Introduction: SNMP on the OnBoard Appliance

The administrator can activate Simple Network Management Protocol (SNMP) agent software that resides on the OnBoard appliance. The SNMP agent provides access to the OnBoard appliance by an SNMP management application, such as HP Openview, Novell NMS, IBM NetView or Sun Net Manager and provides proxied access to SNMP data from connected SPs that implement SNMP agents. The OnBoard appliance SNMP agent can be configured to send notifications (also known as traps) about significant events on the OnBoard appliance and on connected devices.
The OnBoard appliance administrator must configure the SNMP agent to use the version of SNMP supported by the management application: SNMP v1, v2c or v3. The use of v3 is strongly encouraged wherever possible because it provides the authentication and encryption that v1 and v2c lack.
Access to information provided by the OnBoard appliance and its proxied connected devices is available in two ways:
The recommended access method for agents that support only SNMP version 1 or 2c is through a VPN tunnel to the OnBoard appliance. The OnBoard appliance provides the authentication and encryption that those protocol versions lack. The management application can then be used for SNMP management of the device.
When version 1 or 2c agents are used to obtain native management access to a device, no SNMP configuration is needed. Support is implemented entirely through the VPN connection, limited by iptables rules that restrict access to particular devices.
CAUTION: The snmpd running on the OnBoard appliance allows access to proxied data using the v1 and v2c protocols without the creation of a VPN tunnel, but the lack of security inherent in these protocols means this option should be used with caution, if it is used at all.
The access method for agents that support version 3 is via a local Net-SNMP snmp daemon. Proxying of traps is not supported by Net-SNMP. Forwarding of traps is supported, with filtering by source address.
If SNMP is used as recommended (by allowing access by agents running SNMP version 1 or 2c only through a VPN tunnel), no public client is allowed unauthenticated access to either managed clients or to the OnBoard appliance itself. For compatibility with other clients, unencrypted transfer of data is possible with SNMP v3 connections, but unencrypted data transfer is strongly discouraged.
User and group information for v3 connections must be different from the user and group names used for accessing the OnBoard appliance for the following reasons:
To keep the OnBoard appliance user information more secure, since SNMP usernames and passwords are stored in cleartext in /etc/snmp/snmpd.conf
The administrator can configure the following:
OnBoard appliance traps occur on the following types of events:
Traps are handled the three following ways:
Before enabling SNMP, depending on the version of SNMP in use, the administrator needs some or all of the information in the following table.
Object Identifier. A unique identifier for each object in an SNMP MIB. The OID naming scheme is in the form of an inverted tree with branches pointing downward. The OID naming scheme is governed by the Internet Engineering Task Force (IETF), which grants authority for parts of the OID name space to individual organizations. Cyclades has the authority to assign OIDs that can be derived by branching downward from the node in the MIB name tree that starts at 1.3.6.1.4.1.4413.
SNMP version (also called protocol)
v3: Uses a username for authentication. In addition to the username, an optional authentication password may be used. An encryption password also may be used for encrypting traffic. Cyclades recommends that both authentication and encryption be used to maximize the security of data and commands. Available authentication methods are MD5 or SHA. Available encryption methods are DES and AES.
For SNMP v1 and v2c, only the community name is used for authentication. An arbitrary string with a maximum length of 256 characters. It does not need to match the community name used on the public side or be unique on the private side. It must match the community string expected by the device, often public.
Use IP: Enter an IP for the source device in the field if you select this option. If the default is selected, then all traps from all source IPs are forwarded to the destination IP.
MD5
SHA
DES
AES
Optional password used for encryption. Must be either empty or at least eight characters. If used, an authentication password is required.
Strings are defined as case-sensitive ASCII, not beginning with a hash and delimited by a space, form-feed ('\f'), newline ('\n'), carriage return ('\r'), horizontal tab ('\t'), vertical tab ('\v') or null ('\0'). Any character may be included if it is escaped with a backslash ('\'). Two backslashes are interpreted as one.
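The string rules above (delimiters, backslash escapes, no leading hash) applied as a tokenizer for one snmpd.conf line. This is an added example written for this page, not the appliance's or Net-SNMP's own parser, and the sample lines it is run on are constructed.

```python
# Added example (not the appliance's own code): split one snmpd.conf line into
# strings following the rules stated in the text above.

# Delimiters named in the text: space, form feed, newline, CR, tab, VT, NUL.
DELIMITERS = {" ", "\f", "\n", "\r", "\t", "\v", "\0"}


def tokenize(line: str) -> list[str]:
    """Return the strings on a config line, honouring backslash escapes.

    A backslash makes the next character literal (so a delimiter or a leading
    '#' can be included), and two backslashes yield one backslash. Strings are
    case-sensitive ASCII and must not begin with an unescaped '#'.
    """
    tokens: list[str] = []
    current: list[str] = []
    in_token = False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\":                      # escape: take the next char literally
            if i + 1 >= len(line):
                raise ValueError("dangling backslash at end of line")
            current.append(line[i + 1])     # '\\\\' therefore becomes one '\\'
            in_token = True
            i += 2
            continue
        if ch in DELIMITERS:                # unescaped delimiter closes a string
            if in_token:
                tokens.append("".join(current))
                current, in_token = [], False
            i += 1
            continue
        if not ch.isascii():
            raise ValueError(f"non-ASCII character {ch!r} in string")
        if not in_token and ch == "#":      # unescaped leading hash is not a string
            raise ValueError(f"string may not begin with '#': {line[i:]!r}")
        current.append(ch)
        in_token = True
        i += 1
    if in_token:
        tokens.append("".join(current))
    return tokens


if __name__ == "__main__":
    # Constructed sample: an escaped space keeps "public net" as one community string.
    print(tokenize("rocommunity public\\ net 10.0.0.0/8"))
```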
Views can be created to define sections of an OID tree that are included and excluded from access. When a view is being defined, more than one line can be used to build a view. For example, one line may allow access to a subtree, and another may remove access to a portion of that subtree.
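A view assembled from several lines, one granting a subtree and another removing part of it, evaluated for access to individual OIDs. This is an added example, not the appliance's own code; the constructed view lines use Net-SNMP's `view NAME included|excluded SUBTREE` syntax, and the rule that the most specific (longest) matching subtree decides is assumed from the VACM model (RFC 3415) that Net-SNMP implements. Subtree masks are not modelled.

```python
# Added example (not the appliance's own code): decide whether an OID falls
# inside a view built from multiple "included"/"excluded" lines.

def parse_oid(oid: str) -> tuple[int, ...]:
    """'.1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1); a leading dot is optional."""
    return tuple(int(part) for part in oid.strip(".").split("."))


class View:
    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: list[tuple[tuple[int, ...], bool]] = []  # (subtree, included?)

    def add(self, action: str, subtree: str) -> None:
        if action not in ("included", "excluded"):
            raise ValueError(f"unknown view action {action!r}")
        self.rules.append((parse_oid(subtree), action == "included"))

    def allows(self, oid: str) -> bool:
        """Longest matching subtree wins (assumed VACM semantics).

        An OID matched by no line at all is outside the view and denied.
        """
        target = parse_oid(oid)
        best: tuple[tuple[int, ...], bool] | None = None
        for subtree, included in self.rules:
            if target[: len(subtree)] == subtree:
                if best is None or len(subtree) > len(best[0]):
                    best = (subtree, included)
        return best is not None and best[1]


# Constructed snmpd.conf fragment: grant mib-2, then carve out host-resources.
SAMPLE_CONF = """\
view ops included  .1.3.6.1.2.1
view ops excluded  .1.3.6.1.2.1.25
"""


def load_views(conf: str) -> dict[str, View]:
    views: dict[str, View] = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "view":
            continue                      # ignore blank lines and other directives
        _, name, action, subtree = parts[:4]
        views.setdefault(name, View(name)).add(action, subtree)
    return views
```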
The following table describes the values used for configuring views.
Object Identifier. A unique identifier for each object in an SNMP MIB. The OID naming scheme is in the form of an inverted tree with branches pointing downward. The OID naming scheme is governed by the Internet Engineering Task Force (IETF), which grants authority for parts of the OID name space to individual organizations.
The following table describes the values used for configuring SNMP traps.
The following table shows the tasks related to administering SNMP on the OnBoard appliance and provides links to where they are documented.