SNMP

1. Function Overview

Setting SNMP (Simple Network Management Protocol) makes it possible to monitor and change network management information for SNMP management software.
In this instance, this product will operate as an SNMP agent.

This product supports communication using SNMPv1, SNMPv2c, and SNMPv3. In terms of management information bases (MIB), it supports RFC1213 (MIB-II) and private MIBs (Yamaha switches).

SNMPv1 and SNMPv2 protocols send notification of the group name (referred to as a “community”) to recipients and only communicate between hosts that belong to that same community. In that case, different community names can be specified for two access modes, either the read-only or read-write mode.
In this way, community names function as a kind of password, but they carry inherent security risks because they must be sent over a network using plain text. The use of SNMPv3 is recommended when more secure communications are required.
SNMPv3 offers communication content authentication and encryption. SNMPv3 does away with the concept of community and instead uses security models called “USM” (User-based Security Model) and “VACM” (View-based Access Control Model). These models provide a higher level of security.

SNMP messages that notify the status of this product are called “traps”. This product transmits standard SNMP traps. In SNMPv1, trap requests that do not ask for an answer with the confirmation of receipt from the recipient are specified as the notification message format. However, with SNMPv2c and SNMPv3, either an “inform” request asking for an answer from the recipient, or a trap request can be selected.

Since this product does not specifically specify a default community name value for read-only and transmission traps used for SNMPv1 and SNMPv2c protocols, be sure to specify an appropriate community name. However, as described above, community names are sent over the network in plain text, so be careful to never use a login password or administrator password as the community name.
By default, no access is possible in each SNMP version. The transmission host for the trap is not set, so traps will not be sent anywhere.

This product can restrict access to the SNMP server. Specifying access restrictions can restrict access from unintended hosts.

2. Definition of Terms Used

None

3. Function Details

The main characteristics of each SNMP version and the router setting policies are explained below.
For specific examples of settings, see “Examples of Command Execution” below.

3.1. SNMPv1

This is authentication between the SNMP manager and agent by using community names.
The controlling device (this product) is divided and managed by zones called “communities”.

Accessing the MIB objects
Community names specified using the snmp-server community command are used to permit access.
Access is possible from a VLAN interface whose IP address has been specified.
SNMP traps
The status of switches can be sent to hosts specified using the snmp-server host command.
The snmp-server enable trap command is used to specify the kind of trap to send.
The snmp-server startup-trap-delay command is used to specify when to send the trap during startup.
When sending a trap at startup, if this product has not yet obtained a source IP address, the trap cannot be sent.
For example, if it takes a long time to obtain an IP address via DHCP, change the value of the snmp-server startup-trap-delay command.

3.2. SNMPv2c

As with SNMPv1, community names are used for authentication between the SNMP manager and agents.
The snmp-server community command is used to specify the community names used to access switches by SNMPv2c.
The “GetBulk” and “Inform” requests are also now supported from this version.
These requests are used to efficiently retrieve multiple MIB objects, and to confirm replies to notification packets sent from this product.

Accessing the MIB objects
Community names specified using the snmp-server community command are used to permit access.
Access is possible from a VLAN interface whose IP address has been specified.
SNMP traps
The status of switches can be sent to hosts specified using the snmp-server host command.
Also, the settings of this command can be used to select whether the transmitted message format is a trap or inform request.
Inform requests are used to request confirmation of reply to the recipient.
The snmp-server startup-trap-delay command is used to specify when to send the trap during startup.
When sending a trap at startup, if this product has not yet obtained a source IP address, the trap cannot be sent.
For example, if it takes a long time to obtain an IP address via DHCP, change the value of the snmp-server startup-trap-delay command.

3.3. SNMPv3

In addition to all of the functions offered in SNMPv2, SNMPv3 offers more robust security functions.
SNMPv3 can authenticate and encrypt SNMP packets sent across the network to protect packets from eavesdropping, spoofing, falsification, replay attacks, and other risks and achieve security levels not possible with SNMPv1 or SNMPv2c functionality, such as community names or SNMP manager IP addresses.

