When configuring SNMP, go to these sections
for information you are interested in:
l
SNMP
Overview
l
SNMP
Configuration
l
Configuring
SNMP Logging
l
Trap
Configuration
l
Displaying
and Maintaining SNMP
l
SNMP
Configuration Example
l
SNMP
Logging Configuration Example
1.1 SNMP
Overview
Simple Network Management Protocol (SNMP)
offers a framework to monitor network devices through TCP/IP protocol suite. It
provides a set of basic operations in monitoring and maintaining the Internet
and has the following characteristics:
l
Automatic network management: SNMP enables
network administrators to search and modify information, find and diagnose
network problems, plan for network growth, and generate reports on network
nodes.
l
SNMP shields the physical differences between
various devices and thus realizes automatic management of products from
different manufacturers. Offering only the basic set of functions, SNMP makes
the management tasks independent of both the physical features of the managed
devices and the underlying networking technology. Thus, SNMP achieves effective
management of devices from different manufacturers, especially in small,
high-speed and low cost network environments.
An SNMP enabled network comprises network
management station (NMS) and Agent.
l
NMS is a station that runs the SNMP client
software. It offers a user friendly interface, making it easier for network
administrators to perform most network management tasks. Currently, the most
commonly used NMSs include Quidview, Sun NetManager, and IBM NetView.
l
Agent is a program on the device. It receives
and handles requests sent from the NMS. Only under certain circumstances, such
as interface state change, will the Agent inform the NMS.
l
NMS manages an SNMP enabled network, whereas
Agent is the managed network device. They exchange management information
through the SNMP protocol.
SNMP provides the following four basic
operations:
l
Get operation: NMS gets the value of a certain
variable of Agent through this operation.
l
Set operation: NMS can reconfigure certain
values in the Agent MIB (Management Information Base) to make the Agent perform
certain tasks by means of this operation.
l
Trap operation: Agent sends Traps to the NMS
through this operation.
l
Inform operation: NMS sends Traps to other NMSs
through this operation.
Currently, SNMP agents support SNMPv3 and
are compatible with SNMPv1 and SNMPv2c.
l
SNMPv1 authenticates by means of community name,
which defines the relationship between an SNMP NMS and an SNMP Agent. SNMP
packets with community names that did not pass the authentication on the device
will simply be discarded. A community name performs a similar role as a key
word and can be used to regulate access from NMS to Agent.
l
SNMPv2c authenticates by means of community
name. Compatible with SNMPv1, it extends the functions of SNMPv1. SNMPv2c
provides more operation modes such as GetBulk and InformRequest; it supports
more data types such as Counter64 and Counter32; and it provides various error
codes, thus being able to distinguish errors in more detail.
l
SNMPv3 offers an authentication that is
implemented with a User-Based Security Model (USM). You can set the
authentication and privacy functions. The former is used to authenticate the validity
of the sending end of the authentication packets, preventing access of illegal
users; the latter is used to encrypt packets between the NMS and Agent,
preventing the packets from being intercepted. USM ensures a more secure
communication between SNMP NMS and SNMP Agent by authentication with privacy,
authentication without privacy, or no authentication no privacy.
Successful interaction between NMS and
Agent requires consistency of SNMP versions configured on them. You can
configure multiple SNMP versions for an Agent to interact with different NMSs.
Any managed resource can be identified as
an object, which is known as the managed object. Management Information Base
(MIB) is a collection of all the managed objects. It defines a set of characteristics
associated with the managed objects, such as the object identifier (OID),
access right and data type of the objects. Each Agent has its own MIB. NMS can
read or write the managed objects in the MIB. The relationship between NMS,
Agent and MIB is shown in Figure
1-1.
Figure 1-1 Relationship between NMS,
Agent and MIB
MIB stores data using a tree structure. The
node of the tree is the managed object and can be uniquely identified by a path
starting from the root node. As illustrated in the following figure, the
managed object B can be uniquely identified by a string of numbers {1.2.1.1}.
This string of numbers is the OID of the managed object B.
