ARISTA - SNMP
Introduction
SNMP (Simple Network Management Protocol) is a protocol used for network management. It allows network devices to be monitored and managed through the exchange of information between network devices (agents) and a central management station (SNMP manager). This guide provides the essential SNMP configuration commands for Arista EOS.
SNMP Overview
Arista EOS supports SNMP for monitoring and, where a read-write credential is granted, limited control of the device. The agent speaks SNMPv1, SNMPv2c and SNMPv3; only SNMPv3 authenticates and encrypts traffic, so it is the version to deploy. Managers poll MIB objects (interface counters, CPU and memory, environmental sensors, routing state), and the device pushes notifications (traps or informs) when events occur. SNMP does not transport event logs; use syslog for those.
Basic SNMP Configuration
- snmp-server community <community-name> [view <view-name>] [ro | rw] [ipv6 <ipv6-acl>] [<ipv4-acl>]
- Configures an SNMPv1/v2c community string. `ro` grants read-only access and `rw` read-write access; when neither is given EOS defaults to read-only. An optional view limits the community to part of the MIB tree, and an optional standard ACL name (IPv4 and/or IPv6) limits the source addresses that may use the string. A community string is the only credential in v1/v2c and travels in cleartext, so treat it as a password and attach an ACL.
- snmp-server location <location>
- Configures the device location (sysLocation). It is readable by every client that can query the agent, so keep sensitive details out of it.
- snmp-server contact <contact-info>
- Configures the contact information for the device (sysContact), such as the administrator's name or email address.
- snmp-server enable traps
- Enables all supported notification types; append a trap group to enable only that group (see SNMP Traps below).
- snmp-server host <host-ip> [vrf <vrf-name>] [traps | informs] [version 1 | 2c | 3 <noauth | auth | priv>] <community-string | v3-username> [udp-port <port-number>]
- Configures a notification receiver. For version 1 and 2c the final name is a community string; for version 3 it is an SNMPv3 user name, and the security level (`noauth`, `auth`, `priv`) must be permitted by that user's group. `informs` requests an acknowledgement from the manager and retransmits if none arrives; `traps` (the default) are fire-and-forget. The default UDP port is 162.
- snmp-server local-interface <interface>
- Specifies the interface whose address is used as the source of traps and informs (EOS has no `trap-source` keyword; this is the equivalent). Set it so the receiver can match notifications against a known management address.
- snmp-server vrf <vrf-name>
- Enables the SNMP agent in the named VRF, which is required when the management network lives in a non-default VRF such as `management`.
SNMPv3 Configuration
SNMPv3 provides enhanced security features, including authentication and encryption.
- snmp-server user <username> <group-name> v3 auth <md5 | sha | sha256 | sha384 | sha512> <auth-password> priv <des | aes | aes192 | aes256> <priv-password>
- Creates an SNMPv3 user and places it in a group; the group name is mandatory in EOS. Passwords must be at least 8 characters. Prefer `sha` or a SHA-2 variant over `md5`, and `aes` (or `aes256`) over `des`; which variants are accepted depends on the EOS release, so check with `?`. EOS does not keep the cleartext passwords: the running configuration shows keys localized to the engine ID (`localized <engine-id>`).
- snmp-server group <group-name> v3 <noauth | auth | priv> [context <context>] [read <read-view>] [write <write-view>] [notify <notify-view>]
- Creates an SNMPv3 group. The security level is the minimum a request must carry: `priv` requires authenticated and encrypted requests, `auth` accepts authenticated but unencrypted ones, `noauth` accepts anything. Members can only perform an operation if the corresponding view is present, so a group without `write` is read-only however the user authenticates. Always name an explicit read view rather than relying on a default.
- snmp-server view <view-name> <oid> included | excluded
- Defines an SNMP view to control which OIDs (Object Identifiers) are accessible for SNMP queries (see SNMP Views below).
- snmp-server engineID local <engine-id>
- Sets the local SNMPv3 engine ID as a hexadecimal string. EOS generates one automatically, so this is rarely needed. User keys are localized with the engine ID, so changing it invalidates every existing SNMPv3 user until the passwords are entered again. `snmp-server engineID remote <host> <engine-id>` records a manager's engine ID, which the agent needs to send SNMPv3 informs to it.
SNMP Traps
SNMP notifications let the device tell the manager about events such as link state changes, protocol neighbor changes, authentication failures or a restart without waiting to be polled. They are sent as traps (unacknowledged) or informs (acknowledged and retried) to every receiver configured with `snmp-server host`.
- snmp-server enable traps [<trap-group> [<trap-name>]]
- Enables notifications. With no argument every supported notification is enabled; with a group only that group; with a group and a name only that single notification. The available groups vary by EOS release (`snmp-server enable traps ?` lists them) and include `snmp`, `bgp`, `entity`, `lldp`, `spanning-tree` and `vrrp` among others. The `snmp` group carries the generic notifications:
- snmp-server enable traps snmp link-down
- Sends linkDown when an interface goes down.
- snmp-server enable traps snmp link-up
- Sends linkUp when an interface comes up.
- snmp-server enable traps snmp authentication
- Sends authenticationFailure when a request arrives with an unknown community string or fails SNMPv3 authentication. Enable this one and alert on it at the collector: it is the cheapest indicator that someone is guessing community strings.
- coldStart, which marks a restart of the agent, is generated by the agent itself at startup.
- show running-config section snmp-server
- Shows the enabled notification types together with the rest of the SNMP configuration, including the configured receivers.
SNMP Views
SNMP views are used to restrict access to specific portions of the MIB (Management Information Base) tree. A view is a list of subtrees, each marked included or excluded; an OID is visible when the longest subtree that is a prefix of it is marked included, so a broad `included` entry can be narrowed with more specific `excluded` entries.
- snmp-server view <view-name> <oid> included | excluded
- Adds one subtree to a view; repeat the command to add more. The same view can be attached to an SNMPv3 group or, with the `view` keyword, to a v1/v2c community. A common hardening step is to exclude the SNMPv3 user and access-control tables (the USM MIB under 1.3.6.1.6.3.15 and the VACM MIB under 1.3.6.1.6.3.16) from read views, so a monitoring account cannot enumerate other accounts and their privileges.
- snmp-server group <group-name> v3 <noauth | auth | priv> read <view-name> write <view-name> notify <view-name>
- Associates an SNMPv3 group with views for read, write and notification (trap content) permissions; each may be a different view.
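The longest-prefix rule above is easy to get wrong when reviewing a view by eye. The following is an added example, not Arista code or part of this guide's source: it evaluates OIDs against a hypothetical MONITOR view built from three `snmp-server view` entries, the way VACM (RFC 3415) would, and filters a constructed walk with it. EOS view entries carry no family mask, so prefix matching on OID components is the whole rule; the walked OIDs, including the enterprise OID suffix, are constructed for the example.

```python
"""VACM-style view evaluation for Arista-style `snmp-server view` entries.

Added example; this is not Arista code. It shows how a view built from
`included`/`excluded` subtrees decides visibility: the longest subtree that
is a prefix of the queried OID wins. The view and the walked OIDs below are
constructed for the example.
"""
from typing import List, Optional, Tuple

ViewEntry = Tuple[str, str]  # (subtree OID, "included" or "excluded")

# Hypothetical read view for a monitoring group, as it would be typed:
#   snmp-server view MONITOR 1.3.6.1 included
#   snmp-server view MONITOR 1.3.6.1.6.3.15 excluded   (USM MIB: user table)
#   snmp-server view MONITOR 1.3.6.1.6.3.16 excluded   (VACM MIB: groups/views)
MONITOR_VIEW: List[ViewEntry] = [
    ("1.3.6.1", "included"),
    ("1.3.6.1.6.3.15", "excluded"),
    ("1.3.6.1.6.3.16", "excluded"),
]


def parse_oid(oid: str) -> List[int]:
    """Split a dotted OID into integer components. Prefix tests must be done
    on components: '1.3.6.1.2.1' is not a prefix of '1.3.6.1.2.10'."""
    return [int(part) for part in oid.strip().lstrip(".").split(".")]


def oid_in_view(view: List[ViewEntry], oid: str) -> bool:
    """True if the longest matching subtree in `view` is marked included.
    An OID that matches no subtree at all is not visible."""
    target = parse_oid(oid)
    best: Optional[Tuple[int, str]] = None  # (prefix length, included/excluded)
    for subtree, kind in view:
        prefix = parse_oid(subtree)
        if target[: len(prefix)] != prefix:
            continue
        if best is None or len(prefix) > best[0]:
            best = (len(prefix), kind)
    return best is not None and best[1] == "included"


def filter_walk(view: List[ViewEntry], oids: List[str]) -> List[str]:
    """Subset of `oids` the agent would return to a member of this view."""
    return [o for o in oids if oid_in_view(view, o)]


# Constructed sample of what a full walk of the agent might contain.
SAMPLE_WALK = [
    "1.3.6.1.2.1.1.3.0",                # sysUpTime
    "1.3.6.1.2.1.2.2.1.8.1",            # ifOperStatus.1
    "1.3.6.1.6.3.10.2.1.1.0",           # snmpEngineID (managers need it)
    "1.3.6.1.6.3.15.1.2.2.1.3.12.1.2",  # usmUserSecurityName row (hidden)
    "1.3.6.1.6.3.16.1.2.1.3.1.3.1.2",   # vacmGroupName row (hidden)
    "1.3.6.1.4.1.30065.3.1.1.1",        # Arista enterprise subtree, made-up suffix
]

if __name__ == "__main__":
    for oid in SAMPLE_WALK:
        state = "visible" if oid_in_view(MONITOR_VIEW, oid) else "hidden"
        print(f"{oid:36} {state}")
```

The engine ID object stays visible because managers need it to localize their keys, while the user and group rows disappear even though they sit under the broad `1.3.6.1 included` entry; that is the longest-prefix rule doing the work.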
Monitoring and Troubleshooting SNMP
- show snmp
- Displays agent status and packet counters (requests, failed authentications, traps sent), plus contact and location.
- show snmp community
- Lists configured community strings with their access mode, view and ACL. Review this output when auditing a device: every line is a cleartext credential.
- show snmp host
- Displays configured notification receivers, including version, security level and VRF.
- show snmp user
- Displays SNMPv3 users with their group, engine ID and authentication and privacy protocols (the keys themselves are not shown).
- show snmp group
- Displays SNMPv3 groups with their security level and read, write and notify views.
- show snmp view
- Displays the subtrees in each view.
- show snmp engineID
- Displays the local engine ID (and any configured remote engine IDs), which is the first thing to check when a manager reports that SNMPv3 authentication fails.
- show snmp mib walk <oid>
- Walks the given subtree through the local agent. Because it bypasses the network and the ACLs, it separates "the agent does not return the object" from "the manager cannot reach the agent". `show snmp mib get <oid>` fetches a single instance.
- bash tcpdump -ni <interface> udp port 161 or udp port 162
- Captures SNMP traffic on the device from the underlying Linux shell; EOS has no `debug snmp packets` command. Pair it with `snmpwalk` or `snmpget` from the manager to see whether requests arrive at all and whether responses or authenticationFailure traps leave.
SNMP Security Best Practices
SNMPv1 and SNMPv2c carry the community string in cleartext in every packet and have no integrity protection, so anyone who can capture traffic, or simply guess a string such as `public`, can read the device's full MIB and, with a read-write string, change its configuration. SNMPv3 with authentication and encryption replaces this with per-user keys.
- Use SNMPv3 at the `priv` security level (authentication and encryption) for both polling and notifications: configure groups with `v3 priv` and receivers with `version 3 priv`.
- Choose SHA-based authentication and AES privacy over `md5` and `des`, and use long passphrases that are not shared with other systems; a passphrase yields the keys for every device on which it is reused.
- Restrict which addresses may talk to the agent: attach a standard ACL to each community string, or apply one to all requests with `snmp-server ipv4 access-list <acl>` and `snmp-server ipv6 access-list <acl>`, permitting only the management stations.
- Keep SNMP on the management interface and in the management VRF (`snmp-server vrf management`) rather than exposing it on data-plane addresses.
- Remove v1/v2c community strings entirely where the tooling supports SNMPv3; with no community strings configured, v1/v2c requests have nothing to authenticate against and are rejected. Never leave default strings such as `public` or `private`, and avoid `rw` unless a workflow genuinely needs it.
- Give each group the narrowest view its monitoring role needs, and never grant write views to polling accounts.
- Enable `snmp-server enable traps snmp authentication` and forward notifications to a collector; repeated authenticationFailure traps from one source are a reliable signal of community-string guessing, and link and protocol traps reveal abnormal network behavior.
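A practitioner usually checks these points across many switches from a configuration backup rather than by reading each `show` output. The script below is an added example, not Arista code or part of this guide's source: it parses the text of `show running-config section snmp-server` and flags the weaknesses listed above. The two configurations are constructed samples; the addresses, user, group, view and ACL names are hypothetical, the hardened sample assumes an EOS release that accepts `sha256` and `aes256`, and the ACL it references would be defined separately with `ip access-list standard SNMP-MGMT`.

```python
"""Audit the SNMP section of an Arista EOS running configuration.

Added example, not Arista code. Flags cleartext v1/v2c community strings,
read-write strings, strings without an ACL, notification receivers that are
not SNMPv3 priv, SNMPv3 groups below the priv level, groups with write
views, and users with md5/des or no privacy. Sample configurations below
are constructed; names and addresses are hypothetical.
"""
from dataclasses import dataclass
from typing import List, Optional

WEAK_AUTH = {"md5"}
WEAK_PRIV = {"des"}


@dataclass
class Finding:
    code: str   # short identifier for the weakness
    line: str   # offending configuration line


def _after(tokens: List[str], key: str) -> Optional[str]:
    """Token following `key`, or None if `key` is absent or last."""
    if key in tokens:
        i = tokens.index(key)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def audit_snmp_config(config: str) -> List[Finding]:
    lines = [ln.strip() for ln in config.splitlines()]
    lines = [ln for ln in lines if ln.startswith("snmp-server")]
    # A global ACL covers every community, so note it before judging them.
    global_acl = any(
        ln.split()[1:3] in (["ipv4", "access-list"], ["ipv6", "access-list"])
        for ln in lines
    )
    findings: List[Finding] = []
    for line in lines:
        t = line.split()
        kind = t[1] if len(t) > 1 else ""

        if kind == "community":
            # snmp-server community NAME [view V] [ro|rw] [ipv6 ACL6] [ACL4]
            mode, has_acl, i = "ro", False, 3
            while i < len(t):
                if t[i] == "view":
                    i += 2
                elif t[i] in ("ro", "rw"):
                    mode, i = t[i], i + 1
                elif t[i] == "ipv6":
                    has_acl, i = True, i + 2
                else:  # a bare trailing token is the IPv4 ACL name
                    has_acl, i = True, i + 1
            findings.append(Finding("COMMUNITY_PLAINTEXT", line))
            if mode == "rw":
                findings.append(Finding("COMMUNITY_RW", line))
            if not (has_acl or global_acl):
                findings.append(Finding("COMMUNITY_NO_ACL", line))

        elif kind == "host":
            # snmp-server host HOST [vrf V] [traps|informs] [version 1|2c|3 LEVEL] NAME ...
            if _after(t, "version") != "3":
                findings.append(Finding("HOST_NOT_V3", line))  # addressed by community
            else:
                idx = t.index("version")
                level = t[idx + 2] if idx + 2 < len(t) else ""
                if level != "priv":
                    findings.append(Finding("HOST_V3_NOT_PRIV", line))

        elif kind == "group":
            # snmp-server group NAME v1|v2c|v3 [noauth|auth|priv] [read V] [write V] [notify V]
            model = t[3] if len(t) > 3 else ""
            if model != "v3":
                findings.append(Finding("GROUP_NOT_V3", line))
            elif (t[4] if len(t) > 4 else "") != "priv":
                findings.append(Finding("GROUP_V3_NOT_PRIV", line))
            if "write" in t:
                findings.append(Finding("GROUP_WRITE", line))

        elif kind == "user":
            # snmp-server user NAME GROUP v3 [localized ENGINE] [auth PROTO SECRET [priv PROTO SECRET]]
            auth, priv = _after(t, "auth"), _after(t, "priv")
            if auth is None:
                findings.append(Finding("USER_NO_AUTH", line))
            elif auth in WEAK_AUTH:
                findings.append(Finding("USER_WEAK_AUTH", line))
            if priv is None:
                findings.append(Finding("USER_NO_PRIV", line))
            elif priv in WEAK_PRIV:
                findings.append(Finding("USER_WEAK_PRIV", line))
    return findings


# Constructed sample: the kind of configuration this guide warns against.
WEAK_CONFIG = """\
snmp-server community public ro
snmp-server community private rw
snmp-server host 192.0.2.10 version 2c public
snmp-server user legacy LEGACY-GROUP v3 auth md5 OldPassw0rd
snmp-server group LEGACY-GROUP v3 auth read all-v3
snmp-server enable traps
"""

# Constructed sample: the same monitoring need, hardened (secrets are placeholders).
HARDENED_CONFIG = """\
snmp-server vrf management
snmp-server ipv4 access-list SNMP-MGMT
snmp-server view MONITOR 1.3.6.1 included
snmp-server view MONITOR 1.3.6.1.6.3.15 excluded
snmp-server view MONITOR 1.3.6.1.6.3.16 excluded
snmp-server group MONITORING v3 priv read MONITOR
snmp-server user nms-poller MONITORING v3 auth sha256 <auth-secret> priv aes256 <priv-secret>
snmp-server host 192.0.2.10 vrf management version 3 priv nms-poller
snmp-server enable traps snmp authentication
snmp-server enable traps snmp link-down
snmp-server enable traps snmp link-up
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_snmp_config(cfg) or [Finding("OK", "no findings")]:
            print(f"{f.code:22} {f.line}")
```

Feed it the output of `show running-config section snmp-server` collected from each device; the hardened sample audits clean, the weak one produces nine findings. The `localized <engine-id>` form that EOS writes for users is handled because the parser keys on the `auth` and `priv` keywords rather than on token positions.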
SNMPv3 Access Control
SNMPv3 provides more granular control over access to MIB objects via the use of views and access control policies (the VACM model): a user belongs to a group, the group carries a minimum security level and a view for each operation, and the view decides which OIDs the operation may touch.
- snmp-server group <group-name> v3 <noauth | auth | priv> [read <view-name>] [write <view-name>] [notify <view-name>]
- Configures an SNMPv3 group with its minimum security level and its read, write and notify views. A request below the level (for example an unencrypted request to a `priv` group) is rejected even when the user's credentials are valid.
- snmp-server ipv4 access-list <acl-name> / snmp-server ipv6 access-list <acl-name>
- Applies a standard ACL to all SNMP requests regardless of version or user, allowing only the listed source addresses. A per-community ACL (`snmp-server community <name> ro <acl-name>`) does the same for a single v1/v2c string; SNMPv3 users have no per-user ACL, so they are covered only by the global one.
SNMPv3 Authentication and Encryption
SNMPv3 authenticates each message with an HMAC over the packet, so tampering and replay outside the engine's time window are detected, and at the `priv` level encrypts the PDU so polled data and set values are not visible on the wire. The keys are derived from the user's password and the agent's engine ID (RFC 3414 key localization), which is why the same password produces a different key on every device.
- snmp-server user <username> <group-name> v3 auth <md5 | sha | sha256 | sha384 | sha512> <auth-password> priv <des | aes | aes192 | aes256> <priv-password>
- Configures an SNMPv3 user with both authentication and privacy protocols. A user created with `auth` but without `priv` can only operate at the `auth` level and is refused by a `priv` group.
- snmp-server engineID local <engine-id>
- Sets the engine ID that identifies this agent and is mixed into every user's keys. Leave it at the auto-generated value unless a replacement device must keep the old one; when it changes, reconfigure all SNMPv3 users and any managers that cached the old value.
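To see why the engine ID matters, here is the key derivation the agent performs for `snmp-server user ... auth ... priv ...`, as an added example in Python rather than Arista code: the password is stretched to 1 MiB and hashed (Ku, RFC 3414 A.2), then hashed again with the local engine ID (Kul). The localized keys are what EOS writes into the running configuration, and they only work against the agent with that engine ID. The first engine ID and password are the published RFC 3414 A.3 test vector; the second engine ID is a made-up value for contrast.

```python
"""SNMPv3 USM password-to-key derivation and engine-ID localization.

Added example, not Arista code; it implements RFC 3414 A.2 (MD5/SHA-1) and
the same procedure used by RFC 7860 for SHA-2. The engine ID
00 00 00 00 00 00 00 00 00 00 00 02 with password "maplesyrup" is the RFC's
own test vector; OTHER_ENGINE_ID is constructed for contrast.
"""
import hashlib
from typing import Tuple

ONE_MIB = 1_048_576  # bytes of password material the RFC hashes


def password_to_ku(password: str, algo: str = "sha1") -> bytes:
    """Step 1: hash the password repeated cyclically to exactly 1 MiB.
    The stretching exists to make offline guessing from captured traffic
    more expensive."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MIB, len(pw))
    return hashlib.new(algo, pw * reps + pw[:rem]).digest()


def localize(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Step 2: Kul = H(Ku || engineID || Ku). Only this key is used on the
    wire, and it is valid only against the agent with that engine ID."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, algo: str = "sha1") -> bytes:
    return localize(password_to_ku(password, algo), engine_id, algo)


def aes128_priv_key(kul: bytes) -> bytes:
    """RFC 3826: AES-128 (EOS `priv aes`) uses the first 16 bytes of the
    localized privacy key; the per-message salt is sent in the packet."""
    return kul[:16]


def des_key_and_preiv(kul: bytes) -> Tuple[bytes, bytes]:
    """RFC 3414 8.1.1.1: DES (`priv des`) uses bytes 0-7 as the key and
    bytes 8-15 as the pre-IV."""
    return kul[:8], kul[8:16]


RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
OTHER_ENGINE_ID = bytes.fromhex("f5717f0000000000000000ab")  # constructed

if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha256"):
        print(f"{algo:7} Kul = {localized_key('maplesyrup', RFC_ENGINE_ID, algo).hex()}")
    other = localized_key("maplesyrup", OTHER_ENGINE_ID)
    print(f"same password, other engine ID: {other.hex()}")
```

Two consequences follow directly: changing `snmp-server engineID local` changes every Kul, so existing users stop authenticating until their passwords are re-entered; and a localized key copied out of one switch's configuration is useless against another switch, but the passphrase behind it is not, so protect the passphrase and do not reuse it across fleets.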
SNMP MIBs
MIBs (Management Information Bases) define the structure of the management data accessible via SNMP. Arista EOS supports the standard MIBs (SNMPv2-MIB, IF-MIB, HOST-RESOURCES-MIB, ENTITY-MIB, BGP4-MIB and others) plus Arista enterprise MIBs under 1.3.6.1.4.1.30065; the supported list is published with each EOS release.
- show snmp mib walk <oid>
- Walks a subtree through the local agent and prints each object with its value.
- show snmp mib walk 1.3.6.1.2.1.2.2
- Walks ifTable (IF-MIB): interface index, description, speed, admin and operational status and counters. Interface names and descriptions are among the most useful things an attacker learns from a leaked community string.
- show snmp mib walk 1.3.6.1.2.1.1
- Walks the system group (SNMPv2-MIB): sysDescr (which includes the EOS version), sysObjectID, sysUpTime, sysContact, sysName and sysLocation. CPU load is not in this group; it is in HOST-RESOURCES-MIB under hrProcessorLoad (1.3.6.1.2.1.25.3.3.1.2), and memory under hrStorageTable (1.3.6.1.2.1.25.2.3).
- show snmp mib translate <oid>
- Converts between numeric OIDs and object names so walk output can be matched against MIB definitions.
