SNMP
SR Linux supports the Simple Network Management Protocol (SNMP) versions SNMPv2c and SNMPv3, which allow SNMP managers to read information about the system for device monitoring.
SNMP architecture
SNMP is an application-layer protocol that enables communication between managers (the management system) and agents (the network devices). It provides a standard framework to monitor devices in a network from a central location.
An SNMP manager can get a value from an SNMP agent. The manager uses definitions in the management information base (MIB) to perform operations on the managed device such as retrieving values from variables and processing traps.
- The manager gets information from the agent.
- The agent sends traps to notify the manager of significant events that occur on the system.
Management information base
A management information base (MIB) is a formal specification document with definitions of management information used to remotely monitor, configure, and control a managed device or network system. The agent’s management information consists of a set of network objects that can be managed with SNMP. Object identifiers are unique object names that are organized in a hierarchical tree structure. The main branches are defined by the Internet Engineering Task Force (IETF). When requested, the Internet Assigned Numbers Authority (IANA) assigns a unique branch for use by a private organization or company. The branch assigned to Nokia (TiMetra) is 1.3.6.1.4.1.6527.
The SNMP agent provides management information to support a collection of IETF-specified MIBs and a number of MIBs defined to manage devices and network data unique to the Nokia router.
MIB files are packaged with each release and are available on the Nokia support portal or in /opt/srlinux/snmp/MIBs.zip.
SNMP network instance configuration
The SNMP agent must first be configured to run in each network instance used to monitor the system. Then, access groups can be configured to read information or trap groups can be configured to send traps.
To configure the SNMP agent, use the system snmp commands.
SNMP network instance configuration
In the following example, the SNMP agent is running in the default network instance.
--{ * candidate shared default }--[ ]--
# info system snmp
system {
    snmp {
        network-instance default {
            admin-state enable
        }
    }
}
SNMP versions and configuration
- SNMPv2c is a community-based administrative framework for SNMPv2. SNMPv2c uses a community string for authentication.
- SNMPv3 uses the User-based Security Model (USM) for user authentication with passwords.
SNMPv3 authentication and privacy protocols
The User-based Security Model (USM) for the authentication, encryption, and decryption of SNMPv3 packets is supported with configurable authentication and privacy protocols.
SNMPv3 authentication protocols
- HMAC-MD5-96
- HMAC-SHA-96
- HMAC-SHA-224
- HMAC-SHA-256
- HMAC-SHA-384
- HMAC-SHA-512
SNMPv3 privacy protocols
- CBC-DES
- CFB128-AES-128
- CFB128-AES-192
- CFB128-AES-256
SNMPv3 authentication and privacy protocol combinations
- HMAC-MD5-96 (16 bytes) and CFB128-AES-192 (24 bytes)
- HMAC-MD5-96 (16 bytes) and CFB128-AES-256 (32 bytes)
- HMAC-SHA1-96 (20 bytes) and CFB128-AES-192 (24 bytes)
- HMAC-SHA1-96 (20 bytes) and CFB128-AES-256 (32 bytes)
- HMAC-SHA2-224 (28 bytes) and CFB128-AES-256 (32 bytes)
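The byte counts in the list above match the length of the localized authentication key and the key material the privacy protocol needs. The following added example (not Nokia code) runs the RFC 3414 password-to-key and key-localization steps, extended to the SHA-2 hashes, and derives the pairs where the localized key is shorter than the privacy key. The password and engine ID are the RFC 3414 test-vector values, and the function names are assumptions.

```python
import hashlib

# Hash behind each authentication protocol (RFC 3414; SHA-2 variants per RFC 7860).
AUTH = {"HMAC-MD5-96": "md5", "HMAC-SHA1-96": "sha1", "HMAC-SHA2-224": "sha224",
        "HMAC-SHA2-256": "sha256", "HMAC-SHA2-384": "sha384", "HMAC-SHA2-512": "sha512"}
# Key material each privacy protocol needs, in bytes (DES: 8-byte key + 8-byte pre-IV).
PRIV = {"CBC-DES": 16, "CFB128-AES-128": 16, "CFB128-AES-192": 24, "CFB128-AES-256": 32}

def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash 1048576 bytes of the repeated password to get Ku."""
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()

def localize(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Bind Ku to one agent: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def short_combinations(password: bytes, engine_id: bytes):
    """Pairs where the localized key is shorter than the privacy key needs."""
    out = []
    for auth, h in AUTH.items():
        kul = localize(password_to_key(password, h), engine_id, h)
        out += [(auth, len(kul), priv, need)
                for priv, need in PRIV.items() if len(kul) < need]
    return out

# Constructed inputs: the password and engine ID of the RFC 3414 A.3 test vectors.
ENGINE_ID = bytes.fromhex("000000000000000000000002")
if __name__ == "__main__":
    for auth, have, priv, need in short_combinations(b"maplesyrup", ENGINE_ID):
        print(f"{auth} ({have} bytes) and {priv} ({need} bytes)")
```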
Configuring SNMPv2c
SR Linux supports SNMPv2c, which allows SNMP managers to read information about the system for device monitoring.
To configure the SNMP agent, use the system snmp commands.
SNMPv2c access group configuration
In SNMPv2c, the community value is mandatory and cannot contain spaces.
Optionally, the prefix-list value defines which managers can use the community (both IPv4 and IPv6 addresses) and is only supported in SNMPv2c.
The community-entry value cannot be the same as the community value because this reveals the plaintext value of the community.
In the following example, the SNMPv2c agent uses an access group for get requests. The minimum security level is configured.
--{ * candidate shared default }--[ ]--
# info system snmp
system {
    snmp {
        access-group ag1 {
            admin-state enable
            security-level no-auth-no-priv
            community-entry ce1 {
                community $aes1$AW/5wLmAOcTPhG8=$aFJfMhdHwSGTplCfsDgBPA==
                prefix-list [
                    10.1.1.1/32
                ]
            }
        }
        network-instance default {
            admin-state enable
        }
    }
}
SNMPv2c trap group configuration
In the following example, the SNMPv2c agent uses a trap group within the default network instance. The minimum security level is configured. The SNMPv2c community value is configured using the community-entry parameter.
--{ * candidate shared default }--[ ]--
# info system snmp
system {
    snmp {
        trap-group tg1 {
            admin-state enable
            network-instance default
            destination destination1 {
                admin-state enable
                address 10.2.2.2
                security-level no-auth-no-priv
                community-entry ce1 {
                    community $aes1$AWOTWOQo41n22m8=$XD4pX1F7pWJFtTdgwjf23w==
                }
            }
        }
        network-instance default {
            admin-state enable
        }
    }
}
Configuring SNMPv3
SR Linux supports SNMPv3, which allows SNMP managers to read information about the system for device monitoring.
To configure the SNMP agent, use the system snmp commands.
SNMPv3 access group configuration
In the following example, the SNMPv3 agent uses an access group for get requests. The SNMPv3 user authentication and privacy protocols are configured using the security-entry parameter. The value of password cannot contain spaces.
--{ * candidate shared default }--[ ]--
# info system snmp
system {
    snmp {
        access-group ag1 {
            admin-state enable
            security-level auth-priv
            security-entry se1 {
                user user1 {
                    authentication {
                        protocol hmac-md5-96
                        password $aes1$AW8qEdNV+4KmIm8=$F2zgIDAO4DkcFh+6oLyd2w==
                    }
                    privacy {
                        protocol cbc-des
                        password $aes1$AW+ZudVoGPQP5W8=$1UMEKehkoPqo8zGFE0KzxA==
                    }
                }
            }
        }
        network-instance default {
            admin-state enable
        }
    }
}
SNMPv3 trap group configuration
In the following example, the SNMPv3 agent uses a trap group within the default network instance. The SNMPv3 user authentication and privacy protocols are configured using the security-entry parameter. The value of password cannot contain spaces.
--{ * candidate shared default }--[ ]--
# info system snmp
system {
    snmp {
        trap-group tg1 {
            admin-state enable
            network-instance default
            destination destination1 {
                admin-state enable
                address 10.2.2.2
                security-level auth-priv
                security-entry se1 {
                    user user1 {
                        authentication {
                            protocol hmac-md5-96
                            password $aes1$AW/ZYq/e/AbNS28=$Dw3ipXdBawX9P10lfe/zAw==
                        }
                        privacy {
                            protocol cbc-des
                            password $aes1$AW9Bvh9EbJcvwm8=$V214DJcpHCvdxkWbewDVuQ==
                        }
                    }
                }
            }
        }
        network-instance default {
            admin-state enable
        }
    }
}
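An added example, not part of the Nokia documentation: a Python audit of `info system snmp` output that flags the settings from this page's examples that a reviewer would normally question (no-auth-no-priv, hmac-md5-96, cbc-des) and access-group communities with no prefix-list. The sample configuration is constructed; the `<hashed-value>` placeholders and the `audit` function name are assumptions.

```python
WEAK = {  # settings shown in the page's examples that a reviewer should flag
    "security-level no-auth-no-priv": "no authentication and no encryption",
    "protocol hmac-md5-96": "MD5-based authentication",
    "protocol cbc-des": "single-DES privacy",
}

def audit(config):
    findings, stack, has_prefix = [], [], False
    for line in map(str.strip, config.splitlines()):
        if not line or line.startswith(("#", "--{")):
            continue                                  # blanks and CLI prompt lines
        if line[-1] in "{[":                          # a block or list opens
            stack.append(line[:-1].strip())
            if stack[-1].startswith("community-entry"):
                has_prefix = False
        elif line in ("}", "]"):                      # a block or list closes
            name, path = stack.pop(), "/".join(stack)
            if (name.startswith("community-entry") and not has_prefix
                    and any(s.startswith("access-group") for s in stack)):
                findings.append((f"{path}/{name}", "community has no prefix-list"))
        elif stack and stack[-1] == "prefix-list":    # an address inside the list
            has_prefix = True
        elif line in WEAK:
            findings.append(("/".join(stack), f"{line}: {WEAK[line]}"))
    return findings

# Constructed sample in the page's "info system snmp" format.
SAMPLE = """\
system {
  snmp {
    access-group ag1 {
      security-level no-auth-no-priv
      community-entry ce1 {
        community <hashed-value>
      }
    }
    access-group ag2 {
      security-level auth-priv
      security-entry se1 {
        user user1 {
          authentication {
            protocol hmac-md5-96
          }
        }
      }
    }
  }
}
"""
```

`audit(SAMPLE)` returns a list of (path, reason) tuples, one per flagged setting, so the result can be fed into a compliance report or a CI check on exported configurations.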