Figure
1-2 MIB tree
1.2 SNMP
Configuration
As configurations for SNMPv3 differ
substantially from those of SNMPv1 and SNMPv2c, their SNMP functionalities will
be introduced separately below.
Follow these steps to configure SNMPv3:
|
To do…
|
Use the command…
|
Remarks
|
|
Enter system view
|
system-view
|
—
|
|
Enable SNMP Agent
|
snmp-agent
|
Optional
Disabled by default
You can enable SNMP Agent through this
command or any commands that begin with snmp-agent.
|
|
Configure SNMP Agent system information
|
snmp-agent sys-info { contact sys-contact | location sys-location
| version { all | { v1 | v2c | v3 }* }
}
|
Optional
The defaults are as follows:
Hangzhou H3C Tech. Co., Ltd. for contact,
Hangzhou, China for location, and SNMP v3
for the version.
|
|
Configure an SNMP agent group
|
snmp-agent group v3 group-name [ authentication |
privacy ] [ read-view read-view ] [ write-view write-view
] [ notify-view notify-view ] [ acl acl-number ]
|
Required
|
|
Convert the user-defined plain text
password to a cipher text password
|
snmp-agent calculate-password plain-password mode { md5 | sha } { local-engineid
| specified-engineid string }
|
Optional
|
|
Add a new user to an SNMP agent group
|
snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode
{ md5 | sha } auth-password [ privacy-mode { aes128
| des56 } priv-password ] ] [ acl acl-number ]
|
Required
If the cipher keyword is
specified, the arguments auth-password and priv-password are
considered as cipher text password.
|
|
Configure the maximum size of an SNMP
packet that can be received or sent by an SNMP agent
|
snmp-agent packet max-size byte-count
|
Optional
1,500 bytes by default
|
|
Configure the engine ID for a local SNMP
agent
|
snmp-agent local-engineid engineid
|
Optional
Company ID and device ID by default
|
|
Create or update the MIB view content for
an SNMP agent
|
snmp-agent mib-view { excluded | included } view-name oid-tree
[ mask mask-value ]
|
Optional
MIB view name is ViewDefault and OID is 1
by default.
|
Follow these steps to configure SNMPv1 and
SNMPv2c:
|
To do…
|
Use the command…
|
Remarks
|
|
Enter system view
|
system-view
|
—
|
|
Enable SNMP Agent
|
snmp-agent
|
Required
Disabled by default
You can enable SNMP Agent through this
command or any commands that begin with snmp-agent.
|
|
Configure SNMP Agent system information
|
snmp-agent sys-info { contact sys-contact | location sys-location
| version { { v1 | v2c | v3 }* | all }
}
|
Required
The defaults are as follows:
Hangzhou H3C Tech. Co., Ltd. for contact,
Hangzhou, China for location and SNMP v3
for the version.
|
|
Configure SNMP NMS access right
|
Configure directly
|
Configure a community name
|
snmp-agent community { read | write } community-name [ acl
acl-number | mib-view view-name ]*
|
Use either approach.
Both commands can be used to configure
SNMP NMS access rights. The second command was introduced to be compatible
with SNMPv3.
The community name configured on NMS
should be consistent with the username configured on the Agent.
|
|
Configure indirectly
|
Configure an SNMP group
|
snmp-agent group { v1 | v2c } group-name [ read-view read-view
] [ write-view write-view ] [ notify-view notify-view
] [ acl acl-number ]
|
|
Add a new user to an SNMP group
|
snmp-agent usm-user { v1 | v2c } user-name group-name [ acl
acl-number ]
|
|
Configure the maximum size of an SNMP
packet that can be received or sent by an SNMP agent
|
snmp-agent packet max-size byte-count
|
Optional
15,00 bytes by default
|
|
Configure the engine ID for a local SNMP
agent
|
snmp-agent local-engineid engineid
|
Optional
Company ID and device ID by default
|
|
Create or update MIB view content for an
SNMP agent
|
snmp-agent mib-view { excluded | included } view-name oid-tree
[ mask mask-value ]
|
Optional
ViewDefault by default
|
Caution:
The validity of a
USM user depends on the engine ID of the SNMP agent. If the engine ID used for
USM user creation is not identical to the current engine ID, the USM user is
invalid.
