The Simple Network Management Protocol (SNMP) is by far the most widely used management protocol in computer networks. It has been put into practice and is widely accepted as an industry standard. SNMP ensures the transmission of management information between any two nodes, so network administrators can easily retrieve and modify the information on any node on the network, locate faults promptly, and carry out fault diagnosis, capacity planning and report generation.
SNMP uses a polling mechanism and provides a basic function set. It is best suited to small, fast and low-cost environments. It requires only the connectionless transport layer protocol UDP, and is therefore widely supported by many products.
SNMP consists of two parts, the Network Management Station and the Agent:
- The network management station (NMS) is the workstation that runs the client program. Commonly used NM platforms include QuidView, Sun NetManager and IBM NetView.
- The Agent is the server software that runs on network devices.
The NMS can send GetRequest, GetNextRequest and SetRequest messages to the Agent. Upon receiving a request from the NMS, the Agent performs the Read or Write operation according to the message type, then generates and returns a Response message to the NMS.
The Agent sends a Trap message to the NMS on its own initiative to report events whenever the device status changes or the device encounters an abnormality such as a restart.
Currently the SNMP Agent of the device supports SNMP V3 and is compatible with SNMP V1 and SNMP V2C.
SNMP V3 uses user name and password authentication.
SNMP V1 and SNMP V2C use community name authentication. SNMP packets that fail community name authentication are discarded. The community name defines the relationship between the SNMP NMS and the SNMP Agent and limits the access of the NMS to the Agent, functioning as a password. You can define the following features related to the community name:
- Define the MIB view that a community can access.
- Set read-only or read-write right to access MIB objects for the community. A read-only community can only query device information, while a read-write community can configure the device.
- Set the basic ACL specified by the community name.
The management variable in an SNMP packet describes the management objects of a device. To uniquely identify the managed objects of the device in SNMP messages, SNMP uses a hierarchical naming scheme. The scheme is like a tree in which each node represents a managed object, as shown in Figure 1-1, so an object can be identified by the unique path starting from the root.

Figure 1-1 Architecture of the MIB tree

The management information base (MIB) describes the hierarchical architecture of the tree; it is the set of standard variables defined for the monitored network device. In the above figure, the managed object B can be uniquely specified by the number string {1.2.1.1}. This number string is the Object Identifier (OID) of the managed object.
The common MIBs supported by the system are
listed in Table 1-1.
Table 1-1 Common MIBs

| MIB attribute | MIB content | References |
|---|---|---|
| Public MIB | MIB II based on TCP/IP network device | RFC1213 |
| Public MIB | BRIDGE MIB | RFC1493, RFC2675 |
| Public MIB | RIP MIB | RFC1724 |
| Public MIB | RMON MIB | RFC2819 |
| Public MIB | Ethernet MIB | RFC2665 |
| Public MIB | OSPF MIB | RFC1253 |
| Public MIB | IF MIB | RFC1573 |
| Private MIB | DHCP MIB | — |
| Private MIB | QACL MIB | — |
| Private MIB | ADBM MIB | — |
| Private MIB | IGMP Snooping MIB | — |
| Private MIB | RSTP MIB | — |
| Private MIB | VLAN MIB | — |
| Private MIB | Device management | — |
| Private MIB | Interface management | — |
The configuration of SNMP V3 differs from that of SNMP V1 and SNMP V2C, so the basic SNMP configuration for each version is introduced separately. For the specific configurations, refer to Table 1-2 and Table 1-3.
Table 1-2 Configure SNMP basic functions for SNMP V1 and SNMP V2C
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enable SNMP Agent | snmp-agent | Optional. By default, SNMP Agent is disabled. You can enable SNMP Agent by executing this command or any configuration command of snmp-agent. |
| Set system information | snmp-agent sys-info { contact sys-contact \| location sys-location \| version { { v1 \| v2c \| v3 }* \| all } } | Required. By default, the contact information for system maintenance is "R&D Hangzhou, H3C Technologies Co., Ltd.", the system location is "Hangzhou China", and the SNMP version is SNMP V3. |
| Set a community name and access authority (direct configuration): set a community name | snmp-agent community { read \| write } community-name [ acl acl-number \| mib-view view-name ]* | Required. Direct configuration for SNMP V1 and SNMP V2C is based on the community name. In indirect configuration, the user added to the group is equivalent to the community name for SNMP V1 and SNMP V2C. You can choose either method as needed. |
| Set a community name and access authority (indirect configuration): set an SNMP group | snmp-agent group { v1 \| v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] | Required (indirect configuration, see above) |
| Set a community name and access authority (indirect configuration): add a new user for an SNMP group | snmp-agent usm-user { v1 \| v2c } user-name group-name [ acl acl-number ] | Required (indirect configuration, see above) |
| Set the maximum size of SNMP packet that the Agent can send/receive | snmp-agent packet max-size max-size | Optional. By default, it is 1,500 bytes. |
| Set the device engine ID | snmp-agent local-engineid engineid | Optional. By default, the device engine ID is "Enterprise Number + device information". |
| Create or update the view information | snmp-agent mib-view { included \| excluded } view-name oid-tree | Optional. By default, the view name is ViewDefault and the OID is 1. |
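As an added example (not H3C code), the following Python model shows how the community features described above, read or write right, a basic ACL and an included/excluded MIB view on an OID subtree, combine into the agent-side decision that Table 1-2 configures; the policy, community names and request values are constructed for illustration.

```python
# Added example (not H3C code): a model of the agent-side check that the community,
# ACL and MIB-view settings in Table 1-2 configure. Policy and requests are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

def in_subtree(oid: str, root: str) -> bool:
    """True if oid is root itself or lies beneath it in the MIB tree."""
    o, r = oid.split("."), root.split(".")
    return o[:len(r)] == r

@dataclass
class MibView:
    # Rules are (mode, oid-tree) with mode "included" or "excluded"; the most
    # specific matching subtree decides. Default is ViewDefault: OID 1 included.
    rules: list = field(default_factory=lambda: [("included", "1")])

    def allows(self, oid: str) -> bool:
        best = None
        for mode, root in self.rules:
            if in_subtree(oid, root) and (best is None or len(root) > len(best[1])):
                best = (mode, root)
        return best is not None and best[0] == "included"

@dataclass
class Community:
    access: str                                # "read" or "write"
    view: MibView = field(default_factory=MibView)
    acl: list = field(default_factory=list)    # permitted source networks; empty = any

def check_request(policy, src_ip, community, pdu, oid) -> str:
    """Return 'accept' or the reason the agent would discard the packet."""
    c = policy.get(community)
    if c is None:                              # wrong community = failed authentication
        return "discard: community authentication failed"
    if c.acl and not any(ip_address(src_ip) in ip_network(n) for n in c.acl):
        return "discard: source address denied by ACL"
    if pdu == "SetRequest" and c.access != "write":
        return "discard: read-only community cannot configure the device"
    if not c.view.allows(oid):
        return "discard: object outside the community's MIB view"
    return "accept"

# Constructed sample policy: read-only "public" with the default view; read-write
# "netops" limited to one subnet and to 1.3.6.1 minus the enterprises subtree 1.3.6.1.4.1.
POLICY = {
    "public": Community("read"),
    "netops": Community("write",
                        MibView([("included", "1.3.6.1"), ("excluded", "1.3.6.1.4.1")]),
                        ["10.10.10.0/24"]),
}
```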
Table 1-3 Configure SNMP basic functions (SNMP V3)
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enable SNMP Agent | snmp-agent | Required. By default, SNMP Agent is disabled. You can enable SNMP Agent by executing this command or any configuration command of snmp-agent. |
| Set system information | snmp-agent sys-info { contact sys-contact \| location sys-location \| version { { v1 \| v2c \| v3 }* \| all } } | Optional. By default, the contact information for system maintenance is "R&D Hangzhou, H3C Technologies Co., Ltd.", the system location is "Hangzhou China", and the SNMP version is SNMP V3. |
| Set an SNMP group | snmp-agent group v3 group-name [ authentication \| privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] | Required |
| Add a new user for an SNMP group | snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 \| sha } auth-password [ privacy-mode des56 priv-password ] ] [ acl acl-number ] | Required |
| Set the size of SNMP packet that the Agent can send/receive | snmp-agent packet max-size byte-count | Optional. By default, it is 1,500 bytes. |
| Set the device engine ID | snmp-agent local-engineid engineid | Optional. By default, the device engine ID is "Enterprise Number + device information". |
| Create or update the view information | snmp-agent mib-view { included \| excluded } view-name oid-tree | Optional. By default, the view name is ViewDefault and the OID is 1. |
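As an added example (not H3C code), this Python model shows how the group option [ authentication | privacy ] in Table 1-3 and a user's authentication-mode and privacy-mode settings together decide which security level a request must use; the group and user names other than those taken from the configuration example on this page, and all request values, are constructed.

```python
# Added example (not H3C code): a model of how the group option [ authentication |
# privacy ] in Table 1-3 combines with a user's authentication-mode / privacy-mode.
from dataclasses import dataclass
from typing import Optional

LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}

def group_level(option: Optional[str]) -> str:
    """Security level that 'snmp-agent group v3 ... [ authentication | privacy ]' demands."""
    return {None: "noAuthNoPriv", "authentication": "authNoPriv", "privacy": "authPriv"}[option]

@dataclass
class V3User:
    group: str
    auth_mode: Optional[str] = None   # "md5" or "sha", set by authentication-mode
    priv_mode: Optional[str] = None   # "des56", set by privacy-mode

    def __post_init__(self):
        # privacy-mode is nested inside authentication-mode in the command syntax
        if self.priv_mode and not self.auth_mode:
            raise ValueError("privacy-mode requires authentication-mode")

    def max_level(self) -> str:
        if self.priv_mode:            # both keys configured
            return "authPriv"
        return "authNoPriv" if self.auth_mode else "noAuthNoPriv"

def check_v3_request(groups, users, user_name, level) -> str:
    """Return 'accept' or why the agent would discard a request at this level."""
    user = users.get(user_name)
    if user is None:
        return "discard: unknown user"
    required = groups.get(user.group)
    if required is None:
        return "discard: user's group does not exist"
    if LEVELS[level] > LEVELS[user.max_level()]:
        return f"discard: user has no keys for {level}"
    if LEVELS[level] < LEVELS[required]:
        return f"discard: group requires at least {required}"
    return "accept"

# Constructed sample: "managev3group"/"managev3user" mirror the configuration
# example on this page (no group option, no keys, so noAuthNoPriv is accepted in
# this model); "secure"/"ops" is a hardened form that rejects anything below authPriv.
GROUPS = {"managev3group": group_level(None), "secure": group_level("privacy")}
USERS = {
    "managev3user": V3User("managev3group"),
    "ops": V3User("secure", auth_mode="sha", priv_mode="des56"),
    "auditor": V3User("secure", auth_mode="md5"),          # no privacy key
}
```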
An S3100-SI Ethernet switch behaves as follows to prevent attacks through unused sockets:
- It opens UDP port 161 (used by SNMP agents) and UDP port 1024 (used by SNMP-trap clients) only when SNMP is enabled.
- It closes UDP port 161 and UDP port 1024 when SNMP is disabled.
This is achieved in the following way:
- Executing the snmp-agent command or any of the commands used to configure the SNMP agent enables the SNMP agent and opens UDP port 161 and UDP port 1024.
- Executing the undo snmp-agent command closes UDP port 161 and UDP port 1024.
A Trap is information that the managed device sends to the NMS on its own initiative, without a request. Traps report urgent and important events (for example, that the managed device has rebooted).
Before configuring Trap, complete the SNMP basic configuration.
Table 1-4 Configure Trap
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enable the device to send Trap packets | snmp-agent trap enable [ configuration \| flash \| standard [ authentication \| coldstart \| linkdown \| linkup \| warmstart ]* \| system ] | Optional. By default, the port is enabled to send Trap packets. |
| Enable the port to send Trap packets: enter port view or interface view | interface interface-type interface-number | |
| Enable the port to send Trap packets: enable the port or interface to send Trap packets | enable snmp trap updown | |
| Enable the port to send Trap packets: quit to system view | quit | |
| Set Trap target host address | snmp-agent target-host trap address udp-domain { ip-address } [ udp-port port-number ] params securityname security-string [ v1 \| v2c \| v3 { authentication \| privacy } ] | Required |
| Set the source address to send Trap packets | snmp-agent trap source interface-type interface-number | Optional |
| Set the queue length of Trap packets sent to the destination host | snmp-agent trap queue-size size | Optional. The default value is 100. |
| Set the aging time for Trap packets | snmp-agent trap life seconds | Optional. The default aging time for Trap packets is 120 seconds. |
After the above configuration is completed, execute the display command in any view to view the running status of SNMP and verify the configuration.
Table 1-5 Display SNMP
| Operation | Command | Description |
|---|---|---|
| Display system information of the current SNMP device | display snmp-agent sys-info [ contact \| location \| version ]* | Optional. The display command can be executed in any view. |
| Display SNMP packet statistics | display snmp-agent statistics | Optional. Can be executed in any view. |
| Display the engine ID of the current device | display snmp-agent { local-engineid \| remote-engineid } | Optional. Can be executed in any view. |
| Display group information about the device | display snmp-agent group [ group-name ] | Optional. Can be executed in any view. |
| Display SNMP user information | display snmp-agent usm-user [ engineid engineid \| username user-name \| group group-name ] | Optional. Can be executed in any view. |
| Display Trap list information | display snmp-agent trap-list | Optional. Can be executed in any view. |
| Display the currently configured community name | display snmp-agent community [ read \| write ] | Optional. Can be executed in any view. |
| Display the currently configured MIB view | display snmp-agent mib-view [ exclude \| include \| viewname view-name ] | Optional. Can be executed in any view. |
I. Network requirements
- An NMS and Switch A are connected through the Ethernet. The IP address of the NMS is 10.10.10.1 and that of the VLAN interface on Switch A is 10.10.10.2.
- Perform the following configuration on Switch A: set the community name and access authority, administrator ID, contact and switch location, and enable the switch to send trap packets.
II. Network diagram

Figure 1-2 Network diagram for SNMP
III. Network procedure
# Set the community name, group name and user.
<H3C> system-view
[H3C] snmp-agent
[H3C] snmp-agent sys-info version all
[H3C] snmp-agent community write public
[H3C] snmp-agent mib-view include internet 1.3.6.1
[H3C] snmp-agent group v3 managev3group write-view internet
[H3C] snmp-agent usm-user v3 managev3user managev3group
# Set VLAN interface 2 as the interface used by the NMS. Add port Ethernet1/0/2 to VLAN 2; this port will be used for network management. Set the IP address of VLAN interface 2 to 10.10.10.2.
[H3C] vlan 2
[H3C-vlan2] port ethernet 1/0/2
[H3C-vlan2] quit
[H3C] interface Vlan-interface 2
[H3C-Vlan-interface2] ip address 10.10.10.2 255.255.255.0
[H3C-Vlan-interface2] quit
# Enable the SNMP agent to send Trap packets to the NMS whose IP address is 10.10.10.1. The SNMP community is public.
[H3C] snmp-agent trap enable standard authentication
[H3C] snmp-agent trap enable standard coldstart
[H3C] snmp-agent trap enable standard linkup
[H3C] snmp-agent trap enable standard linkdown
[H3C] snmp-agent target-host trap address udp-domain 10.10.10.1 udp-port 5000 params securityname public
IV. Configuring the NMS
The S3100-SI series switch supports H3C’s QuidView NMS. SNMP V3 uses user name and password authentication. In [QuidView Authentication Parameter], you need to set a user name, choose a security level, and set the authorization mode, authorization password, encryption mode and encryption password according to the chosen security level. In addition, you must set the timeout and the number of retries.
You can query and configure the Ethernet switch through the NMS. For more information, refer to the manuals of H3C’s NMS products.
The NMS configuration must be consistent with the device configuration; otherwise, the NMS cannot manage the device.