Teldat SA Manual

SNMP Agent
Teldat-Dm 712-I

Copyright© Version 11.03 Teldat SA

SNMP Agent 1
Manual Teldat SA

Legal Notice

Warranty

This publication is subject to change.

Teldat offers no warranty whatsoever for information contained in this manual.

Teldat is not liable for any direct, indirect, collateral, consequential or any other damage connected to the delivery,
supply or use of this manual.

2 SNMP Agent
Teldat SA Table of Contents

Table of Contents

Chapter 1 Introduction to the SNMP protocol . . . . . . . . . . . . . . . . . . . . . . . . . 1

1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1.2 SNMP Protocol Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1.3 SNMP Packet Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1.4 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.4.1 SNMPv1 and SNMPv2c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.4.2 SNMPv3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.4.3 View-based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Chapter 2 Configuring the SNMP Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2.1 Displaying the SNMP Configuration Prompt . . . . . . . . . . . . . . . . . . . . . . . . 4

2.2 SNMP Configuration Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2.2.1 ? (HELP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2.2 ACCESS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2.3 COMMUNITY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2.4 CONTEXT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2.5 DEFAULT-CONFIG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2.6 DISABLE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2.7 ENABLE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2.8 ENGINED LOCAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2.9 GROUP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2.10 HOST . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2.11 LIST . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.2.12 MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.2.13 NO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.2.14 SUBTREE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.2.15 TRAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.2.16 USER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.2.17 EXIT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Chapter 3 Monitoring the SNMP Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

3.1 Accessing the SNMP Monitoring Environment . . . . . . . . . . . . . . . . . . . . . . 21

3.2 SNMP Monitoring Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

3.2.1 ? (HELP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.2.2 LIST . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.2.3 EXIT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Chapter 4 Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

4.1 SNMPv1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

4.2 SNMPv3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

4.3 SNMPv1/v2 multi-VRF consults. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

SNMP Agent i
Table of Contents Teldat SA

4.4 SNMPv3 multi-VRF consults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

ii SNMP Agent
Teldat SA 1 Introduction to the SNMP protocol

Chapter 1 Introduction to the SNMP protocol

1.1 Introduction
SNMP is an OSI layer 7 (application layer) protocol for configuring and monitoring router different characteristics.

SNMP enables network hosts to read and modify some of the settings of the router’s operating characteristics. It al-
lows software running on a remote host to contact the router over a network and get updating information about the
router on request. Therefore you can carry out centralized management of the routers which are in the network.

SNMP’s basic functions include:

• Collecting information and modifying router operating characteristics on behalf of remote SNMP users.
• Sending and receiving SNMP packets via the IP protocol.

Protocol Layers of the SNMP Environment

The software that processes SNMP requests runs on the router and is called SNMP agent. The user program that
makes SNMP requests runs on the user’s machine elsewhere in the network, not on the router, and is known as SN-
MP manager. The SNMP agent at the router and the manager at the work station use the UDP/IP protocol to ex-
change packets.

For more information about SNMP, refer to RFC A Simple Network Management Protocol. Recommendations RFC
3410 to 3418, RFC 3584 and RFC 3826 all provide information on the latest SNMP version, the SNMPv3.

1.2 SNMP Protocol Versions

There are three versions of SNMP. The first one, SNMPv1, defines the SNMP basic operations such as an elemental
authentication mechanism based on communities.

The second version, SNMPv2, introduced new operations and data types that improved the efficiency of SNMP. In
this second version, they also tried to improve the security of the protocol; however the complexity of the proposed
solution meant in practice they continued to use the SNMPv1 authentication mechanism. SNMPv2 with this authen-
tication mechanism is usually known as SNMPv2c (c for community).

The third version, SNMPv2, established a complete security frame for SNMP. Additionally, on doing this, the SNMP
was separated into independent modules thus simplifying future developments.

1.3 SNMP Packet Types

There are three basic operations in SNMP:

• Requesting data from the agent.

• Configuring data in the agent.
• Notifications: information sent by the agent to the manager reporting some incident that has occurred in the agent.

These three operations are executed, in SNMPv1, through the following types of packets:

• GET-REQUEST: the manager uses this command to ask the agent for the state of one or various variables. The
manager waits for the response from the agent.
• GET-NEXT: the manager uses this command to ask the agent for the state of the variable, which, on the manage-
ment tree, follows the indicated variable. This command is useful to run through tables or to get a subset from the
management tree. The manager waits for the response from the agent.
• SET-REQUEST: the manager uses this command to configure the value of one or various variables in the agent.
The manager waits for the response from the agent.
• GET-RESPONSE (known simply as RESPONSE from version 2 onwards): the agent uses this command to re-
spond to requests from the manager. In cases regarding the GET-REQUEST and GET-NEXT commands, the
agent responds with the value of the requested variable (in cases regarding the GET-NEXT command, the said
variable is also identified). In cases regarding a SET-REQUEST command, the agent responds by indicating if the
operation was successfully carried out or not.
• TRAP: the agent uses this command to tell the manager about a significant event. The agent does not expect a re-
sponse from the manager.

In versions 2 and 3 new commands were introduced:

SNMP Agent 1
1 Introduction to the SNMP protocol Teldat SA

• GET-BULK: the manager uses this command to ask the agent about the state of various variables. The definition
of this command makes it especially useful in order to obtain the state of all the variables in a table.
• INFORM: a manager uses this command to send information to another manager about a significant event. The
difference between this and the TRAP command is that in this case the manager is expected to respond with a RE-
SPONSE command.
• NOTIFICATION: this command substitutes the TRAP command found in version 1.
• REPORT: the agent uses this command to tell the manager about some unusual error in the treatment of the re-
quest made by the manager. This command is used in SNMP version 3 as part of the discovery process for the
data needed from the agent.

1.4 Security

1.4.1 SNMPv1 and SNMPv2c

In SNMPv1 and SNMPv2c, the security mechanism is very simple: there is no data encryption and the authentication
used is very basic.

Each SNMP packet includes a field indicating the community being referred to. The community is simply a set of
characters. It’s possible to specify the following in the agent for each community:

• The access level, be this read or write

• The view, i.e. the set of accessible variables using the said community.
• The IP addresses pertaining to this community. I.e. the IP addresses for the managers that can access the agent
using this community.

Each SNMP packet arriving at the router is validated or dropped depending on whether it complies with the restric-
tions imposed by the authentication schema or not. Specifically, the accessed variable, its type of access and the
source IP address of the SNMP packet must be included in those associated to the SNMP packet community name.

Given that the community information is routed in clear (not encrypted) in the SNMP packet it is obviously very easy
to find out the community name and access the agent. The lack of security in SNMPv1 (and by extension SNMPv2c)
means that in practice it is mainly used for monitoring the status of the router, not for configuring write permissions.

