can be selected using the type field (for version v1, only trap notifications are possible).

  • traps: one-way communication (these are used by default).

  • inform: these notifications require an acknowledgement from the receiver.

By default, the source address used in notifications is the one corresponding to the interface through which they are sent. This can be changed using the local-address field.

Configuration

This is the syntax to create a service snmp:

set service snmp [ ... ]

Examples

Enabling incoming SNMPv1 and SNMPv2c requests

Imagine that you want to configure the SNMP service to allow receiving incoming requests from any host on the 10.0.0.0/24 subnet, using either SNMPv1 or SNMPv2c.

In OSDx, this can be achieved by setting the following commands:

set service snmp community PUBLIC client 10.0.0.0/24

Enabling SNMPv2c notification sending

Imagine that you want to configure the SNMP service to allow sending notifications to host 10.0.0.2, using SNMPv2c.

In OSDx, this can be achieved by setting the following commands:

set service snmp community PUBLIC
set service snmp trap-target 10.0.0.2 version v2c community PUBLIC

Enabling SNMPv3 notification sending when alarms are updated

Imagine that you want to configure the SNMP service to allow sending notifications to host 10.0.0.2 when an alarm has been updated, using SNMPv3.

In OSDx, this can be achieved by setting the following commands:

set service snmp user USERv3 notify-traps alarm ALARM1
set service snmp user USERv3 authentication protocol SHA
set service snmp user USERv3 authentication password auth_pass_12345
set service snmp user USERv3 privacy protocol AES
set service snmp user USERv3 privacy password priv_pass_12345
set service snmp engine-id 0x80000009010a0101c1
set service snmp trap-target 10.0.0.2 version v3 user USERv3

Monitoring

The following operational commands can be used to retrieve a subtree of information from local or remote agents: * service snmp walk local-agent v1 <txt>. * service snmp walk local-agent v2c <txt>. * service snmp walk local-agent v3 <txt>. * service snmp walk remote-agent <ipv4|ipv6|txt> v1 <txt>. * service snmp walk remote-agent <ipv4|ipv6|txt> v2c <txt>. * service snmp walk remote-agent <ipv4|ipv6|txt> v3 <txt>.

Example:

admin@DUT1$ service snmp walk remote-agent 10.0.0.1 v1 PUBLIC oid ifTable | head

IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifIndex.3 = INTEGER: 3
IF-MIB::ifIndex.4 = INTEGER: 4
IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.2 = STRING: Intel Corporation 82540EM Gigabit Ethernet Controller
IF-MIB::ifDescr.3 = STRING: Intel Corporation 82540EM Gigabit Ethernet Controller
IF-MIB::ifDescr.4 = STRING: Intel Corporation 82540EM Gigabit Ethernet Controller
IF-MIB::ifType.1 = INTEGER: softwareLoopback(24)
IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6)

Operational command snmp table [ ... ] can be used to retrieve information from local or remote agents and display it in a table.

Example:

admin@DUT1$ snmp table remote-agent 10.0.0.1 v2c PUBLIC oid ifTable

SNMP table: IF-MIB::ifTable

 ifIndex                                               ifDescr           ifType ifMtu    ifSpeed
       1                                                    lo softwareLoopback 65536   10000000
       2 Intel Corporation 82540EM Gigabit Ethernet Controller   ethernetCsmacd  1500 1000000000
       3 Intel Corporation 82540EM Gigabit Ethernet Controller   ethernetCsmacd  1500 1000000000
       4 Intel Corporation 82540EM Gigabit Ethernet Controller   ethernetCsmacd  1500 1000000000

SNMP table IF-MIB::ifTable, part 2

   ifPhysAddress ifAdminStatus ifOperStatus ifLastChange ifInOctets ifInUcastPkts ifInNUcastPkts
                            up           up 0:0:00:00.00       2200            44              0
 8:0:27:ff:f6:f1            up           up 0:0:00:00.00      88209           736              0
 8:0:27:84:f2:61          down         down 0:0:00:00.00          0             0              0
 8:0:27:ad:c9:a0            up           up 0:0:00:00.00    1552165         15972             92

SNMP table IF-MIB::ifTable, part 3

 ifInDiscards ifInErrors ifInUnknownProtos ifOutOctets ifOutUcastPkts ifOutNUcastPkts ifOutDiscards
            0          0                 0        2200             44               0             0
            0          0                 0      148777            762               0             0
            0          0                 0           0              0               0             0
            4          0                 0      640599           5265               0             0

SNMP table IF-MIB::ifTable, part 4

 ifOutErrors ifOutQLen              ifSpecific
           0         0 SNMPv2-SMI::zeroDotZero
           0         0 SNMPv2-SMI::zeroDotZero
           0         0 SNMPv2-SMI::zeroDotZero
           0         0 SNMPv2-SMI::zeroDotZero

Additionally, operational commands service snmp monitor traps community <txt> and service snmp monitor traps user <txt> can be used to monitor SNMP traps.

Example:

admin@DUT1$ service snmp monitor traps user USERv3 auth-key auth_pass_12345 auth-protocol SHA priv-key priv_pass_12345 priv-protocol AES engine-id 0x80000009010a0101c1

NET-SNMP version 5.7.3
2022-09-22 07:20:59 <UNKNOWN> [UDP: [10.0.0.1]:38763->[10.0.0.2]:162]:
SNMPv2-MIB::sysUpTime.0 = Timeticks: (3) 0:00:00.03   SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-MIB::coldStart  SNMPv2-MIB::snmpTrapEnterprise.0 = OID: NET-SNMP-TC::linux

Configuration commands