Cisco Systems 15310-MA manual Snmp Version Support, Snmp Message Types, SNMPv3 Support, 12-4

Chapter 12 SNMP

SNMP Version Support

12.3 SNMP Version Support

The ONS 15310-MA SDH support SNMP v1, SNMPv2c and SNMPv3 traps and get requests. The SNMP MIBs in the ONS 15310-MA SDH systems define alarms, traps, and status. Through SNMP, NMS applications can use a supported MIB to query a management agent. The functional entities include Ethernet switches and SDH multiplexers. Refer to the Cisco ONS 15310-MA SDH Procedure Guide for procedures to set up or change SNMP settings.

12.3.1 SNMPv3 Support

Cisco ONS 15310-MA SDH Software R9.0 and later supports SNMPv3 in addition to SNMPv1 and SNMPv2c. SNMPv3 is an interoperable standards-based protocol for network management. SNMPv3 provides secure access to devices by a combination of authentication and encryption packets over the network based on the User Based Security Model (USM) and the View-Based Access Control Model (VACM).

•User-Based Security Model—The User-Based Security Model (USM) uses the HMAC algorithm for generating keys for authentication and privacy. SNMPv3 authenticates data based on its origin, and ensures that the data is received intact. SNMPv1 and v2 authenticate data based on the plain text community string, which is less secure when compared to the user-based authentication model.

•View-Based Access Control Model—The view-based access control model controls the access to the managed objects. RFC 3415 defines the following five elements that VACM comprises:

–Groups—A set of users on whose behalf the MIB objects can be accessed. Each user belongs to a group. The group defines the access policy, notifications that users can receive, and the security model and security level for the users.

–Security level—The access rights of a group depend on the security level of the request.

–Contexts—Define a named subset of the object instances in the MIB. MIB objects are grouped into collections with different access policies based on the MIB contexts.

–MIB views—Define a set of managed objects as subtrees and families. A view is a collection or family of subtrees. Each subtree is included or excluded from the view.

–Access policy—Access is determined by the identity of the user, security level, security model, context, and the type of access (read/write). The access policy defines what SNMP objects can be accessed for reading, writing, and creating.

Access to information can be restricted based on these elements. Each view is created with different access control details. An operation is permitted or denied based on the access control details.

You can configure SNMPv3 on a node to allow SNMP get and set access to management information and configure a node to send SNMPv3 traps to trap destinations in a secure way. SNMPv3 can be configured in secure mode, non-secure mode, or disabled mode.

SNMP, when configured in secure mode, only allows SNMPv3 messages that have the authPriv security level. SNMP messages without authentication or privacy enabled are not allowed. When SNMP is configured in non-secure mode, it allows SNMPv1, SNMPv2, and SNMPv3 message types.

12.4 SNMP Message Types

The ONS 15310-MA SDH SNMP agents communicate with an SNMP management application using SNMP messages. Table 12-1describes these messages.

Cisco ONS 15310-MA SDH Reference Manual, Release 9.1 and Release 9.2