1.4.2 SNMPv3
As already said, SNMPv3 has tried to solve the security problems existing in the other two versions. For this robust
mechanisms have been defined both for authentication as well as encryption. Additionally, the modularity in this ver-
sion means new encryption or authentication algorithm mechanisms can be added to the protocol. Currently there
are two authentication mechanisms, HMAC-MD5 and HMAC-SHA and two encryption mechanisms, DES and AES-
128.

In SNMPv3, a security model has been identified, a model applied to the SNMP packets and a security level within
this model.

The currently existing security models are:

• SNMPv1
• SNMPv2c
• SNMPv3 USM: User Security Model.

The security levels that can be distinguished are as follows:

• noAuthNoPriv: the packets don’t use either authentication or encryption. It’s the only level of security applied to the
SNMPv1 and SNMPv2 security model packets.
• AuthNoPriv: the packets use authentication but are not encrypted.
• AuthPriv: the packets use authentication and encryption.

Note

Please note that the possibility of encrypted packets without authentication is not contemplated here.

1.4.3 View-based Access Control

The access control determines whether an SNMP manager has access to a determined variable or not.

2 SNMP Agent
Teldat SA 1 Introduction to the SNMP protocol

In SNMPv1 and SNMPv2, the community is used (and maybe the manager’s IP address) to determine if access is
permitted to a determined variable.

In SNMPv3, the access control mechanism is generalized introducing more variables when making the decision. The
variables used are as follows:

• Group: this is a set of tuples <securityName, securityModel>. The securityName is the SNMP manager identifier
(the community in cases regarding SNMPv1 and SNMPv2, the user in SNMPv3). All the members of a group have
the same access levels to the agent’s variables. A combination of <securityName, securityModel> can only pertain
to one group.
• Context: this is a set of manageable variables accessed by an SNMP entity. A manageable variable can appear in
more than one context. For further information on the concept of contexts, please see RFC 3411.
• Security level: the access levels can be different for a non-encrypted message and for an encrypted message. You
can, for example, demand that the message is encrypted in order to admit write accesses to a variable.

The securityName and the securityModel included in the SNMP packet are used to obtain the group. The group, con-
text, security model, security level and type of required access (read, write or notification) permit a determined view
to be selected.

A view is nothing more than a set of variables which it has access to. If the view selected includes the variable you
want to access, access is permitted. Contrariwise, access is denied.

SNMP Agent 3
2 Configuring the SNMP Agent Teldat SA

Chapter 2 Configuring the SNMP Agent

2.1 Displaying the SNMP Configuration Prompt

To access the SNMP configuration environment use the PROTOCOL SNMP command found in the general config-
uration menu.

Config>protocol snmp
-- SNMP user configuration --
SNMP Config>

2.2 SNMP Configuration Commands

This section summarizes the different SNMP configuration commands.

Command Function
? (HELP) Shows available commands or lists the options associated to specific commands.
ACCESS Configures the views associated to a determined group and security model.
COMMUNITY Creates a community or modifies the parameters for an existing community.
CONTEXT Creates a context or modifies an existing one.
DEFAULT-CONFIG Enables the default configuration.
DISABLE Disables the SNMP protocol.
ENABLE Enables the SNMP protocol.
ENGINEID Configures the EngineID used by SNMPv3.
GROUP Assigns a user and a security model to a group.
HOST Configures a host to which SNMP notifications are sent.
LIST Displays the SNMP configuration.
MIB Configure options for a MIB.
NO Deletes the configuration or configures parameters with their default values.
SUBTREE Specifies the MIB portions included or excluded from a determined view.
TRAP Configures parameters relative to sending notification.
USER Creates a user or modifies the parameters for an existing user.
EXIT Exits the SNMP configuration menu.

2.2.1 ? (HELP)
Displays the available commands or their options.

Syntax:

SNMP config>?

Example:

SNMP config>?
access Specify access views associated to a group and security
model
community Create a community or modify parameters of an existing one
context Create a context or modify an existing one
default-config Enable the SNMP default configuration
disable Disable SNMP
enable Enable SNMP
engineid Specify an SNMPv3 EngineID
group Assign a <user, securityModel> tuple to a group
host Specify a host to receive SNMP notification messages
list Display SNMP configuration

4 SNMP Agent
Teldat SA 2 Configuring the SNMP Agent

mib Configure options for a MIB

no Negate a command or set its defaults
subtree Create or modify a MIB view
trap Set trap parameters
user Create a SNMPv3 user or modify parameters of an existing one
exit Exit SNMP configuration menu
SNMP config>

2.2.2 ACCESS
Configures the views associated to a determined group and security model. This allows you to associate a read,
write and notification view to a determined group and a security model. You can also configure different views for dif-
ferent security models within the same group. Additionally, it’s possible to configure different views for the same
group and security models using different contexts.

Note

To obtain information from a secondary VRF through the context, you can only execute the following
petitions: over the MIB IP-FORWARD-MIB and more specifically over the ipCidrRouteNumber object
(OID: 1.3.6.1.2.1.4.24.3) and the ipCidrRouteTable table (OID: 1.3.6.1.2.1.4.24.4 and over the MIB2
ipAddrTable (OID: 1.3.6.1.2.1.4.20).

To obtain information from the main VRF, the petition is executed as normal, even though this is done
from a manager located in the secondary VRF.

Please see section View-based Access Control on page 2 for further information on access control based on views.

Syntax:

SNMP config>group <GroupName> [context <ContextName>] <securityModel> <securityLevel>

{read-view <view> | notify-view <view> | write-view <view>}

securityModel: This can be:

• any: any security model

• v1: SNMPv1
• v2c: SNMPv2c
• v3-usm: SNMPv3 User Security Model (currently this is the only security model defined for SNMPv3)

securityLevel: (only if you select v3-usm as the security model). This can be:

• auth: authentication, no encryption

• noauth: no authentication, no encryption
• authpriv: authentication and encryption

Note

In cases where none of the views have been specified, the view associated to all the OIDs is inter-
preted as being default. This view is always created and known internally as “_all_”. In cases where
you do not want to access all the OIDs, you can use the “_none_” view.

Example:

Associating a teldatreadview read view and a teldatnotifyview notification view to the teldatgroup for SNMPv3 with
encryption and authentication.

SNMP config>access teldatgroup v3-usm priv read-view teldatreadview notify-view

teldatnotifyview
SNMP config>

Example:

Associating a teldatwriteview write view to theteldatgroup2 group for SNMPv1.

SNMP config>access teldatgroup2 v1 write-view teldatwriteview

SNMP config>

SNMP Agent 5
2 Configuring the SNMP Agent Teldat SA

2.2.3 COMMUNITY
Creates a community or modifies the parameters for an already existing community.

Syntax:

SNMP config>community <Community Name>

default Create a SNMP community with default values
access Set access permissions for this community
context Set a context for this community
subnet Specify subnet with access using this community string
view Set a view for this community
SNMP config>

Community Name Specifies the name of community (32 characters maximum). Special characters
such as spaces, tabs, and so on, are not accepted.