Security
SNMPv3 offers the following security functions.
1. USM (User-based Security Model)
  USM is a model for maintaining security at the message level. It offers authentication and encryption based on shared key cryptography and prevents falsification of message streams.
  - Security level
    The security level can be specified using the parameter settings for the group to which users belong.
    Security levels are classified based on a combination of authentication and encryption, as indicated below.
    
    noAuthNoPriv : No authentication or encryption
    
    AuthNoPriv : Authentication only
    
    AuthPriv : authentication and encryption
  - User authentication
    For authentication, HMAC is used in the procedure to authenticate the integrity (whether data has been falsified or not) and the source.
    A hash is used in the authentication key to confirm whether the message has been falsified, and whether the sender is the user themselves.
    Both HMAC-MD5-96 and HMAC-SHA-96 are supported as hash algorithms.
  - Encryption
    With SNMPv3, SNMP messages are encrypted for the purpose of preventing leakage of managed information.
    Both the DES-CBC and AES128-CFB encryption schemes are supported.
    The snmp-server user command can be used to specify usernames, corresponding group names, user authentication methods, encryption methods, and passwords.
    The necessary authentication and encryption settings can be made according to the security level specified in the group settings.
2. VACM (View-based Access Control Model)
  VACM is a model for controlling access to SNMP messages.
  - Group
    With VACM, the access policies mentioned below are defined per group, not per user.
    Use the snmp-server user command with the optional “group” setting to specify user group affiliation. The MIB views set here that are accessible to the specified groups can be configured.
  - MIB view
    With SNMPv3, a collection of accessible MIB objects can be defined for each group. When defined, the collection of MIB objects is called the “MIB view”. The “MIB view” is expressed as a collected view sub-tree that shows the object ID tree.
    Use the snmp-server view command to specify the MIB view. Whether the MIB view should be included or excluded in each view sub-tree can be selected.
  - Access policy
    With VACM, set the MIB view that will permit reading and writing for each group.
    Use the snmp-server group command to set the group name, security level, and MIB view.
    The MIB view is the MIB view specified using the snmp-server view command.
SNMP traps
The status of switches can be sent to hosts specified using the snmp-server host command.
In order to transmit a trap, the snmp-server user command must first be used to configure the user.
Also, the settings of this command can be used to select whether the transmitted message format is a trap or inform request.
Inform requests are used to request confirmation of reply to the recipient.
The snmp-server startup-trap-delay command is used to specify when to send the trap during startup.
When sending a trap at startup, if this product has not yet obtained a source IP address, the trap cannot be sent.
For example, if it takes a long time to obtain an IP address via DHCP, change the value of the snmp-server startup-trap-delay command.

3.4. Restricting SNMP server access

Hosts able to access the product’s SNMP server can be specified using the snmp-server access command.
Access from unintended hosts can be restricted by only allowing access from the intended SNMP manager.
Default settings accept access from all hosts. Specify access restrictions based on the operating environment.
For more information about access restrictions, refer to Remote Access Control.

3.5. Private MIBs

This product supports yamahaSW, which is a proprietary private MIB for switch management.
This private MIB allows the obtaining of information for Yamaha’s proprietary functions, and for more detailed information about the switch.
For information about supported private MIBs and how to obtain private MIBs, refer to SNMP MIB Reference.

4. Related Commands

Related commands are indicated below.
For details on the commands, refer to the Command Reference.

Operations	Operating commands
Set host that receives SNMP notifications	snmp-server host
Set how long to wait for notification messages to be transmitted when starting up the system.	snmp-server startup-trap-delay
Set notification type to transmit	snmp-server enable trap
Set system contact	snmp-server contact
Set system location	snmp-server location
Set SNMP community	snmp-server community
Set SNMP view	snmp-server view
Set SNMP group	snmp-server group
Set SNMP user	snmp-server user
Specify SNMP server access settings	snmp-server access
Show SNMP community information	show snmp community
Show SNMP view settings	show snmp view
Show SNMP group settings	show snmp group
Show SNMP user settings	show snmp user

Operations

Operating commands

Set host that receives SNMP notifications

snmp-server host

Set how long to wait for notification messages to be transmitted when starting up the system.

snmp-server startup-trap-delay

Set notification type to transmit

snmp-server enable trap

Set system contact

snmp-server contact

Set system location

snmp-server location

Set SNMP community

snmp-server community

Set SNMP view

snmp-server view

Set SNMP group

snmp-server group

Set SNMP user

snmp-server user

Specify SNMP server access settings

snmp-server access

Show SNMP community information

show snmp community

Show SNMP view settings

show snmp view

Show SNMP group settings

show snmp group

Show SNMP user settings

show snmp user

5. Examples of Command Execution

5.1. SNMPv1 setting example

This example makes SNMPv1-based network monitoring possible under the following conditions.

