SNMP Notification messages (Traps and Informs) provide the mechanism for one SNMP application to notify another SNMP application that something has occurred or been noticed. The SNMPv3 protocol mandates all notification messages be rejected unless the SNMPv3 user sending the notification already exists in the remote SNMP agent's user database. The user database in an SNMPv3 application is actually referenced by a combination of the user's name (Security Name) and an identifier for the given SNMP application (engineID).
Console's snmptrapd Configuration window lets you configure the Security User credentials and/or Engine IDs for devices from which Console's SNMPTrap Service (snmptrapd) accepts SNMPv3 Notification messages. If this information is not provided as part of the SNMPTrap Service configuration, all Notification messages are dropped by SNMPTrap Service. They do not appear in the Console's Trap/Event log and they are not acknowledged by SNMPTrap Service.
SNMPv3 traps and SNMPv3 inform messages differ in operation. When two SNMP agents communicate, one agent is always designated as authoritative. This authoritative designation depends on the type of message. When an SNMP message expects a response (e.g., SNMPv3 Inform), the receiver is authoritative. When an SNMP message does not expect a response (e.g., SNMPv3 Trap), the sender is authoritative. This is important because it is the authoritative agent's EngineID together with a Security User Name that must be recognized before the receiver accepts the message.
SNMPv3 Traps
Traps are one-way notification messages. They are not acknowledged by a receiving SNMP application. The Security User and Engine ID of the sending agent is included in SNMPv3 trap messages. So, before Console can receive trap messages, the SNMPTrap Service needs to know both the Security User credentials and the engine ID of the sending SNMP agent.
Because of this, you must define the Security User credentials and engineID of the SNMP agents for every device from which you want to receive SNMPv3 traps. This information is defined using the createUser directive in the snmptrappd.conf file. So, if you want to have 100 SNMP agents send SNMPv3 traps to the SNMPTrap Service, you need 100 createUser directives (defining both the security user credentials and engine ids) in the configuration file.
createUser Example for Traps:
createUser -e 0x01:02:03:04:05:A1:B2:C3:D4:E5 myUser MD5 myauthpassword DES myprivpassword
| Where: | |||
|---|---|---|---|
| -e <engine:id> | Specifies the engineID of the sending agent. | ||
| myUser | Security user name. | ||
| myauthpassword | MD5 or SHA - authentication type and authentication password (optional parameter - do not use when authentication is not used). | ||
| myprivpassword | DES - encryption type and encryption password - (optional parameter - do not use when encryption is not used or leave the encryption password blank if it is the same as the authentication password). |
SNMPv3 Informs
Inform notifications require two-way communication. Inform messages expect a response. An Inform notification is essentially a Trap that gets acknowledged by the receiving SNMP application. The sending SNMP application repeats the Inform message until it gets an I got it response from the receiving SNMP application. In this case, the receiving SNMP agent is authoritative, which means the inform message should include the Security User credentials and the EngineID of the receiving agent. However, because this is a two-way communication, it is possible for the sender to discover the Engine ID of the receiving agent and because the engineID can be discovered, it is not necessary to specify an engineID in the SNMPTrap Service's configuration file. It is only necessary to provide security user/credential information in this file and let the sender discover the engine ID.
The createUser directive in the snmptrapd.conf file defines security information for Inform messages.
createUser Example for Informs:
createUser myUser MD5 myauthpassword DES myprivpassword
| Where: | |||
|---|---|---|---|
| myUser | Security user name. | ||
| myauthpassword | MD5 or SHA - authentication type and authentication password (optional parameter - do not use when authentication is not used). | ||
| myprivpassword | DES - encryption type and encryption password - (optional parameter - do not use when encryption is not used or leave the encryption password blank if it is the same as the authentication password). |
Restart the SNMPTrap Service
Any time you change the snmptrapd.conf file, the SNMPTrap Service must be restarted.
To restart the snmptrapd:
| Windows | Linux |
|---|---|
|
|
).