Security Considerations - Cisco SCE 8000 10GBE Software Configuration Manual


Configuring and Managing the SNMP Interface
Chapter 5, Configuring the Management Interface and Security (page 5-42)

Table 5-2    Request Types

Request Type: Set Request
Description: Writes new data to one or more of the objects managed by an agent.
Remarks: Set operations immediately affect the Cisco SCE platform running-config but do not affect the startup config.

Request Type: Get Request
Description: Requests the value of one or more of the objects managed by an agent.

Request Type: Get Next Request
Description: Requests the Object Identifier(s) and value(s) of the next object(s) managed by an agent.

Request Type: Get Response
Description: Contains the data returned by an agent.

Request Type: Trap
Description: Sends an unsolicited notification from an agent to a manager, indicating that an event or error has occurred on the agent system.
Remarks: The Cisco SCE platform may be configured to send either SNMPv1 or SNMPv2 style traps.

Request Type: Get Bulk Request
Description: Retrieves large amounts of object information in a single request/response transaction. GetBulk behaves as if many iterations of GetNext request/responses were issued, except that they are all performed in a single request/response.
Remarks: This is an SNMPv2c message.

Security Considerations

By default, the SNMP agent is disabled for both read and write operations. When enabled, SNMP is supported over the management port only (in-band management is not supported).

In addition, the Cisco SCE platform supports the option to configure a community of managers for read-write accessibility or for read-only accessibility. Furthermore, an ACL may be associated with the SNMP agent by assigning it to one of the community strings, so that SNMP management is allowed only from a restricted set of manager IP addresses. If different ACLs are assigned to different community strings, access by every community string is controlled by all of the assigned ACLs; assigning a distinct ACL per community string is therefore not supported.

When using SNMPv3, each user is assigned a name (called a securityName), an authentication type (authProtocol), and a privacy type (privProtocol), as well as an associated key for each of these (authKey and privKey). Authentication is performed by using the authKey of the user to sign the message being sent. The authProtocol can be either MD5 or SHA. authKeys (and privKeys) are generated from a passphrase that is at least 8 characters in length. Encryption is performed by using the privKey of the user to encrypt the data portion of the message being sent. The privProtocol can be AES or DES. Messages can be sent unauthenticated and unencrypted (noAuthNoPriv), authenticated but unencrypted (authNoPriv), or authenticated and encrypted (authPriv) by setting the securityLevel.

You can create VIEWs and GROUPs for access control. A VIEW is a set of MIBs or OIDs, defined by including or excluding different MIBs and OIDs; it therefore defines the range of OIDs that are exposed to a user through that view. A GROUP is defined with a particular security level, read-view, and
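The key derivation behind the authKey and privKey described above, as an added Python illustration that is not code from the Cisco manual: it implements the RFC 3414 password-to-key algorithm and snmpEngineID localization for the MD5 and SHA authProtocols, truncates the result for the DES and AES privProtocols, and enforces the 8-character passphrase minimum. The passphrase and engine ID used in the demo are the RFC 3414 test-vector values, not values taken from an SCE platform.

```python
"""SNMPv3 USM key derivation (RFC 3414, section A.2): passphrase -> Ku -> Kul.

Added example for the SNMPv3 paragraph of the Cisco SCE manual; it is not code
from the manual.  It shows how authKey and privKey are produced from a
passphrase, why they are bound to one agent's snmpEngineID, and where the
8-character minimum is enforced.  Demo values are RFC 3414 test vectors.
"""
import hashlib

# authProtocol names as the manual lists them ("SHA" means SHA-1 in RFC 3414).
AUTH_PROTOCOLS = {"MD5": "md5", "SHA": "sha1"}
# securityLevel -> (authentication required, privacy required)
SECURITY_LEVELS = {"noAuthNoPriv": (False, False),
                   "authNoPriv": (True, False),
                   "authPriv": (True, True)}
MIN_PASSPHRASE_LEN = 8      # minimum stated by the manual and by RFC 3414
STRETCH_BYTES = 1048576     # RFC 3414 A.2: hash 1 MiB of the repeated passphrase


def password_to_key(passphrase: str, auth_protocol: str) -> bytes:
    """Ku = H(passphrase repeated cyclically to exactly 1 MiB)."""
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        raise ValueError("passphrase must be at least 8 characters")
    data = passphrase.encode()
    reps, rem = divmod(STRETCH_BYTES, len(data))
    return hashlib.new(AUTH_PROTOCOLS[auth_protocol], data * reps + data[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, auth_protocol: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku).  The same passphrase yields a different
    key on every agent, so a key recovered from one agent is useless elsewhere."""
    return hashlib.new(AUTH_PROTOCOLS[auth_protocol], ku + engine_id + ku).digest()


def derive_user_keys(auth_pass, priv_pass, engine_id, auth_protocol, security_level):
    """Return only the localized keys a user at the given securityLevel needs."""
    needs_auth, needs_priv = SECURITY_LEVELS[security_level]
    keys = {}
    if needs_auth:
        keys["authKey"] = localize_key(password_to_key(auth_pass, auth_protocol),
                                       engine_id, auth_protocol)
    if needs_priv:
        # The priv passphrase goes through the same auth hash; DES (8-byte key +
        # 8-byte pre-IV) and AES-128 (16-byte key) both take the first 16 bytes.
        kul = localize_key(password_to_key(priv_pass, auth_protocol),
                           engine_id, auth_protocol)
        keys["privKey"] = kul[:16]
    return keys


if __name__ == "__main__":
    # RFC 3414 A.3 test vector (constructed demo input, not an SCE engine ID)
    eid = bytes.fromhex("000000000000000000000002")
    for proto in AUTH_PROTOCOLS:
        print(proto, derive_user_keys("maplesyrup", "maplesyrup", eid, proto, "authPriv"))
```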
OL-30621-02
