Configuring SNMP Agents
This chapter gives an overview of SNMP agent configuration and provides detailed instructions for configuring SNMP agents on some network systems.

Agents Configuration

A typical SNMP agent is implemented as a software component running on a network device. The software component must be properly installed and configured. The installation and configuration procedure depends heavily on the type of network system and the software environment the agent runs in. Refer to the appropriate section listed below to set up SNMP on a particular type of network system.
See the following chapters for detailed SNMP agent configuration instructions:

Common Parameters Settings

All SNMP devices share the following common configurable parameters:
Devices can have variants of the access and trap parameters. For example, Cisco devices support different community strings for different parts of the MIB to allow fine-grained access control for particular groups of variables. Many vendors allow you to place restrictions on the hosts that are allowed to make SNMP requests, providing another level of security in addition to community strings. You will encounter a wide range of configuration options while managing network systems from various vendors. Refer to your device or software manuals, or to other available documentation, such as Requests for Comments (RFCs).

Security Issues

Don't forget to change default community strings to values that are hard to guess. Don't choose dictionary words; use mixed-case letters and numbers instead. Use different strings for read and write communities.

A serious problem is that the read and write community strings are sent as plain text in SNMPv1 and v2. Therefore, the community strings are potentially available to anyone with access to a packet sniffer, i.e. almost anyone on your network with a PC and widely available software.

You can limit the devices that can make SNMP requests, if your agent supports this. That way, even if someone gets the community strings, they will have to spoof the IP address of one of your management stations to do any damage. This reduces the risk, but does not guarantee safety.

A better solution is to prevent the SNMP packets from being visible outside of your management network segment by configuring your routers and firewall accordingly. Unfortunately, it is not always possible to establish a separate management network, or to use it from different locations. Consider VPN solutions or some form of tunneling to make your management traffic private.
Finally, SNMPv3 fixes most of the security problems. In particular, it ensures that all the community strings are encrypted.
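
The community-string rules above can be checked mechanically. The following is an added example, not part of the original chapter: it assumes the agent is Net-SNMP and audits the `rocommunity`/`rwcommunity` lines of an `snmpd.conf`. The function name and the sample configuration are constructed for illustration, and the character-class test only approximates the "no dictionary words" advice.

```python
import re

DEFAULTS = {"public", "private"}        # widely known default community strings
ANY_SOURCE = {"default", "0.0.0.0/0"}   # snmpd.conf sources that match every host

def audit_communities(conf_text):
    """Return sorted (line_no, issue) findings for rocommunity/rwcommunity lines."""
    findings = []
    seen = {"rocommunity": {}, "rwcommunity": {}}   # community -> first line number
    for no, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()       # drop comments, then tokenize
        if len(fields) < 2 or fields[0] not in seen:
            continue
        directive, community = fields[0], fields[1]
        # An omitted SOURCE field means requests are accepted from any host.
        source = fields[2] if len(fields) > 2 else "default"
        seen[directive].setdefault(community, no)
        if community.lower() in DEFAULTS:
            findings.append((no, "default community string"))
        elif not all(re.search(p, community) for p in (r"[a-z]", r"[A-Z]", r"\d")):
            findings.append((no, "no mix of upper case, lower case and digits"))
        if source in ANY_SOURCE:
            findings.append((no, "any host may send requests"))
    # The same string must not grant both read and write access.
    for community, no in seen["rwcommunity"].items():
        if community in seen["rocommunity"]:
            findings.append((no, "write community equals a read community"))
    return sorted(findings)

# Constructed sample configuration (documentation addresses, made-up strings).
SAMPLE = """\
# constructed sample, not from a real device
rocommunity public
rwcommunity private 192.0.2.10
rocommunity monitoring default
rocommunity Rd7kQ2mx9Lp 192.0.2.0/24
rwcommunity Rd7kQ2mx9Lp 192.0.2.10
rwcommunity Wq4ZtN81vbe 192.0.2.10
"""

if __name__ == "__main__":
    for no, issue in audit_communities(SAMPLE):
        print(f"line {no}: {issue}")
```

A clean result only means the configured strings and source restrictions follow the rules above; with SNMPv1 and v2 the strings still cross the network as plain text.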