1.3 Configuring SNMP Logging
SNMP logs the GET and SET operations that
NMS performs to SNMP Agent. When the GET operation is performed, Agent logs the
IP address of NMS, node name of the GET operation and OID of the node. When the
SET operation is performed, Agent logs the IP address of NMS, node name of the
SET operation, OID of the node, the value set and the error code and index
returned with the SET operation. These logs will be transferred to system
information and sent to the information center to be checked and tracked.
SNMP logs GET request, SET request and SET
response, but does not log GET response.
|
To do…
|
Use the command…
|
Remarks
|
|
Enter system view
|
system-view
|
—
|
|
Enable SNMP logging
|
snmp-agent log { all | get-operation | set-operation }
|
Required
Disabled by default.
|
|
Configure SNMP log output rules
|
info-center source { module-name | default } channel {
channel-number | channel-name } [ debug {
level severity | state state } * | log {
level severity | state state } * | trap {
level severity | state state } * ] *
|
Optional
By default, SNMP logs are output to
loghost and logfile only. To output SNMP logs to other destinations such as
console or monitor terminal, you need to set the output destinations with
this command.
|
l
Logs occupy storage space of the device, thus
affecting the performance of the device. Therefore, you are recommended to
disable SNMP logging.
l
The priority of SNMP log is informational,
meaning it is a common prompt of the device. To check SNMP logs, enable the
information center to output system information with the severity of
informational.
l
The size of SNMP logs cannot exceed that allowed
by the information center and the sum of the node, and value field of each log
information cannot exceed 1K bytes; otherwise, the exceeded part will be
output.
l
For the detailed description of system
information, the information center and the info-center source command,
refer to Information Center Configuration.
SNMP Agent sends Traps to NMS to alert the
latter of critical and important events (such as restart of the managed
device).
Basic SNMP configurations have been
completed. These configurations include version configuration: community name
is needed when SNMPv1 and v2c are adopted; username and MIB view are needed if
SNMPv3 is adopted.
I. Enabling Trap transmission
Follow these steps to enable Trap
transmission:
|
To do…
|
Use the command…
|
Remarks
|
|
Enter system view
|
system-view
|
—
|
|
Set to enable the device to send Traps
globally
|
snmp-agent trap enable [ bgp | configuration
| flash | ospf [ process-id ] [ ospf-trap-list ]
| standard [ authentication | coldstart | linkdown |
linkup | warmstart ]* | system | voice | vrrp
[ authfailure | newmaster ] ]
|
Optional
All types of Traps are allowed by
default.
|
|
Enter interface view
|
interface interface-type interface-number
|
—
|
|
Set to enable the device to send Traps of
interface state change
|
enable snmp trap updown
|
Optional
Transmission of Traps of interface state
change is allowed by default.
|
Caution:
To enable an
interface to send SNMP Traps when its state changes, you need to enable the
Link up/down Trap packet transmission function on an interface and globally.
Use the enable snmp trap updown command to enable this function on an
interface, and use the snmp-agent trap enable [ standard [
linkdown | linkup ] * ] command to enable this function globally.
II. Configuring Trap transmission
parameters
Follow these steps to configure Trap:
|
To do…
|
Use the command…
|
Remarks
|
|
Enter system view
|
system-view
|
—
|
|
Configure target host attribute for Traps
|
snmp-agent target-host trap address udp-domain { ip-address |
ipv6 ipv6-address } [ udp-port port-number ]
params securityname security-string [ v1 | v2c
| v3 [ authentication | privacy ] ]
|
Required
|
|
Configure the source address for Traps
|
snmp-agent trap source interface-type { interface-number | interface-number.subnumber
}
|
Optional
|
|
Extend the standard linkUp/linkDown Traps
defined in RFC
|
snmp-agent trap if-mib link extended
|
Optional
Standard linkUp/linkDown Traps defined in
RFC are used by default.
|
|
Configure the queue size for sending
Traps
|
snmp-agent trap queue-size size
|
Optional
100 by default
|
|
Configure
the lifetime for Traps
|
snmp-agent
trap life seconds
|
Optional
120
seconds by default
|
The extended linkUp/linkDown Traps comprise the standard
linkUp/linkDown Traps defined in RFC plus interface description and interface
type. If the extended messages are not supported on NMS, you can disable this
function and enable the device to send standard linkUp/linkDown Traps.