2.2.3.1 COMMUNITY community_name DEFAULT

Creates a community with the default parameters or reestablishes the said parameters for an already existing com-
munity. The default parameters are as follows:

• Read access and generation of traps

• view associated to all the MIB
• permitted access from all IP addresses

Example:

SNMP config>community public default

SNMP config>

2.2.3.2 COMMUNITY community_name ACCESS

Establishes the access level associated to a community. The possible access levels are as follows:

read-trap: Read and trap generation.

trap-only: Trap generation.

write-read-trap: Read-write and trap generation.

Syntax:

SNMP config>community public access ?

read-trap Read SNMP variables and generate traps
trap-only Generate traps only
write-read-trap Read and write SNMP variables and generate traps
SNMP config>

Default value: by default this permits read access and trap generation.

Example:

SNMP config>community public access write-read-trap

SNMP config>

2.2.3.3 COMMUNITY community_name CONTEXT

Specifies a context to be associated to a specific community. This context allows you to execute an association
between the community and a secondary VRF.

Note

To obtain information from a secondary VRF through the context, you can only execute the following
petitions: over the MIB IP-FORWARD-MIB and more specifically over the ipCidrRouteNumber object
(OID: 1.3.6.1.2.1.4.24.3) and the ipCidrRouteTable table (OID: 1.3.6.1.2.1.4.24.4 and over the MIB2
ipAddrTable (OID: 1.3.6.1.2.1.4.20).

6 SNMP Agent
Teldat SA 2 Configuring the SNMP Agent

To obtain information from the main VRF, the petition is executed as normal, even though this is done
from a manager located in the secondary VRF.

Syntax:

SNMP config>community public context ?

<1..32 chars> Context name
SNMP config>

Example:

SNMP config>community public context cntxt

SNMP config>

2.2.3.4 COMMUNITY community_name SUBNET

Specifies a subnet where access is permitted using the specified community

Note

SNMP requests may arrive for any of the router’s addresses

You can specify more than one subnet for a community. To do this you must repeat the operation as many times as
subnets you want to add.

SNMP requests will be accepted for one community if the outcome of the AND function between the IP address
which originated the request and the community network mask matches with the outcome of the AND function
between the community IP address and its mask, in some of the address configured in the community. I.e. petitions
will be accepted from any device in the subnets defined by the masks. If no address is specified for the community,
requests are accepted from any host.

Syntax:

SNMP config>community public subnet ?

<a.b.c.d> IP Address
SNMP config>community public subnet 192.6.2.168 ?
<a.b.c.d> Mask
SNMP config>community public subnet 192.6.2.168 255.255.255.0 ?
<cr>
SNMP config>

Default value: by default you can access from any IP address.

Example 1:

SNMP config>community public subnet 192.6.2.168 255.255.255.0

SNMP config>

Or:

This operation causes that public community requests will be accepted if they come from any host of the 192.6.2.0
network.

Example 2:

SNMP config>community public subnet 192.6.2.168 255.255.255.255

SNMP config>

This operation causes that public community requests will be accepted only if they come from the 192.6.2.168 host.

2.2.3.5 COMMUNITY community_name VIEW

Assigns an MIB view to a community. The view must be previously created through the SUBTREE command. If the
view that you associated to the community doesn’t exist, access is restricted to all the MIB. If this indicates that the
view associated to a community is “all” the community will have access to all the MIB.

Example:

SNMP Agent 7
2 Configuring the SNMP Agent Teldat SA

SNMP config>community private view teldat

SNMP config>

Default value: by default access to all the MIB is permitted.

2.2.4 CONTEXT
Creates a context or modifies an existing one.

Syntax:

SNMP config>context <Context-Name>

Example:

SNMP config>context teldatContext

SNMP config>

2.2.5 DEFAULT-CONFIG
Enables default configuration. The DEFAULT-CONFIG command enables SNMP and creates a community called
“teldat”, with the following characteristics: it has all permissions (read, write and trap generation), accepts requests
from any address, and has a complete MIB view.

Default value: the default configuration is enabled.

Syntax:

SNMP config>default-config

2.2.6 DISABLE
Disables the SNMP protocol.

Syntax:

SNMP config>disable

Note

If the default configuration is enabled by default, SNMP is always enabled. This means SNMP cannot
be disabled until the default configuration is disabled.

2.2.7 ENABLE
Enables the SNMP protocol.

Syntax:

SNMP Config>enable

Default value: by default the SNMP is enabled.

2.2.8 ENGINED LOCAL

Configures the engineID the router uses in the SNMPv3. The engineID uniquely identifies an SNMP entity when it
uses the SNMPv3 protocol.

Syntax:

SNMP config>engineid local ?

<8..64 hex chars> EngineID hexadecimal octet string
SNMP config>

Default value: by default there is no engineID configured. In this case, a random engineID is generated on device
startup.

8 SNMP Agent
Teldat SA 2 Configuring the SNMP Agent

2.2.9 GROUP
Assigns a user and a security model to a group. The <user, security model> tuple can only pertain to one group. The
groups use this to define the access control based on views. For further information, please see section View-based
Access Control on page 2.

Syntax:

SNMP config>group <secName> <secModel> <groupName>

secName: user going to be added to a group

securityModel: security model. This can be:

• any: any security model

• v1: SNMPv1
• v2c: SNMPv2c
• v3-usm: SNMPv3 User Security Model (currently this is the only security model defined for SNMPv3)

groupName: group name

Example:

Creating the teldatgroup group, with teldatuser users for SNMPv3 and teldatuser1 for SNMPv1.

SNMP config>group teldatuser v3-usm teldatgroup

SNMP config>group teldatuser2 v1 teldatgroup
SNMP config>

2.2.10 HOST
Configures a host that is sent SNMP notifications, as well as the sending characteristics of the said notifications.

Syntax:

SNMP config>host <IP address> <trap | inform> version <secModel> <secLevel> <secName>
[udp-port <port>] [vrf <vrf-name>] [{traps}]
SNMP config>

IP address: host IP address to which SNMP notifications are sent.

trap: indicates that the notifications are sent as TRAPS.

inform: indicates that the notifications are sent as INFORMs.

secModel: specifies the SNMPv3 version used to send the notifications. The possible versions are:

• v1: SNMPv1 (not available for inform)

• v2c: SNMPv2c
• v3: SNMPv3

secLevel: security level used in sending notifications. This is only configurable for SNMPv3. The possible values are:

• auth: authentication, no encryption

• noauth: no authentication, no encryption
• authpriv: authentication and encryption

secName: user or community name to use when sending the notifications.

udp-port <port>: UDP port the notifications are sent to. This parameter is optional. In cases where it isn’t specified,
the notifications are sent to port 162.

vrf <vrf-name>: Secondary VRF the notifications are sent over. This parameter is optional. In cases where it isn’t
specified, the notifications are sent over the main VRF.

traps: specifies the types of notifications sent to the host. You can specify various types of notifications. The existing
types are as follows:

