5.1.3 SNMP access control
Communication with SNMP agents on managed devices requires access control credentials:
SNMPv1 and SNMPv2c
A community string in each NNMi request must match a community string configured in the responding SNMP agent. All communication passes through the network in clear text (no encryption).
SNMPv3
Communication with the SNMP agent complies with the user-based security model (USM). Each SNMP agent has a list of configured user names and their associated authentication requirements (the authentication profile). Formatting of all communication is controlled through configuration settings. NNMi SNMP requests must specify a valid user and follow the authentication and privacy controls configured for that user.
- Authentication protocol uses no message authentication or uses hash-based message authentication code (HMAC) with your choice of either HMAC-MD5-96 or HMAC-SHA-1.
- Privacy protocol uses no encryption or uses a symmetric encryption protocol with your choice of DES-CBC, TripleDES, AES-128, AES-192, or AES-256.
Because DES-CBC is regarded as a weak cipher, we recommend that you choose a stronger cipher if you are currently using DES-CBC. If you are configuring SNMPv3 communication on a node managed by NNMi, we recommend that you do not use DES-CBC.
To change the encryption method:
1. In the NNMi console, click the Configuration workspace.
2. Expand the Incidents folder.
3. Expand the Trap Server folder.
4. Click Trap Forwarding Configuration.
5. From the Privacy Protocol list, select a stronger encryption method.
NNMi supports the specification of multiple SNMP access control credentials for a region of your network (defined through IP address filters or host name filters). NNMi attempts communication with a device in that region by trying in parallel all configured values at a given SNMP security level. You can specify the minimum SNMP security level that NNMi is to use in that region. NNMi uses the first value returned by each node (response from the device's SNMP agent) for discovery and monitoring purposes.
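The following added example (not NNMi code or output) audits a constructed credential inventory against the guidance above: it flags credentials that fall below a region's minimum SNMP security level and any SNMPv3 user configured with DES-CBC. The `Credential` fields, the region names, the inventory layout, and the ranking of community strings below all SNMPv3 levels are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Weakest to strongest. Ranking community strings (SNMPv1/v2c, clear text)
# below every SNMPv3 level is an assumption of this example.
LEVELS = ["community", "noAuthNoPriv", "authNoPriv", "authPriv"]

@dataclass
class Credential:               # hypothetical record layout, not an NNMi format
    region: str
    version: str                # "v1", "v2c" or "v3"
    auth: Optional[str] = None  # None, "HMAC-MD5-96" or "HMAC-SHA-1"
    priv: Optional[str] = None  # None, "DES-CBC", "TripleDES", "AES-128", ...

def security_level(c: Credential) -> str:
    if c.version != "v3":
        return "community"
    if c.auth is None:
        return "noAuthNoPriv"   # USM has no privacy-without-authentication level
    return "authPriv" if c.priv else "authNoPriv"

def audit(creds, minimum):
    """Return (index, region, finding) for every credential needing attention."""
    findings = []
    for i, c in enumerate(creds):
        lvl = security_level(c)
        # Credential is weaker than the minimum level set for its region.
        if LEVELS.index(lvl) < LEVELS.index(minimum[c.region]):
            findings.append((i, c.region, f"below-minimum:{lvl}"))
        # DES-CBC is the cipher the text above recommends replacing.
        if c.version == "v3" and c.priv == "DES-CBC":
            findings.append((i, c.region, "weak-cipher:DES-CBC"))
    return findings

# Constructed inventory and per-region minimum levels (sample data only).
SAMPLE = [
    Credential("core", "v3", "HMAC-SHA-1", "AES-128"),
    Credential("core", "v3", "HMAC-SHA-1", "DES-CBC"),
    Credential("core", "v2c"),
    Credential("branch", "v3", "HMAC-MD5-96"),
    Credential("branch", "v3"),
]
MINIMUM = {"core": "authPriv", "branch": "authNoPriv"}

if __name__ == "__main__":
    for finding in audit(SAMPLE, MINIMUM):
        print(finding)
```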
In the default HA environment, the SNMP source address is set to the physical cluster node address. To set the SNMP source address to NNM_INTERFACE (the virtual IP address), edit the ov.conf file to set the IGNORE_NNM_IF_FOR_SNMP value to OFF (by default, it is ON).