Cisco ONS 15310-MA SDH Reference Manual, Release 9.1 and Release 9.2
78-19417-01
Chapter 12 SNMP
12.8 SNMPv1/v2 Proxy Support Over Firewalls
Firewalls, commonly deployed to isolate security risks within a network or from outside it, have
traditionally prevented SNMP and other NMS monitoring and control applications from reaching NEs
located behind the firewall.
An application-level proxy is available at each firewall to transport SNMP protocol data units (PDUs)
between the NMS and the NEs. This proxy, integrated into the SNMP agent of the firewall NE, exchanges
requests and responses between the NMS and the NEs and forwards autonomous NE messages (traps) to the
NMS. The benefit of the proxy feature is that network operations centers (NOCs) can fetch performance
monitoring data, such as remote monitoring (RMON) statistics, across the entire network with little
provisioning at the NOC and no additional provisioning at the NEs.
The firewall proxy interoperates with common NMS such as HP-OpenView. It is intended to be used
with many NEs through a single NE gateway in a gateway network element (GNE)-end network element
(ENE) topology. Up to 64 SNMP requests (such as get, getnext, or getbulk) are supported at any time
behind single or multiple firewalls.
For security reasons, the SNMP proxy feature works only when it has been turned on at every receiving
and transmitting NE. For instructions, refer to the Cisco ONS 15310-MA SDH Procedure Guide. The
feature does not interoperate with earlier releases.
12.9 SNMPv3 Proxy Configuration
The GNE can act as a proxy for the ENEs and forward SNMP requests to other SNMP entities (ENEs)
irrespective of the types of objects that are accessed. For this, you need to configure two sets of users,
one between the GNE and NMS, and the other between the GNE and ENE. In addition to forwarding
requests from the NMS to the ENE, the GNE also forwards responses and traps from the ENE to the
NMS.
The proxy forwarder application is defined in RFC 3413. Each entry in the Proxy Forwarder Table
consists of the following parameters:
Proxy Type—Defines the type of message that may be forwarded based on the translation
parameters defined by this entry. If the Proxy Type is read or write, the proxy entry is used for
forwarding SNMP requests and their response between the NMS and the ENE. If the Proxy Type is
trap, the entry is used for forwarding SNMP traps from the ENE to the NMS.
Context Engine ID/Context Name—Specifies the ENE to which the incoming requests should be
forwarded or the ENE whose traps should be forwarded to the NMS by the GNE.
TargetParamsIn—Points to the Target Params Table that specifies the GNE user who proxies on
behalf of an ENE user. When the proxy type is read or write, TargetParamsIn specifies the GNE user
who receives requests from an NMS, and forwards requests to the ENE. When the proxy type is trap,
TargetParamsIn specifies the GNE user who receives notifications from the ENE and forwards them
to the NMS. TargetParamsIn and the contextEngineID or the contextName columns are used to
determine the row in the Proxy Forwarder Table that could be used for forwarding the received
message.
Single Target Out—Refers to the Target Address Table. After a row in the Proxy Forwarder Table
has been selected for forwarding, this object is used to obtain the target address and the target
parameters used to forward the request. It applies to requests with proxy type read or write, which
require only one target.
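The row-selection and target-resolution rules in the list above, as an added Python model that is not part of the Cisco manual or the ONS software. It models the three RFC 3413 tables the section names (Proxy Forwarder, Target Params, Target Address); every row name, user name, address and engine ID in it is constructed for illustration, and the trap fan-out through a tag list is the RFC 3413 multipleTargetOut mechanism, which the section does not describe in detail. A message whose proxy type, context engine ID, context name and inbound TargetParams do not all match a row is not forwarded.

```python
# Added example, not from the Cisco manual: a minimal model of the RFC 3413
# Proxy Forwarder Table and the row-selection logic described in the section.
# All names, addresses, engine IDs and users below are constructed.
from dataclasses import dataclass

READ, WRITE, TRAP = "read", "write", "trap"   # snmpProxyType values modeled here


@dataclass(frozen=True)
class TargetParams:          # one row of snmpTargetParamsTable
    name: str
    user: str                # securityName the GNE uses on that leg
    sec_level: str           # noAuthNoPriv / authNoPriv / authPriv


@dataclass(frozen=True)
class TargetAddress:         # one row of snmpTargetAddrTable
    name: str
    address: str
    params: str              # snmpTargetAddrParams -> TargetParams.name
    tags: frozenset = frozenset()   # snmpTargetAddrTagList


@dataclass(frozen=True)
class ProxyRow:              # one row of snmpProxyTable
    name: str
    proxy_type: str
    context_engine_id: bytes
    context_name: str
    target_params_in: str
    single_target_out: str = ""     # read/write: exactly one target
    multiple_target_out: str = ""   # trap: tag selecting one or more targets


class ProxyForwarder:
    def __init__(self, params, addrs, rows):
        self.params = {p.name: p for p in params}
        self.addrs = {a.name: a for a in addrs}
        self.rows = list(rows)

    def select_row(self, proxy_type, engine_id, context_name, params_in):
        """Pick the Proxy Forwarder row for a received message: proxy type,
        the contextEngineID/contextName the message carries and the
        TargetParams row it arrived under must all match."""
        for row in self.rows:
            if (row.proxy_type == proxy_type
                    and row.context_engine_id == engine_id
                    and row.context_name == context_name
                    and row.target_params_in == params_in):
                return row
        return None

    def resolve_targets(self, row):
        """Read/write rows yield the single address named by singleTargetOut;
        trap rows yield every address carrying the tag in multipleTargetOut."""
        if row.proxy_type in (READ, WRITE):
            addr = self.addrs.get(row.single_target_out)
            chosen = [addr] if addr else []
        else:
            chosen = [a for a in self.addrs.values() if row.multiple_target_out in a.tags]
        return [(a, self.params[a.params]) for a in chosen if a.params in self.params]

    def forward(self, proxy_type, engine_id, context_name, params_in):
        """Return (address, user, security level) for each hop the GNE would
        forward to, or None when no row matches and the message is dropped."""
        row = self.select_row(proxy_type, engine_id, context_name, params_in)
        if row is None:
            return None
        return [(a.address, p.user, p.sec_level) for a, p in self.resolve_targets(row)]


# Constructed sample configuration: one GNE fronting one ENE for one NMS.
ENE1_ENGINE = bytes.fromhex("800000090300aabbccddee01")   # constructed engine ID

GNE = ProxyForwarder(
    params=[
        TargetParams("nms-in",  "nmsuser", "authPriv"),  # user the NMS uses toward the GNE
        TargetParams("ene-out", "eneuser", "authPriv"),  # user the GNE uses toward the ENE
        TargetParams("ene-in",  "eneuser", "authPriv"),  # user the ENE uses for traps to the GNE
        TargetParams("nms-out", "nmsuser", "authPriv"),  # user the GNE uses for traps to the NMS
    ],
    addrs=[
        TargetAddress("ene1", "192.0.2.11:161", "ene-out"),
        TargetAddress("nms1", "192.0.2.100:162", "nms-out", frozenset({"nms-traps"})),
    ],
    rows=[
        ProxyRow("ene1-read",  READ,  ENE1_ENGINE, "", "nms-in", single_target_out="ene1"),
        ProxyRow("ene1-write", WRITE, ENE1_ENGINE, "", "nms-in", single_target_out="ene1"),
        ProxyRow("ene1-trap",  TRAP,  ENE1_ENGINE, "", "ene-in", multiple_target_out="nms-traps"),
    ],
)

if __name__ == "__main__":
    print(GNE.forward(READ, ENE1_ENGINE, "", "nms-in"))   # request goes to the ENE
    print(GNE.forward(TRAP, ENE1_ENGINE, "", "ene-in"))   # trap goes to the NMS
    print(GNE.forward(READ, ENE1_ENGINE, "", "ene-in"))   # wrong inbound leg: None
```

The two user sets the section calls for appear as separate TargetParams rows: the NMS-facing user is only ever the inbound leg of read/write rows, and the ENE-facing user only the inbound leg of trap rows, so a request arriving under the wrong credentials finds no row and is not forwarded.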