Type Description

SNMP Agent 9
2 Configuring the SNMP Agent Teldat SA

all All notifications

authentication-failure Notifications for authentication failures
cold-start Notifications when the router has executed a cold-start.
enterprise-specific Enterprise specific notifications. Enterprise specific notifications indicate that
something has happened which is defined as unusual and should be reported.
The notification “specific-trap” field identifies the specific event that has occurred.
In our router, the specific enterprise notifications are those configured as such in
the Events Logging System. On enabling the specific notifications, the rest of the
groups automatically enable. Consequently, the events enabled for ‘snmp-trap’
and for all the rest of the groups reach the host.
enterprise-specific-group1 Enterprise specific notifications group 1. The enterprise specific notification indic-
ates that something has happened that is defined as unusual and should be repor-
ted. The notification “specific-trap-group1” field identifies the specific event that
has occurred. In our router, the enterprise specific notifications are those con-
figured as such in the Events Logging System (ELS).
enterprise-specific-group2 Enterprise specific notifications group 2. The enterprise specific notification indic-
ates that something has happened that is defined as unusual and should be repor-
ted. The notification “specific-trap-group2” field identifies the specific event that
has occurred. In our router, the enterprise specific notifications are those con-
figured as such in the Events Logging System (ELS).
enterprise-specific-group3 Enterprise specific notifications group 3. The enterprise specific notification indic-
ates that something has happened that is defined as unusual and should be repor-
ted. The notification “specific-trap-group3” field identifies the specific event that
has occurred. In our router, the enterprise specific notifications are those con-
figured as such in the Events Logging System (ELS).
enterprise-specific-group4 Enterprise specific notifications group 4. The enterprise specific notification indic-
ates that something has happened that is defined as unusual and should be repor-
ted. The notification “specific-trap-group4” field identifies the specific event that
has occurred. In our router, the enterprise specific notifications are those con-
figured as such in the Events Logging System (ELS).
link-down “Link down” notification. This indicates an error in one of the router interfaces. The
notification contains the ifIndex value for the affected interface as the first element
in its variables list.
link-up “Link up” notification. Indicates that one of the router’s interfaces that was down
has begun operating again. The notification contains the ifIndex value for the af-
fected interface as the first element in its variables list.
warm-start Notifications when the router has executed a warm-start.

Example:

The host is configured in 172.24.51.12 address in order to send it encrypted SNMPv3 traps using the teldatuser
user. The notifications are sent to port 170. Notifications are send to report changes in the interface states.

SNMP config>host 172.24.51.12 trap version v3 auth teldatuser udp-port 170 link-
up link-down
SNMP config>

Example:

The host is configured in address 172.24.51.13 in order to send it SNMPv2 informs using the teldatcomm1 com-
munity. All the notifications are sent.

SNMP config>host 172.24.51.13 inform version v2 teldatcomm1 all

SNMP config>

Example:

The host is configured in address 172.24.51.12 in order to send it SNMPv1 traps using the teldatcomm2 community.
The enterprise specific notifications are sent.

SNMP config>host 172.24.51.12 trap version v1 teldatcomm2 enterprise-specific

SNMP config>

2.2.11 LIST
Lists the SNMP configuration.

10 SNMP Agent
Teldat SA 2 Configuring the SNMP Agent

Syntax:

SNMP config>list ?
access Display current access views configuration
all Display all the SNMP configuration information
community Display current communities configuration
group Display current groups configuration
host Display current hosts configuration
trap-sending-parameters Display trap sending configuration
user Display current users configuration
view Display current views configuration
SNMP config>

2.2.11.1 LIST ACCESS

Lists the views configured for each group and security model.

Example:

SNMP config>list access

--------------
Access Entries
--------------
Group Name Context secModel secLevel Views
------------ ---------- -------- ------------ -----------------------------
teldatgroup2 v1 noAuthNoPriv readView:
writeView: teldatwriteview
notifyView:
teldatgroup v3-usm Priv readView: _all_
writeView: _all_
notifyView: _all_
pap sd any AuthNoPriv readView: fd
writeView: ff
notifyView: df
teldatgroup v3-usm Priv readView: teldatreadview
writeView:
notifyView: teldatnotifyviewe
SNMP config>

2.2.11.2 LIST ALL

Displays all the SNMP configuration information.

Example:

SNMP config>list all

Default configuration is disabled
SNMP is enabled
No trap sending parameters, showing default values

Max time storing traps (seg): 50

Max number of traps to store: 32
Manager reachability check before sending traps: UDP echo

Community Name IP Address IP Mask

--------------------------------- --------------------------
public ALL
private 192.6.2.168 255.255.255.255

Community Name Access

--------------------------------- --------------------------
public Read, Trap

SNMP Agent 11
2 Configuring the SNMP Agent Teldat SA

private Read, Write, Trap

Community name Views

--------------------------------- --------------------------
public mib2
private teldat

View name Subtree

--------------------------------- --------------------------
mib2 1.3.6.1.2.1 (included)
teldat 1.3.6.1.4.1.2007 (included)

--------------
Access Entries
--------------
Group Name Context secModel secLevel Views
------------ ---------- -------- ------------ -----------------------------
teldatgroup2 v1 noAuthNoPriv readView:
writeView: teldatwriteview
notifyView:

teldatgroup v3-usm Priv readView: _all_

writeView: _all_
notifyView: _all_
pap sd any AuthNoPriv readView: fd
writeView: ff
notifyView: df
teldatgroup v3-usm Priv readView: teldatreadview
writeView:
notifyView: teldatnotifyviewe

------
Groups
------
SecName secModel Group name
-------------------- -------- -------------------
teldat v3-usm teldatgroup2
teldatmd5aes v3-usm teldatgroup2
teldatmd5des v3-usm teldatgroup2
teldatshades v3-usm teldatgroup2
teldatuser v3-usm teldatgroup2
teldatuser2 v1 teldatgroup

-----
Hosts
-----
SecName IP Address Type Port Security Traps
----------- --------------- ------ ----- ------------------- -------------------
teldat 172.24.51.12 trap 162 v3-usm Priv Cold Start
Warm Start
Link Down
Link Up
Auth. Failure
Enterprise Specific
teldat2 172.24.51.12 trap 162 v3-usm AuthNoPriv Cold Start
Warm Start
Link Down
Link Up
Auth. Failure

12 SNMP Agent
Teldat SA 2 Configuring the SNMP Agent

Enterprise Specific
teldatcomm2 172.24.51.12 trap 162 v1 noAuthNoPriv Enterprise Specific
teldatuser 172.24.51.12 trap 170 v3-usm AuthNoPriv Link Down
Link Up
Ent. Sp. Group 2
Ent. Sp. Group 3
teldatcomm1 172.24.51.12 inform 162 v2c noAuthNoPriv None

-----
Users
-----
SecName auth type priv type
------------------------------- --------- ---------
teldat sha aes-128
teldatmd5aes md5 aes-128
teldatmd5des md5 des
teldatshades sha des
teldatuser sha des
teldatuser2 sha aes-128

SNMP config>

Note

If the default configuration is enabled, SNMP is always enabled.

