SNMP operations
SNMP provides the following basic operations:
• Get—NMS retrieves the SNMP object nodes in an agent MIB.
• Set—NMS modifies the value of an object node in an agent MIB.
• Notification—SNMP agent sends traps or informs to report events to the NMS. The difference between these two types of notification is that informs require acknowledgment but traps do not. Traps are available in SNMPv1, SNMPv2c, and SNMPv3. Informs are available only in SNMPv2c and SNMPv3.
Protocol versions
SNMPv1, SNMPv2c, and SNMPv3 are supported in non-FIPS mode. Only SNMPv3 is supported in
FIPS mode. An NMS and an SNMP agent must use the same SNMP version to communicate with
each other.
• SNMPv1—Uses community names for authentication. To access an SNMP agent, an NMS must use the same community name as set on the SNMP agent. If the community name used by the NMS differs from the community name set on the agent, the NMS cannot establish an SNMP session to access the agent or receive traps from the agent.
• SNMPv2c—Uses community names for authentication. SNMPv2c is compatible with SNMPv1, but supports more operation types, data types, and error codes.
• SNMPv3—Uses a user-based security model (USM) to secure SNMP communication. You can configure authentication and privacy mechanisms to authenticate and encrypt SNMP packets for integrity, authenticity, and confidentiality.
Access control modes
SNMP uses the following modes to control access to MIB objects:
• View-based Access Control Model—VACM mode controls access to MIB objects by assigning MIB views to SNMP communities or users.
• Role-based access control—RBAC mode controls access to MIB objects by assigning user roles to SNMP communities or users.
  • SNMP communities or users have read and write access to all MIB objects if they use the predefined network-admin, mdc-admin, or level-15 user role.
  • SNMP communities or users have read-only access to all MIB objects if they use the predefined network-operator or mdc-operator user role.
  • SNMP communities or users have user-assigned access rights if they use a non-predefined user role. To create a non-predefined user role, use the role command. To assign MIB object rights to the user role, use the rule command.
If you create the same SNMP community or user with both modes multiple times, the most recent
configuration takes effect. For more information about RBAC, see Fundamentals Command Reference.
RBAC mode controls access on a per MIB object basis, and VACM mode controls access on a MIB
view basis. As a best practice to enhance MIB security, use RBAC mode.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for
features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more
information about FIPS mode, see Security Configuration Guide.