Understanding SNMP
SNMP is an interoperable standards-based protocol that allows for external monitoring of Cisco WAAS devices through an SNMP agent.
An SNMP-managed network consists of the following primary components:
- Managed device: A network node that contains an SNMP agent and resides on a managed network. Managed devices include routers, access servers, switches, bridges, hubs, computer hosts, and printers. Each WAAS device running the WAAS software has an SNMP agent.
- SNMP agent: A software module that resides on a managed device. An agent has local knowledge of management information and translates that information into a form that is compatible with SNMP. The SNMP agent gathers data from the MIB, which is the repository for information about device parameters and network data. The agent can also send traps, or notification of certain events, to the management system.
- Management station: Also known as the SNMP host, the management station uses SNMP to send the agent an SNMP Get request to obtain information from the WAAS device. The managed devices then collect and store management information and use SNMP to make this information available to the management station.
Before you can access this SNMP information, you must have deployed an SNMP management application on a management station. This SNMP management station is referred to as the SNMP host because it uses SNMP to send the device agent an SNMP Get request to obtain information from the WAAS device.
SNMP Communication Process
The SNMP management station and the SNMP agent that resides on a Cisco WAAS device use SNMP to communicate as follows:
- The SNMP management station (the SNMP host) uses SNMP to request information from the Cisco WAAS device.
- After receiving these SNMP requests, the SNMP agent on the Cisco WAAS device accesses a table that contains information about the individual device. This table, or database, is called a MIB.
Note: The SNMP agent on the Cisco WAAS device only initiates communication with the SNMP host under unusual conditions; it will initiate communication when it has a trap it needs to send to the host. For more information on this topic, see Enabling SNMP Traps.
- After locating the specified information in the MIB, the agent uses SNMP to send the information to the SNMP management station.
The following figure illustrates these SNMP operations for an individual Cisco WAAS device.
Supported SNMP Versions
The Cisco WAAS software supports the following versions of SNMP:
- Version 1 (SNMPv1): This is the initial implementation of SNMP. See RFC 1157 for a full description of its functionality.
- Version 2 (SNMPv2c): This is the second release of SNMP, described in RFC 1902. It provides additions to data types, counter size, and protocol operations.
- Version 3 (SNMPv3): This is the most recent version of SNMP, defined in RFC 2271 through RFC 2275.
Each Cisco device running Cisco WAAS software contains the software necessary to communicate information about device configuration and activity using SNMP.
SNMP Security Models and Security Levels
SNMPv1 and SNMPv2c do not have any security (that is, authentication or privacy) features to keep SNMP packet traffic confidential. As a result, packets can be captured on the wire and SNMP community strings compromised.
To solve the security shortcomings of SNMPv1 and SNMPv2c, SNMPv3 provides secure access to WAAS devices by authenticating and encrypting packets over the network. The SNMP agent in the WAAS software supports SNMPv3 as well as SNMPv1 and SNMPv2c.
The following security features are provided in SNMPv3:
- Message integrity: Ensures that nothing has interfered with a packet during transmission.
- Authentication: Determines that the message is from a valid source.
- Encryption: Scrambles the contents of a packet to prevent it from being seen by an unauthorized source.
SNMPv3 provides security models as well as security levels. A security model is an authentication process that is set up for a user and the group in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level determines which security process is used when an SNMP packet is handled. Three security models are available: SNMPv1, SNMPv2c, and SNMPv3.
The following table describes the combinations of security models and security levels.
| Model | Level | Authentication | Encryption | Process |
|---|---|---|---|---|
| v1 | noAuthNoPriv | Community string | No | Uses a community string match for user authentication. |
| v2c | noAuthNoPriv | Community string | No | Uses a community string match for user authentication. |
| v3 | noAuthNoPriv | Username | No | Uses a username match for user authentication. |
| v3 | AuthNoPriv | Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) | No | Provides authentication based on the Hash-Based Message Authentication Code (HMAC)-MD5 or HMAC-SHA algorithms. |
| v3 | AuthPriv | MD5 or SHA | Yes | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides Data Encryption Standard (DES) 56-bit encryption (packet authentication) based on the cipher block chaining (CBC)-DES (DES-56) standard. |
The SNMPv3 agent can be used in the following modes:
- noAuthNoPriv mode (that is, no security mechanisms turned on for packets)
- AuthNoPriv mode (for packets that do not have to be encrypted using the privacy algorithm [DES 56])
- AuthPriv mode (for packets that must be encrypted; privacy requires that authentication be performed on the packet)
Using SNMPv3, users can securely collect management information from their SNMP agents without worrying that the data has been tampered with. Confidential information, such as SNMP Set packets that change a Content Engine's configuration, can be encrypted to prevent its contents from being exposed on the wire. In addition, the group-based administrative model allows different users to access the same SNMP agent with varying access privileges.
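The security levels in the table above and the three SNMPv3 modes are visible on the wire: a v1/v2c message carries its community string in the clear right after the version number, while a v3 message carries a msgFlags octet (authFlag bit 0, privFlag bit 1, as defined in RFC 3412) inside msgGlobalData. The following added example, not part of the Cisco documentation, is a minimal BER walker that classifies captured SNMP messages by version and security level, so a monitoring team can spot agents still polled with v1/v2c or with v3 noAuthNoPriv; the sample messages are constructed by hand, with the PDU and USM parameters stubbed out.

```python
from typing import Tuple

VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
# SNMPv3 msgFlags (RFC 3412): bit 0 = authFlag, bit 1 = privFlag, bit 2 = reportable.
LEVELS = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}  # keyed by the low 2 bits


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def classify(msg: bytes) -> dict:
    """Return version, security level and whether the PDU travels encrypted."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE; not an SNMP message")
    _, ver, pos = _tlv(body, 0)
    version = VERSIONS.get(int.from_bytes(ver, "big"), "unknown")
    if version in ("v1", "v2c"):  # community string follows the version, in clear
        _, community, _ = _tlv(body, pos)
        return {"version": version, "level": "noAuthNoPriv", "encrypted": False,
                "community": community.decode("ascii", "replace")}
    if version != "v3":
        return {"version": version, "level": None, "encrypted": False}
    _, global_data, _ = _tlv(body, pos)  # msgGlobalData SEQUENCE
    pos = 0
    for _ in range(2):  # skip msgID and msgMaxSize to reach msgFlags
        _, _, pos = _tlv(global_data, pos)
    _, flags, _ = _tlv(global_data, pos)
    # privFlag without authFlag is not a valid level (privacy requires authentication)
    level = LEVELS.get(flags[0] & 0x03, "invalid (privFlag set without authFlag)")
    return {"version": "v3", "level": level, "encrypted": level == "authPriv"}


# Constructed sample messages (not real captures); the PDU and USM security
# parameters are stubbed with empty elements, which the classifier never reads.
SAMPLE_V2C = bytes.fromhex("301802010104067075626c6963a00b0201010201000201003000")


def sample_v3(flags: int) -> bytes:
    """Build a v3 message whose msgGlobalData carries the given msgFlags octet."""
    return (bytes.fromhex("3016020103300d020101020205dc0401") + bytes([flags])
            + bytes.fromhex("02010304000400"))
```

Run `classify()` over UDP/161 and UDP/162 payloads from a capture to list which devices still answer v1/v2c polls; the community string in that output is exactly what an eavesdropper on the same segment would see.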