2.2.11.3 LIST COMMUNITY

Lists information on the configured communities.

Syntax:

SNMP config>list community ?

access Display the access mode information for all communities
address Display the associated addresses information for all communities
view Display the view information associated to each community
SNMP config>

LIST COMMUNITY ACCESS

Lists information on the access level associated to the different configured communities.

Example:

SNMP config>list community access

Community Name Access
--------------------------------- --------------------------
public Read, Trap
private Read, Write, Trap
SNMP config>

LIST COMMUNITY ADDRESS

Lists information on the subnets from those that are permitted access using the different communities.

Example:

SNMP config>list community address

Community Name IP Address IP Mask
--------------------------------- --------------------------
public ALL
private 192.6.2.168 255.255.255.255

SNMP Agent 13
2 Configuring the SNMP Agent Teldat SA

SNMP config>

LIST COMMUNITY VIEW

Lists the view information associated to each community.

Example:

SNMP config>list community view

Community name Views
--------------------------------- --------------------------
public mib2
private teldat
SNMP config>

2.2.11.4 LIST GROUP

Lists information on the configured groups.

Example:

SNMP config>list group

------
Groups
------
SecName secModel Group name
-------------------- -------- -------------------
teldat v3-usm teldatgroup2
teldatmd5aes v3-usm teldatgroup2
teldatmd5des v3-usm teldatgroup2
teldatshades v3-usm teldatgroup2
teldatuser v3-usm teldatgroup2
teldatuser2 v1 teldatgroup
SNMP config>

2.2.11.5 LIST HOST

Lists information on the configured notifications.

Example:

SNMP config>list host

-----
Hosts
-----
SecName IP Address Type Port VRF Name Security Traps
----------- --------------- ------ ----- ------------ ------------------- -------------------
teldat 172.24.51.12 trap 162 <main> v3-usm Priv Cold Start
Warm Start
Link Down
Link Up
Auth. Failure
Enterprise Specific
teldat2 172.24.51.12 trap 162 <main> v3-usm AuthNoPriv Cold Start
Warm Start
Link Down
Link Up
Auth. Failure
Enterprise Specific
teldatcomm2 172.24.51.12 trap 162 <main> v1 noAuthNoPriv Enterprise Specific
teldatuser 172.24.51.12 trap 170 <main> v3-usm AuthNoPriv Link Down
Link Up

14 SNMP Agent
Teldat SA 2 Configuring the SNMP Agent

Ent. Sp. Group 2

Ent. Sp. Group 3
teldatcomm1 172.24.51.12 inform 162 <main> v2c noAuthNoPriv None
SNMP config>

2.2.11.6 LIST TRAP-SENDING-PARAMETERS

Lists information relative to the sending of notifications.

Example:

SNMP config>list trap-sending-parameters

No trap sending parameters, showing default values

Max time storing traps (seg): 50

Max number of traps to store: 32
Manager reachability check before sending traps: UDP echo

SNMP config>

2.2.11.7 LIST USER

Lists information on the configured users.

Example:

SNMP config>list user

-----
Users
-----
SecName auth type priv type
------------------------------- --------- ---------
teldat sha aes-128
teldatmd5aes md5 aes-128
teldatmd5des md5 des
teldatshades sha des
teldatuser sha des
teldatuser2 sha aes-128
SNMP config>

2.2.11.8 LIST VIEW

Lists information on the view defined in the system, with the MIB portions or subtrees associated to each.

Example:

SNMP config>list view

View name Subtree
--------------------------------- --------------------------
teldatview 1.3.6.1.4.1.2007 (included)
mib2 1.3.5.1.2.1 (included)
SNMP config>

2.2.12 MIB
Allows you to configure options for the MIBs.

Syntax:

SNMP config>mib <mibName> <variableName> <option>

2.2.12.1 MIB IFMIB

Allows you to configure options for the IF-MIB MIB.

SNMP Agent 15
2 Configuring the SNMP Agent Teldat SA

Syntax:

SNMP config>mib ?
ifmib Options for IF-MIB

2.2.12.1.1 MIB IFMIB IFALIAS

Allows you to configure options for the ifAlias variable of the IF-MIB MIB.

SNMP config>mib ifmib ?

ifalias Options for ifAlias variable
SNMP config>mib ifmib ifalias ?
256 Change ifAlias value larger than 64 characters

• 256: Allows you to increase the maximum limit on the allowable length for the string of characters that is the value
of the ifAlias variable.

Example:

SNMP config>mib ifmib ifalias 256

2.2.13 NO
Configures the parameters with their default values or deletes the configuration.

Syntax:

SNMP config>no ?
access Specify access views associated to a group and security
model
community Create a community or modify parameters of an existing one
context Create a context or modify an existing one
default-config Enable the SNMP default configuration
engineid Specify an SNMPv3 EngineID
group Assign a <user, securityModel> tuple to a group
host Specify a host to receive SNMP notification messages
mib Configure options for a MIB
subtree Create or modify a MIB view
trap Set trap parameters
user Create a SNMPv3 user or modify parameters of an existing one
SNMP config>

Example:

Deleting the private community.

SNMP config>no community private

SNMP config>

Example:

Deleting all the notifications configuration associated to host 172.24.51.12.

SNMP config>no host 172.24.51.12

SNMP config>

Example:

Default configuration for the maximum time that a notification is kept before sending it.

SNMP config>no trap sending-parameters time

SNMP config>

2.2.14 SUBTREE
Creates a new view or adds a portion of the MIB to an already existing view. It’s possible to include or exclude the
MIB portion from the existing view.

16 SNMP Agent
Teldat SA 2 Configuring the SNMP Agent

To assign a view to one or more communities use the COMMUNITY community_name VIEW command and use
the ACCESS command to assign a view to a group.

Syntax:

SNMP config>subtree <viewName> <OID> <included | excluded>

SNMP config>

View name Specify the name of the view (32 characters maximum). Special characters such
as spaces, tabs, and so on, are not accepted.
Specifies the MIB Object ID for the subtree. All the objects that hang off this OID
OID are included in or excluded from the view.
included The specified OID is included in the view (it can be accessed).
excluded The specified OID is excluded from the view (it can’t be accessed).

Example:

SNMP config>subtree mib2 1.3.6.1.2.1 included

SNMP config>

Note

If one or various ‘excluded’ portions of the MIB are in a view, everything that doesn’t pertain to this is
also excluded from the view. I.e. by default access is restricted to all the variables that are not explicitly
specified as ‘included’.

