

In the second scenario, the manager attempts to access the router using the same IP address [XXX.YYY.ZZZ.145], but with a different community name (xyzsnmp). The GetRequest is transmitted in Frame 70 and then retransmitted in Frames 71 and 72. The router never responds. Recall that the IP address [XXX.YYY.ZZZ.145] and the community name (xyzsnmp) are valid on the agent, but not in this combination. Thus, the association between the community name and the IP address provides a second level of access security.

Trace 7.2a Verifying access control with IP addresses (summary)

  Sniffer Network Analyzer data 16-Nov at 17:04:10, file 7-2.ENC, Pg 1
     SUMMARY  Delta T  Destination    Source         Summary
       64     0.0013   Router         Manager 145    SNMP Get sysDescr
       65     0.0479   Manager 145    Router         SNMP GetReply sysDescr = /usr3/wf/wf.rel/v5.75/wf.pj/proto.ss/ace_test.p/
       66     4.1358   Router         Router         Ethertype=8102 (Unknown)
       67     5.0239   Router         Router         Ethertype=8102 (Unknown)
       68     5.0388   Router         Router         Ethertype=8102 (Unknown)
       69     5.0314   Router         Router         Ethertype=8102 (Unknown)
       70     1.9592   Router         Manager 145    SNMP Get sysDescr
       71     0.9971   Router         Manager 145    SNMP Get sysDescr
       72     2.0045   Router         Manager 145    SNMP Get sysDescr

Trace 7.2b Verifying access control with IP addresses (details)

  Sniffer Network Analyzer data 16-Nov at 17:04:10, file 7-2.ENC, Pg 1
  ---------------------------- Frame 64 -------------------------
  SNMP: ----- Simple Network Management Protocol (Version 1) ----
  SNMP:
  SNMP: Version = 0
  SNMP: Community = abcsnmp
  SNMP: Command = Get request
  SNMP: Request ID = 1888324335
  SNMP: Error status = 0 (No error)
  SNMP: Error index = 0
  SNMP:
  SNMP: Object = {1.3.6.1.2.1.1.1.0} (sysDescr.0)
  SNMP: Value = NULL
  SNMP:
  -------------------------- Frame 65 ---------------------------
  SNMP: ----- Simple Network Management Protocol (Version 1) ----
  SNMP:
  SNMP: Version = 0
  SNMP: Community = abcsnmp
  SNMP: Command = Get response
  SNMP: Request ID = 1888324335
  SNMP: Error status = 0 (No error)
  SNMP: Error index = 0
  SNMP:
  SNMP: Object = {1.3.6.1.2.1.1.1.0} (sysDescr.0)
  SNMP: Value = /usr3/wf/wf.rel/v5.75/wf.pj/proto.ss/ace_test.p/
  SNMP:
  .
  .
  .
  -------------------------- Frame 70 ---------------------------
  SNMP: ----- Simple Network Management Protocol (Version 1) ----
  SNMP:
  SNMP: Version = 0
  SNMP: Community = xyzsnmp
  SNMP: Command = Get request
  SNMP: Request ID = 586726387
  SNMP: Error status = 0 (No error)
  SNMP: Error index = 0
  SNMP:
  SNMP: Object = {1.3.6.1.2.1.1.1.0} (sysDescr.0)
  SNMP: Value = NULL
  SNMP:
  ------------------------------ Frame 71 -----------------------
  SNMP: ----- Simple Network Management Protocol (Version 1) ----
  SNMP:
  SNMP: Version = 0
  SNMP: Community = xyzsnmp
  SNMP: Command = Get request
  SNMP: Request ID = 586726387
  SNMP: Error status = 0 (No error)
  SNMP: Error index = 0
  SNMP:
  SNMP: Object = {1.3.6.1.2.1.1.1.0} (sysDescr.0)
  SNMP: Value = NULL
  SNMP:
  ------------------------------ Frame 72 -----------------------
  SNMP: ----- Simple Network Management Protocol (Version 1) ----
  SNMP:
  SNMP: Version = 0
  SNMP: Community = xyzsnmp
  SNMP: Command = Get request
  SNMP: Request ID = 586726387
  SNMP: Error status = 0 (No error)
  SNMP: Error index = 0
  SNMP:
  SNMP: Object = {1.3.6.1.2.1.1.1.0} (sysDescr.0)
  SNMP: Value = NULL
  SNMP:
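
The agent-side logic that the two scenarios above exercise, as an added example in Python (not code from the book or from the router vendor): a small SNMPv1 BER decoder that pulls the version, community name, PDU type and request ID out of a datagram, and an access table that binds each community name to the manager addresses permitted to use it. The two frames are rebuilt from the community names and request IDs shown in Frames 64 and 70; the policy table, the XXX.YYY.ZZZ.146 address and the audit-line format are constructed assumptions.

```python
# Added example (not from the book or from any vendor's code): a minimal
# SNMPv1 BER codec plus the agent-side access check that Trace 7.2
# illustrates, in which a community name is only honoured from the manager
# addresses it is bound to. Addresses use the book's XXX.YYY.ZZZ
# placeholders; the "XXX.YYY.ZZZ.146" entry is a constructed value.

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest", 0xA4: "Trap"}

def ber_len(n):
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One BER element: tag, length, content."""
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(value):
    """INTEGER, minimal two's-complement encoding."""
    nbytes = 1
    while not -(1 << (8 * nbytes - 1)) <= value < (1 << (8 * nbytes - 1)):
        nbytes += 1
    return tlv(0x02, value.to_bytes(nbytes, "big", signed=True))

def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # last group carries no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_get_request(community, request_id, oid):
    """SNMPv1 Message { version 0, community, GetRequest-PDU { id, 0, 0, varbinds } }."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")          # Value = NULL
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)
              + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode("ascii")) + pdu)

def read_tlv(buf, pos):
    """Return (tag, content, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmpv1(datagram):
    """Pull version, community, PDU type and request ID out of a message."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, request_id, _ = read_tlv(pdu, 0)
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode("ascii", "replace"),
            "pdu_type": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(request_id, "big", signed=True)}

# Agent policy: each community name is bound to the manager addresses that may
# use it. Both names and both addresses are "valid", but only in the listed
# combinations (constructed to mirror the two scenarios in the text).
POLICY = {
    "abcsnmp": {"XXX.YYY.ZZZ.145"},
    "xyzsnmp": {"XXX.YYY.ZZZ.146"},    # constructed second manager address
}

def check_request(datagram, source_ip, policy=POLICY):
    """Agent-side decision, 'respond' or silently 'drop', plus an audit line."""
    req = parse_snmpv1(datagram)
    ok = req["version"] == 0 and source_ip in policy.get(req["community"], ())
    decision = "respond" if ok else "drop"
    # A dropped request gets nothing back (Frames 70-72 see no reply); the
    # audit line is the only trace the operator has of the failed attempt.
    log = (f"snmp {req['pdu_type']} id={req['request_id']} "
           f"community={req['community']!r} from {source_ip}: {decision}")
    return decision, req, log

if __name__ == "__main__":
    SYS_DESCR = "1.3.6.1.2.1.1.1.0"
    # Frame 64: valid community from the address it is bound to
    ok_frame = build_get_request("abcsnmp", 1888324335, SYS_DESCR)
    # Frame 70: valid community, valid address, invalid combination
    bad_frame = build_get_request("xyzsnmp", 586726387, SYS_DESCR)
    for frame in (ok_frame, bad_frame):
        print(check_request(frame, "XXX.YYY.ZZZ.145")[2])
```

The policy lookup is keyed on the community first and the source address second, so a request with an unknown community and one with a known community from the wrong address are treated identically: both are dropped without a reply, which is exactly what the retransmissions in Frames 70 to 72 look like on the wire.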

7.3 Verifying that a Set Command has been Properly Received and Implemented

The connectionless nature of SNMP's UDP transport leaves some doubt as to whether the agent has actually acted on a Set command from the manager. Testing that the Set actually occurred requires a three-step process. In the first step, the network manager reads the current value of an object. In the second step, the network manager issues the Set command. In the third step, it rereads that value to confirm that it was changed. This example shows these three steps in detail.

The internetwork in this example contains several Ethernet segments and is managed by a DECmcc console (see Figure 7-3). The goal is to assign a value to an object on the SynOptics (now Bay Networks) hub, which contains an SNMP agent. The hub also contains a SynOptics private enterprise MIB with the OID prefix {1.3.6.1.4.1.45}. Before a value can be assigned, the agent must be configured to allow access from a remote manager, as illustrated in Section 7.2. For the SynOptics hubs, the SNMP configuration parameters establish several communities, each with different access rights. The read-only community is typically named "public," and the read-write community is typically named "administrator." A third community, usually called "trap1," defines the devices that will receive traps.


Figure 7-3  Verifying a Set command

As mentioned previously, the first step in testing the Set command, which occurs in Frames 5 to 8 (Trace 7.3a), is for the network manager to read the values of the SynOptics MIB. The SynOptics MIB is an extensive private MIB that contains objects such as the subnet mask [255.255.255.0], the default gateway [XXX.YYY.170.250], the boot file server address [XXX.YYY.170.20], and many others (see Frame 6 in Trace 7.3b). Obtain documentation on private enterprise MIBs from the vendor when you initialize the network management system, so that these details are readily available. Note that the value we want to change is the Trap Receiver Community, OID {SynOptics 1.3.2.4.20.1.3.XXX.YYY.170.20}. From the detail of Frame 6, you can see that the fourteenth Object's Value = "public."

The second step begins in Frame 9, when the manager attempts to Set the Trap community to the value "test." Frame 10 returns an authentication failure trap, which indicates that the hub agent did not permit the manager to set the object's value. The Set failed because the Set command (Frame 9) specified Community name = public, and that community was configured for read-only (not read-write) access.
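
The read / set / re-read procedure, and the community rights that decide its outcome, as an added example in Python (not the book's code, and not the SynOptics or DECmcc software): a toy SNMPv1 agent holding the Trap Receiver Community object and the three communities described above, with verify_set() carrying out the three steps. The agent class, its MIB contents and the "trap-receiver" label are constructed; the lose_response flag is an assumption that simulates the lost UDP reply which motivates the third step. The example goes a little beyond the trace by also showing the read-write case and the lost-reply case.

```python
# Added example (not from the book or from any vendor's code): a toy SNMPv1
# agent with a per-community rights table, used to walk through the
# read / set / re-read check from Section 7.3. MIB contents are constructed;
# the OID keeps the book's XXX.YYY placeholders.

SYNOPTICS = "1.3.6.1.4.1.45"                     # enterprise prefix from the text
TRAP_RCVR_COMMUNITY = SYNOPTICS + ".1.3.2.4.20.1.3.XXX.YYY.170.20"

class SnmpV1Agent:
    """Holds a MIB (dict of OID -> value) and a community -> rights table."""

    def __init__(self, mib, communities):
        self.mib = dict(mib)
        self.communities = dict(communities)
        self.traps = []                           # traps the agent would have sent

    def get(self, community, oid):
        """GetRequest: any read community may read; unknown ones get no reply."""
        if self.communities.get(community) not in ("read-only", "read-write"):
            return None                           # silently dropped (Trace 7.2)
        return self.mib.get(oid)

    def set(self, community, oid, value, lose_response=False):
        """SetRequest: only a read-write community may change a value.

        Returns what the manager receives: an error-status string, or None
        when the UDP reply is lost on the way back (lose_response simulates
        that; it is a constructed knob, not a protocol feature)."""
        if self.communities.get(community) != "read-write":
            # Frame 10 in Trace 7.3: the agent answers with a trap, not a reply
            self.traps.append(("authenticationFailure", community, oid))
            return "authenticationFailure"
        self.mib[oid] = value
        return None if lose_response else "noError"

def verify_set(agent, community, oid, value, lose_response=False):
    """The three-step check: read, set, re-read. The re-read is the proof."""
    before = agent.get(community, oid)
    status = agent.set(community, oid, value, lose_response)
    after = agent.get(community, oid)
    return {"before": before,
            "set_status": status if status is not None else "timeout",
            "after": after,
            "verified": after == value}

def make_hub():
    """A hub configured as the text describes: public / administrator / trap1."""
    return SnmpV1Agent(
        mib={TRAP_RCVR_COMMUNITY: "public"},
        communities={"public": "read-only",
                     "administrator": "read-write",
                     "trap1": "trap-receiver"})  # constructed label

if __name__ == "__main__":
    # Frames 9-10: Set with the read-only community -> authenticationFailure,
    # and the re-read shows the object still holds "public"
    print(verify_set(make_hub(), "public", TRAP_RCVR_COMMUNITY, "test"))
    # The same Set with the read-write community succeeds and the re-read confirms it
    print(verify_set(make_hub(), "administrator", TRAP_RCVR_COMMUNITY, "test"))
    # Reply lost in transit: the manager times out, yet the re-read shows the
    # Set took effect, which is why step three exists
    print(verify_set(make_hub(), "administrator", TRAP_RCVR_COMMUNITY, "test",
                     lose_response=True))
```

The "verified" field is computed from the third read only, never from the Set's own response: a missing response is reported as a timeout, but it neither confirms nor denies that the agent acted, and the re-read settles the question either way.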

