Configuration Guide Vol. 1


18.1.1 SNMP Overview

<Structure of this section>

(1) Network management

Maintaining the operating environment and performance of a network system requires high-level network management. SNMP (Simple Network Management Protocol) is an industry-standard network management protocol with which you can manage a multi-vendor network consisting of network devices that support SNMP. The servers that collect and manage administrative information are called SNMP managers, and the network devices that are managed are called SNMP agents. The following figure provides an overview of network management.

Figure 18-1: Overview of network management

[Figure Data]

(2) SNMP agent-function

The SNMP agent for the Switch is a program that runs on a switch in the network. An SNMP agent provides the SNMP manager with information held inside the switch. The various data stored in the device is called the MIB (Management Information Base). The SNMP manager is software that retrieves information from a switch, edits and processes it, and presents it to the network administrator for managing the network. The following figure shows an example of MIB retrieval.

Figure 18-2: Example of MIB retrieval

[Figure Data]

An SNMP command for displaying MIB information is included as an operation command on the Switch. This command displays the SNMP agent MIB of the local switch or of a remote switch.

The switch supports SNMPv1 (RFC 1157), SNMPv2C (RFC 1901), and SNMPv3 (RFC 3410). To manage a network using an SNMP manager, use the SNMPv1, SNMPv2C, or SNMPv3 protocol. Note that the SNMPv1, SNMPv2C, and SNMPv3 protocols can be used simultaneously.

SNMP agents also provide event notifications (primarily about failures) called traps and informs. Traps and informs are collectively referred to as SNMP notifications. By receiving SNMP notifications, the SNMP manager can detect changes without polling the status of the switch at regular intervals. Note, however, that because traps use UDP, there is no way to verify whether a trap sent by the switch has arrived at the SNMP manager. Accordingly, some traps might not reach the SNMP manager due to network congestion. The following figure shows an example of a trap.

Figure 18-3: Trap example

[Figure Data]

Like a trap, an inform is an event notification sent over UDP, but it requests a response from the SNMP manager. Therefore, you can verify whether an inform request has arrived by checking for the response. This allows problems such as network congestion to be handled by resending the inform.

SNMP on the Switch supports IPv6. Depending on the SNMP manager IP address set in the configuration, an IPv4 or IPv6 address is used when the SNMP manager requests a MIB and when a notification is sent to the SNMP manager. The following figure shows an example of MIB requests from IPv4 and IPv6 SNMP managers and the corresponding responses.

Figure 18-4: Example of MIB requests and responses with IPv4/IPv6 SNMP managers

[Figure Data]

(3) SNMPv3

In addition to all SNMPv2C functionality, SNMPv3 includes functionality for improved management security. By authenticating and encrypting the SNMP packets transmitted over the network, SNMPv3 protects them from network risks such as sniffing, spoofing, tampering, and replay. This security functionality was not possible in SNMPv2C, which relied only on a community name combined with the IP address of the SNMP manager.

(a) SNMP entities

In SNMPv3, an SNMP manager and SNMP agent are collectively called an SNMP entity. SNMPv3 on the Switch supports SNMP entities equivalent to SNMP agents.

(b) SNMP engines

The SNMP engine provides services for sending and receiving authenticated and encrypted messages and for controlling access to managed objects. The SNMP engine and the SNMP entity are in a one-to-one relationship. SNMP engines within the same management domain are identified by unique SNMP engine IDs.

(c) User authentication and encryption

SNMPv1 and SNMPv2C authenticate by community name, whereas SNMPv3 authenticates users. SNMPv3 also supports encryption, which SNMPv1 and SNMPv2C do not. User authentication and encryption can be set for each user.

The Switch supports the following authentication protocols for user authentication.

HMAC-MD5-96

An authentication protocol that uses the MD5 algorithm. The first 96 bits of the 128-bit digest are used.

HMAC-SHA-96

An authentication protocol that uses the SHA-1 algorithm. The first 96 bits of the 160-bit digest are used.

HMAC-SHA-256

An authentication protocol that uses the SHA-256 algorithm. The first 192 bits of the 256-bit digest are used.

HMAC-SHA-512

An authentication protocol that uses the SHA-512 algorithm. The first 384 bits of the 512-bit digest are used.
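The following example, added here and not taken from the configuration guide or the Switch software, computes and verifies the SNMPv3 authentication parameter for the four authentication protocols listed above, applying the truncation lengths given for each (per RFC 3414 for MD5/SHA-1 and RFC 7860 for SHA-256/SHA-512). It assumes the key is the already localized user authentication key; password-to-key localization is not shown, and the sample key and message are constructed values.

```python
# Added example (not from the configuration guide): SNMPv3 USM
# authentication parameter for the four protocols the Switch supports.
import hmac

# protocol name -> (hash function, number of bytes of the HMAC digest kept)
# 96 bits -> 12 bytes, 192 bits -> 24 bytes, 384 bits -> 48 bytes
AUTH_PROTOCOLS = {
    "HMAC-MD5-96":  ("md5",    96 // 8),
    "HMAC-SHA-96":  ("sha1",   96 // 8),
    "HMAC-SHA-256": ("sha256", 192 // 8),
    "HMAC-SHA-512": ("sha512", 384 // 8),
}

def auth_param(protocol: str, key: bytes, message: bytes) -> bytes:
    """Return the truncated HMAC placed in msgAuthenticationParameters.
    In a real message the HMAC is computed over the whole SNMPv3 message
    with the parameter field zeroed; here 'message' stands in for that."""
    hash_name, keep = AUTH_PROTOCOLS[protocol]
    return hmac.new(key, message, hash_name).digest()[:keep]

def verify(protocol: str, key: bytes, message: bytes, received: bytes) -> bool:
    """Check a received authentication parameter the way a receiver would,
    rejecting wrong lengths and comparing in constant time."""
    expected = auth_param(protocol, key, message)
    if len(received) != len(expected):
        return False
    return hmac.compare_digest(expected, received)

if __name__ == "__main__":
    key = b"constructed-localized-auth-key"   # constructed sample value
    msg = b"constructed SNMPv3 message bytes"  # constructed sample value
    for name in AUTH_PROTOCOLS:
        tag = auth_param(name, key, msg)
        print(f"{name:13s} {len(tag) * 8:3d} bits  {tag.hex()}")
        assert verify(name, key, msg, tag)
        # a modified message must fail verification
        assert not verify(name, key, msg + b"x", tag)
```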

The following protocols are supported as privacy protocols used for encryption functions.

CBC-DES

A privacy protocol that uses the DES algorithm in CBC mode for encryption.

CFB128-AES-128

A privacy protocol that uses the AES algorithm with a 128-bit key in CFB mode for encryption.

(d) Controlling Access with MIB Views

In SNMPv3, you can define the collection of MIB objects that can be accessed. This collection is called a MIB view. A MIB view is expressed as a combination of view subtrees, each of which designates a subtree of MIB object IDs. When combining view subtrees, you can mark each view subtree as included (part of the MIB view) or excluded (not part of the MIB view). A MIB view can be assigned as the read view, write view, or notify view for individual users.

The figure below shows an example of a MIB view. As shown in Figure 18-5: Sample MIB View, a MIB view is set up as a group of MIB subtrees that are part of the MIB tree. In the figure, object ID 1.1.2.1.2 can be accessed in MIB view A because it is included in subtree 1.1.2.1. However, object ID 1.2.1 cannot be accessed because it is not included in any subtree. Also, object ID 1.1.2.1.2.1.4 cannot be accessed because subtree 1.1.2.1.2.1 is excluded from view A.

Figure 18-5: Sample MIB View

[Figure Data]
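The following example, added here and not part of the configuration guide or the Switch software, evaluates the MIB view rule from Figure 18-5 in code: the view subtree that is the longest prefix of an object ID decides whether the object is accessible, and an object ID that matches no subtree is not accessible. View A and the object IDs are the ones from the figure; the subtree mask (wildcard) feature of the SNMPv3 view-based access control model is assumed away.

```python
# Added example (not from the configuration guide): access decision for an
# object ID against a MIB view built from included/excluded view subtrees.

def parse_oid(oid: str) -> tuple:
    """Turn a dotted object ID such as '1.1.2.1.2' into a tuple of ints."""
    return tuple(int(part) for part in oid.strip(".").split("."))

def oid_access(view: list, oid: str) -> bool:
    """Return True if the object ID is accessible in the view.

    view is a list of (subtree, "included" | "excluded") entries. The entry
    whose subtree is the longest prefix of the object ID decides, so an
    excluded sub-subtree overrides the included subtree above it. An
    object ID that lies under no subtree is not accessible."""
    target = parse_oid(oid)
    best_prefix, best_kind = None, None
    for subtree, kind in view:
        prefix = parse_oid(subtree)
        if target[:len(prefix)] == prefix:
            if best_prefix is None or len(prefix) > len(best_prefix):
                best_prefix, best_kind = prefix, kind
    return best_kind == "included"

# View A from the MIB view example (constructed from Figure 18-5):
# subtree 1.1.2.1 is included, its sub-subtree 1.1.2.1.2.1 is excluded.
VIEW_A = [("1.1.2.1", "included"), ("1.1.2.1.2.1", "excluded")]

if __name__ == "__main__":
    for oid in ("1.1.2.1.2", "1.2.1", "1.1.2.1.2.1.4"):
        verdict = "accessible" if oid_access(VIEW_A, oid) else "not accessible"
        print(f"{oid:15s} {verdict} in view A")
```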