2.2.15 TRAP
Configure the parameters used to determine sending conditions for the traps.

Syntax:

SNMP config>trap ?
sending-parameters Set trap sending parameters
SNMP config>

2.2.15.1 TRAP SENDING-PARAMETERS

Permits you to configure the trap sending parameters. The sending of an SNMP trap can provoke an X.25 or ISDN
call if the destination for these is on the other side of an interface of this type. For this reason it is advisable to group
the traps you need to send in a buffer and sent them all together in order to reduce the number of calls carried out.
Additionally, it’s a good idea to make sure that the address which has been configured as the traps destination is
reachable (that the call has already been established, following the previous example), so that the probability of the
traps being lost along the route diminishes. However, on other occasions, you may wish to receive the traps as
quickly as possible. Therefore it is convenient to minimize the number of traps saved in the buffer before being sent
or the maximum time that a trap can wait until it is sent. In this particular case, it is not recommendable to check if the
manager station which receives the traps is reachable. This could introduce a certain delay if you have to wait for a
response to the ECHO UDP or ICMP which is sent to each configured destination from the device to see if these are
accessible.

The type of traps sent to notify an event is another of the parameters that can be configured using this command.

The trap sending parameters which are configured from this option are:
NUMBER Size of the trap buffer to regroup: number of traps that can be stored before being
sent to their destination.
REACHABILITY-CHECKING Indicates if reachability checks for the manager stations configured as trap destin-
ation should be carried out before being sent.
TIME Maximum time that a trap is stored in the buffer before being sent (provided that
the buffer does not previously reach its maximum capacity).
FORMAT Format of the variable bindings list which is constructing when a trap is sent.

Syntax:

SNMP config>trap sending-parameters ?

number Number of traps to store before sending

SNMP Agent 17
2 Configuring the SNMP Agent Teldat SA

reachability-checking Reachability checking before sending traps

time Max time to store traps in buffer before sending
format Configure the variable-bindings list format
SNMP config>

TRAP SENDING-PARAMETERS NUMBER

Configures the size of the trap buffer to regroup. I.e. the number of traps that can be stored before being sent to their
destination. In all cases the traps are sent individually, each in an UDP packet.

Syntax:

SNMP config>trap sending-parameters number ?

<1..63> Max number of traps to store
SNMP config>

Default value: by default, 32 traps are stored.

Example:

SNMP config>trap sending-parameters number 30

SNMP config>

TRAP SENDING-PARAMETERS REACHABILITY-CHECKING

This parameter indicates if you are going to execute the reachability checking for the manager stations configured as
trap destinations before sending. The permitted values for this variable are:

icmp: enables ECHO ICMP sending to the destinations to check if these accessible.

ip-route: traps are only sent when a route to the destination has existed for more than 10 seconds (or the configured
value). Through the up-delay option, you can configure the time an IP route to the destination must exist for in order
to determine if it is accessible.

udp: enables ECHO UDP sending to the destinations to check if these are accessible.

Syntax:

SNMP config>trap sending-parameters reachability-checking ?

icmp ICMP checking
ip-route IP route checking
udp UDP checking
SNMP config>trap sending-parameters reachability-checking ip-route ?
up-delay IP route uptime to consider it accesible
<cr>
SNMP config>trap sending-parameters reachability-checking ip-route up-delay ?
<1s..10m> Route uptime
SNMP config>

Default value: by default the ECHO UDP sending is used.

Example:

SNMP config>trap sending-parameters reachability-checking ip-route up-delay 15s

SNMP config>

TRAP SENDING-PARAMETERS TIME

This is the maximum time that a trap is stored in the buffer before being sent provided that the buffer has not reached
maximum capacity. The traps are sent once the buffer is full or the maximum seconds indicated by this parameter
have elapsed if the buffer has not filled up before this.

Syntax:

SNMP config>trap sending-parameters time ?

<0s..3550w> Max time storing traps (Time value)
SNMP config>

Default value: by default the traps are stored for a maximum of 50 seconds.

18 SNMP Agent
Teldat SA 2 Configuring the SNMP Agent

Example:

SNMP config>trap sending-parameters time 40s

SNMP config>

TRAP SENDING-PARAMETERS FORMAT

The type of trap that is constructed to notify an event depends on the format configured through this command.

With the "legacy" option, each system event that is reported by SNMP format becomes in a specific type of trap for
this event, which includes a variable -bindings list whose size depends on the number of event arguments. When
two traps of this type are received, the same variable -binding in each of the traps can contain object instances
whose meaning and syntax is different depending on the event they generate. This mode of sending traps is propriet-
or and does not follow the standard.

Through the format ‘standard’ option, each even that is notified is transformed into a trap specified for this event,
whose arguments are converted in the list of variable-bindings defined for this type of trap.

Syntax:

SNMP config> trap sending-parameters format { legacy | standard }

By default, the format configed is “legacy”.

2.2.16 USER
Configures a user for SNMPv3. Specifies the authentication and encryption characteristics associated to the user.

Syntax:

SNMP config>user <userName> [auth {md5|sha} {plain|ciphered} <auth-key> [priv {aes128|des}

{plain|ciphered} <priv-key>]]

userName: user name.

auth: type of authentication used. This can be md5 or sha.
plain: select this option to enter the key in clear.
ciphered: select this option to enter the key encrypted.
auth-key : key used for authentication.
priv: type of authentication used. This can be aes128 or des.
priv-key : key used for encryption.

Example:

Configuration for a teldat user without security parameters (without authentication or encryption).

SNMP config>user teldat

Example:

Configuration for a teldatmd5 user with MD5 authentication using key teldatauth and without encryption.

SNMP config>user teldatmd5 auth md5 plain teldatauth

Example:

Configuration for a teldatshaaes user with SHA authentication using key teldatauth2 and with AES-128 encryption
using key teldatpriv.

SNMP config>user teldatshaaes auth sha plain teldatauth2 priv aes128 plain teldatpriv

2.2.17 EXIT
Use the EXIT command to return to the configuration prompt.

Syntax:

SNMP Config>exit

Example:

SNMP Agent 19
2 Configuring the SNMP Agent Teldat SA

SNMP Config>exit
Config>

20 SNMP Agent
Teldat SA 3 Monitoring the SNMP Agent

Chapter 3 Monitoring the SNMP Agent

3.1 Accessing the SNMP Monitoring Environment

To enter the SNMP monitoring environment use the PROTOCOL SNMP command found in the general monitoring
menu.

+protocol snmp
-- SNMP protocol monitor --
SNMP+

3.2 SNMP Monitoring Commands

Command Function
? (HELP) Displays the commands or their options.
LIST Displays information on the SNMP protocol.
EXIT Exits the SNMP monitoring menu.

3.2.1 ? (HELP)
Displays the available commands or the options for a command.

Syntax:

SNMP+?

Example:

SNMP+?
list Show protocol information
exit
SNMP+

3.2.2 LIST
Lists the current configuration for SNMP.

Syntax:

SNMP+list ?
access-entry Access entries information
all All the information
community Communities information
debug Debug information
group Groups information
host Hosts and notifications information
statistics SNMP statistics
trap-sending-parameters Information related to sending traps
user Users information
view Views defined in the system

3.2.2.1 LIST ACCESS-ENTRY

Lists the views associated to each group and security model.

