12-Network Management and Monitoring Configuration Guide

06-SNMP Configuration

This chapter provides an overview of the Simple Network Management Protocol (SNMP) and guides you through the configuration procedure.

SNMP overview

SNMP is an Internet standard protocol widely used for a management station to access and operate the devices on a network, regardless of their vendors, physical characteristics and interconnect technologies.

SNMP enables network administrators to read and set the variables on managed devices for state monitoring, troubleshooting, statistics collection, and other management purposes.

SNMP framework

The SNMP framework comprises the following elements:

·           SNMP manager—Works on a network management system (NMS) to monitor and manage the SNMP-capable devices in the network.

·           SNMP agent—Works on a managed device to receive and handle requests from the NMS, and send traps to the NMS when some events, such as interface state change, occur.

·           Management Information Base (MIB)—Specifies the variables (for example, interface status and CPU usage) maintained by the SNMP agent for the SNMP manager to read and set.

SNMP operations

SNMP provides the following basic operations:

·           Get—The NMS retrieves SNMP object nodes in an agent MIB.

·           Set—The NMS modifies the value of an object node in the agent MIB.

·           Notifications—Include traps and informs. The SNMP agent sends traps or informs to report events to the NMS. The difference between the two types of notification is that informs require acknowledgement but traps do not. The device supports only traps.

SNMP protocol versions

H3C supports SNMPv1, SNMPv2c, and SNMPv3.

·           SNMPv1 uses community names for authentication. To access an SNMP agent, an NMS must use the same community name as set on the SNMP agent. If the community name used by the NMS is different from the community name set on the agent, the NMS cannot establish an SNMP session to access the agent or receive traps and notifications from the agent.

·           SNMPv2c also uses community names for authentication. SNMPv2c is compatible with SNMPv1, but supports more operation modes, data types, and error codes.

·           SNMPv3 uses a user-based security model (USM) to secure SNMP communication. You can configure authentication and privacy mechanisms to authenticate and encrypt SNMP packets for integrity, authenticity, and confidentiality.

 

IMPORTANT:

An NMS and an SNMP agent must use the same SNMP version to communicate with each other.

 

MIB and view-based MIB access control

A MIB view represents a set of MIB objects (or MIB object hierarchies) with a certain access privilege and is identified by a view name. The MIB objects included in the MIB view are accessible, while those excluded from the MIB view are inaccessible.

A MIB view can have multiple view records, each identified by a view-name oid-tree pair.

You can control access to the MIB by assigning MIB views to SNMP groups or communities. The relationship between an NMS, agent and MIB is shown in Figure 1.

Figure 1 Relationship between an NMS, agent and MIB

 

A MIB stores variables called “nodes” or “objects” in a tree hierarchy and identifies each node with a unique OID. An OID is a string of numbers that describes the path from the root node to a leaf node. For example, the object B in Figure 2 is uniquely identified by the OID {1.2.1.1}.

Figure 2 MIB tree

MIB tree structure diagram

 

Configuring SNMP basic parameters

SNMPv3 differs from SNMPv1 and SNMPv2c in many aspects. Their configuration procedures are described in separate sections.

Configuring SNMPv3 basic parameters

To configure SNMPv3 basic parameters:

 

1. Enter system view.

Command: system-view

Remarks: N/A

2. Enable the SNMP agent.

Command: snmp-agent

Remarks: Optional. Disabled by default. You can also enable the SNMP agent by using any command that begins with snmp-agent.

3. Configure system information for the SNMP agent.

Command: snmp-agent sys-info { contact sys-contact | location sys-location | version { all | { v1 | v2c | v3 }* } }

Remarks: Optional. The defaults are as follows:

· Hangzhou H3C Technologies Co., Ltd. for contact.

· Hangzhou China for location.

· SNMP v3 for the version.

4. Configure the local engine ID.

Command: snmp-agent local-engineid engineid

Remarks: Optional. The default local engine ID is the company ID plus the device ID.

5. Create or update a MIB view.

Command: snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ]

Remarks: Optional. By default, the MIB view ViewDefault is predefined and its OID is 1.

6. Configure an SNMPv3 group.

Command: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]

Remarks: N/A

7. Convert a plaintext key to an encrypted key.

Command: snmp-agent calculate-password plain-password mode { 3desmd5 | 3dessha | md5 | sha } { local-engineid | specified-engineid string }

Remarks: Optional.

8. Add a user to the SNMPv3 group.

Command: snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | des56 } priv-password ] ] [ acl acl-number ]

Remarks: If the cipher keyword is specified, the arguments auth-password and priv-password are considered as encrypted keys.

9. Configure the maximum SNMP packet size (in bytes) that the SNMP agent can handle.

Command: snmp-agent packet max-size byte-count

Remarks: Optional. 1,500 bytes by default.

 

Configuring SNMPv1 or SNMPv2c basic parameters

To configure SNMPv1 or SNMPv2c basic parameters:

 

1. Enter system view.

Command: system-view

Remarks: N/A

2. Enable the SNMP agent.

Command: snmp-agent

Remarks: Optional. Disabled by default. You can also enable the SNMP agent by using any command that begins with snmp-agent.

3. Configure system information for the SNMP agent.

Command: snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } }

Remarks: The defaults are as follows:

· Hangzhou H3C Technologies Co., Ltd. for contact.

· Hangzhou China for location.

· SNMP v3 for the version.

4. Configure the local engine ID.

Command: snmp-agent local-engineid engineid

Remarks: Optional. The default local engine ID is the company ID plus the device ID.

5. Create or update a MIB view.

Command: snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ]

Remarks: Optional. By default, the MIB view ViewDefault is predefined and its OID is 1.

6. Configure SNMP access right.

Command:

· (Approach 1) Create an SNMP community:

snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]*

· (Approach 2) Create an SNMP group, and add a user to the SNMP group:

a. snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]

b. snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]

Remarks: Use either approach. To be compatible with SNMPv3, use the snmp-agent group command. Make sure that the username is the same as the community name configured on the NMS.

7. Configure the maximum size (in bytes) of SNMP packets for the SNMP agent.

Command: snmp-agent packet max-size byte-count

Remarks: Optional. 1,500 bytes by default.

 

 

NOTE:

Each view-name oid-tree pair represents a view record. If you specify the same record with different MIB subtree masks multiple times, the last configuration takes effect. Except for the four subtrees in the default MIB view, you can create up to 16 unique MIB view records.
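The view records decide which OIDs an NMS can reach, so it helps to evaluate a view before assigning it to a group or community. The following is an added example, not H3C code: it checks an OID against included and excluded records with the optional mask, assuming the agent applies the RFC 3415 (VACM) rule that the longest matching oid-tree decides and a mask bit of 0 is a wildcard. The OPS_VIEW and PORT3_VIEW records and the NAMED table are constructed for illustration.

```python
# Constructed name table: only the subtree name used on this page.
NAMED = {"interfaces": "1.3.6.1.2.1.2"}

# View "test" from the SNMPv3 configuration example on this page.
TEST_VIEW = [("included", "interfaces", None)]
# Constructed view: all of mib-2 except the system group.
OPS_VIEW = [("included", "1.3.6.1.2.1", None), ("excluded", "1.3.6.1.2.1.1", None)]
# Constructed view: every ifEntry column, but only for ifIndex 3. In mask FFA0
# (1111 1111 1010 0000) the 10th bit is 0, so the column number is a wildcard.
PORT3_VIEW = [("included", "1.3.6.1.2.1.2.2.1.0.3", "FFA0")]


def parse_oid(text):
    """Turn a dotted OID or a known subtree name into a tuple of ints."""
    text = NAMED.get(text, text)
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(mask_hex, length):
    """Expand a hex mask to one flag per sub-identifier, most significant bit first.

    Positions the mask does not cover count as 1 (the sub-identifier must match).
    Assumption: mask_hex has an even number of hex digits.
    """
    bits = []
    if mask_hex:
        for byte in bytes.fromhex(mask_hex):
            bits.extend((byte >> shift) & 1 for shift in range(7, -1, -1))
    return (bits + [1] * length)[:length]


def record_matches(oid, tree, mask_hex=None):
    """True if oid lies inside the subtree family described by (tree, mask)."""
    if len(oid) < len(tree):
        return False
    flags = mask_bits(mask_hex, len(tree))
    return all(flag == 0 or got == want for flag, got, want in zip(flags, oid, tree))


def in_view(view, oid_text):
    """view is a list of (kind, oid-tree, mask); kind is 'included' or 'excluded'."""
    oid = parse_oid(oid_text)
    best = None
    for kind, tree_text, mask_hex in view:
        tree = parse_oid(tree_text)
        if record_matches(oid, tree, mask_hex):
            key = (len(tree), tree)  # longest oid-tree wins, then the greater OID
            if best is None or key > best[0]:
                best = (key, kind)
    # An OID that matches no record is outside the view.
    return best is not None and best[1] == "included"
```

With TEST_VIEW, an interface object such as 1.3.6.1.2.1.2.2.1.8.3 is visible while sysName (1.3.6.1.2.1.1.5.0) is not.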

 

Configuring SNMP logging

Introduction to SNMP logging

The SNMP logging function logs the Get requests, Set requests, and Set responses that the NMS has performed on the SNMP agent, but does not log the Get responses.

·           For a Get operation, the agent logs the IP address of the NMS, name of the accessed node, and node OID.

·           For a Set operation, the agent logs the IP address of the NMS, name of the accessed node, node OID, the assigned value and the error code and error index of the Set response.

The SNMP module sends these logs to the information center as informational messages. You can configure the information center to output these messages to certain destinations, for example, the console and the log buffer. For more information about the information center, see the chapter “Configuring the information center.”

Enabling SNMP logging

 

1. Enter system view.

Command: system-view

Remarks: N/A

2. Enable SNMP logging.

Command: snmp-agent log { all | get-operation | set-operation }

Remarks: Disabled by default.

3. Configure SNMP log output rules.

Command: info-center source { module-name | default } channel { channel-number | channel-name } [ debug { level severity | state state } * | log { level severity | state state } * | trap { level severity | state state } * ] *

Remarks: Optional. By default, SNMP logs are output to loghost and logfile only. To output SNMP logs to other destinations such as the console or a monitor terminal, set the output destinations with this command.

 

 

NOTE:

·       Disable SNMP logging in normal cases to prevent a large amount of SNMP logs from decreasing device performance.

·       The total output size for the node field (MIB node name) and the value field (value of the MIB node) in each log entry is 1024 bytes. If this limit is exceeded, the information center truncates the data in the fields.

 

Configuring SNMP traps

The SNMP agent sends traps to inform the NMS of important events, such as a reboot.

Traps fall into generic traps and vendor-specific traps. Available generic traps include authentication, coldstart, linkdown, linkup and warmstart. All other traps are vendor-defined.

SNMP traps generated by a module are sent to the information center. You can configure the information center to enable or disable outputting the traps from a module by their severity and set output destinations. For more information about the information center, see the chapter “Configuring the information center.”

Enabling SNMP traps

To enable traps:

 

1. Enter system view.

Command: system-view

Remarks: N/A

2. Enable traps globally.

Command: snmp-agent trap enable [ acfp [ client | policy | rule | server ] | bfd | bgp | configuration | flash | fr | mpls | ospf [ process-id ] [ ifauthfail | ifcfgerror | ifrxbadpkt | ifstatechange | iftxretransmit | lsdbapproachoverflow | lsdboverflow | maxagelsa | nbrstatechange | originatelsa | vifcfgerror | virifauthfail | virifrxbadpkt | virifstatechange | viriftxretransmit | virnbrstatechange ] * | pim [ neighborloss | invalidregister | invalidjoinprune | rpmappingchange | interfaceelection | electedbsrlostelection | candidatebsrwinelection ] * | standard [ authentication | coldstart | linkdown | linkup | warmstart ] * | system | vrrp [ authfailure | newmaster ] ]

Remarks: Optional. By default, only the trap function of the voice module is disabled, and the trap function of other modules is enabled.

3. Enter interface view.

Command:

· interface interface-type interface-number

· controller { cpos | e1 | e3 | t1 | t3 } number

Remarks: Use either approach.

4. Enable link state traps.

Command: enable snmp trap updown

Remarks: Optional. Enabled by default.

 

 

NOTE:

·       To generate linkUp or linkDown traps when the link state of an interface changes, you must enable the linkUp or linkDown trap function globally by using the snmp-agent trap enable [ standard [ linkdown | linkup ] * ] command and on the interface by using the enable snmp trap updown command.

·       After you enable a trap function for a module, whether the module generates traps also depends on the configuration of the module. For more information, see the configuration guide for each module.

 

Configuring the SNMP agent to send traps to a host

Configuration prerequisites

·           Complete the basic SNMP settings and check that they are the same as on the NMS. If SNMPv1 or SNMPv2c is used, you must configure a community name. If SNMPv3 is used, you must configure an SNMPv3 user and MIB view.

·           The device and the NMS can reach each other.

Configuration procedure

The SNMP module buffers the traps received from a module in a trap queue. You can set the size of the queue, the duration that the queue holds a trap, and trap target (destination) hosts, typically the NMS.

To configure the SNMP agent to send traps to a host:

 

1. Enter system view.

Command: system-view

Remarks: N/A

2. Configure a target host.

Command: snmp-agent target-host trap address udp-domain { ip-address | ipv6 ipv6-address } [ udp-port port-number ] [ vpn-instance vpn-instance-name ] params securityname security-string [ v1 | v2c | v3 [ authentication | privacy ] ]

Remarks: Optional. The vpn-instance keyword is applicable in an IPv4 network. To send the traps to the NMS, this command is required, and you must specify ip-address as the IP address of the NMS.

3. Configure the source address for traps.

Command: snmp-agent trap source interface-type { interface-number | interface-number.subnumber }

Remarks: Optional.

4. Extend the standard linkUp/linkDown traps.

Command: snmp-agent trap if-mib link extended

Remarks: Optional. By default, standard linkUp/linkDown traps are used.

5. Configure the trap queue size.

Command: snmp-agent trap queue-size size

Remarks: Optional. The default trap queue size is 100.

6. Configure the trap holding time.

Command: snmp-agent trap life seconds

Remarks: Optional. 120 seconds by default.

 

 

NOTE:

·       Extended linkUp/linkDown traps add interface description and interface type to standard linkUp/linkDown traps. If the NMS does not support extended SNMP messages, use standard linkUp/linkDown traps.

·       When the trap queue is full, the oldest traps are automatically deleted to make room for new traps.

·       A trap is deleted when its holding time expires.

 

Displaying and maintaining SNMP

 

Task: Display SNMP agent system information, including the contact, physical location, and SNMP version.

Command: display snmp-agent sys-info [ contact | location | version ]* [ | { begin | exclude | include } regular-expression ]

Remarks: Available in any view

Task: Display SNMP agent statistics.

Command: display snmp-agent statistics [ | { begin | exclude | include } regular-expression ]

Remarks: Available in any view

Task: Display the local engine ID.

Command: display snmp-agent local-engineid [ | { begin | exclude | include } regular-expression ]

Remarks: Available in any view

Task: Display SNMP group information.

Command: display snmp-agent group [ group-name ] [ | { begin | exclude | include } regular-expression ]

Remarks: Available in any view

Task: Display basic information about the trap queue.

Command: display snmp-agent trap queue [ | { begin | exclude | include } regular-expression ]

Remarks: Available in any view

Task: Display the modules that can send traps and their trap status (enable or disable).

Command: display snmp-agent trap-list [ | { begin | exclude | include } regular-expression ]

Remarks: Available in any view

Task: Display SNMPv3 user information.

Command: display snmp-agent usm-user [ engineid engineid | username user-name | group group-name ] * [ | { begin | exclude | include } regular-expression ]

Remarks: Available in any view

Task: Display SNMPv1 or SNMPv2c community information.

Command: display snmp-agent community [ read | write ] [ | { begin | exclude | include } regular-expression ]

Remarks: Available in any view

Task: Display MIB view information.

Command: display snmp-agent mib-view [ exclude | include | viewname view-name ] [ | { begin | exclude | include } regular-expression ]

Remarks: Available in any view

 

SNMP configuration examples

SNMPv1/SNMPv2c configuration example

Network requirements

As shown in Figure 3, the NMS (1.1.1.2/24) uses SNMPv1 or SNMPv2c to manage the SNMP agent (1.1.1.1/24), and the agent automatically sends traps to report events to the NMS.

Figure 3 Network diagram

 

Configuration procedure

1.       Configure the SNMP agent:

# Configure the IP address of the agent as 1.1.1.1/24 and make sure that the agent and the NMS can reach each other. (Details not shown)

# Specify SNMPv1 and SNMPv2c, and create a read-only community public and a read and write community private.

<Sysname> system-view

[Sysname] snmp-agent sys-info version v1 v2c

[Sysname] snmp-agent community read public

[Sysname] snmp-agent community write private

# Configure contact and physical location information for the switch.

[Sysname] snmp-agent sys-info contact Mr.Wang-Tel:3306

[Sysname] snmp-agent sys-info location telephone-closet,3rd-floor

# Enable SNMP traps, set the NMS at IP address 1.1.1.2/24 as an SNMP trap destination, and use public as the community name. (To make sure that the NMS can receive traps, specify the same SNMP version in the snmp-agent target-host command as that on the NMS.)

[Sysname] snmp-agent trap enable

[Sysname] snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname public v1

2.       Configure the SNMP NMS:

# Configure the SNMP version for the NMS as v1 or v2c, create a read-only community and name it public, and create a read and write community and name it private. For how to configure the NMS, see the manual for the NMS.

 

 

NOTE:

The configurations on the agent and the NMS must match.

 

3.       Verify the configuration:

○  After the above configuration, an SNMP connection is established between the NMS and the agent. The NMS can get and configure the values of some parameters on the agent through MIB nodes.

○  Execute the shutdown or undo shutdown command on an idle interface on the agent, and the NMS receives the corresponding trap.

SNMPv3 configuration example

Network requirements

As shown in Figure 4, the NMS (1.1.1.2/24) uses SNMPv3 to monitor and manage the interface status of the agent (1.1.1.1/24), and the agent automatically sends traps to report events to the NMS.

The NMS and the agent perform authentication when they set up an SNMP session. The authentication algorithm is MD5 and the authentication key is authkey. The NMS and the agent also encrypt the SNMP packets between them by using the DES algorithm and the privacy key prikey.

Figure 4 Network diagram

 

Configuration procedure

1.       Configure the SNMP agent:

# Configure the IP address of the agent as 1.1.1.1/24 and make sure that the agent and the NMS can reach each other. (Details not shown)

# Assign the NMS read and write access to the objects under the snmp node (OID 1.3.6.1.2.1.2), and deny its access to any other MIB object. Set the user name to managev3user, authentication algorithm to MD5, authentication key to authkey, the encryption algorithm to DES56, and the privacy key to prikey.

<Sysname> system-view

[Sysname] undo snmp-agent mib-view ViewDefault

[Sysname] snmp-agent mib-view included test interfaces

[Sysname] snmp-agent group v3 managev3group read-view test write-view test

[Sysname] snmp-agent usm-user v3 managev3user managev3group authentication-mode md5 authkey privacy-mode des56 prikey

# Configure the contact person and physical location information for the device.

[Sysname] snmp-agent sys-info contact Mr.Wang-Tel:3306

[Sysname] snmp-agent sys-info location telephone-closet,3rd-floor

# Enable traps, specify the NMS at 1.1.1.2 as a trap destination, and set the username to managev3user for the traps.

[Sysname] snmp-agent trap enable

[Sysname] snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname managev3user v3 privacy

2.       Configure the SNMP NMS:

○  Specify the SNMP version for the NMS as v3.

○  Create two SNMP users: managev3user and public.

○  Enable both authentication and privacy functions.

○  Use MD5 for authentication and DES for encryption.

○  Set the authentication key to authkey and the privacy key to prikey.

○  Set the timeout time and maximum number of retries.

For information about configuring the NMS, see the NMS manual.

 

 

NOTE:

The SNMP settings on the agent and the NMS must match.

 

3.       Verify the configuration:

○  After the above configuration, an SNMP connection is established between the NMS and the agent. The NMS can get and configure the values of some parameters on the agent through MIB nodes.

○  Execute the shutdown or undo shutdown command on an idle interface on the agent, and the NMS receives the corresponding trap.
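Both configuration examples above can be reviewed against the options that this guide's own command syntax offers. The following is an added example, not H3C code: it audits snmp-agent lines and reports where a stronger or narrower option exists. The HARDENED variant, ACL number 2001 and the key placeholders are constructed, and treating a v3 group with neither the authentication nor the privacy keyword as enforcing neither is an assumption.

```python
import re

# snmp-agent lines taken from the two configuration examples on this page.
V1V2C_EXAMPLE = """\
[Sysname] snmp-agent sys-info version v1 v2c
[Sysname] snmp-agent community read public
[Sysname] snmp-agent community write private
[Sysname] snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname public v1
"""
V3_EXAMPLE = """\
[Sysname] snmp-agent group v3 managev3group read-view test write-view test
[Sysname] snmp-agent usm-user v3 managev3user managev3group authentication-mode md5 authkey privacy-mode des56 prikey
[Sysname] snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname managev3user v3 privacy
"""
# Constructed variant: ACL 2001 and the key placeholders are hypothetical.
HARDENED = """\
snmp-agent sys-info version v3
snmp-agent group v3 managev3group privacy read-view test write-view test acl 2001
snmp-agent usm-user v3 managev3user managev3group cipher authentication-mode sha AUTH-KEY-PLACEHOLDER privacy-mode aes128 PRIV-KEY-PLACEHOLDER acl 2001
snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname managev3user v3 privacy
"""
PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")  # "[Sysname] " or "<Sysname> "


def after(words, keyword):
    """Return the word that follows keyword, or None."""
    if keyword in words and words.index(keyword) + 1 < len(words):
        return words[words.index(keyword) + 1]
    return None


def audit(config_text):
    """Return (line_number, finding) pairs for the snmp-agent commands."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), 1):
        words = PROMPT.sub("", raw).split()
        if len(words) < 3 or words[0] != "snmp-agent":
            continue
        cmd, args, found = words[1], words[2:], []
        if cmd == "sys-info" and args[0] == "version":
            if {"v1", "v2c", "all"} & set(args[1:]):
                found.append("community-based SNMPv1/v2c is enabled")
        elif cmd == "community" and len(args) >= 2:
            if args[1] in ("public", "private"):
                found.append("community name is a widely known value")
            if "acl" not in args[2:]:
                found.append("community is not restricted by an ACL")
            if args[0] == "write" and "mib-view" not in args[2:]:
                found.append("write community has no mib-view restriction")
        elif cmd == "group" and args[0] == "v3":
            # Assumption: without either keyword the group enforces neither.
            if not {"authentication", "privacy"} & set(args[2:]):
                found.append("group names neither authentication nor privacy")
        elif cmd == "usm-user" and args[0] == "v3":
            opts = args[3:]
            auth, priv = after(opts, "authentication-mode"), after(opts, "privacy-mode")
            if auth is None:
                found.append("user has no authentication")
            if auth == "md5":
                found.append("md5 authentication; the syntax also offers sha")
            if auth and "cipher" not in opts:
                found.append("keys are typed in plaintext (no cipher keyword)")
            if priv is None:
                found.append("user has no privacy (encryption)")
            elif priv != "aes128":
                found.append(priv + " privacy; the syntax also offers aes128")
        elif cmd == "target-host" and "securityname" in args:
            tail = args[args.index("securityname") + 2:]
            if {"v1", "v2c"} & set(tail):
                found.append("traps are sent with a community-based version")
            elif "v3" in tail and "privacy" not in tail:
                found.append("SNMPv3 traps are sent without privacy")
        findings.extend((number, text) for text in found)
    return findings
```

Calling audit(V1V2C_EXAMPLE) and audit(V3_EXAMPLE) lists the findings per line, while audit(HARDENED) returns an empty list.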

SNMP logging configuration example

Network requirements

Configure the SNMP agent (1.1.1.1/24) in Figure 5 to log the SNMP operations performed by the NMS.

Figure 5 Network diagram

 

Configuration procedure

 

 

NOTE:

This example assumes that you have configured all required SNMP settings for the NMS and the agent (see “SNMPv1/SNMPv2c configuration example” or “SNMPv3 configuration example”).

 

# Enable logging display on the terminal. (This function is enabled by default, so you can omit this configuration.)

<Sysname> terminal monitor

<Sysname> terminal logging

# Enable the information center to output the system information with the severity level equal to or higher than informational to the console port.

<Sysname> system-view

[Sysname] info-center source snmp channel console log level informational

# Enable SNMP logging on the agent to log the Get and Set operations of the NMS.

[Sysname] snmp-agent log get-operation

[Sysname] snmp-agent log set-operation

# Verify the configuration:

Use the NMS to get a MIB variable from the agent. The following is a sample log message displayed on the configuration terminal:

%Jan 1 02:49:40:566 2006 Sysname SNMP/6/GET:

seqNO = <10> srcIP = <1.1.1.2> op = <get> node = <sysName(1.3.6.1.2.1.1.5.0)> value=<>

Use the NMS to set a MIB variable on the agent. The following is a sample log message displayed on the configuration terminal:

%Jan 1 02:59:42:576 2006 Sysname SNMP/6/SET:

seqNO = <11> srcIP = <1.1.1.2> op = <set> errorIndex = <0> errorStatus =<noError> node = <sysName(1.3.6.1.2.1.1.5.0)> value = <Sysname>

Table 1 SNMP log message field description

Field: Jan 1 02:49:40:566 2006

Description: Time when the SNMP log was generated.

Field: seqNO

Description: Serial number automatically assigned to the SNMP log, starting from 0.

Field: srcIP

Description: IP address of the NMS.

Field: op

Description: SNMP operation type (GET or SET).

Field: node

Description: MIB node name and OID of the node instance.

Field: errorIndex

Description: Error index, with 0 meaning no error.

Field: errorStatus

Description: Error status, with noError meaning no error.

Field: value

Description: Value set when the SET operation is performed (this field is null for a GET operation). If the value is a character string that has characters beyond the ASCII range 0 to 127 or invisible characters, the string is displayed in hexadecimal format, for example, value = <81-43>[hex].

 

 

NOTE:

The information center can output system event messages to several destinations, including the terminal and the log buffer. In this example, SNMP log messages are output to the terminal. To configure other message destinations, see the chapter “Configuring the information center.”
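The log format shown in this example can be reviewed automatically once the messages reach a log host. The following is an added example, not H3C code: it parses the two-line messages and flags operations from addresses that are not an expected NMS, Set operations that the agent rejected, and gaps in seqNO. The entries with seqNO 12 and 14, the address 1.1.1.9 and the notWritable status text are constructed.

```python
import re

# The first two entries are the sample messages from this page; the last two are constructed.
SAMPLE_LOG = """\
%Jan 1 02:49:40:566 2006 Sysname SNMP/6/GET:
seqNO = <10> srcIP = <1.1.1.2> op = <get> node = <sysName(1.3.6.1.2.1.1.5.0)> value=<>
%Jan 1 02:59:42:576 2006 Sysname SNMP/6/SET:
seqNO = <11> srcIP = <1.1.1.2> op = <set> errorIndex = <0> errorStatus =<noError> node = <sysName(1.3.6.1.2.1.1.5.0)> value = <Sysname>
%Jan 1 03:05:10:101 2006 Sysname SNMP/6/SET:
seqNO = <12> srcIP = <1.1.1.9> op = <set> errorIndex = <0> errorStatus =<noError> node = <sysName(1.3.6.1.2.1.1.5.0)> value = <81-43>[hex]
%Jan 1 03:07:33:040 2006 Sysname SNMP/6/SET:
seqNO = <14> srcIP = <1.1.1.2> op = <set> errorIndex = <1> errorStatus =<notWritable> node = <sysDescr(1.3.6.1.2.1.1.1.0)> value = <x>
"""

HEADER = re.compile(r"^%(?P<time>.+?) (?P<host>\S+) SNMP/6/(?P<kind>GET|SET):\s*$")
FIELD = re.compile(r"(\w+)\s*=\s*<([^>]*)>(\[hex\])?")
NODE = re.compile(r"^(?P<name>[^()]*)\((?P<oid>[\d.]+)\)$")


def parse_snmp_log(text):
    """Yield one dict per SNMP log entry (a header line followed by a field line)."""
    header = None
    for line in text.splitlines():
        line = line.strip()
        match = HEADER.match(line)
        if match:
            header = match.groupdict()
            continue
        if header is None or not line:
            continue  # blank line, or a line that does not follow an SNMP header
        entry = dict(header)
        for name, value, is_hex in FIELD.findall(line):
            if is_hex:  # "<81-43>[hex]" carries raw bytes, as Table 1 describes
                value = bytes.fromhex(value.replace("-", ""))
            entry[name] = value
        node = NODE.match(entry.get("node", ""))
        if node:
            entry["node_name"], entry["oid"] = node["name"], node["oid"]
        header = None
        yield entry


def review(entries, allowed_nms):
    """Return (seqNO, reason) alerts; allowed_nms is the set of expected NMS addresses."""
    alerts = []
    previous = None
    for entry in entries:
        seq = int(entry["seqNO"])
        if previous is not None and seq != previous + 1:
            alerts.append((seq, "sequence gap after %d" % previous))
        previous = seq
        if entry["srcIP"] not in allowed_nms:
            alerts.append((seq, "%s from unexpected source %s" % (entry["op"], entry["srcIP"])))
        elif entry["op"] == "set" and entry.get("errorStatus") != "noError":
            alerts.append((seq, "rejected set on %s" % entry.get("oid")))
    return alerts
```

Run review(list(parse_snmp_log(SAMPLE_LOG)), {"1.1.1.2"}) to get the alerts for the sample, with 1.1.1.2 being the NMS address used throughout this chapter.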

 


Overview

MIBs fall into public MIBs and private MIBs. A private MIB is attached to a sub-node under the enterprises MIB node (1.3.6.1.4.1). The H3C private MIB has two styles: the H3C compatible MIB style and the H3C new MIB style:

·           In the H3C compatible MIB style, the device public MIB is under H3C’s enterprise ID 25506, and the private MIB is under the enterprise ID 2011.

·           In the H3C new MIB style, both the device public MIB and the private MIB are under H3C’s enterprise ID 25506.

These two styles of MIBs implement the same management function. Your device comes with a MIB loaded but the MIB style depends on the device model. You can change the MIB style as needed, but must make sure that the device is using the same MIB style as the NMS.

Setting the MIB style

To set the MIB style:

 

1. Enter system view.

Command: system-view

Remarks: N/A

2. Set the MIB style.

Command: mib-style [ new | compatible ]

Remarks: Optional. By default, H3C new MIB style is used.

 

 

NOTE:

After changing the MIB style, reboot the device to validate the change.

 

Displaying and maintaining MIB style

 

Task: Display the MIB style.

Command: display mib-style [ | { begin | exclude | include } regular-expression ]

Remarks: Available in any view