In the second scenario, the manager attempts to access the router using the same IP address [XXX.YYY.ZZZ.145], but with a different community name (xyzsnmp). The GetRequest is transmitted in Frame 70 and then retransmitted in Frames 71 and 72. The router never responds. Recall that the IP address [XXX.YYY.ZZZ.145] and the community name (xyzsnmp) are valid on the agent, but not in this combination. Thus, the association between the community name and the IP address provides a second level of access security.
Trace 7.2a Verifying access control with IP addresses (summary)
Sniffer Network Analyzer data 16-Nov at 17:04:10, file 7-2.ENC, Pg 1

SUMMARY  Delta T  Destination  Source       Summary
64       0.0013   Router       Manager 145  SNMP Get sysDescr
65       0.0479   Manager 145  Router       SNMP GetReply sysDescr = /usr3/wf/wf.rel/v5.75/wf.pj/proto.ss/ace_test.p/
66       4.1358   Router       Router       Ethertype=8102 (Unknown)
67       5.0239   Router       Router       Ethertype=8102 (Unknown)
68       5.0388   Router       Router       Ethertype=8102 (Unknown)
69       5.0314   Router       Router       Ethertype=8102 (Unknown)
70       1.9592   Router       Manager 145  SNMP Get sysDescr
71       0.9971   Router       Manager 145  SNMP Get sysDescr
72       2.0045   Router       Manager 145  SNMP Get sysDescr
Trace 7.2b Verifying access control with IP addresses (details)
Sniffer Network Analyzer data 16-Nov at 17:04:10, file 7-2.ENC, Pg 1

---------------------------- Frame 64 ----------------------------
SNMP: ----- Simple Network Management Protocol (Version 1) -----
SNMP:
SNMP: Version = 0
SNMP: Community = abcsnmp
SNMP: Command = Get request
SNMP: Request ID = 1888324335
SNMP: Error status = 0 (No error)
SNMP: Error index = 0
SNMP:
SNMP: Object = {1.3.6.1.2.1.1.1.0} (sysDescr.0)
SNMP: Value = NULL
SNMP:

---------------------------- Frame 65 ----------------------------
SNMP: ----- Simple Network Management Protocol (Version 1) -----
SNMP:
SNMP: Version = 0
SNMP: Community = abcsnmp
SNMP: Command = Get response
SNMP: Request ID = 1888324335
SNMP: Error status = 0 (No error)
SNMP: Error index = 0
SNMP:
SNMP: Object = {1.3.6.1.2.1.1.1.0} (sysDescr.0)
SNMP: Value = /usr3/wf/wf.rel/v5.75/wf.pj/proto.ss/ace_test.p/
SNMP:

. . .

---------------------------- Frame 70 ----------------------------
SNMP: ----- Simple Network Management Protocol (Version 1) -----
SNMP:
SNMP: Version = 0
SNMP: Community = xyzsnmp
SNMP: Command = Get request
SNMP: Request ID = 586726387
SNMP: Error status = 0 (No error)
SNMP: Error index = 0
SNMP:
SNMP: Object = {1.3.6.1.2.1.1.1.0} (sysDescr.0)
SNMP: Value = NULL
SNMP:

---------------------------- Frame 71 ----------------------------
SNMP: ----- Simple Network Management Protocol (Version 1) -----
SNMP:
SNMP: Version = 0
SNMP: Community = xyzsnmp
SNMP: Command = Get request
SNMP: Request ID = 586726387
SNMP: Error status = 0 (No error)
SNMP: Error index = 0
SNMP:
SNMP: Object = {1.3.6.1.2.1.1.1.0} (sysDescr.0)
SNMP: Value = NULL
SNMP:

---------------------------- Frame 72 ----------------------------
SNMP: ----- Simple Network Management Protocol (Version 1) -----
SNMP:
SNMP: Version = 0
SNMP: Community = xyzsnmp
SNMP: Command = Get request
SNMP: Request ID = 586726387
SNMP: Error status = 0 (No error)
SNMP: Error index = 0
SNMP:
SNMP: Object = {1.3.6.1.2.1.1.1.0} (sysDescr.0)
SNMP: Value = NULL
SNMP:
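The following is an added example, not code from the book, from DECmcc or from the Sniffer vendor. It is a minimal SNMPv1 BER encoder and decoder that rebuilds the Frame 64 GetRequest from the fields the Sniffer decoded, parses it back into those same fields, and applies the agent-side rule of this section: a community name is honoured only from the manager addresses bound to it. Only the tags these frames use are handled. The manager address is the book's masked placeholder (XXX.YYY.ZZZ.145), the address bound to xyzsnmp is a constructed "<other-manager>" string, and the ACL table itself is assumed.

```python
# Added example (not the book's, DECmcc's or the Sniffer vendor's code): SNMPv1
# BER encode/decode for the frames in Trace 7.2b plus the agent-side
# (community, manager address) check that explains why Frames 70-72 drew no reply.
# Addresses: the book's masked XXX.YYY.ZZZ.145 and a constructed "<other-manager>".

PDU_TAGS = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
            0xA3: "SetRequest", 0xA4: "Trap"}

def _length(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body

def encode_int(v: int) -> bytes:
    # minimal two's complement; the +8 keeps a sign bit so values >= 0x80.. get a 0x00 prefix
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])            # first two arcs share one octet
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:                                     # base-128, continuation bit on all but the last
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(groups))
    return _tlv(0x06, body)

def encode_get_request(community: str, request_id: int, oid: str) -> bytes:
    """SNMPv1 GetRequest for one object with a NULL value, as in Frame 64."""
    varbind = _tlv(0x30, encode_oid(oid) + _tlv(0x05, b""))
    pdu = encode_int(request_id) + encode_int(0) + encode_int(0) + _tlv(0x30, varbind)
    return _tlv(0x30, encode_int(0) + _tlv(0x04, community.encode()) + _tlv(0xA0, pdu))

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position just after this TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                      # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _int(body: bytes) -> int:
    return int.from_bytes(body, "big", signed=True)

def _decode_oid(body: bytes) -> str:
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def _decode_value(tag: int, body: bytes):
    if tag == 0x05:
        return None                                    # NULL, as carried in a Get request
    if tag == 0x02:
        return _int(body)
    if tag == 0x04:
        return body.decode("latin-1")                  # OCTET STRING, e.g. sysDescr
    if tag == 0x06:
        return _decode_oid(body)
    return body

def decode_message(wire: bytes) -> dict:
    """Parse one SNMPv1 message into the fields the Sniffer detail screen shows."""
    _, msg, _ = _read_tlv(wire, 0)
    _, ver, p = _read_tlv(msg, 0)
    _, comm, p = _read_tlv(msg, p)
    ptag, pdu, _ = _read_tlv(msg, p)
    _, rid, q = _read_tlv(pdu, 0)
    _, est, q = _read_tlv(pdu, q)
    _, eidx, q = _read_tlv(pdu, q)
    _, vbl, _ = _read_tlv(pdu, q)
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oid, r = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, r)
        varbinds.append((_decode_oid(oid), _decode_value(vtag, val)))
    return {"version": _int(ver), "community": comm.decode("latin-1"),
            "command": PDU_TAGS.get(ptag, hex(ptag)), "request_id": _int(rid),
            "error_status": _int(est), "error_index": _int(eidx), "varbinds": varbinds}

# Assumed agent table (community -> manager addresses allowed to use it).  Both
# communities are valid on the agent, but xyzsnmp is not bound to .145.
ACL = {"abcsnmp": {"XXX.YYY.ZZZ.145"}, "xyzsnmp": {"<other-manager>"}}

def agent_should_respond(wire: bytes, src_ip: str, acl=ACL) -> bool:
    """True when the (community, source address) pair is permitted; otherwise an
    SNMPv1 agent stays silent, which is what the manager saw in Frames 70-72."""
    return src_ip in acl.get(decode_message(wire)["community"], set())
```

Encoding `("abcsnmp", 1888324335, "1.3.6.1.2.1.1.1.0")` gives a 44-octet message whose community octets are plainly readable in the raw bytes, which is exactly what the Sniffer displayed; that is why binding each community to specific manager addresses, as the agent does here, is worth having as the second level. Running `agent_should_respond` over the Frame 64 and Frame 70 messages from address .145 returns True and False respectively.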
The connectionless nature of SNMP's UDP transport leaves some doubt as to whether the agent has actually acted on a Set command from the manager. Testing that the Set actually occurred requires a three-step process. In the first step, the network manager reads the current value of an object. In the second step, the network manager issues the Set command. In the third step, it rereads that value to confirm that it was changed. This example shows these three steps in detail.
The internetwork in this example contains several Ethernet segments and is managed by a DECmcc console (see Figure 7-3). The goal is to assign a value to an object on the SynOptics (now Bay Networks) hub, which contains an SNMP agent. The hub also contains a SynOptics private enterprise MIB with OID prefix {1.3.6.1.4.1.45}. To assign the value, the agent must be configured to allow access from a remote manager, as illustrated in Section 7.2. For the SynOptics hubs, the SNMP configuration parameters establish several communities, each with different access rights. The read-only community is typically named "public." The read-write community is typically named "administrator." A third community usually called "trap1" defines the devices that will receive traps.
Figure 7-3 Verifying a Set command
As mentioned previously, the first step in testing the Set command, which occurs in Frames 5 to 8 (Trace 7.3a), is for the network manager to read the values of the SynOptics MIB. The SynOptics MIB is an extensive private MIB that contains objects such as the subnet mask [255.255.255.0], default gateway [XXX.YYY.170.250], boot file server address [XXX.YYY.170.20], and many others (see Frame 6 in Trace 7.3b). You should obtain documentation on private enterprise MIBs from the vendor when you initialize the network management system so that these details will be readily available. Note that the value we want to change is the Trap Receiver Community, OID {SynOptics 1.3.2.4.20.1.3.XXX.YYY.170.20}. From the detail of Frame 6, you can see that the fourteenth Object's Value = "public".
The second step begins in Frame 9 when the manager attempts to Set the Trap community to the value "test." Frame 10 returns an authentication failure trap, which indicates that the Hub agent did not permit the manager to set the object's value. This failure occurred because the Set command (Frame 9) specified a Community name = public, and that community was defined for read-only (not read-write) operation.
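The following is an added example, not the book's or DECmcc's code. It runs the three-step read / Set / re-read check described above against a simulated agent whose community table follows the defaults the text names for the SynOptics hub ("public" read-only, "administrator" read-write, "trap1" for trap receivers). The OID is the book's, with its masked XXX.YYY address kept as a placeholder; the MIB contents, the `SimAgent` class and its `apply_sets` switch (an agent that acknowledges a Set it does not apply, the doubt the text raises) are constructed for the example.

```python
# Added example (not from the book or DECmcc): read / Set / re-read verification
# against a simulated hub agent.  Community table follows the defaults the text
# names; the OID is the book's with its masked XXX.YYY address; values are constructed.
from dataclasses import dataclass, field

READ_ONLY, READ_WRITE, TRAP_DEST = "read-only", "read-write", "trap-destination"

# SynOptics enterprise prefix {1.3.6.1.4.1.45} + the Trap Receiver Community
# object from the text; XXX.YYY is the book's placeholder, not a real address.
TRAP_COMMUNITY_OID = "1.3.6.1.4.1.45.1.3.2.4.20.1.3.XXX.YYY.170.20"

@dataclass
class SimAgent:
    communities: dict                                # community name -> access right
    mib: dict = field(default_factory=dict)
    traps: list = field(default_factory=list)        # traps the agent emitted, in order
    apply_sets: bool = True                          # False: acknowledge a Set but do not apply it

    def get(self, community, oid):
        """GetRequest. An unknown or non-read community gets no reply at all (None)."""
        if self.communities.get(community) not in (READ_ONLY, READ_WRITE):
            return None
        return self.mib.get(oid)

    def set(self, community, oid, value):
        """SetRequest. Anything but a read-write community produces an authenticationFailure
        trap (Frame 10 in the text) and leaves the object untouched."""
        if self.communities.get(community) != READ_WRITE:
            self.traps.append(("authenticationFailure", community, oid))
            return False
        if self.apply_sets:
            self.mib[oid] = value
        return True                                  # acknowledged, applied or not

def verified_set(agent, community, oid, new_value):
    """Step 1 read, step 2 Set, step 3 re-read.  The Set's own acknowledgement is not
    trusted: the change counts as confirmed only if the re-read shows new_value."""
    before = agent.get(community, oid)
    acknowledged = agent.set(community, oid, new_value)
    after = agent.get(community, oid)
    return {"before": before, "acknowledged": acknowledged,
            "after": after, "confirmed": after == new_value}

def make_hub(apply_sets=True):
    """Hub agent with the community layout the text describes (constructed values)."""
    return SimAgent({"public": READ_ONLY, "administrator": READ_WRITE, "trap1": TRAP_DEST},
                    mib={TRAP_COMMUNITY_OID: "public"}, apply_sets=apply_sets)

if __name__ == "__main__":
    hub = make_hub()
    print(verified_set(hub, "public", TRAP_COMMUNITY_OID, "test"))         # confirmed False
    print(hub.traps)                                                        # authenticationFailure
    print(verified_set(hub, "administrator", TRAP_COMMUNITY_OID, "test"))  # confirmed True
    print(verified_set(make_hub(apply_sets=False), "administrator",
                       TRAP_COMMUNITY_OID, "test"))                         # acknowledged, not confirmed
```

The third case is the one that motivates step 3: the agent answers the Set as if it succeeded, and only the re-read exposes that the object still holds its old value. On a live network the manager should also treat an authenticationFailure trap arriving right after its own Set as a sign that the wrong community was used, as happened with "public" in Frame 9.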