Example:

SNMP+list access-entry
Access Group Name Access Parameters
--------------------------------- --------------------------

SNMP Agent 21
3 Monitoring the SNMP Agent Teldat SA

grpcomm1
Context:
Context match: prefix
Security model: any noAuthNoPriv
Read view: teldatview
Write view: teldatview
Notify view: teldatview
Storage Type: permanent
Row status: active

grpcomm2
Context:
Context match: prefix
Security model: any noAuthNoPriv
Read view: _all_
Write view: <not specified>
Notify view: _all_
Storage Type: permanent
Row status: active

teldatgroup
Context:
Context match: exact
Security model: v3 (USM) authPriv
Read view: _all_
Write view: _all_
Notify view: _all_
Storage Type: permanent
Row status: active

teldatgroup2
Context:
Context match: exact
Security model: v1 noAuthNoPriv
Read view: _all_
Write view: teldatwriteview
Notify view: _all_
Storage Type: permanent
Row status: active

Note

The configuration of communities is internally transformed into group configurations. This is why groups
appear that have not been explicitly configured.

3.2.2.2 LIST ALL

Lists all the information for the currently active SNMP configuration.

Syntax:

SNMP+list all

Example:

SNMP+list all
SNMP is enabled

Max time storing traps (seg): 50

Max number of traps to store: 32
Manager reachability check before sending traps: UDP echo

22 SNMP Agent
Teldat SA 3 Monitoring the SNMP Agent

Community Name IP Address IP Mask

--------------------------------- --------------------------
private ALL

Community Name Access

--------------------------------- --------------------------
private Read, Write, Trap

Community name Views

--------------------------------- --------------------------
private teldatview

Community Name SecName Parameters

--------------------------------- --------------------------
private Context:
SecName: comm1
Network prefix: 0.0.0.0/0

Access Group Name Access Parameters

-------------------------------- --------------------------
grpcomm1
Context:
Context match: prefix
Security model: any noAuthNoPriv
Read view: teldatview
Write view: teldatview
Notify view: teldatview
Storage Type: permanent
Row status: active

grpcomm2
Context:
Context match: prefix
Security model: any noAuthNoPriv
Read view: _all_
Write view: <not specified>
Notify view: _all_
Storage Type: permanent
Row status: active

teldatgroup
Context:
Context match: exact
Security model: v3 (USM) authPriv
Read view: _all_
Write view: _all_
Notify view: _all_
Storage Type: permanent
Row status: active

teldatgroup2
Context:
Context match: exact
Security model: v1 noAuthNoPriv
Read view: _all_
Write view: teldatwriteview
Notify view: _all_
Storage Type: permanent

SNMP Agent 23
3 Monitoring the SNMP Agent Teldat SA

Row status: active

Group Name Parameters

--------------------------------- --------------------------
grpcomm1 SecName: comm1
Security model: v1
Storage Type: permanent
Row status: active

teldatgroup SecName: teldatuser2

Security model: v1
Storage Type: permanent
Row status: active

grpcomm1 SecName: comm1

Security model: v2c
Storage Type: permanent
Row status: active

teldatgroup SecName: teldatuser

Security model: v3 (USM)
Storage Type: permanent
Row status: active

There are no host notifications

User Name Parameters

--------------------------------- --------------------------
teldatuser
Engine ID: 1234567890
Group-name: teldatgroup
SecName: teldat
Authentication Protocol: SHA
Privacy Protocol: AES128

_all_
view subtree: .0
view mask:
view type: included
Storage Type: permanent
Row status: active
_all_
view subtree: .1
view mask:
view type: included
Storage Type: permanent
Row status: active
_all_
view subtree: .2
view mask:
view type: included
Storage Type: permanent
Row status: active
_none_
view subtree: .0
view mask:
view type: excluded
Storage Type: permanent

24 SNMP Agent
Teldat SA 3 Monitoring the SNMP Agent

Row status: active

_none_
view subtree: .1
view mask:
view type: excluded
Storage Type: permanent
Row status: active
_none_
view subtree: .2
view mask:
view type: excluded
Storage Type: permanent
Row status: active
SNMP+

3.2.2.3 LIST COMMUNITY

Lists information on the configured communities.

Syntax:

SNMP+list community ?
access Display the access mode information for all communities
address Display the associated addresses information for all communities
view Display the view information associated to each community

LIST COMMUNITY ACCESS

Lists information on the access level associated to the different configured communities.

Syntax:

SNMP+list community access

Example:

SNMP+list community access

Community Name Access
--------------------------------- --------------------------
public Read, Trap
private Read, Write, Trap
SNMP+

LIST COMMUNITY ADDRESS

Lists information on the subnets that are permitted access using the different communities.

Syntax:

SNMP+list community address

Example:

SNMP+list community address

Community Name IP Address IP Mask
--------------------------------- --------------------------
public ALL
private 192.6.2.168 255.255.255.255
SNMP+

LIST COMMUNITY VIEW

Lists information on the view associated to each community.

Syntax:

SNMP Agent 25
3 Monitoring the SNMP Agent Teldat SA

SNMP+list community view

Example:

SNMP+list community view

Community name Views
--------------------------------- --------------------------
public mib2
private teldat
SNMP+

3.2.2.4 LIST DEBUG

Lists information on the internal structures used in the SNMP code. This information is only useful for debugging pur-
poses.

3.2.2.5 LIST GROUP

Lists information on the configured groups.

Syntax:

SNMP+list group

Example:

SNMP+list group
Group Name Parameters
--------------------------------- --------------------------
grpcomm1 SecName: comm1
Security model: v1
Storage Type: permanent
Row status: active

teldatgroup SecName: teldatuser2

Security model: v1
Storage Type: permanent
Row status: active

grpcomm1 SecName: comm1

Security model: v2c
Storage Type: permanent
Row status: active

teldatgroup SecName: teldatuser

Security model: v3 (USM)
Storage Type: permanent
Row status: active

3.2.2.6 LIST HOST

Lists information on the configured notifications.

Syntax:

SNMP+list host

Example:

SNMP+list host
Host Address Parameters
--------------------------------- --------------------------
172.24.51.12 UDP port: 162
Notification type: trap

26 SNMP Agent
Teldat SA 3 Monitoring the SNMP Agent

SecName: private
Message Processing Model: v1
security: v1 noAuthNoPriv

3.2.2.7 LIST STATISTICS

Lists the statistics on the received and sent packets.

