Send documentation comments to mdsfeedback-doc@cisco.com.
26-2
Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-6965-03, Cisco MDS SAN-OS Release 2.x
Chapter 26 SNMP Configuration
About SNMP

SNMP Version 1 and Version 2c

SNMPv1 and SNMPv2c use a community string match for user authentication. Community strings
provided a weak form of access control in earlier versions of SNMP. SNMPv3 provides much improved
access control using strong authentication and should be preferred over SNMPv1 and SNMPv2c
wherever it is supported.

SNMP Version 3

SNMPv3 is an interoperable standards-based protocol for network management. SNMPv3 provides
secure access to devices by a combination of authenticating and encrypting frames over the network. The
security features provided in SNMPv3 are:
Message integrity—Ensures that a packet has not been tampered with in-transit.
Authentication—Determines the message is from a valid source.
Encryption—Scrambles the packet contents to prevent it from being seen by unauthorized sources.
Uses DES or AES.
SNMPv3 provides for both security models and security levels. A security model is an authentication
strategy that is set up for a user and the role in which the user resides. A security level is the permitted
level of security within a security model. A combination of a security model and a security level
determines which security mechanism is employed when handling an SNMP packet.
Note Fabric Manager Release 2.1(2) or later supports forcing Fabric Manager or Device Manager to use
SNMPv3 only. You must edit the batch or shell scripts in the bin directory where you installed Fabric
Manager or Device Manager to uncomment the line that contains “snmp.voOnly”. When you open Fabric
Manager or Device Manager, The Open dialog box shows only SNMPv3 login options.

SNMP v3 CLI User Management and AAA Integration

The Cisco MDS SAN-OS software implement RFC 3414 and RFC 3415, including user-based security
model (USM) and role-based access control. While SNMP and the CLI have common role management
and share the same credentials and access privileges, the local user database was not synchronized in
earlier releases.
As of Cisco MDS SAN-OS Release 2.0(1b), SNMP v3 user management can be centralized at the AAA
server level. This centralized user management allows the SNMP agent running on the Cisco MDS
switch to leverage the user authentication service of AAA server. Once user authentication is verified,
the SNMP PDUs are processed further. Additionally, the AAA server is also used to store user group
names. SNMP uses the group names to apply the access/role policy that is locally available in the switch.

CLI and SNMP User Synchronization

In Cisco MDS SAN-OS Release 2.0(1b) or later, all updates to the CLI security database and the SNMP user
database are synchronized. You can use the CLI password for accessing Fabric Manager or Device Manager
and CLI. After you upgrade to Cisco MDS SAN-OS Release 2.0(1b) or later, you can continue using the
SNMP password for Fabric Manager or Device Manager. If you use the CLI password for Fabric Manager or
Device Manager login, you need to use the CLI password for future logins as well.