1.5 Displaying and Maintaining SNMP
|
To do…
|
Use the command…
|
Remarks
|
|
Display SNMP-agent system information,
including the contact, location, and version of the SNMP
|
display snmp-agent sys-info [ contact | location | version ]*
|
Available in any view
|
|
Display SNMP agent statistics
|
display snmp-agent statistics
|
|
Display the SNMP agent engine ID
|
display snmp-agent local-engineid
|
|
Display SNMP agent group information
|
display snmp-agent group [ group-name ]
|
|
Display the modules that can send Traps
and whether their Trap sending is enabled or not
|
display snmp-agent trap-list
|
|
Display SNMP v3 agent user information
|
display snmp-agent usm-user [ engineid engineid | username user-name
| group group-name ] *
|
|
Display SNMP v1 or v2c agent community
information
|
display snmp-agent community [ read | write ]
|
|
Display MIB view information for an SNMP
agent
|
display snmp-agent mib-view [ exclude | include | viewname view-name
]
|
1.6 SNMP Configuration Example
I. Network requirements
l
The NMS connects to the agent, a switch, through
an Ethernet.
l
The IP address of the NMS is 1.1.1.2/24.
l
The IP address of VLAN interface on the switch
is 1.1.1.1/24.
l
NMS monitors and manages Agent using SNMPv2c.
Agent reports errors or faults to the NMS.
II. Network diagram
Figure
1-3 Network diagram for SNMP (on a switch)
III. Configuration procedure
1)
Configuring SNMP Agent
# Configure
the SNMP basic information, including version and community name.
<Sysname> system-view
[Sysname] snmp-agent sys-info version
v2c
[Sysname] snmp-agent community read
public
[Sysname] snmp-agent community write
private
# Configure VLAN-interface 2 (with the IP
address of 1.1.1.1/24). Add the port Ethernet 1/0 to VLAN 2.
[Sysname] vlan 2
[Sysname-vlan2] port ethernet 1/0
[Sysname-vlan2] interface
vlan-interface 2
[Sysname-Vlan-interface2] ip address
1.1.1.1 255.255.255.0
[Sysname-Vlan-interface2] quit
# Configure the contact person and physical
location information of the switch.
[Sysname] snmp-agent sys-info contact
Mr.Wang-Tel:3306
[Sysname] snmp-agent sys-info
location telephone-closet,3rd-floor
# Enable the sending of Traps to the NMS
with an IP address of 1.1.1.2/24, using public as the community name.
[Sysname] snmp-agent trap enable
[Sysname] snmp-agent target-host trap
address udp-domain 1.1.1.2 udp-port 5000 params securityname public
2)
Configuring SNMP NMS
With SNMPv2c, the user needs to specify the
read only community, the read and write community, the timeout time, and number
of retries. The user can inquire and configure the device through the NMS.
The configurations
on the agent and the NMS must match.
I. Network requirements
l
NMS and Agent are connected through an Ethernet
l
The IP address of NMS is 1.1.1.2/24
l
The IP address of the VLAN interface on Agent is
1.1.1.1/24
l
Configure community name, access right and SNMP
version on Agent
II. Network diagram
Figure
1-4 Network diagram for SNMP logging
III. Configuration procedure
The configurations
for NMS and Agent are omitted.
# Enable logging display on the terminal
(optional, enabled by default).
<Sysname> terminal monitor
<Sysname> terminal logging
# Enable the information center to output
the system information with the severity of informational to the Console port.
<Sysname> system-view
[Sysname] info-center source snmp
channel console log level informational
# Enable SNMP logging on Agent to log the
GET and SET operations of NMS.
[Sysname] snmp-agent log
get-operation
[Sysname] snmp-agent log
set-operation
l
The following log information is displayed on
the terminal when NMS performs the GET operation to Agent.