Set the read-only community name “public”.
Set the trap destination as “192.168.100.11”, and set trap community name to “snmptrapname”.

Hosts that can access communities named “public” are restricted to only 192.168.100.0/24.

Yamaha(config)# snmp-server community public ro                  　          ... 1
Yamaha(config)# snmp-server host 192.168.100.11 traps version 1 snmptrapname ... 2
Yamaha(config)# snmp-server access permit 192.168.100.0/24 community public  ... 3

5.2. SNMPv2c setting example

This example makes SNMPv2c-based network monitoring possible under the following conditions.

Set the readable/writable community name as “private”.
Specify the notification message destination as “192.168.100.12”, the notification type as “inform” request format, and the notification destination community name as “snmpinformsname”.

Hosts that can access communities named “private” are restricted to only 192.168.100.12.

Yamaha(config)# snmp-server community private rw                  　               ...1
Yamaha(config)# snmp-server host 192.168.100.12 informs version 2c snmpinformsname ...2
Yamaha(config)# snmp-server access permit 192.168.100.12 community private         ...3

5.3. SNMPv3 setting example

This example makes SNMPv3-based network monitoring possible under the following conditions.

Specify the view that shows the internet node (1.3.6.1) and below as “most”.
Specify the view that shows the mib-2 node (1.3.6.1.2.1) and below as “standard”.
Create the user group “admins” and assign full access rights to the “most” view for all users in the “admins” group.
Create the user group “users” and assign read-only access rights for the “standard” view to users in the “users” group.
Create an “admin1” user that belongs to the “admins” group.
Set the password to “passwd1234”, using the “HMAC-SHA-96” authentication algorithm.
Set the encryption password to “passwd1234”, using the “AES128-CFB” encryption algorithm.
Create an “user1” user that belongs to the “users” group.
Set the password to “passwd5678”, using the “HMAC-SHA-96” authentication algorithm.
Send notifications in trap format (without response confirmation) to 192.168.10.3.
Send notifications in inform request format to 192.168.20.3.

Yamaha(config)# snmp-server view most 1.3.6.1 include                                  ... 1
Yamaha(config)# snmp-server view standard 1.3.6.1.2.1 include                          ... 2
Yamaha(config)# snmp-server group admins priv read most write most                     ... 3
Yamaha(config)# snmp-server group users auth read standard                             ... 4
Yamaha(config)# snmp-server user admin1 admins auth sha passwd1234 priv aes passwd1234 ... 5
Yamaha(config)# snmp-server user user1 users auth sha passwd5678                       ... 6
Yamaha(config)# snmp-server host 192.168.10.13 traps version 3 priv admin1             ... 7
Yamaha(config)# snmp-server host 192.168.20.13 informs version 3 priv admin1           ... 8

6. Points of Caution

Check the SNMP version that can be used with the SNMP manager beforehand. It is necessary to configure this product in accordance with the SNMP version that will be used.
This product is not compatible with the following functions related to SNMPv3.
- Proxy function
- Access to MIB objects after the SNMPv2 subtree (1.3.6.1.6). Changing SNMPv3-related settings via SNMP is also not supported.
Character string specifications for the community name, username, password, and group name are as follows.
- When enclosed in single or double quotation marks, the character string in the single or double quotation marks is used.
  - The case where there is a character string outside the single or double quotation marks is not supported.
  - If a character string is enclosed in single or double quotation marks, the single or double quotation marks on both ends are not included in the character count.
  - The group name is assigned to the character string used with the snmp-server user command.
    
    It is not assigned to the character string used with the snmp-server group command.
- The use of \ is not supported.
- The use of only single or double quotation marks is not supported.
SNMP server access restrictions specified using the snmp-server access command only apply to SNMPv1 and SNMPv2c access. They do not apply to SNMPv3 access.