SNMPv3 on Cisco Routers and Switches

SNMPv3 brings something to the game that everyone has been waiting for since version 1: some kind of protection for this management protocol.
Version 3 lets the manager choose between noAuthNoPriv (no integrity and no encryption), authNoPriv (integrity only, with MD5 or SHA) and authPriv (integrity with MD5 or SHA plus encryption with DES, 3DES or AES).

But first things first. For those who aren't familiar with the protocol, here is how it works.

Fundamental pieces: manager, agent and MIB

  • The manager is a piece of software that polls information from the network devices. These parameters are used to better monitor and control the behaviour of the equipment in a network infrastructure.
  • The agent runs inside each device and is responsible for retrieving the information requested by the manager.
  • The MIB (Management Information Base) is all the information held about a device. Imagine a shelf with thousands of numbered boxes (OIDs, Object Identifiers), each one containing a piece of information about some parameter of the device it belongs to. The manager is able to get or set the information inside these imaginary boxes.

(Image: MIB-2 tree)

SNMP Messages:

  • GET – used by the manager to get information from the agent. It comes in several flavours such as snmpget, snmpgetnext, snmpwalk, snmpbulkget, etc. The agent replies with the corresponding get-response.
  • SET – used by the manager to change the information in an OID.
  • TRAP/INFORM – used by the agent to autonomously notify the manager of a change in a given OID. The main difference between TRAP and INFORM is that an INFORM must be acknowledged by the manager.

(Image: SNMP message exchange between manager and agent)

R1 Configuration

The router and switch configurations are very similar, so for the sake of time and space I will only demonstrate the router config.

hostname R1
!
! Old habits die hard
! There was no need to configure a dhcp server in the router for this config 
! But since it was here let it be :D
ip dhcp pool LocalLan
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.254 
 dns-server 8.8.8.8 
! 
! The description will be set by snmp later on        
interface Ethernet0/0
 description Local Lan
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 no shutdown
!
interface Ethernet0/1
 ip address dhcp
 ip nat outside
 no shutdown
!
ip nat inside source list NAT interface Ethernet0/1 overload
!
! This ACL limits who can query the router's agent
! For this example the whole inside network is permitted, but it should be limited to the manager's IP address
ip access-list standard ONLY-SNMP-ADMIN
 permit 10.0.0.0 0.0.0.255
 deny any
!
ip access-list extended NAT
 permit ip 10.0.0.0 0.0.0.255 any
 deny ip any any
!
! SNMPv3 Group creation
snmp-server group GROUP v3 priv read ALL write ALL access ONLY-SNMP-ADMIN
snmp-server group GROUP1 v3 priv read ALL write DESCRIPTIONS access ONLY-SNMP-ADMIN
snmp-server group GROUP2 v3 priv read DESCRIPTIONS access ONLY-SNMP-ADMIN
! SNMP View Creation
snmp-server view ALL iso included
snmp-server view DESCRIPTIONS ifAlias included
! SNMP Message source
snmp-server trap-source Ethernet0/0
snmp-server source-interface informs Ethernet0/0
! Some OID values set here... changed later on via SNMP
snmp-server location "R1 Location"
snmp-server contact BSNetworking@local.com
! Trap message destination, sent as SNMPv3 user bob at the authPriv level
! (without "version 3 priv", IOS treats the last word as a v1 community string)
snmp-server host 10.0.0.2 version 3 priv bob
snmp-server ifindex persist
!
! SNMP User creation
snmp-server user bob GROUP v3 auth sha cisco12345 priv aes 128 cisco12345
snmp-server user alice GROUP1 v3 auth md5 cisco67890 priv des cisco67890
snmp-server user eve GROUP2 v3 auth md5 ciscocisco priv 3des ciscocisco

SNMP commands explained

! SNMPv3 Group creation
snmp-server group GROUP v3 priv read ALL write ALL access ONLY-SNMP-ADMIN
snmp-server group GROUP1 v3 priv read ALL write DESCRIPTIONS access ONLY-SNMP-ADMIN
snmp-server group GROUP2 v3 priv read DESCRIPTIONS access ONLY-SNMP-ADMIN

The group definition sets the security level (auth, noauth or priv), which states whether access must be authenticated and encrypted.

R1(config)#snmp-server group GROUP v3 ?
  auth    group using the authNoPriv Security Level
  noauth  group using the noAuthNoPriv Security Level
  priv    group using SNMPv3 authPriv security level

Then, using the views, the read and write permissions are set. Finally, an ACL restricts which managers can reach the SNMP agent through this group.

! SNMP View Creation
snmp-server view ALL iso included
snmp-server view DESCRIPTIONS ifAlias included

The view limits the MIB scope. The first view created (ALL) is very wide and allows access from the iso node of the MIB downwards. On the other hand, the DESCRIPTIONS view is very restrictive and only allows access to the interface alias (ifAlias) OIDs.

! SNMP Message source
snmp-server trap-source Ethernet0/0
snmp-server source-interface informs Ethernet0/0

It is important to make sure the agent always talks to the manager from the same source address, so that all records can easily be correlated. On devices that can communicate through several interfaces it is usual to create a dedicated loopback for this purpose.

snmp-server ifindex persist

Every interface is given a number (ifIndex) inside the interfaces OID, and this numbering is dynamic, which means that adding an interface can disrupt the previous interface order. This command makes the ifIndex assignment persistent across reloads, avoiding that problem.

snmp-server user bob GROUP v3 auth sha cisco12345 priv aes 128 cisco12345
snmp-server user alice GROUP1 v3 auth md5 cisco67890 priv des cisco67890
snmp-server user eve GROUP2 v3 auth md5 ciscocisco priv 3des ciscocisco

bob belongs to a group that requires authentication and encryption (priv). So bob uses SHA as the integrity algorithm with the password cisco12345 and AES 128 as the encryption algorithm with the same password. The group bob belongs to allows him to access all OIDs with read and write privileges.

alice and eve also belong to groups that require authentication and encryption, but they use different algorithms from bob: MD5 for integrity, and DES (alice) or 3DES (eve) for encryption. alice belongs to a group that allows her to read all OIDs but only lets her change the ifAlias OIDs. eve belongs to a group that has no write permissions at all and only read access to the ifAlias OIDs.

Verification commands

R1#show running-config | section snmp
mmi snmp-timeout 180
snmp-server group GROUP v3 priv read ALL write ALL access ONLY-SNMP-ADMIN
snmp-server group GROUP1 v3 priv read ALL write DESCRIPTIONS access ONLY-SNMP-ADMIN
snmp-server group GROUP2 v3 priv read DESCRIPTIONS access ONLY-SNMP-ADMIN
snmp-server view ALL iso included
snmp-server view DESCRIPTIONS ifAlias included
snmp-server trap-source Ethernet0/0
snmp-server source-interface informs Ethernet0/0
snmp-server location "R1 Location"
snmp-server contact BSNetworking@local.com
snmp-server host 10.0.0.2 bob
R1#show snmp user

User name: bob
Engine ID: 800000090300AABBCC000100
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: GROUP

User name: eve
Engine ID: 800000090300AABBCC000100
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: 3DES
Group-name: GROUP2

User name: alice
Engine ID: 800000090300AABBCC000100
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: GROUP1

Test configuration

Test communication from the Ubuntu server to the router and switch that we want to manage.

(Image: connectivity test from the Ubuntu server to the router and switch)

Request the OID 1.3.6.1.2.1.1.4.0 (sysContact) from the router's SNMP agent using each of the previously created users. bob and alice have read permission on it, so a string with the sysContact is retrieved. eve, however, only has permission to read the ifAlias OIDs, so the agent returns a message stating that the specified object is not available.

(Image: snmpget results for bob, alice and eve)

When alice tries to set the sysContact an error message is displayed, because she only has permission to write to the ifAlias OIDs. When bob tries the same procedure it succeeds, because his group is allowed to write to all OIDs.

The same happens when eve and alice try to change the ifAlias (OID 1.3.6.1.2.1.31.1.1.1.18) of interface Ethernet0/0 (instance OID 1.3.6.1.2.1.31.1.1.1.18.1): eve fails and alice succeeds, as dictated by their group permissions.

(Image: snmpset results for alice, bob and eve)
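The outcomes described in the "SNMP commands explained" and "Test configuration" sections follow directly from the group/view tables. The following added example (my own code, not Cisco's implementation) parses the R1 snmp-server lines above and reproduces those decisions; the mapping of the view names iso and ifAlias to OIDs is an assumption from standard MIB-2, and the accepts/denies are a model of IOS behaviour, not captured from the device.

```python
import re

# Added example, not Cisco code: models how IOS SNMPv3 groups and views decide
# whether a user may read or write an OID, using the R1 config on this page.
# Only the view subtrees that page uses are mapped from name to OID (assumed).
VIEW_SUBTREE_OID = {"iso": "1", "ifAlias": "1.3.6.1.2.1.31.1.1.1.18"}

R1_SNMP_CONFIG = """
snmp-server group GROUP v3 priv read ALL write ALL access ONLY-SNMP-ADMIN
snmp-server group GROUP1 v3 priv read ALL write DESCRIPTIONS access ONLY-SNMP-ADMIN
snmp-server group GROUP2 v3 priv read DESCRIPTIONS access ONLY-SNMP-ADMIN
snmp-server view ALL iso included
snmp-server view DESCRIPTIONS ifAlias included
snmp-server user bob GROUP v3 auth sha cisco12345 priv aes 128 cisco12345
snmp-server user alice GROUP1 v3 auth md5 cisco67890 priv des cisco67890
snmp-server user eve GROUP2 v3 auth md5 ciscocisco priv 3des ciscocisco
"""

def parse_snmp_config(text):
    """Return (views, groups, users) tables parsed from snmp-server lines."""
    views, groups, users = {}, {}, {}
    for line in text.splitlines():
        if m := re.match(r"snmp-server view (\S+) (\S+) (included|excluded)", line):
            oid = VIEW_SUBTREE_OID.get(m[2], m[2])      # symbolic name or dotted OID
            views.setdefault(m[1], []).append((oid, m[3]))
        elif m := re.match(r"snmp-server group (\S+) v3 (auth|noauth|priv)(.*)", line):
            opts = re.findall(r"(read|write|notify|access) (\S+)", m[3])
            groups[m[1]] = {"level": m[2], **dict(opts)}
        elif m := re.match(r"snmp-server user (\S+) (\S+) v3", line):
            users[m[1]] = m[2]                          # user -> group
    return views, groups, users

def oid_in_view(views, view_name, oid):
    """Most specific matching subtree entry wins; 'excluded' entries deny."""
    best = None
    for subtree, mode in views.get(view_name, []):
        if (oid == subtree or oid.startswith(subtree + ".")) and \
                (best is None or subtree.count(".") > best[0].count(".")):
            best = (subtree, mode)
    return best is not None and best[1] == "included"

VIEWS, GROUPS, USERS = parse_snmp_config(R1_SNMP_CONFIG)
def allowed(user, op, oid):
    """True if user may perform op ('read' or 'write') on the given OID."""
    group = GROUPS.get(USERS.get(user), {})
    view_name = group.get(op)                 # group has no view for op -> denied
    return view_name is not None and oid_in_view(VIEWS, view_name, oid)
SYS_CONTACT = "1.3.6.1.2.1.1.4.0"             # sysContact.0, queried in the test
IF_ALIAS_ET0_0 = "1.3.6.1.2.1.31.1.1.1.18.1"  # ifAlias.1, Ethernet0/0's description
```

Calling allowed() for bob, alice and eve on SYS_CONTACT and IF_ALIAS_ET0_0 gives the same accept/deny pattern the snmpget and snmpset tests produced.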

Change verification

R1#show interface description 
Interface                      Status         Protocol Description
Et0/0                          up             up       Changed description
Et0/1                          up             up       
Et0/2                          admin down     down     
Et0/3                          admin down     down     
NV0                            up             up       
R1#

Until the next post… Stay good.