%Jan 1 02:49:40:566 2006 Sysname
SNMP/6/GET:
seqNO = <10> srcIP =
<1.1.1.2> op = <get> node = <sysName(1.3.6.1.2.1.1.5.0)>
value=<>
l
The following log information is displayed on
the terminal when NMS performs the SET operation to Agent.
%Jan 1 02:59:42:576 2006 Sysname
SNMP/6/SET:
seqNO = <11> srcIP =
<1.1.1.2> op = <set> errorIndex = <0> errorStatus
=<noError> node = <sysName(1.3.6.1.2.1.1.5.0)> value =
<Sysname>
Table 1-1
Descriptions on the output field of SNMP log
|
Field
|
Description
|
|
Jan 1 02:49:40:566 2006
|
The time when SNMP log is generated
|
|
seqNO
|
Sequence number of the SNMP log ()
|
|
srcIP
|
IP address of NMS
|
|
op
|
SNMP operation type (GET or SET)
|
|
node
|
Node name of the SNMP operations and OID
of the instance
|
|
erroIndex
|
Error index, with 0 meaning no error
|
|
errorstatus
|
Error status, with noError meaning no
error
|
|
value
|
Value set when the SET operation is
performed (This field is , meaning the value obtained with the GET operation
is not logged.)
When the value is a string of characters
and the string contains characters not in the range of ASCII 0 to 127 or
invisible characters, the string is displayed in hexadecimal. For example,
value = <81-43>[hex]
|
The system information of the information center can be output to
the terminal or to the log buffer. In this example, SNMP log is output to the
terminal. To set the SNMP log to be output to other directions, refer to Information
Center Configuration.
When configuring RMON, go to these sections
for information you are interested in:
l
RMON
Overview
l
Configuring
RMON
l
Displaying
and Maintaining RMON
l
RMON
Configuration Example
2.1 RMON
Overview
This section covers these topics:
l
Introduction
l
RMON
Groups
2.1.1 Introduction
Remote Monitoring (RMON) is a type of
IETF-defined MIB. It is the most important enhancement to the MIB II standard.
It allows you to monitor traffic on network segments and even the entire
network.
RMON is implemented based on the Simple
Network Management Protocol (SNMP) and is fully compatible with the existing
SNMP framework.
RMON provides an efficient means of
monitoring subnets and allows SNMP to monitor remote network devices in a more
proactive and effective way. It reduces traffic between network management
station (NMS) and agent, facilitating large network management.
RMON comprises two parts: NMSs and agents
running on network devices.
l
Each RMON NMS administers the agents within its
administrative domain.
l
An RMON agent resides on a network monitor or
probe for an interface. It monitors and gathers information about traffic over
the network segment connected to the interface to provide statistics about
packets over a specified period and good packets sent to a host for example.
RMON allows multiple monitors. A monitor
provides two ways of data gathering:
l
Using RMON probes. NMSs can obtain management
information from RMON probes directly and control network resources. In this
approach, RMON NMSs can obtain all RMON MIB information.
l
Embedding RMON agents in network devices such as
routers, switches, and hubs to provide the RMON probe function. RMON NMSs
exchange data with RMON agents with basic SNMP commands to gather network
management information, which, due to system resources limitation, may not
cover all MIB information but four groups of information, alarm, event,
history, and statistics, in most cases.
The device adopts the second way. By using
RMON agents on network monitors, an NMS can obtain information about traffic
size, error statistics, and performance statistics for network management.
2.1.3 RMON
Groups
Among the ten RMON groups defined by RMON
specifications (RFC 1757), H3C series Ethernet switches support the event
group, alarm group, history group and statistics group. Besides, H3C also
defines and implements the private alarm group, which enhances the functions of
the alarm group. This section describes the five kinds of groups in general.