Syntax:

SNMP+list statistics

Example:

SNMP+list statistics
-----------------------------------------
SNMP Counters
-----------------------------------------
In Packets ...................... 0
In Bad Versions ............... 0
In Bad Community Names ........ 0
In Bad Community Uses ......... 0
In ASN Parse Errors ........... 0
In Total Request Variables .... 0
In Total Set Variables ........ 0
In GET Requests ............... 0
In GET-NEXT Requests .......... 0
In SET Requests ............... 0
In GET-RESPONSEs .............. 0
In Traps ...................... 0
Out Packets ..................... 0
Out Packets Too Big ........... 0
Out No Such Names ............. 0
Out Bad Values ................ 0
Out Generic Errors ............ 0
Out GET-RESPONSEs ............. 0
Out Traps ..................... 0

-----------------------------------------
USM Counters
-----------------------------------------
Unsupported Security Levels ..... 0
Not In Time Windos .............. 0
Unknown User Names .............. 0
Unknown Engine IDs .............. 0
Wrong Digests ................... 0
Descryption Errors .............. 0

-----------------------------------------
Target MIB Counters
-----------------------------------------
Unknown Contexts ................ 0

-----------------------------------------
Other Counters
-----------------------------------------
Unknown Security Models ......... 0
Invalid Messages ................ 0
Unknown PDU Handlers ............ 0
SNMP+

SNMP Agent 27
3 Monitoring the SNMP Agent Teldat SA

3.2.2.8 LIST TRAP-SENDING-PARAMETERS

Lists information relative to sending traps.

Syntax:

SNMP+list trap-sending-parameters

Example:

SNMP+list trap-sending-parameters
Max time storing traps (seg): 50
Max number of traps to store: 32
Manager reachability check before sending traps: UDP echo

SNMP+

3.2.2.9 LIST USER

Lists information on the configured users.

Syntax:

SNMP+list user

Example:

SNMP+list user
User Name Parameters
--------------------------------- --------------------------
teldatuser
Engine ID: 1234567890
Group-name: teldatgroup
SecName: teldat
Authentication Protocol: SHA
Privacy Protocol: AES128

3.2.2.10 LIST VIEW

Lists information on the views defined in the system.

Syntax:

SNMP+list view

Example:

SNMP+list view
_all_
view subtree: .0
view mask:
view type: included
Storage Type: permanent
Row status: active

_all_
view subtree: .1
view mask:
view type: included
Storage Type: permanent
Row status: active

_all_
view subtree: .2
view mask:

28 SNMP Agent
Teldat SA 3 Monitoring the SNMP Agent

view type: included

Storage Type: permanent
Row status: active

_none_
view subtree: .0
view mask:
view type: excluded
Storage Type: permanent
Row status: active

_none_
view subtree: .1
view mask:
view type: excluded
Storage Type: permanent
Row status: active

_none_
view subtree: .2
view mask:
view type: excluded
Storage Type: permanent
Row status: active
SNMP+

3.2.3 EXIT
Exits the SNMP monitoring menu.

Syntax:

SNMP+exit

Example:

SNMP+exit
+

SNMP Agent 29
4 Configuration Examples Teldat SA

Chapter 4 Configuration Examples

4.1 SNMPv1
We configure a private community with read and write access, accessible from subnet 172.24.0.0.

community private access write-read-trap

community private subnet 172.24.0.0 255.255.0.0

4.2 SNMPv3
We configure four different users, using the different possible combinations of authentication and encryption. The
four users have access to all the MIB.

We also configure the engineID, to simplify data capture and decoding with a traffic analyst.

First configure the engineID:

SNMP config>engineid local 1234567890

SNMP config>

Next configure the four different users:

SNMP config>user teldatshaaes auth sha plain teldatshakey1 priv aes128 plain teldataeskey1
SNMP config>user teldatmd5aes auth md5 plain teldatmd5key1 priv aes128 plain teldataeskey2
SNMP config>user teldatmd5des auth md5 plain teldatmd5key2 priv des plain teldatdeskey1
SNMP config>user teldatshades auth sha plain teldatshakey2 priv des plain teldatdeskey2

Associate the users to a group:

SNMP config>group teldatshaaes v3-usm teldatgroup

SNMP config>group teldatmd5aes v3-usm teldatgroup
SNMP config>group teldatmd5des v3-usm teldatgroup
SNMP config>group teldatshades v3-usm teldatgroup

Finally define the views associated to the said group. We’re going to use the _all_ view to indicate all the OIDs.

SNMP config>access teldatgroup v3-usm priv read-view _all_ write-view _all_ noti
fy-view _all_

The final configuration is as follows:

SNMP config>sho conf

; Showing Menu and Submenus Configuration for access-level 15 ...
; Super Router * * Version 10.8.0-Alfa

engineid local 1234567890

user teldatmd5aes auth md5 ciphered 0x9EF49A1E6DE98B3A17B395CC91972DD1 priv
aes128 ciphered 0xF85A722D9DFE44BD02B19BD7FDF39A31
user teldatmd5des auth md5 ciphered 0x9EF49A1E6DE98B3A3B301FEBBE355690 priv
des ciphered 0xC5577087CC1FC12A979CDB77D6EE1682
user teldatshaaes auth sha ciphered 0xABF7853ECFB670CAF5830731ECEF2D4F priv
aes128 ciphered 0xF85A722D9DFE44BD56ADCA608C25C3EE
user teldatshades auth sha ciphered 0xABF7853ECFB670CA26C2B4252C567511 priv
des ciphered 0xC5577087CC1FC12AB10CF76833CD4F80
;
group teldatmd5aes v3-usm teldatgroup
;
group teldatmd5des v3-usm teldatgroup
;
group teldatshaaes v3-usm teldatgroup

30 SNMP Agent
Teldat SA 4 Configuration Examples

;
group teldatshades v3-usm teldatgroup
;
;
access teldatgroup v3-usm priv read-view _all_ write-view _all_ notify-view _all_
;
;
SNMP config>

4.3 SNMPv1/v2 multi-VRF consults

If required you can configure a context associated to the secondary VRF that you wish to consult.

This context is defined in the SNMP protocol menu and additionally you need to associate it to the community.

log-command-errors
no configuration
feature vrf
; -- VRF user configuration --
vrf vrf1 context ctxt
exit
;
network ethernet0/0
; -- Ethernet Interface User Configuration --
ip address 192.168.10.1 255.255.255.0
;
exit
;
;
protocol snmp
; -- SNMP user configuration --
community second context ctxt
;
context ctxt
;
;
exit
;
dump-command-errors
end

4.4 SNMPv3 multi-VRF consults

You need to configure a context associated to the secondary VRF that you wish to consult.

This context is defined in the SNMP protocol menu and additionally you need to associate it to the access command.

log-command-errors
no configuration
feature vrf
; -- VRF user configuration --
vrf vrf1 context ctxt
exit
;
network ethernet0/0
; -- Ethernet Interface User Configuration --
ip address 192.168.10.1 255.255.255.0
;
exit

SNMP Agent 31
4 Configuration Examples Teldat SA

;
;
protocol snmp
; -- SNMP user configuration --
user snmp_user
;
group snmp_user v3-usm snmp_group
;
access snmp_group context ctxt v3-usm noauth
;
context ctxt
;
;
exit
;
dump-command-errors
end

32 SNMP Agent