The Simple Network Management Protocol (SNMP) is used by many organizations to manage and
monitor all of their devices. SNMP can be used for a number of different tasks, from
monitoring and triggering alerts to device configuration.
SNMP is broken down into three components:
SNMP manager: The SNMP manager controls and monitors the devices within the network
using SNMP.
SNMP agent: The SNMP agent is the component that is run directly on the device and
maintains data and reports this data (if needed) to the SNMP manager.
MIB: The Management Information Base (MIB) is a virtual information store that contains
collections of managed objects. Within the MIB, objects are grouped into the different
defined MIB modules they belong to.
The use of these three components can make a network easy to monitor and maintain. To obtain
information from the MIB on the SNMP agent, several different operations can be used:
Get: Used to get information from the MIB from an SNMP agent
Set: Used to set information to the MIB from an SNMP manager
Walk: Used to list information from successive MIB objects within a specified MIB
Trap: Used by the SNMP agent to send a triggered piece of information to the SNMP manager
Inform: The same as a trap, but adds an acknowledgment that is not provided with a trap.
There are also three main versions of SNMP that have been defined:
Version 1: This version was defined in RFC 1157 and utilizes community-based security.
Version 2c: This version was defined in RFCs 1901, 1905, and 1906 and utilizes community-based
security. Version 2c added some additional protocol operations and data types to version 1;
these include a bulk retrieval mechanism.
Version 3: This version was defined in RFCs 3413 through 3415 and defines a new security
model that includes features supporting message integrity, authentication, and encryption.
The community-based security model is a well-known weakness of versions 1 and 2c, because it
provides no encryption and no authentication beyond a cleartext community name. Although SNMP
version 3 takes more effort to configure, it should be preferred whenever SNMP traffic is routed
over untrusted networks.
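The difference between the versions is visible on the wire: in SNMPv1 and v2c the community name is the second field of every message and is readable by anyone who can capture the packet, whereas an SNMPv3 message carries flags that state whether authentication and privacy were applied. The following Python script is an added illustration, not part of the original text or any Cisco tool. It contains a minimal BER decoder for the SNMP message header and audits messages for cleartext communities; the two sample messages are constructed inside the script rather than captured from a network.

```python
"""Audit SNMP messages for cleartext community strings (v1/v2c) vs. SNMPv3.

Added illustration with a minimal BER decoder for the SNMP message header.
The sample packets below are constructed in this script, not captured traffic.
"""


def _ber_len(n):
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def ber(tag, payload):
    """Tag-Length-Value with the given tag byte."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def ber_int(value):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return ber(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(packet):
    """Decode the version plus the security-relevant header fields."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, ver, pos = _read_tlv(body, 0)
    version = int.from_bytes(ver, "big")
    if version in (0, 1):                        # 0 = v1, 1 = v2c
        _, community, _ = _read_tlv(body, pos)   # OCTET STRING, sent in the clear
        return {"version": "v1" if version == 0 else "v2c",
                "community": community.decode("latin-1"), "cleartext_auth": True}
    if version == 3:
        _, global_data, _ = _read_tlv(body, pos)  # msgGlobalData SEQUENCE
        _, _, p = _read_tlv(global_data, 0)       # msgID
        _, _, p = _read_tlv(global_data, p)       # msgMaxSize
        _, flags, _ = _read_tlv(global_data, p)   # msgFlags (one byte)
        return {"version": "v3", "auth": bool(flags[0] & 0x01),
                "priv": bool(flags[0] & 0x02), "cleartext_auth": False}
    raise ValueError(f"unknown SNMP version {version}")


def audit(packets):
    """One finding per packet; v1/v2c with a readable community is flagged."""
    findings = []
    for pkt in packets:
        h = parse_snmp_header(pkt)
        if h["cleartext_auth"]:
            findings.append(f'{h["version"]}: community "{h["community"]}" sent in cleartext')
        elif not (h["auth"] and h["priv"]):
            findings.append("v3: message lacks authPriv protection")
        else:
            findings.append("v3: authPriv")
    return findings


# --- constructed sample messages -------------------------------------------
# v2c GetRequest with community "public" and an empty variable-binding list
_GET_PDU = ber(0xA0, ber_int(1) + ber_int(0) + ber_int(0) + ber(0x30, b""))
SAMPLE_V2C = ber(0x30, ber_int(1) + ber(0x04, b"public") + _GET_PDU)
# v3 message: msgFlags 0x03 = auth + priv; security parameters and the
# encrypted scopedPDU are stand-in octet strings for this illustration
_GLOBAL = ber(0x30, ber_int(7) + ber_int(65507) + ber(0x04, b"\x03") + ber_int(3))
SAMPLE_V3 = ber(0x30, ber_int(3) + _GLOBAL + ber(0x04, b"") + ber(0x04, b"<encrypted>"))

if __name__ == "__main__":
    for line in audit([SAMPLE_V2C, SAMPLE_V3]):
        print(line)
```

Running the script prints one line per message: the v2c message is reported with its community name exactly as a capture tool would show it, while the v3 message only reveals that it is authenticated and encrypted.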
server when exchanging packets (remote EngineID). Remote users can also be configured, but
the remote EngineID must be known before these users can be created, so that the security
information exchanged with the remote host is computed correctly. The following commands are
required to create and configure SNMPv3 users and groups.
Create and configure an SNMP v3 group.
Router(config)# snmp-server group group-name {v3 {auth | noauth | priv}} [read read-view]
[write write-view] [notify notify-view] [access [acl-number | acl-name]]
Create and configure an SNMP v3 user
Router(config)# snmp-server user <username> <group-name> [remote host [udp-port port]]
{v3 [encrypted] [auth {md5 | sha} auth-password]} [priv {des | 3des | aes {128 |
192 | 256}} privpassword]
Configure the local EngineID
Router(config)# snmp-server engineID local engineid-string
Configure a remote EngineID
Router(config)# snmp-server engineID remote {ipv4-ip-address | ipv6-address} [udp-port udp-port-number] engineid-string
Display the currently configured SNMP groups
Router# show snmp group
Display the currently configured SNMP users
Router# show snmp user
Display the currently configured EngineIDs
Router# show snmp engineID
Basic Notification Configuration
One of the main capabilities with SNMP is the ability to have the devices send messages
to a central server for recording purposes or to alert a device of a problem. These messages
can be in the form of a trap or inform; the difference between the two is that an inform
requires an acknowledgment from the server while a trap does not. An SNMP version 3 inform
also requires that a remote EngineID is configured to ensure that the acknowledgment
security information is able to be correctly calculated.
Configure a remote SNMP v3 user
Router(config)# snmp-server user username group-name remote host [udp-port port]{v3
[encrypted] [auth {md5 | sha} auth-password]} [priv {des | 3des | aes {128 | 192
|256}} privpassword]
Configure an SNMP notification host (trap or inform)
Router(config)# snmp-server host {hostname | ip-address} [traps | informs] [version {1 | 2c | 3
[auth | noauth | priv]}] {community-string | username} [udp-port port] [notification-type]
Configure the notification types to be sent in a trap or inform (this command works with both traps
and informs; the configuration of the snmp-server host command dictates which type is sent)
Router(config)# snmp-server enable traps [notification-type]
Display the currently configured notification hosts
Router# show snmp host
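The reason the EngineID has to exist before an SNMPv3 user can be created, both for local users and for the remote users needed by informs, is that the user's authentication and privacy keys are derived from the password and the EngineID of the authoritative engine (RFC 3414 key localization). The same password therefore produces a different key on every engine, which is also why compromising one device's localized key does not hand over the password's keys on other devices. The Python script below is an added illustration of that derivation; it is not Cisco code and the EngineIDs it uses are constructed values (the first one is the RFC 3414 Appendix A test value).

```python
"""SNMPv3 USM key localization (RFC 3414 section 2.6 and A.2).

Added illustration of why an EngineID must be known before a user's keys
exist: the localized key is a hash over the password-derived key and the
authoritative engine's EngineID.
"""
import hashlib


def password_to_key(password: str, hashname: str) -> bytes:
    """Step 1 (RFC 3414 A.2): hash 1,048,576 bytes of the repeated password."""
    pw = password.encode("ascii")
    stream = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    return hashlib.new(hashname, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hashname: str) -> bytes:
    """Step 2: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str, hashname: str = "md5") -> str:
    """Key the agent (local EngineID) or an inform receiver (remote EngineID)
    derives for this user; hashname is "md5" or "sha1" as in the auth keyword."""
    engine_id = bytes.fromhex(engine_id_hex)
    return localize_key(password_to_key(password, hashname), engine_id, hashname).hex()


if __name__ == "__main__":
    # Both EngineIDs are constructed; the first is the RFC 3414 A.3 test value.
    for eid in ("000000000000000000000002", "00000000000000000000000a"):
        print(eid, localized_key_hex("maplesyrup", eid, "sha1"))
```

Configuring a remote user before the remote EngineID is known would force the router to guess the second input of this hash, which is why the command reference above lists the remote EngineID as a prerequisite.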
CPU and Memory Thresholding
One of the ways to monitor whether an attack is occurring on a device is through the simple
monitoring of device resources, including CPU and memory utilization. This is done by configuring
the use of CPU or memory threshold monitoring. Both of these features can be combined with a
remote management server to notify an organization when the CPU and memory conditions on a
device become critical.
CPU Thresholding Configuration
The configuration of CPU thresholding utilizes two different types of threshold: rising and
falling. The rising threshold is triggered when the CPU utilization exceeds a configured threshold. A
falling threshold is triggered when the CPU utilization falls back below a configured threshold.
Configure the use of a rising (and falling, if needed) CPU threshold
Router(config)# process cpu threshold type {total | process | interrupt} percentage
interval seconds [falling fall-percentage interval seconds]
Configure the use of an SNMP trap (or inform) should a CPU threshold message be triggered
Router(config)# snmp-server enable traps cpu threshold
Memory Threshold Configuration
The memory threshold feature also has two different options that can be configured. These
include an ability to trigger a message when the device memory goes below a configured level
and/or the ability to reserve an amount of memory to be used for critical notifications.
Configure the use of a memory threshold message should the device memory go below the
configured level
Router(config)# memory free low-watermark {processor <threshold> | io <threshold>}
Configure a memory reserve that is used to ensure that critical notifications can be sent
Router(config)# memory reserve critical <kilobytes>
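The point of having both a rising and a falling CPU threshold is hysteresis: one notification when utilization crosses above the rising value and one when it drops back below the falling value, instead of a notification on every polling interval while the CPU stays high. The memory low-watermark behaves the same way for free memory. The Python simulation below is an added illustration of that behaviour and is not Cisco code; the CPU and free-memory samples are constructed values, not output from a device, and the rising/falling values are chosen for the example.

```python
"""Rising/falling CPU thresholds and a free-memory low watermark, simulated.

Added illustration of the notification behaviour described above. All sample
values are constructed for the example.
"""


def cpu_threshold_events(samples, rising, falling):
    """Emit 'rising' once when utilization crosses above `rising` and
    'falling' once when it drops back below `falling`; nothing in between."""
    events, above = [], False
    for i, pct in enumerate(samples):
        if not above and pct > rising:
            above = True
            events.append((i, "rising", pct))
        elif above and pct < falling:
            above = False
            events.append((i, "falling", pct))
    return events


def naive_cpu_alerts(samples, threshold):
    """Single threshold, alert on every high sample: floods the manager and
    never tells it when the condition cleared."""
    return [(i, p, "high") for i, p in enumerate(samples) if p > threshold]


def memory_watermark_events(free_kb, low_watermark_kb):
    """'low' when free memory drops below the watermark, 'recovered' when it
    climbs back to or above it."""
    events, low = [], False
    for i, kb in enumerate(free_kb):
        if not low and kb < low_watermark_kb:
            low = True
            events.append((i, "low", kb))
        elif low and kb >= low_watermark_kb:
            low = False
            events.append((i, "recovered", kb))
    return events


# Constructed samples: CPU percent per polling interval, free memory in KB
CPU_SAMPLES = [20, 45, 85, 90, 70, 60, 40, 88, 30]
FREE_KB = [50000, 20000, 9000, 8500, 12000, 7000]

if __name__ == "__main__":
    print("hysteresis:", cpu_threshold_events(CPU_SAMPLES, rising=80, falling=50))
    print("naive:     ", naive_cpu_alerts(CPU_SAMPLES, 80))
    print("memory:    ", memory_watermark_events(FREE_KB, low_watermark_kb=10000))
```

With the constructed samples the hysteresis version produces four events that pair up into two "high CPU" episodes with clear start and end, while the single-threshold version produces three alerts and no indication that the condition ever cleared.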
Cisco IOS Flexible Packet Matching (FPM)
Networks are experiencing increasingly sophisticated attacks that require mitigation tools that
are as flexible as possible. Cisco IOS Flexible Packet Matching (FPM) is a set of classes and
policies that provides pattern matching for more granular and customized packet filters, with
Layer 2 to Layer 7 bit/byte matching deep into the packet at any offset within the packet
header and payload.
It is a powerful, easy, and rapid deployment mechanism that enables users to specify criteria
to match against any part of a packet (header and payload) and define the action to take. In short,
FPM is able to classify a packet based on its characteristics and take appropriate action.
Why Needed
There are three main reasons for Cisco IOS Flexible Packet Matching (FPM):
Sophisticated attacks: characteristics of common attacks have evolved beyond current filtering
tools like ACLs (i.e., limited matching criteria: protocol, port, IP address, etc.)
Rapid Mitigation: customers must stop attacks immediately without waiting for a vendor to
match start {l2-start | l3-start} offset number size number {eq | neq | gt | lt | range range | regex
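The match syntax above reduces to a small number of ideas: pick a reference point (the start of the Layer 2 frame or the Layer 3 header), read a field of a given size at a given offset from that point, and compare it with an operator (eq, neq, gt, lt, range, or regex). The Python classifier below is an added illustration of that model and is not Cisco code. It assumes an untagged Ethernet/IPv4/UDP frame (so l3-start is byte 14), reads integer fields big-endian, and applies a regex to the raw bytes of the window; the frames, the marker string and the policy are all constructed for the example.

```python
"""Offset-based packet classification in the style of FPM match criteria.

Added illustration, not Cisco code. A criterion is (start, offset, size,
operator, operands...). Frames are constructed untagged Ethernet/IPv4/UDP,
so l3-start is byte 14 and the UDP payload begins at l3-start + 28.
"""
import re
import struct

L3_START = 14  # untagged Ethernet header length (assumption for the constructed frames)


def build_frame(payload, dst_port, proto=17):
    """Constructed Ethernet + IPv4 + UDP frame carrying `payload`."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload), 0x1234,
                     0x4000, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + udp + payload


def match_field(frame, start, offset, size, op, *operands):
    """Evaluate one match criterion against a frame."""
    base = {"l2-start": 0, "l3-start": L3_START}[start]
    window = frame[base + offset: base + offset + size]
    if op == "regex":                       # pattern over the raw bytes in the window
        return re.search(operands[0], window) is not None
    if len(window) < size:                  # integer field not fully present: no match
        return False
    value = int.from_bytes(window, "big")
    return {
        "eq": lambda: value == operands[0],
        "neq": lambda: value != operands[0],
        "gt": lambda: value > operands[0],
        "lt": lambda: value < operands[0],
        "range": lambda: operands[0] <= value <= operands[1],
    }[op]()


def classify(frame, policy):
    """Return (class, action) of the first class whose criteria all match."""
    for name, criteria, action in policy:
        if all(match_field(frame, *c) for c in criteria):
            return name, action
    return "class-default", "permit"


# Constructed policy: drop UDP/53 packets whose payload carries a marker string,
# and police UDP packets with an almost empty payload. Offsets are from l3-start.
POLICY = [
    ("udp-53-marker", [("l3-start", 9, 1, "eq", 17),               # IPv4 protocol = UDP
                       ("l3-start", 22, 2, "eq", 53),              # UDP destination port
                       ("l3-start", 28, 64, "regex", rb"EXAMPLE-MARKER")], "drop"),
    ("udp-tiny", [("l3-start", 9, 1, "eq", 17),
                  ("l3-start", 2, 2, "lt", 30)], "police"),          # IPv4 total length < 30
]

FRAME_MARKED = build_frame(b"abc EXAMPLE-MARKER xyz", dst_port=53)
FRAME_CLEAN = build_frame(b"hello world", dst_port=53)
FRAME_TINY = build_frame(b"", dst_port=123)

if __name__ == "__main__":
    for frame in (FRAME_MARKED, FRAME_CLEAN, FRAME_TINY):
        print(classify(frame, POLICY))
```

The first class combines three criteria the way an FPM class combines its match statements, and the order of the policy matters: a frame is handled by the first class it matches, and everything else falls through to the default permit.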