AT-8000S using SNMPv3

Transcript

  • 1. SNMPv3 AT-8000S Marvell Confidential
  • 2. Overview
    • Simple Network Management Protocol version 3 (SNMPv3) is an interoperable, standards-based protocol for network management.
    • SNMPv3 provides secure access to devices by a combination of authenticating and encrypting packets over the network.
  • 3. Overview
    • The following security features are included in SNMPv3:
      – Message integrity
      – Authentication
      – Encryption
    • SNMPv3 also describes how to apply access control and the new trap-sending mechanism to SNMPv1 and SNMPv2 PDUs.
  • 4. Local Engine Information
    • Each SNMP agent maintains some local information to be used in SNMPv3 message exchanges.
    • An SNMP agent is considered an authoritative SNMP engine, both for the incoming messages (Get, GetNext, GetBulk, Set) it receives and for the Trap messages it sends to a manager.
    • The agent’s local information is encapsulated in message fields.
  • 5. Security
    • RFC 2574 defines the User-based Security Model (USM) for SNMPv3.
    • This specification includes:
      – Authentication
      – Privacy
      – Timeliness
      – Key management
  • 6. Authentication
    • Provides data integrity and data origin authentication.
    • Authenticating an SNMPv3 message involves an HMAC authentication code, with the hash function being either MD5 or SHA-1.
    • This code is created by the originator of the SNMP message and is written into the msgAuthenticationParameters field of the message.
    • The receiver then uses this code to validate the message’s integrity and origin.
    • The agent supports both the HMAC-MD5 and HMAC-SHA protocols.
  • 7. Privacy
    • Protects against disclosure of the message’s payload.
    • The cipher block chaining (CBC) mode of DES is used for encryption.
    • The user can employ either authentication alone on an SNMP message, or both authentication and privacy, but not privacy without authentication.
  • 8. Timeliness
    • Protects against message delay or replay.
    • The SNMP agent performs a timeliness check on an incoming message by comparing the time information carried in the message against its own engine time.
  • 9. Key management
    • Defines procedures for key generation, update and use.
    • The keys for authentication and privacy are not passed via the SNMP protocol.
    • The NMS shares the keys with each agent it works with.
    • The RFC defines a procedure for producing the key the NMS shares with a certain agent, using an NMS password and that agent’s engineID.
    • Changing an authentication or privacy key is done by changing the appropriate fields in the usmUserTable. The new key is calculated by the agent from the old key.
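As an added example (not from the presentation or the AT-8000S code), this Python script carries out the USM password-to-key and key localization steps described in slides 6 and 9 against the RFC 3414 test vector, and shows how msgAuthenticationParameters is produced by the sender and checked by the agent. The message layout and the 12-byte field offset are constructed stand-ins, not a real BER-encoded SNMPv3 message.

```python
"""USM key handling from RFC 3414 (the successor of RFC 2574), modelled on the slides above."""
import hashlib
import hmac

def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: hash the password repeated to exactly 1,048,576 bytes (RFC 3414 A.2.1 / A.2.2)."""
    reps, rem = divmod(1_048_576, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key the NMS shares with one specific agent."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def auth_params(kul: bytes, whole_msg: bytes, algo: str) -> bytes:
    """msgAuthenticationParameters (HMAC-96): first 12 bytes of the HMAC over the whole
    message, computed with the 12-byte parameters field itself set to zeros."""
    return hmac.new(kul, whole_msg, algo).digest()[:12]

def sign(kul: bytes, msg: bytes, offset: int, algo: str) -> bytes:
    """Sender side: fill in the 12-byte authentication field that starts at `offset`."""
    zeroed = msg[:offset] + b"\x00" * 12 + msg[offset + 12:]
    return msg[:offset] + auth_params(kul, zeroed, algo) + msg[offset + 12:]

def verify(kul: bytes, msg: bytes, offset: int, algo: str) -> bool:
    """Receiver side: recompute over the zeroed message and compare in constant time."""
    zeroed = msg[:offset] + b"\x00" * 12 + msg[offset + 12:]
    return hmac.compare_digest(msg[offset:offset + 12], auth_params(kul, zeroed, algo))

# Test vector from RFC 3414 Appendix A (not constructed here): password "maplesyrup",
# snmpEngineID 00 00 00 00 00 00 00 00 00 00 00 02.
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

def localized_keys() -> dict:
    """Localized keys for both hash functions the agent supports (HMAC-MD5 and HMAC-SHA)."""
    return {algo: localize_key(password_to_key(RFC_PASSWORD, algo), RFC_ENGINE_ID, algo).hex()
            for algo in ("md5", "sha1")}

# Constructed stand-in for an SNMPv3 message: 8 header bytes, 12-byte auth field, payload.
SAMPLE_MSG = b"\x30\x81\x00\x02\x01\x03\x30\x10" + b"\x00" * 12 + b"get-request:sysUpTime.0"
AUTH_OFFSET = 8

def roundtrip(tamper: bool = False) -> bool:
    """Sign with the RFC SHA-1 key, optionally flip a payload bit, then verify as the agent would."""
    kul = bytes.fromhex(localized_keys()["sha1"])
    signed = sign(kul, SAMPLE_MSG, AUTH_OFFSET, "sha1")
    if tamper:
        signed = signed[:-1] + bytes([signed[-1] ^ 0x01])
    return verify(kul, signed, AUTH_OFFSET, "sha1")
```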
  • 10. Sending Traps
    • Defined in RFC 2573.
    • The trap-sending mechanism defined in the SNMPv3 architecture includes the following phases:
      – Identifying management targets for traps
      – Filtering of a trap
      – Choosing parameters to generate the trap message
      – Access control checks
  • 11. Access Control
    • RFC 2575 defines the View-based Access Control Model (VACM), which enables an SNMP agent to enforce a particular set of access rights to MIB data.
    • Determining access rights depends on the following factors:
      – The principal that initiates the access request. For example, a manager responsible for the configuration of a whole network may have wide authority to change MIB values, while a manager with monitoring responsibility may have read-only access, or even no access at all, to certain MIB objects.
  • 12. Access Control (Cont.)
      – The security level used for delivering the SNMP request over the network. Usually, a manager will mandate the use of authentication for set requests.
      – The security model used for processing the SNMP request. The agent can define different levels of access for the SNMPv1 and SNMPv2 security models, in which no security is applied to the message, and for the SNMPv3 User-based Security Model.
      – The MIB context in the request. A context can be defined as a named subgroup of MIB object instances.
  • 13. Access Control (Cont.)
      – An SNMP agent can maintain one or more contexts, and a MIB object or object instance can belong to one or more contexts.
      – For example, an agent can maintain information on multiple devices, each of them represented by a different context name.
      – The originator of an SNMP request should place the name of the context of the MIB data it wants to access in the contextName field of the message.
      – The specific object instance for which access is requested. Some objects contain information that is more sensitive than that of others.
  • 14. Access Control (Cont.)
      – The type of access requested: read, write or notify.
      – A different access control policy may be applied to each of these management operations.
  • 15. SNMPv3 Implementation: AT-8000S
  • 16. SNMPv3 in the AT-8000S
    • MD5 keys and passwords are saved in the configuration file.
    • Some checks are made on user entries to facilitate correct configuration of SNMPv3 (and help the user avoid mistakes).
    • Definition of a username and community is contingent upon the definition of a group name.
  • 17. User controls
    The user can configure the following per SNMP manager and trap receiver:
    • Mode of operation (version of SNMP to use).
    • Authentication and encryption facilities used.
    • MIB access rights (read, write, notify).
    The user can configure the following per system:
    • SNMPv3 Engine ID.
  • 18. SNMPv3 – CLI Commands (AT-8000S)
  • 19. Enabling SNMP community
    • Use the following global configuration command to set up the community access string that permits access to the SNMP command:
        snmp-server community community [ro | rw | su] [ip-address] [view view-name]
        snmp-server community-group community group-name [ip-address]
    • community: Community string that acts like a password and permits access to the SNMP protocol (up to 20 characters).
  • 20. Enabling SNMP community (Cont.)
    • To remove a specified community string, use:
        no snmp-server community community [ip-address]
  • 21. Creating/updating a View Entry
    • Use the following global configuration command to create or update a view entry. To remove the specified SNMP server view entry, use the “no” form of this command:
        snmp-server view view-name oid-tree {included | excluded}
        no snmp-server view view-name [oid-tree]
    • view-name: Label for the view record that you are updating or creating. The name is used to reference the record.
    • oid-tree: Object identifier of the ASN.1 subtree to be included in or excluded from the view.
    • included: The view type is included.
    • excluded: The view type is excluded.
  • 22. Creating/updating a View Entry (Cont.)
    Example:
        console(config)# snmp-server view user-view system included
        console(config)# snmp-server view user-view system.7 excluded
        console(config)# snmp-server view user-view ifEntry.*.1 included
  • 23. Mapping SNMP Users to SNMP Views
    • Use the following global configuration command to configure a new SNMP group, i.e. a table that maps SNMP users to SNMP views. To remove a specified SNMP group, use the no form of this command:
        snmp-server group groupname {v1 | v2 | v3 {noauth | auth | priv}} [notify notifyview] [read readview] [write writeview]
        no snmp-server group groupname [v1 | v2 | v3 [noauth | auth | priv]]
    • Example:
        console(config)# snmp-server group user-group v3 priv read user-view
  • 24. SNMP engineID
    • Use the following Global Configuration mode command to specify the SNMP engineID on the local device. To remove the configured engine ID, use the no form of this command:
        snmp-server engineID local {engineid-string | default}
        no snmp-server engineID local
    • engineid-string: Specifies a character string that identifies the engine ID. (Range: 9–64 hexadecimal characters)
    • default: The engine ID is created automatically based on the device MAC address.
    • Example:
        console(config)# snmp-server engineid local default
  • 25. Configure SNMPv3 User
    • Use the following global configuration command to configure a new SNMP Version 3 user. To remove a user, use the no form of the command:
        snmp-server user username groupname [remote engineid-string] [auth-md5 password | auth-sha password | auth-md5-key md5-des-keys | auth-sha-key sha-des-keys]
        no snmp-server user username
    • username: The name of the user on the host that connects to the agent.
    • groupname: The previously defined name of the group to which the user belongs.
    • engineid-string: Specifies the engine ID of the remote SNMP entity to which the user belongs.
  • 26. Configure SNMPv3 User (Cont.)
    • If auth-md5 or auth-sha is specified, both authentication and privacy are enabled for the user.
    • When you enter a “show running-config” command, you will not see a line for this user.
    • To see whether this user has been added to the configuration, type the “show snmp user” command.
    • An SNMP EngineID has to be defined before SNMP users can be added to the device.
  • 27. Enable Sending Traps
    • Use the following Global Configuration command to enable the device to send SNMP traps. To disable SNMP traps, use the no form of the command:
        snmp-server enable traps
        no snmp-server enable traps
  • 28. Enable Authentication Traps
    • Use the following Global Configuration command to enable the device to send SNMP traps when authentication fails. To disable these SNMP traps, use the no form of the command:
        snmp-server traps authentication
        no snmp-server traps authentication
  • 29. SNMP Filter Entry
    • Use the following global configuration command to create or update a filter entry. To remove the specified SNMP server filter entry, use the no form of this command:
        snmp-server filter filter-name oid-tree {included | excluded}
        no snmp-server filter filter-name [oid-tree]
    • Example:
        console(config)# snmp-server filter filter-name system included
        console(config)# snmp-server filter filter-name system.7 excluded
        console(config)# snmp-server filter filter-name ifEntry.*.1 included
  • 30. Recipient of SNMPv3 Notification
    • Use the following global configuration command to specify the recipient of an SNMPv3 notification operation:
        snmp-server v3-host {ipaddr | hostname} username [traps | informs] {noauth | auth | priv} [udp-port port] [filter filtername] [timeout seconds] [retries retries]
    • To delete the recipient, use:
        no snmp-server v3-host host-addr [traps | informs] [username]
  • 31. Recipient of SNMPv3 Notification (Cont.)
    • If a trap and an inform are defined on the same target, and an inform was sent, the trap will not be sent.
    • A user and notification view are not automatically created. Use the snmp-server user, snmp-server group and snmp-server view Global Configuration mode commands to generate a user, group and notify view, respectively.
  • 32. Review of SNMP v1 and v2 Commands
  • 33. Snmp Server Host
    • Use the following global configuration command to specify the recipient of Simple Network Management Protocol version 1 or version 2 notifications:
        snmp-server host {ip-address | hostname} community-string [traps | informs] [1 | 2] [udp-port port] [filter filtername] [timeout seconds] [retries retries]
    • To remove the specified host, use the no form of this command:
        no snmp-server host {ip-address | hostname} [traps | informs]
  • 34. Snmp Server Contact
    • Use the following global configuration command to configure the system contact (sysContact) string:
        snmp-server contact text
    • To remove the system contact information, use the no form of the command:
        no snmp-server contact
  • 35. Snmp Server Location
    • Use the following global configuration command to configure the system location string:
        snmp-server location text
    • To remove the system location information, use the no form of the command:
        no snmp-server location
  • 36. Snmp Server Set
    • Use the following global configuration command to define an SNMP MIB value:
        snmp-server set variable-name name1 value1 [name2 value2 …]
    • Although the CLI can set any required configuration, there might be a situation where an SNMP user sets a MIB variable that has no equivalent command. The snmp-server set command is used to generate configuration files that support those situations.
  • 37. Device Configuration
  • 38. SNMPv3 [diagram: User_ID → Group_ID → View #1 … View #n, each view listing “MIB X included / MIB Y excluded”]
  • 39. View configuration
    • Configuring 3 views: a1, a2, a3:
        console(config)# snmp-server view a1 ip included
        console(config)# snmp-server view a1 ipForwarding excluded
        console(config)# snmp-server view a2 internet included
        console(config)# snmp-server view a3 ipDefaultTTL included
        console(config)# exit
        console# show snmp views
        Name                 OID Tree                   Type
        -------------------  -------------------------  --------
        a1                   ip                         included
        a1                   ipForwarding               excluded
        a2                   internet                   included
        a3                   ipDefaultTTL               included
        Default              iso                        included
        Default              snmpVacmMIB                excluded
        Default              usmUser                    excluded
        Default              snmpCommunityTable         excluded
        Default              rndCommunityTable          excluded
        DefaultSuper         iso                        included
  • 40. Group configuration
    • Configuring 3 groups: b1, b2, b3:
        console(config)# snmp-server group b1 v3 auth read Default write a1
        console(config)# snmp-server group b2 v3 noauth read a2 write a2
        console(config)# snmp-server group b3 v3 priv read a3
        console(config)# exit
        console# show snmp groups
        Name                Security             Views
                            Model   Level        Read        Write       Notify
        ------------------  ------  -----------  ----------  ----------  ----------
        b1                  V3      auth         Default     a1          -
        b2                  V3      noauth       a2          a2          -
        b3                  V3      priv         a3          -           -
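The following Python model, added here and not part of the presentation or the AT-8000S firmware, replays the VACM decision described on slides 11–14 over the views and groups configured on slides 39–40. It assumes the USM security model and the default context, models only the first two entries of the Default view, and takes the OIDs for the named MIB objects from the standard MIBs.

```python
"""Minimal VACM (RFC 3415, successor of RFC 2575) decision over the AT-8000S views and groups."""

# Security levels in increasing order; the access entry's level is the *minimum* a request must carry.
LEVELS = {"noauth": 0, "auth": 1, "priv": 2}

# Standard OIDs for the names used on the slides (assumption: MIB-II / SNMP-VACM-MIB definitions).
OID = {
    "iso": (1,),
    "internet": (1, 3, 6, 1),
    "ip": (1, 3, 6, 1, 2, 1, 4),
    "ipForwarding": (1, 3, 6, 1, 2, 1, 4, 1),
    "ipDefaultTTL": (1, 3, 6, 1, 2, 1, 4, 2),
    "snmpVacmMIB": (1, 3, 6, 1, 6, 3, 16),
}

# View table as configured in "show snmp views": view -> [(subtree, included?)].
# Only the first two Default entries are modelled; the remaining exclusions work the same way.
VIEWS = {
    "a1": [(OID["ip"], True), (OID["ipForwarding"], False)],
    "a2": [(OID["internet"], True)],
    "a3": [(OID["ipDefaultTTL"], True)],
    "Default": [(OID["iso"], True), (OID["snmpVacmMIB"], False)],
}

# Access table as shown by "show snmp groups": group -> (min level, read, write, notify view).
# "-" on the slide means no view is bound, which VACM treats as no access for that operation.
GROUPS = {
    "b1": ("auth", "Default", "a1", None),
    "b2": ("noauth", "a2", "a2", None),
    "b3": ("priv", "a3", None, None),
}

def in_view(view: str, oid: tuple) -> bool:
    """The longest matching subtree entry decides; an exclusion wins when it is the more specific one."""
    best = None
    for subtree, included in VIEWS.get(view, []):
        if oid[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]

def is_access_allowed(group: str, level: str, op: str, oid_name: str) -> bool:
    """isAccessAllowed for a USM request in the default context; op is 'read', 'write' or 'notify'."""
    entry = GROUPS.get(group)
    if entry is None:
        return False                       # noSuchGroupName
    min_level, read_v, write_v, notify_v = entry
    if LEVELS[level] < LEVELS[min_level]:
        return False                       # request arrived below the required security level
    view = {"read": read_v, "write": write_v, "notify": notify_v}[op]
    return view is not None and in_view(view, OID[oid_name])
```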
  • 41. Engine ID
    • Specifies the SNMP engine ID on the local device; the EngineID is created automatically based on the device MAC address:
        console(config)# snmp-server engineid local default
  • 42. Defining users
    • Configuring 3 users: c1, c2, c3:
        console(config)# snmp-server user c1 b1 auth-md5 password1
        console(config)# snmp-server user c2 b2
        console(config)# snmp-server user c3 b3 auth-sha password3
        console# show snmp users
        Name                 Group name               Auth     Remote
                                                      Method
        -------------------  -----------------------  -------  -----------------------
        c1                   b1                       MD5
        c2                   b2                       noAuth
        c3                   b3                       SHA
  • 43. NMS Configuration
  • 44. Adding user c2 [screenshot: device IP address]
  • 45. Selecting the object to get
  • 46. Command results
  • 47. Defining user c3
  • 48. Selecting an object to set
  • 49. Command results