SNMP

SR Linux supports the Simple Network Management Protocol (SNMP) versions SNMPv2c and SNMPv3, which allow SNMP managers to read information about the system for device monitoring.

SNMP architecture

SNMP is an application-layer protocol that enables communication between managers (the management system) and agents (the network devices). It provides a standard framework to monitor devices in a network from a central location.

An SNMP manager can get a value from an SNMP agent. The manager uses definitions in the management information base (MIB) to perform operations on the managed device such as retrieving values from variables and processing traps.

The following actions can occur between the agent and the manager:
  • The manager gets information from the agent.

  • The agent sends traps to notify the manager of significant events that occur on the system.

Management information base

A management information base (MIB) is a formal specification document with definitions of management information used to remotely monitor, configure, and control a managed device or network system. The agent's management information consists of a set of network objects that can be managed with SNMP. Object identifiers are unique object names that are organized in a hierarchical tree structure. The main branches are defined by the Internet Engineering Task Force (IETF). When requested, the Internet Assigned Numbers Authority (IANA) assigns a unique branch for use by a private organization or company. The branch assigned to Nokia (TiMetra) is 1.3.6.1.4.1.6527.

The SNMP agent provides management information to support a collection of IETF specified MIBs and a number of MIBs defined to manage devices and network data unique to the Nokia router.

MIB files are packaged with each release and are available on the Nokia support portal or in /opt/srlinux/snmp/MIBs.zip.

SNMP network instance configuration

The SNMP agent must first be configured to run in each network instance used to monitor the system. Then, access groups can be configured to read information or trap groups can be configured to send traps.

To configure the SNMP agent, use the system snmp commands.

SNMP network instance configuration

In the following example, the SNMP agent is running in the default network instance.

--{ * candidate shared default }--[  ]--
# info system snmp
    system {
        snmp {
            network-instance default {
                admin-state enable
            }
        }
    }

SNMP versions and configuration

The SNMP agent supports two versions of the SNMP protocol:
  • SNMPv2c is a community-based administrative framework for SNMPv2. SNMPv2c uses a community string for authentication; the string travels unencrypted in every packet, so it identifies the manager but gives no confidentiality.

  • SNMPv3 uses the User-based Security Model (USM), which authenticates users with passwords and, when a privacy protocol is configured, encrypts the packets.

SNMPv3 authentication and privacy protocols

The User-based Security Model (USM) for the authentication, encryption, and decryption of SNMPv3 packets is supported with configurable authentication and privacy protocols.

SNMPv3 authentication protocols

The following SNMPv3 authentication protocols are supported:
  • HMAC-MD5-96
  • HMAC-SHA-96
  • HMAC-SHA-224
  • HMAC-SHA-256
  • HMAC-SHA-384
  • HMAC-SHA-512

SNMPv3 privacy protocols

The following SNMPv3 privacy protocols are supported:
  • CBC-DES
  • CFB128-AES-128
  • CFB128-AES-192
  • CFB128-AES-256

SNMPv3 authentication and privacy protocol combinations

The following combinations of authentication and privacy protocols are not allowed. The SNMPv3 privacy key is derived with the authentication protocol's hash, so it is only as long as that hash's digest, and a cipher that needs a longer key cannot be keyed from it:
  • HMAC-MD5-96 (16 bytes) and CFB128-AES-192 (24 bytes)
  • HMAC-MD5-96 (16 bytes) and CFB128-AES-256 (32 bytes)
  • HMAC-SHA1-96 (20 bytes) and CFB128-AES-192 (24 bytes)
  • HMAC-SHA1-96 (20 bytes) and CFB128-AES-256 (32 bytes)
  • HMAC-SHA2-224 (28 bytes) and CFB128-AES-256 (32 bytes)
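As an added example (not from the SR Linux documentation), the following Python derives SNMPv3 USM keys the way RFC 3414 specifies (RFC 7860 applies the same steps with the SHA-2 hashes) and reproduces the disallowed list above purely from digest lengths. The protocol names and byte counts are the ones this page lists; the test vector (password maplesyrup, engine ID 000000000000000000000002) is the one in RFC 3414 appendix A.3. The privacy password goes through exactly the same two steps with the authentication hash, which is why the privacy key can never be longer than that hash's digest.

```python
"""Added example, not SR Linux code: RFC 3414 password-to-key and key
localization, plus the digest-length check behind the disallowed
authentication/privacy combinations."""
import hashlib

# Digest length in bytes of each authentication protocol on the page.
AUTH_DIGEST_LEN = {
    "hmac-md5-96": 16,
    "hmac-sha-96": 20,
    "hmac-sha-224": 28,
    "hmac-sha-256": 32,
    "hmac-sha-384": 48,
    "hmac-sha-512": 64,
}

# hashlib name used for each authentication protocol.
HASH_FOR_AUTH = {
    "hmac-md5-96": "md5",
    "hmac-sha-96": "sha1",
    "hmac-sha-224": "sha224",
    "hmac-sha-256": "sha256",
    "hmac-sha-384": "sha384",
    "hmac-sha-512": "sha512",
}

# Bytes each privacy protocol takes from the localized key.  CBC-DES uses
# 8 bytes of DES key plus 8 bytes of pre-IV (RFC 3414 section 8.1.1.1).
PRIV_KEY_LEN = {
    "cbc-des": 16,
    "cfb128-aes-128": 16,
    "cfb128-aes-192": 24,
    "cfb128-aes-256": 32,
}


def password_to_key(password: str, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated cyclically to exactly 1 MiB."""
    pw = password.encode("ascii")
    if not pw:
        raise ValueError("password must not be empty")
    total = 1 << 20
    stream = (pw * (total // len(pw) + 1))[:total]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(password: str, engine_id: bytes, auth_proto: str):
    """Return (Ku, Kul) for a password under the given authentication protocol."""
    hash_name = HASH_FOR_AUTH[auth_proto]
    ku = password_to_key(password, hash_name)
    return ku, localize_key(ku, engine_id, hash_name)


def combination_allowed(auth_proto: str, priv_proto: str) -> bool:
    """A cipher can only be keyed if the localized key is long enough."""
    return AUTH_DIGEST_LEN[auth_proto] >= PRIV_KEY_LEN[priv_proto]


def disallowed_combinations():
    """All (auth, priv) pairs rejected by the digest-length rule."""
    return [(a, p) for a in AUTH_DIGEST_LEN for p in PRIV_KEY_LEN
            if not combination_allowed(a, p)]


if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")  # RFC 3414 A.3 test engine ID
    for proto in AUTH_DIGEST_LEN:
        ku, kul = usm_keys("maplesyrup", engine, proto)
        print(f"{proto:14s} localized key: {kul.hex()} ({len(kul)} bytes)")
    for auth, priv in disallowed_combinations():
        print(f"not allowed: {auth} ({AUTH_DIGEST_LEN[auth]} bytes) with "
              f"{priv} ({PRIV_KEY_LEN[priv]} bytes)")
```

The five pairs the function rejects are exactly the five listed above; every pair that uses HMAC-SHA-256 or stronger passes, because a 32-byte digest covers even CFB128-AES-256.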

Configuring SNMPv2c

SR Linux supports SNMPv2c, which allows SNMP managers to read information about the system for device monitoring.

To configure the SNMP agent, use the system snmp commands.

SNMPv2c access group configuration

In SNMPv2c, the community value is mandatory and cannot contain spaces.

Optionally, the prefix-list value restricts which manager addresses (IPv4 and IPv6 prefixes) may use the community; it is only supported in SNMPv2c.

The community-entry name cannot be the same as the community value: the entry name appears in plaintext in the configuration while the community string is stored encrypted, so reusing it as the name would reveal the plaintext value of the community.

In the following example, the SNMPv2c agent uses an access group for get requests. The security level is set to no-auth-no-priv, the minimum.

--{ * candidate shared default }--[  ]--
# info system snmp
    system {
        snmp {
            access-group ag1 {
                admin-state enable
                security-level no-auth-no-priv
                community-entry ce1 {
                    community $aes1$AW/5wLmAOcTPhG8=$aFJfMhdHwSGTplCfsDgBPA==
                    prefix-list [
                        10.1.1.1/32
                    ]
                }
            }
            network-instance default {
                admin-state enable
            }
        }
    }

SNMPv2c trap group configuration

In the following example, the SNMPv2c agent uses a trap group within the default network instance. The security level is set to no-auth-no-priv, the minimum. The SNMPv2c community value is configured using the community-entry parameter.

--{ * candidate shared default }--[  ]--
# info system snmp
    system {
        snmp {
            trap-group tg1 {
                admin-state enable
                network-instance default
                destination destination1 {
                    admin-state enable
                    address 10.2.2.2
                    security-level no-auth-no-priv
                    community-entry ce1 {
                        community $aes1$AWOTWOQo41n22m8=$XD4pX1F7pWJFtTdgwjf23w==
                    }
                }
            }
            network-instance default {
                admin-state enable
            }
        }
    }

Configuring SNMPv3

SR Linux supports SNMPv3, which allows SNMP managers to read information about the system for device monitoring.

To configure the SNMP agent, use the system snmp commands.

SNMPv3 access group configuration

In the following example, the SNMPv3 agent uses an access group for get requests. The SNMPv3 user authentication and privacy protocols are configured using the security-entry parameter. The value of password cannot contain spaces.

--{ * candidate shared default }--[  ]--
# info system snmp
    system {
        snmp {
            access-group ag1 {
                admin-state enable
                security-level auth-priv
                security-entry se1 {
                    user user1 {
                        authentication {
                            protocol hmac-md5-96
                            password $aes1$AW8qEdNV+4KmIm8=$F2zgIDAO4DkcFh+6oLyd2w==
                        }
                        privacy {
                            protocol cbc-des
                            password $aes1$AW+ZudVoGPQP5W8=$1UMEKehkoPqo8zGFE0KzxA==
                        }
                    }
                }
            }
            network-instance default {
                admin-state enable
            }
        }
    }

SNMPv3 trap group configuration

In the following example, the SNMPv3 agent uses a trap group within the default network instance. The SNMPv3 user authentication and privacy protocols are configured using the security-entry parameter. The value of password cannot contain spaces.

--{ * candidate shared default }--[  ]--
# info system snmp
    system {
        snmp {
            trap-group tg1 {
                admin-state enable
                network-instance default
                destination destination1 {
                    admin-state enable
                    address 10.2.2.2
                    security-level auth-priv
                    security-entry se1 {
                        user user1 {
                            authentication {
                                protocol hmac-md5-96
                                password $aes1$AW/ZYq/e/AbNS28=$Dw3ipXdBawX9P10lfe/zAw==
                            }
                            privacy {
                                protocol cbc-des
                                password $aes1$AW9Bvh9EbJcvwm8=$V214DJcpHCvdxkWbewDVuQ==
                            }
                        }
                    }
                }
            }
            network-instance default {
                admin-state enable
            }
        }
    }
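The access-group and trap-group examples above share one brace-style layout, which makes them easy to audit mechanically. As an added example (not SR Linux code and not an SR Linux tool), the following Python parses that `info system snmp` output and flags the points this page raises from a reviewer's side: an SNMPv2c community-entry with no prefix-list, a community-entry named after its own community string, and SNMPv3 users still on HMAC-MD5-96, HMAC-SHA-96 or CBC-DES. The sample configuration is constructed for the example; the group, entry and user names are made up and `$aes1$PLACEHOLDER` stands in for the encrypted values a real device prints.

```python
"""Added example, not SR Linux code: review `info system snmp` output for
settings this page warns about or that a defender would want flagged."""

LEGACY_AUTH = {"hmac-md5-96", "hmac-sha-96"}   # MD5- and SHA-1-based HMACs
LEGACY_PRIV = {"cbc-des"}                      # 56-bit DES

# Constructed sample in the page's brace format (names made up; the
# community is shown in plaintext only so the name check can be exercised).
SAMPLE = """\
--{ * candidate shared default }--[  ]--
# info system snmp
    system {
        snmp {
            access-group ag1 {
                security-level no-auth-no-priv
                community-entry public {
                    community public
                }
            }
            trap-group tg1 {
                network-instance default
                destination d1 {
                    address 10.2.2.2
                    security-level auth-priv
                    security-entry se1 {
                        user user1 {
                            authentication {
                                protocol hmac-md5-96
                                password $aes1$PLACEHOLDER
                            }
                            privacy {
                                protocol cbc-des
                                password $aes1$PLACEHOLDER
                            }
                        }
                    }
                }
            }
        }
    }
"""


def parse(text):
    """Parse brace-style `info` output into nested dicts (lists for [ ... ])."""
    tree, _ = _block(text.splitlines(), 0)
    return tree


def _block(lines, i):
    node = {}
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(("#", "--{")):
            continue                          # prompt and command echo
        if line == "}":
            break
        if line.endswith("{"):                # container keeps "type name" as key
            child, i = _block(lines, i)
            node[line[:-1].strip()] = child
        elif line.endswith("["):              # leaf-list such as prefix-list
            items = []
            while lines[i].strip() != "]":
                items.append(lines[i].strip())
                i += 1
            node[line[:-1].strip()] = items
            i += 1
        else:                                 # "key value" leaf
            key, _, value = line.partition(" ")
            node[key] = value
    return node, i


def review(tree):
    """Return findings for every access group and trap destination."""
    findings = []
    for name, body in tree.get("system", {}).get("snmp", {}).items():
        if name.startswith("access-group "):
            _check(name, body, findings, is_access_group=True)
        elif name.startswith("trap-group "):
            for dname, dest in body.items():
                if dname.startswith("destination "):
                    _check(f"{name} {dname}", dest, findings, is_access_group=False)
    return findings


def _check(label, body, findings, is_access_group):
    for key, sub in body.items():
        if key.startswith("community-entry "):
            entry = key.split(" ", 1)[1]
            # prefix-list only exists on SNMPv2c access groups
            if is_access_group and "prefix-list" not in sub:
                findings.append(f"{label}: community-entry {entry} has no prefix-list")
            if sub.get("community") == entry:
                findings.append(f"{label}: community-entry {entry} is named after its community string")
        elif key.startswith("security-entry "):
            for ukey, user in sub.items():
                if not ukey.startswith("user "):
                    continue
                auth = user.get("authentication", {}).get("protocol")
                priv = user.get("privacy", {}).get("protocol")
                if auth in LEGACY_AUTH:
                    findings.append(f"{label}: {ukey} uses legacy authentication {auth}")
                if priv in LEGACY_PRIV:
                    findings.append(f"{label}: {ukey} uses legacy privacy {priv}")


if __name__ == "__main__":
    for finding in review(parse(SAMPLE)):
        print(finding)
```

On a committed configuration the community is stored encrypted, so the name-equality check can only fire on a candidate that still shows the plaintext value; the prefix-list and protocol checks work on any `info` output pasted in. Run against the sample it reports four findings: the missing prefix-list, the entry named after its community, and the MD5 and DES protocols on the trap destination.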