The simple network management protocol (SNMP) is used to transmit management information between any two network nodes. In this way, network administrators can easily retrieve and modify information about any node on the network, locate faults promptly, and perform fault diagnosis, capacity planning and report generation.

As SNMP adopts a polling mechanism and provides a basic function set, it is suitable for small-sized networks that need fast, low-cost management. SNMP is based on the user datagram protocol (UDP) and is thus widely supported by many products.

SNMP is implemented by two components, namely, the network management station (NMS) and the agent.

- An NMS can be a workstation running a client program. At present, the commonly used network management platforms include QuidView, Sun NetManager, IBM NetView, and so on.
- The agent is server-side software running on network devices (such as switches).
An NMS can send GetRequest, GetNextRequest and SetRequest messages to the agents. Upon receiving a request from the NMS, an agent performs a Read or Write operation on the managed object (MIB, Management Information Base) according to the message type, generates the corresponding Response packet and returns it to the NMS.

When a network device operates improperly or changes to another state, the agent on it can also send trap messages on its own initiative to the NMS to report the events.

Currently, the SNMP agent on a switch supports SNMPv3 and is compatible with SNMPv1 and SNMPv2c.

SNMPv3 adopts user name and password authentication.

SNMPv1 and SNMPv2c adopt community name authentication: SNMP packets carrying an invalid community name are discarded. An SNMP community name defines the relationship between the SNMP NMS and the SNMP agent. The community name functions as a password and limits the access that the SNMP NMS has to the SNMP agent. You can perform the following community name-related configuration:

- Specify the MIB view that a community can access.
- Set the permission for a community to access an MIB object to read-only or read-write. Communities with read-only permission can only query the switch information, while those with read-write permission can configure the switch as well.
- Set the basic ACL specified by the community name.
An SNMP packet carries management variables with it. A management variable describes a managed object of a switch. To uniquely identify the managed objects of the switch, SNMP adopts a hierarchical naming scheme to organize them. It is like a tree, with each tree node representing a managed object, as shown in Figure 1-1. Each node in this tree can be uniquely identified by a path starting from the root.

Figure 1-1 Architecture of the MIB tree

The management information base (MIB) describes the hierarchical architecture of the tree and is the set of standard variables defined for the monitored network devices. In the above figure, the managed object B can be uniquely identified by the string of numbers {1.2.1.1}. This number string is the object identifier (OID) of the managed object.
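The MIB view that a community is bound to (see the community configuration above and the `snmp-agent mib-view` command later in this section) is evaluated against exactly such OID paths. The block below is an added example, not code from the H3C manual or from the switch firmware: it decides whether an OID is visible through a view built from included and excluded subtrees with optional masks, following the view-family rules of RFC 3415 (the model behind `mib-view { included | excluded } view-name oid-tree [ mask ]`). The view name `internet` and the subtree 1.3.6.1 appear in this section's configuration example; the excluded subtree, the `one-port` view and the mask value FFA0 are constructed.

```python
"""Decide whether an OID is visible through an SNMP MIB view.

Added example (not from the H3C manual): an OID belongs to a view family when
every sub-identifier selected by the mask matches the family's subtree; the
longest matching family wins, and its included/excluded type decides access.
"""
from dataclasses import dataclass


def parse_oid(text):
    """'1.3.6.1' -> (1, 3, 6, 1); a leading dot is accepted."""
    return tuple(int(p) for p in text.strip().strip(".").split("."))


def mask_bits(mask_hex, length):
    """Expand a hex mask such as 'FFA0' into one flag per sub-identifier.
    Bits are read MSB-first; positions beyond the mask count as 1 (must
    match), which is how RFC 3415 treats a short mask."""
    raw = bytes.fromhex(mask_hex) if mask_hex else b""
    flags = []
    for i in range(length):
        byte, bit = divmod(i, 8)
        flags.append(bool(raw[byte] & (0x80 >> bit)) if byte < len(raw) else True)
    return flags


@dataclass(frozen=True)
class ViewFamily:
    subtree: tuple
    mask: str        # hex string; "" means every sub-identifier must match
    included: bool   # True for `included`, False for `excluded`

    def covers(self, oid):
        """True when the OID lies under this family's (masked) subtree."""
        if len(oid) < len(self.subtree):
            return False
        flags = mask_bits(self.mask, len(self.subtree))
        return all(not must or o == s for must, o, s in zip(flags, oid, self.subtree))


class MibView:
    def __init__(self, name):
        self.name = name
        self.families = []

    def add(self, oid_tree, included=True, mask=""):
        self.families.append(ViewFamily(parse_oid(oid_tree), mask, included))
        return self

    def allows(self, oid_text):
        """True when a get/set on this OID through a community bound to the
        view would be accepted."""
        oid = parse_oid(oid_text)
        matches = [f for f in self.families if f.covers(oid)]
        if not matches:
            return False   # no family covers the OID: it is outside the view
        # Longest subtree takes precedence; on equal length the lexicographically
        # greatest subtree wins (the RFC 3415 tie-break).
        best = max(matches, key=lambda f: (len(f.subtree), f.subtree))
        return best.included


def example_views():
    """Two constructed views: `internet` minus one excluded subtree, and a
    per-row view that exposes the system group plus only row 3 of ifTable."""
    internet = MibView("internet").add("1.3.6.1")
    internet.add("1.3.6.1.6.3", included=False)        # constructed exclusion
    one_port = MibView("one-port").add("1.3.6.1.2.1.1")  # system group
    # mask FFA0 wildcards the 10th sub-identifier (the ifTable column), so
    # every column of ifEntry row 3 is visible and no other row is
    one_port.add("1.3.6.1.2.1.2.2.1.1.3", mask="FFA0")
    return internet, one_port


if __name__ == "__main__":
    internet, one_port = example_views()
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.6.3.15.1.1.4.0"):
        print(internet.name, oid, internet.allows(oid))
    for oid in ("1.3.6.1.2.1.2.2.1.2.3", "1.3.6.1.2.1.2.2.1.2.4"):
        print(one_port.name, oid, one_port.allows(oid))
```

The per-row mask is the practical reason the `mask` option exists: without it a view can only grant or deny whole subtrees, so limiting a read-only community to one interface's counters would be impossible.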
The common MIBs supported by switches are listed in Table 1-1.

Table 1-1 Common MIBs

| MIB attribute | MIB content | Related RFC |
|---|---|---|
| Public MIB | MIB II based on TCP/IP network device | RFC 1213 |
| Public MIB | BRIDGE MIB | RFC 1493, RFC 2675 |
| Public MIB | RIP MIB | RFC 1724 |
| Public MIB | RMON MIB | RFC 2819 |
| Public MIB | Ethernet MIB | RFC 2665 |
| Public MIB | OSPF MIB | RFC 1253 |
| Public MIB | IF MIB | RFC 1573 |
| Private MIB | DHCP MIB, QACL MIB, MSTP MIB, VLAN MIB, IPV6 ADDRESS MIB, MIRRORGROUP MIB, QINQ MIB, 802.x MIB, HGMP MIB, NTP MIB, Device management, Interface management | — |
SNMPv3 configuration is quite different from that of SNMPv1 and SNMPv2c. Therefore, the configuration of basic SNMP functions is described per SNMP version, as listed in Table 1-2 and Table 1-3.

Table 1-2 Configure basic SNMP functions (SNMPv1 and SNMPv2c)

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enable SNMP agent | snmp-agent | Optional. Disabled by default. You can enable SNMP agent by executing this command or any of the commands used to configure SNMP agent. |
| Set system information, and specify to enable SNMPv1 or SNMPv2c on the switch | snmp-agent sys-info { contact sys-contact \| location sys-location \| version { { v1 \| v2c \| v3 }* \| all } } | Required. By default, the contact information for system maintenance is "R&D Hangzhou, H3C Technology Co., Ltd.", the system location is "Hangzhou China", and the SNMP version is SNMPv3. |
| Set a community name and access permission (direct configuration): set a community name | snmp-agent community { read \| write } community-name [ acl acl-number \| mib-view view-name ]* | Required. You can set an SNMPv1/SNMPv2c community name through direct configuration. Indirect configuration is compatible with SNMPv3; the added user is equal to the community name for SNMPv1 and SNMPv2c. You can choose either of them as needed. |
| Set a community name and access permission (indirect configuration): set an SNMP group | snmp-agent group { v1 \| v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] | |
| Set a community name and access permission (indirect configuration): add a user to an SNMP group | snmp-agent usm-user { v1 \| v2c } user-name group-name [ acl acl-number ] | |
| Set the maximum size of an SNMP packet for SNMP agent to receive or send | snmp-agent packet max-size byte-count | Optional. 1,500 bytes by default. |
| Set the device engine ID | snmp-agent local-engineid engineid | Optional. By default, the device engine ID is “enterprise number + device information”. |
| Create/Update the view information | snmp-agent mib-view { included \| excluded } view-name oid-tree [ mask mask-value ] | Optional. By default, the view name is “ViewDefault” and OID is 1. |
Table 1-3 Configure basic SNMP functions (SNMPv3)

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enable SNMP agent | snmp-agent | Optional. Disabled by default. You can enable SNMP agent by executing this command or any of the commands used to configure SNMP agent. |
| Set system information and specify to enable SNMPv3 on the switch | snmp-agent sys-info { contact sys-contact \| location sys-location \| version { { v1 \| v2c \| v3 }* \| all } } | Required. By default, the contact information for system maintenance is "R&D Hangzhou, H3C Technology Co., Ltd.", the system location is "Hangzhou China", and the SNMP version is SNMPv3. |
| Set an SNMP group | snmp-agent group v3 group-name [ authentication \| privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] | Required |
| Encrypt a plain-text password to generate a cipher-text one | snmp-agent calculate-password plain-password mode { md5 \| sha } { local-engineid \| specified-engineid engineid } | Optional. This command is used if a cipher-text password is needed for adding a new user. |
| Add a user to an SNMP group | snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 \| sha } auth-password [ privacy-mode { des56 \| aes128 } priv-password ] ] [ acl acl-number ] | Required |
| Set the maximum size of an SNMP packet for SNMP agent to receive or send | snmp-agent packet max-size byte-count | Optional. 1,500 bytes by default. |
| Set the device engine ID | snmp-agent local-engineid engineid | Optional. By default, the device engine ID is “enterprise number + device information”. |
| Create or update the view information | snmp-agent mib-view { included \| excluded } view-name oid-tree [ mask mask-value ] | Optional. By default, the view name is “ViewDefault” and OID is 1. |
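The `snmp-agent calculate-password` row above turns a plain-text password into a cipher-text key that is bound to one engine ID, which is why the command needs either the local engine ID or a specified one. The block below is an added example, not the switch's or the manual's code: it implements the two steps SNMPv3 uses for this (RFC 3414 Appendix A.2, the password-to-key expansion followed by key localization with the engine ID) so that you can see why the same password yields a different key on every engine and why an NMS must use the engine ID of the device it manages. The password "maplesyrup" and the first engine ID are RFC 3414's published test vector; the second engine ID is a constructed value, and treating the hex of the localized key as the table's "cipher-text password" is an assumption made here.

```python
"""Derive an SNMPv3 localized key (RFC 3414, Appendix A.2) from a password.

Added example, not the switch firmware's code: it reproduces the
password-to-key step and the engine-ID localization step that the
`snmp-agent calculate-password` command performs.
"""
import hashlib

PASSWORD_EXPANSION = 1_048_576   # RFC 3414: hash the password stretched to 1 MiB


def password_to_key(password, algorithm):
    """Ku = H(password repeated to 1,048,576 bytes); algorithm is 'md5' or 'sha1'."""
    if not password:
        raise ValueError("empty password")
    pw = password.encode("utf-8")
    reps, rem = divmod(PASSWORD_EXPANSION, len(pw))
    h = hashlib.new(algorithm)
    h.update(pw * reps)      # whole repetitions of the password
    h.update(pw[:rem])       # then the prefix that fills the last block
    return h.digest()


def localize_key(ku, engine_id, algorithm):
    """Kul = H(Ku || engineID || Ku): ties the key to one SNMP engine."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def calculate_password(password, engine_id_hex, mode):
    """Mirror of the CLI's { md5 | sha } modes. Returns the localized key as
    hex; that this is the 'cipher-text password' form is an assumption here."""
    algorithm = {"md5": "md5", "sha": "sha1"}[mode]
    ku = password_to_key(password, algorithm)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algorithm).hex()


RFC3414_ENGINE_ID = "000000000000000000000002"   # test-vector engine ID, RFC 3414 A.3
OTHER_ENGINE_ID = "800000000300aabbccddee"       # constructed: a different engine, same password

if __name__ == "__main__":
    for mode in ("md5", "sha"):
        print(mode, calculate_password("maplesyrup", RFC3414_ENGINE_ID, mode))
    # the same password localizes to a different key on another engine
    print("md5", calculate_password("maplesyrup", OTHER_ENGINE_ID, "md5"))
```

Because the localized key depends on the engine ID, changing `snmp-agent local-engineid` after users have been created invalidates every key derived for the old ID; the NMS side must then be updated as well, which is the consistency requirement stated in the NMS configuration notes later in this section.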
An S3100 Ethernet switch provides the following functions to prevent attacks through unused UDP ports.

- Executing the snmp-agent command or any of the commands used to configure SNMP agent enables the SNMP agent and at the same time opens UDP port 161, used by the SNMP agent, and the UDP port used by SNMP trap.
- Executing the undo snmp-agent command disables the SNMP agent and closes the UDP ports used by the SNMP agent and SNMP trap.

Trap messages are messages sent by managed devices to the NMS without a request. They are used to report urgent and important events (for example, the rebooting of managed devices).

Note that basic SNMP configuration is performed before you configure basic trap.
Table 1-4 Configure basic Trap

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enable the switch to send Trap messages to NMS | snmp-agent trap enable [ configuration \| flash \| standard [ authentication \| coldstart \| linkdown \| linkup \| warmstart ]* \| system \| ] | Optional. By default, a port is enabled to send all types of Traps. |
| Enable the port to send Trap messages: enter port view or interface view | interface interface-type interface-number | |
| Enable the port to send Trap messages: enable the port or interface to send Trap messages | enable snmp trap updown | |
| Enable the port to send Trap messages: quit to system view | quit | |
| Set the destination for Trap messages | snmp-agent target-host trap address udp-domain { ip-address } [ udp-port port-number ] params securityname security-string [ v1 \| v2c \| v3 { authentication \| privacy } ] | Required |
| Set the source address for Trap messages | snmp-agent trap source interface-type interface-number | Optional |
| Set the size of the queue used to hold the Traps to be sent to the destination host | snmp-agent trap queue-size size | Optional. The default is 100. |
| Set the aging time for Trap messages | snmp-agent trap life seconds | Optional. 120 seconds by default. |
The extended Trap includes the following.

- “Interface description” and “interface type” are added to the linkUp/linkDown Trap message. When receiving this extended Trap message, the NMS can immediately determine, from the interface description and type, which interface on the device has failed.
- In all Trap messages sent from the information center to the log server, a MIB object name is added after the OID field of the MIB object, so that the MIB object is easier to identify.
Table 1-5 Configure extended Trap

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Configure extended Trap | snmp-agent trap ifmib link extended | Optional. By default, the linkUp/linkDown Trap message adopts the standard format defined in IF-MIB. For details, refer to RFC 1213. |
Table 1-6 Enable logging for network management

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enable logging for network management | snmp-agent log { set-operation \| get-operation \| all } | Optional. Disabled by default. |

Use the display logbuffer command to view the log of the get and set operations requested by the NMS.

After the above configuration, you can execute the display command in any view to view the running status of SNMP and to verify the configuration.
Table 1-7 Display SNMP

| Operation | Command | Description |
|---|---|---|
| Display the SNMP information about the current device | display snmp-agent sys-info [ contact \| location \| version ]* | Available in any view. |
| Display SNMP packet statistics | display snmp-agent statistics | Available in any view. |
| Display the engine ID of the current device | display snmp-agent { local-engineid \| remote-engineid } | Available in any view. |
| Display group information about the device | display snmp-agent group [ group-name ] | Available in any view. |
| Display SNMP user information | display snmp-agent usm-user [ engineid engineid \| username user-name \| group group-name ] | Available in any view. |
| Display Trap list information | display snmp-agent trap-list | Available in any view. |
| Display the currently configured community name | display snmp-agent community [ read \| write ] | Available in any view. |
| Display the currently configured MIB view | display snmp-agent mib-view [ exclude \| include \| viewname view-name ] | Available in any view. |
I. Network requirements

- An NMS and Switch A (SNMP agent) are connected through Ethernet. The IP address of the NMS is 10.10.10.1 and that of the VLAN interface on Switch A is 10.10.10.2.
- Perform the following configuration on Switch A: set the community name and access permission, the administrator ID, the contact and the switch location, and enable the switch to send trap messages.

Thus, the NMS is able to access Switch A and receive the trap messages sent by Switch A.
II. Network diagram

Figure 1-2 Network diagram for SNMP configuration
III. Network procedure

# Enable SNMP agent, and set the SNMPv1 and SNMPv2c community names.
<Sysname> system-view
[Sysname] snmp-agent
[Sysname] snmp-agent sys-info version all
[Sysname] snmp-agent community read public
[Sysname] snmp-agent community write private
# Set the access right of the NMS to the MIB of the SNMP agent.
[Sysname] snmp-agent mib-view include internet 1.3.6.1
# For SNMPv3, set:
- the SNMPv3 group and user
- the security level to authentication and encryption
- the authentication protocol to HMAC-MD5
- the authentication password to passmd5
- the encryption protocol to DES
- the encryption password to cfb128cfb128
[Sysname] snmp-agent group v3 managev3group privacy write-view internet
[Sysname] snmp-agent usm-user v3 managev3user managev3group authentication-mode md5 passmd5 privacy-mode des56 cfb128cfb128
# Set VLAN-interface 2 as the interface used by the NMS. Add port Ethernet 1/0/2, which is to be used for network management, to VLAN 2. Set the IP address of VLAN-interface 2 to 10.10.10.2.
[Sysname] vlan 2
[Sysname-vlan2] port Ethernet 1/0/2
[Sysname-vlan2] quit
[Sysname] interface Vlan-interface 2
[Sysname-Vlan-interface2] ip address 10.10.10.2 255.255.255.0
[Sysname-Vlan-interface2] quit
# Enable the SNMP agent to send Trap messages to the NMS whose IP address is 10.10.10.1. The SNMP community name to be used is “public”.
[Sysname] snmp-agent trap enable standard authentication
[Sysname] snmp-agent trap enable standard coldstart
[Sysname] snmp-agent trap enable standard linkup
[Sysname] snmp-agent trap enable standard linkdown
[Sysname] snmp-agent target-host trap address udp-domain 10.10.10.1 udp-port 5000 params securityname public
IV. Configuring the NMS

The S3100 series Ethernet switches support H3C’s QuidView NMS. SNMPv3 adopts user name and password authentication. When you use H3C’s QuidView NMS, you need to set user names and choose the security level in [Quidview Authentication Parameter]. For each security level, you need to set the authorization mode, authorization password, encryption mode, encryption password, and so on. In addition, you need to set the timeout and the maximum number of retries.

You can query and configure an Ethernet switch through the NMS. For more information, refer to the corresponding manuals of H3C’s NMS products.

Authentication-related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully.
Remote monitoring (RMON) is a kind of management information base (MIB) defined by the Internet Engineering Task Force (IETF). It is an important enhancement to the MIB II standard. RMON is mainly used to monitor the data traffic across a network segment or even the entire network, and is currently a commonly used network management standard.

An RMON system comprises two parts: the network management station (NMS) and the agents running on network devices. RMON agents operate on network monitors or network probes to collect and keep track of traffic statistics for the network segments to which their ports connect, such as the total number of packets on a network segment in a specific period of time and the total number of packets successfully sent to a specific host.

- RMON is fully based on the SNMP architecture and is compatible with current SNMP implementations.
- RMON enables SNMP to monitor remote network devices more effectively and actively, thus providing a satisfactory means of monitoring remote subnets.
- With RMON implemented, the communication traffic between the NMS and SNMP agents can be reduced, thus facilitating the management of large-scale internetworks.

RMON allows multiple monitors. It can collect data in the following two ways:

- Using dedicated RMON probes. When an RMON system operates in this way, the NMS directly obtains management information from the RMON probes and controls the network resources. In this case, all information in the RMON MIB can be obtained.
- Embedding RMON agents into network devices (such as routers, switches and hubs) directly, to give the devices the RMON probe functions. When an RMON system operates in this way, the NMS collects network management information by exchanging information with the SNMP agents using the basic SNMP commands. However, this way depends heavily on device resources, and an NMS operating in this way can only obtain the information about the following four groups (instead of all the information in the RMON MIB): alarm group, event group, history group, and statistics group.

An H3C S3100 Ethernet switch implements RMON in the second way. With an RMON agent embedded, an S3100 Ethernet switch can serve as a network device with the RMON probe function. Through the RMON-capable SNMP agents running on the Ethernet switch, an NMS can obtain the total traffic, error statistics and performance statistics of the network segments to which the ports of the managed network devices are connected. Thus, the NMS can further manage the networks.
I. Event group

The event group is used to define the indexes of events and the processing methods of the events. The events defined in an event group are mainly used by entries in the alarm group and the extended alarm group to trigger alarms.

You can specify a network device to act in one of the following ways in response to an event:

- Logging the event
- Sending trap messages to the NMS
- Logging the event and sending trap messages to the NMS
- No processing

II. Alarm group

RMON alarm management enables monitoring of specific alarm variables (such as the statistics of a port). When the value of a monitored variable exceeds the threshold, an alarm event is generated, which then triggers the network device to act in the way defined for the event. Events are defined in event groups.

With an alarm entry defined in an alarm group, a network device performs the following operations accordingly:

- Sampling the defined alarm variables periodically
- Comparing the samples with the threshold and triggering the corresponding events if the former exceed the latter

III. Extended alarm group

With an extended alarm entry, you can perform operations on the samples of alarm variables and then compare the operation results with the thresholds, thus implementing more flexible alarm functions.

With an extended alarm entry defined in an extended alarm group, the network device performs the following operations accordingly:

- Sampling the alarm variables referenced in the defined extended alarm expressions periodically
- Performing operations on the samples according to the defined expressions
- Comparing the operation results with the thresholds and triggering the corresponding events if the operation results exceed the thresholds
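The event group and alarm group described above form a small state machine: the alarm samples a variable, compares the value (absolute, or the delta since the previous sample) with its thresholds, and on a crossing hands the configured event entry to the event group, which logs it, sends a trap, does both, or does nothing. The block below is an added example, not code from the H3C manual or the switch: it models that behaviour in Python, using the hysteresis rule of RFC 2819 under which a rising event fires again only after a falling-threshold crossing has re-armed it, and corrects for 32-bit counter wrap in delta mode. The event entries, the monitored variable names and all sample values are constructed; the community name `public` is the one used in this section's configuration example.

```python
"""Simulate RMON event and alarm entries over a stream of counter samples.

Added example (not from the H3C manual): periodic sampling in delta or
absolute mode, comparison against rising and falling thresholds, and
dispatch to an event entry with a log / trap / log-trap / none action.
"""

COUNTER32_MOD = 2 ** 32          # RMON statistics are 32-bit counters that wrap
EVENT_ACTIONS = ("log", "trap", "log-trap", "none")   # `rmon event ... { log | trap | log-trap | none }`


class EventGroup:
    """Event group: how the device reacts when an alarm references an entry."""

    def __init__(self):
        self.entries = {}
        self.log = []     # records a `log` or `log-trap` action would write
        self.traps = []   # (community, record) pairs a `trap` or `log-trap` action would send

    def add(self, index, action, description="", trap_community=None):
        if action not in EVENT_ACTIONS:
            raise ValueError("unknown event action: %r" % action)
        self.entries[index] = (action, description, trap_community)

    def fire(self, index, alarm_index, value, threshold):
        action, description, community = self.entries[index]
        record = {"event": index, "alarm": alarm_index, "value": value,
                  "threshold": threshold, "description": description}
        if action in ("log", "log-trap"):
            self.log.append(record)
        if action in ("trap", "log-trap"):
            self.traps.append((community, record))
        return index


class AlarmEntry:
    """One `rmon alarm` entry: samples a variable and compares it with thresholds."""

    def __init__(self, index, variable, sample_type, rising, rising_event,
                 falling, falling_event, events):
        if sample_type not in ("delta", "absolute"):
            raise ValueError("sample type must be delta or absolute")
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.index, self.variable, self.sample_type = index, variable, sample_type
        self.rising, self.rising_event = rising, rising_event
        self.falling, self.falling_event = falling, falling_event
        self.events = events
        self.last_raw = None       # previous raw sample, needed in delta mode
        self.rising_armed = True   # both thresholds are armed when the entry is created
        self.falling_armed = True

    def sample(self, raw):
        """Feed one periodic sample; return the fired event index or None."""
        if self.sample_type == "delta":
            if self.last_raw is None:
                self.last_raw = raw            # the first sample only sets the baseline
                return None
            value = (raw - self.last_raw) % COUNTER32_MOD   # survives a counter wrap
            self.last_raw = raw
        else:
            value = raw
        if value >= self.rising and self.rising_armed:
            self.rising_armed, self.falling_armed = False, True
            return self.events.fire(self.rising_event, self.index, value, self.rising)
        if value <= self.falling and self.falling_armed:
            self.falling_armed, self.rising_armed = False, True
            return self.events.fire(self.falling_event, self.index, value, self.falling)
        return None


def demo():
    """Constructed scenario: a CRC-error counter watched in delta mode."""
    events = EventGroup()
    events.add(1, "log", "CRC errors rising")
    events.add(2, "trap", "CRC errors back to normal", trap_community="public")
    crc = AlarmEntry(1, "etherStatsCRCAlignErrors.1", "delta", 10, 1, 2, 2, events)
    fired = [crc.sample(v) for v in (100, 105, 120, 140, 141, 160)]
    return events, fired


if __name__ == "__main__":
    events, fired = demo()
    print("fired events per sample:", fired)
    print("log records:", len(events.log), "traps sent:", len(events.traps))
```

Note the fourth sample in `demo()`: the delta (20) is still above the rising threshold, but no second event fires until the delta has dropped to the falling threshold, which is what keeps a noisy counter from flooding the NMS with traps.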
IV. History group

After a history group is configured, the Ethernet switch collects network statistics periodically and stores them temporarily for later use. A history group can provide history data of the statistics on network segment traffic, error packets, broadcast packets, and bandwidth utilization.

With the history data management function, you can configure network devices to collect history data, and to sample and store the data of a specific port periodically.

V. Statistics group

The statistics group contains the statistics of each monitored port on a switch. An entry in a statistics group is an accumulated value counting from the time when the statistics group is created.

The statistics include the numbers of the following items: collisions, packets with cyclic redundancy check (CRC) errors, undersize (or oversize) packets, broadcast packets, multicast packets, and received bytes and packets.

With the RMON statistics management function, you can monitor the use of a port and collect statistics on the errors that occur while the port is in use.

Before performing RMON configuration, make sure the SNMP agents are correctly configured. For information about SNMP agent configuration, refer to section 1.2 “Configuring Basic SNMP Functions”.
Table 2-1 Configure RMON

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Add an event entry | rmon event event-entry [ description string ] { log \| trap trap-community \| log-trap log-trapcommunity \| none } [ owner text ] | Optional |
| Add an alarm entry | rmon alarm entry-number alarm-variable sampling-time { delta \| absolute } rising_threshold threshold-value1 event-entry1 \| | |