I. Event group
The event group defines event indexes and
controls the generation and notifications of the events triggered by the alarms
defined in the alarm group and the private alarm group. The events can be
handled in one of the following ways:
l
Logging events in the event log table
l
Sending traps to NMSs
l
Both logging and sending traps
l
No action
II. Alarm group
The RMON alarm group monitors specified
alarm variables, such as statistics on a port. If the sampled value of the
monitored variable is bigger than or equal to the upper threshold, an upper
event is triggered; if the sampled value of the monitored variable is lower
than or equal to the lower threshold, a lower event is triggered The event is
then handled as defined in the event group.
The following is how the system handles
entries in the RMON alarm table:
1)
Samples the alarm variables at the specified
interval.
2)
Compares the sampled values with the predefined
threshold and triggers events if all triggering conditions are met.
If a sampled alarm variable
overpasses the same threshold multiple times, only the first one can cause an
alarm event. That is, the rising alarm and falling alarm are alternate.
III. Private alarm group
The private alarm group calculates the
sampled values of alarm variables and compares the result with the defined
threshold, thereby realizing a more comprehensive alarming function.
System handles the prialarm alarm table
entry (as defined by the user) in the following ways:
l
Periodically samples the prialarm alarm
variables defined in the prialarm formula.
l
Calculates the sampled values based on the
prialarm formula.
l
Compares the result with the defined threshold
and generates an appropriate event.
If the count result
overpasses the same threshold multiple times, only the first one can cause an
alarm event. That is, the rising alarm and falling alarm are alternate.
IV. History group
The history group controls the periodic
statistical sampling of data, such as bandwidth utilization, number of errors,
and total number of packets.
Note that each value provided by the group
is a cumulative sum during a sampling period.
V. Ethernet statistics group
The statistics group monitors port
utilization. It provides statistics about network collisions, CRC alignment
errors, undersize/oversize packets, broadcasts, multicasts, bytes received,
packets received, and so on.
After the creation of a valid event entry
on a specified interface, the Ethernet statistics group counts the number of
packets received on the current interface. The result of the statistics is a
cumulative sum.
2.2 Configuring
RMON
Before configuring RMON, configure the SNMP
agent as described in SNMP
Configuration.
Follow these steps to configure RMON:
|
To do…
|
Use the command…
|
Remarks
|
|
Enter system view
|
system-view
|
—
|
|
Create an event entry in the event table
|
rmon event entry-number [ description
string ] { log | log-trap log-trapcommunity | none
| trap trap-community } [ owner text ]
|
Optional
|
|
Enter Ethernet interface view
|
interface interface-type interface-number
|
—
|
|
Create an entry in the history table
|
rmon history entry-number buckets number interval
sampling-interval [ owner text ]
|
Optional
|
|
Create an entry in the statistics table
|
rmon statistics entry-number [ owner text ]
|
Optional
|
|
Exit Ethernet interface view
|
quit
|
—
|
|
Create an entry in the alarm table
|
rmon alarm
entry-number alarm-variable sampling-interval { absolute
| delta } rising-threshold threshold-value1 event-entry1
falling-threshold threshold-value2 event-entry2
[ owner text ]
|
Optional
|
|
Create an entry in the private alarm
table
|
rmon prialarm entry-number prialarm-formula prialarm-des sampling-interval { absolute | changeratio | delta } rising-threshold
threshold-value1 event-entry1 falling-threshold
threshold-value2 event-entry2 entrytype { forever | cycle
cycle-period } [ owner text ]
|
Optional
|
l
Two entries with the same configuration cannot
be created. If the parameters of a newly created entry are identical to the
corresponding parameters of an existing entry, the system considers their
configurations the same and the creation fails. Refer to Table 2-1
for the parameters to be compared for different entries.
l
The system limits the total number of all types
of entries. When the total number of an entry reaches the maximum number of
entries that can be created, the creation fails.
l
When you create an entry in the history table,
if the specified buckets number argument exceeds the history
table size supported by the device, the entry will be created. However, the
validated value of the buckets number argument corresponding with
the entry is the history table size supported by the device.
Table 2-1 Restrictions on the
configuration of RMON
|
Entry
|
Parameters to be compared
|
|
Event
|
Event description (description string),
event type (log, trap, logtrap or none) and community name (trap-community
or log-trapcommunity)
|
|
History
|
Sampling interval (interval sampling-interval)
|
