Simple Network Management Protocol (SNMP for short) offers a framework to monitor network devices through the TCP/IP protocol suite. SNMP provides a set of basic operations for monitoring and maintaining the Internet and has the following characteristics:
- Automatic network management: SNMP enables network administrators to search information, modify information, find and diagnose network problems, plan for network growth, and generate reports on any network nodes.
- SNMP shields the physical differences between various devices and thus realizes automatic management of products from different manufacturers. SNMP only offers the basic set of functions. With SNMP enabled, the management tasks and the physical features of the managed devices are not affected by lower layer network protocols. Thus, SNMP achieves effective management of devices from different manufacturers, especially in small, fast and low cost network environments.
An SNMP-enabled network comprises a Network Management Station (NMS for short) and an Agent.
- NMS is a station that runs the SNMP client software. It offers a user-friendly human-computer interface, making it easier for network administrators to perform most network management tasks. Currently, the most commonly used NMSs include Quidview, Sun NetManager, and IBM NetView.
- Agent is a program on the device. It receives and handles requests sent from the NMS. Only under certain circumstances, such as an interface state change, will the Agent inform the NMS.
- NMS manages an SNMP-enabled network, whereas Agent is the agent of the managed network device. They exchange management information through the SNMP protocol.
SNMP provides the following four basic operations:
- Get operation: NMS gets the behavior information of Agent through this operation.
- Set operation: NMS can reconfigure certain values in the Agent MIB (management information base) to make the Agent perform certain tasks by means of this set operation.
- Trap operation: Agent sends Trap information to the NMS through this operation.
- Inform operation: NMS sends Trap information to other NMSs through this operation.
Currently, SNMP agents support SNMPv3 and
are compatible with SNMPv1 and SNMPv2c.
SNMPv1 and SNMPv2c authenticate by means of a community name, which defines the relationship between an SNMP NMS and an SNMP Agent. SNMP packets whose community names do not pass the authentication on the device are simply discarded. A community name plays a role similar to that of a keyword and can be used to regulate access from NMS to Agent.
SNMPv3 offers authentication that is implemented with a User-Based Security Model (USM for short), which can be authentication with privacy, authentication without privacy, or no authentication and no privacy. USM regulates the access from NMS to Agent in a more efficient way.
Management Information Base (MIB for short)
is a collection of all the objects managed by NMS. It defines the set of
characteristics associated with the managed objects, such as the object identifier
(OID for short), access right and data type of the objects.
MIB stores data using a tree structure. Each node of the tree is a managed object and can be uniquely identified by a path starting from the root node. As illustrated in the following figure, the managed object B can be uniquely identified by a string of numbers {1.2.1.1}. This string of numbers is the OID of the managed object B.

Figure 1-1 MIB tree
As configurations for SNMPv3 differ
substantially from those of SNMPv1 and SNMPv2c, their SNMP functionalities will
be introduced separately below.
Follow these steps to configure SNMPv3:
| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enable SNMP Agent | snmp-agent | Optional. Disabled by default. You can enable SNMP Agent through this command or any commands that begin with “snmp-agent”. |
| Configure SNMP Agent system information | snmp-agent sys-info { contact sys-contact \| location sys-location \| version { all \| { v1 \| v2c \| v3 } * } } | Optional. The defaults are as follows: R&D Hangzhou, H3C Technologies Co.,Ltd. for contact, Hangzhou China for location, SNMPv3 for the version. |
| Configure an SNMP agent group | snmp-agent group v3 group-name [ authentication \| privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] | Required |
| Add a new user to an SNMP agent group | snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 \| sha } auth-password [ privacy-mode { des56 \| aes128 } priv-password ] ] [ acl acl-number ] | Required |
| Configure the maximum size of an SNMP packet that can be received or sent by an SNMP agent | snmp-agent packet max-size byte-count | Optional. 1,500 bytes by default |
| Configure the engine ID for a local SNMP agent | snmp-agent local-engineid engineid | Optional. Company ID and device ID by default |
| Create or update view information | snmp-agent mib-view { included \| excluded } view-name oid-tree [ mask mask-value ] | Optional. By default, MIB view name is ViewDefault, OID of which is 1. |
Follow these steps to configure SNMPv1 and SNMPv2c:
| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enable SNMP Agent | snmp-agent | Optional. Disabled by default. You can enable SNMP Agent through this command or any commands that begin with “snmp-agent”. |
| Configure SNMP Agent system information | snmp-agent sys-info { contact sys-contact \| location sys-location \| version { { v1 \| v2c \| v3 }* \| all } } | Optional. The defaults are as follows: R&D Hangzhou, H3C Technologies Co.,Ltd. for contact, Hangzhou China for location, SNMPv3 for the version. |
| Configure a community name and SNMP NMS access right (configure directly): configure a community name | snmp-agent community { read \| write } community-name [ acl acl-number \| mib-view view-name ]* | At least one required. In the direct configuration, SNMPv1 and SNMPv2c community names are set. In indirect configuration, the commands are consistent with SNMPv3 commands. Users are added to the specific group, which corresponds to an SNMPv1 or SNMPv2c community. |
| Configure a community name and SNMP NMS access right (configure indirectly): configure an SNMP group | snmp-agent group { v1 \| v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] | |
| Configure a community name and SNMP NMS access right (configure indirectly): add a new user to an SNMP group | snmp-agent usm-user { v1 \| v2c } user-name group-name [ acl acl-number ] | |
| Configure the maximum size of an SNMP packet that can be received or sent by an SNMP agent | snmp-agent packet max-size byte-count | Optional. 1,500 bytes by default |
| Configure the engine ID for a local SNMP agent | snmp-agent local-engineid engineid | Optional. Company ID and device ID by default |
| Create or update view information | snmp-agent mib-view { included \| excluded } view-name oid-tree [ mask mask-value ] | Optional. By default, MIB view name is ViewDefault, OID of which is 1. |
Caution:
- The validity of a USM user depends on the engine ID of the SNMP agent. If the engine ID used for USM user creation is not identical to the current engine ID, the USM user is invalid.
- S5500-SI series Ethernet switches do not support the remote-engineid command.
SNMP Agent sends Trap messages to NMS to alert
the latter of critical and important events (such as restart of the managed device).
Basic SNMP configurations have been completed (including version configuration: community names must be configured for SNMPv1 and SNMPv2c; user names and MIB view must be configured for SNMPv3).
I. Enable the sending of Trap messages
Follow these steps to configure Trap:
| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enable the sending of Trap messages globally | snmp-agent trap enable [ configuration \| flash \| standard [ authentication \| coldstart \| linkdown \| linkup \| warmstart ]* \| system ] | Optional. Sending of all types of Trap messages is enabled by default. |
| Enable the sending of Trap messages about port state changes in Ethernet port view: enter Ethernet port view | interface interface-type interface-number | Optional. The sending of Trap messages about port state changes is enabled by default. |
| Enable the sending of Trap messages about port state changes in Ethernet port view: enable the sending of Trap messages about port state changes | enable snmp trap updown | |
| Enable the sending of Trap messages about port state changes in Ethernet port view: return to system view | quit | |
Caution:
Note that, if you want a port to send SNMP trap messages when its port state changes, you must enable the function of sending linkup/linkdown trap messages both in Ethernet port view and system view. Use the enable snmp trap updown command to enable this function in Ethernet port view and use the snmp-agent trap enable [ standard [ linkdown | linkup ] * ] command to enable this function in system view.
II. Configure the parameters for sending Trap messages
Follow these steps to configure parameters for sending Trap messages:
| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Configure the address of the target host of Trap messages | snmp-agent target-host trap address udp-domain { ip-address \| ipv6 ipv6-address } [ udp-port port-number ] params securityname security-string [ v1 \| v2c \| v3 [ authentication \| privacy ] ] | Required |
| Configure the source address for Trap messages | snmp-agent trap source interface-type interface-number | Optional |
| Configure the queue size for sending Trap messages | snmp-agent trap queue-size size | Optional. 100 by default |
| Configure the life for Trap messages | snmp-agent trap life seconds | Optional. 120 seconds by default |
| To do… | Use the command… |
| --- | --- |
| Display SNMP-agent system information, including the contact, location, and version of the SNMP | display snmp-agent sys-info [ contact \| location \| version ]* |
| Display SNMP agent statistics | display snmp-agent statistics |
| Display the SNMP agent engine ID | display snmp-agent { local-engineid \| remote-engineid } |
| Display SNMP agent group information | display snmp-agent group [ group-name ] |
| Display SNMP user information | display snmp-agent usm-user [ engineid engineid \| username user-name \| group group-name ] * |
| Display SNMPv1 or SNMPv2 community information | display snmp-agent community [ read \| write ] |
| Display MIB view information for an SNMP agent | display snmp-agent mib-view [ exclude \| include \| viewname view-name ] |
I. Network requirements
- The NMS connects to the agent, a switch, through an Ethernet.
- The IP address of the NMS is 129.102.140.23/16.
- The IP address of VLAN interface on the switch is 129.102.0.1/16.
- On the switch, configure the following: community name, access right, administrator ID, contact, location, enabling sending of Trap messages.
II. Network diagram

Figure 1-2 Network diagram for SNMP
III. Configuration procedure
# Configure the community name, the SNMP agent group, and SNMP agent user.
<Sysname> system-view
[Sysname] snmp-agent sys-info version all
[Sysname] snmp-agent community read public
[Sysname] snmp-agent community write private
[Sysname] snmp-agent mib-view included internet 1.3.6.1
[Sysname] snmp-agent group v3 managev3group write-view internet
[Sysname] snmp-agent usm-user v3 managev3user managev3group
# Configure the VLAN interface to be used by the administrator to be VLAN-interface 2. Add the port GigabitEthernet1/0/3 used for network management to VLAN 2. Configure the IP address of VLAN-interface 2 to 129.102.0.1.
[Sysname] vlan 2
[Sysname-vlan2] port GigabitEthernet 1/0/3
[Sysname-vlan2] quit
[Sysname] interface Vlan-interface 2
[Sysname-Vlan-interface2] ip address 129.102.0.1 255.255.0.0
[Sysname-Vlan-interface2] quit
# Configure the ID, contact of the administrator, and the location of the switch.
[Sysname] snmp-agent sys-info contact Mr.Wang-Tel:3306
[Sysname] snmp-agent sys-info location telephone-closet,3rd-floor
# Enable the sending of Trap messages to the NMS with an IP address of 129.102.140.23/16, using public as the community name.
[Sysname] snmp-agent trap enable
[Sysname] snmp-agent target-host trap address udp-domain 129.102.140.23 udp-port 5000 params securityname public
IV. Configuring SNMP NMS
SNMPv3 uses an authentication and privacy security model. On the NMS, the user needs to specify the user name and security level and, based on that level, configure the authentication mode, authentication password, privacy mode, and privacy password. In addition, the time-out time and number of retries should also be configured. The user can query and configure the switch through the NMS. For detailed information, refer to the NMS manuals.
The configurations on the agent and the NMS must match in order to perform the related operations.
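An added example, not part of the original manual or of H3C's tooling: a small Python audit of snmp-agent lines that uses only the command syntax shown in the tables above. It runs over the commands from the configuration procedure and over a constructed hardened variant; the rule names, ACL number 2001, placeholder passwords and the trap security name in the hardened variant are assumptions.

```python
# Agent commands from the configuration procedure above, used as sample input.
PAGE_CONFIG = """\
snmp-agent sys-info version all
snmp-agent community read public
snmp-agent community write private
snmp-agent mib-view included internet 1.3.6.1
snmp-agent group v3 managev3group write-view internet
snmp-agent usm-user v3 managev3user managev3group
snmp-agent target-host trap address udp-domain 129.102.140.23 udp-port 5000 params securityname public
"""
# Constructed hardened variant; ACL number, passwords and trap user are placeholders.
HARDENED_CONFIG = """\
snmp-agent sys-info version v3
snmp-agent mib-view included internet 1.3.6.1
snmp-agent group v3 managev3group privacy read-view internet acl 2001
snmp-agent usm-user v3 managev3user managev3group authentication-mode sha AUTH-PLACEHOLDER privacy-mode aes128 PRIV-PLACEHOLDER acl 2001
snmp-agent target-host trap address udp-domain 129.102.140.23 udp-port 5000 params securityname managev3user v3 privacy
"""


def audit(config):
    """Return (rule, line) pairs for weak snmp-agent settings (rule names are ours)."""
    findings = []
    for line in config.splitlines():
        t = line.split()
        if t[:1] != ["snmp-agent"]:
            continue
        rules = []
        if t[1:3] == ["sys-info", "version"]:
            if {"all", "v1", "v2c"} & set(t[3:]):  # community-based versions on
                rules.append("community-versions-enabled")
        elif t[1:2] == ["community"] and len(t) >= 4:
            if t[3].lower() in ("public", "private"):
                rules.append("well-known-community")
            if t[2] == "write":
                rules.append("write-community")
            if "acl" not in t[4:]:
                rules.append("community-without-acl")
        elif t[1:3] == ["group", "v3"]:
            level = t[4:5]  # optional security level follows the group name
            if level == ["authentication"]:
                rules.append("v3-group-no-privacy")
            elif level != ["privacy"]:
                rules.append("v3-group-noauth")
        elif t[1:3] == ["usm-user", "v3"]:
            nxt = dict(zip(t[5:], t[6:]))  # option keyword -> token after it
            if "authentication-mode" not in nxt:
                rules.append("v3-user-noauth")
            elif "privacy-mode" not in nxt:
                rules.append("v3-user-no-privacy")
            if nxt.get("authentication-mode") == "md5":
                rules.append("v3-user-md5")
            if nxt.get("privacy-mode") == "des56":
                rules.append("v3-user-des56")
        elif t[1:3] == ["target-host", "trap"] and "securityname" in t:
            version = t[t.index("securityname") + 2:]  # tokens after security-string
            if version[:1] != ["v3"] or "privacy" not in version:
                rules.append("trap-not-v3-privacy")
        findings += [(rule, line) for rule in rules]
    return findings


if __name__ == "__main__":
    print(*audit(PAGE_CONFIG), audit(HARDENED_CONFIG), sep="\n")
```

The page's example configuration yields nine findings, including the v3 group and user created with no authentication and a write view over 1.3.6.1; the hardened variant yields none.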
Chapter 2 RMON Configuration
Remote Monitoring (RMON) is a type of
IETF-defined MIB. It is the most important enhancement to the MIB II standard.
It allows you to monitor traffic on network segments and even the entire
network.
When configuring RMON, go to these sections
for information you are interested in:
- RMON Overview
- Configuring RMON
- Displaying and Maintaining RMON
- RMON Configuration Example (on a Switch)
2.1 RMON Overview
This section covers these topics:
- Introduction
- RMON Groups
2.1.1 Introduction
RMON is implemented based on the simple
network management protocol (SNMP) and is fully compatible with the existing
SNMP framework.
RMON provides an efficient means of monitoring
subnets and allows SNMP to monitor remote network devices in a more proactive
and effective way. It reduces traffic between network management station (NMS) and
agent, facilitating large network management.
RMON comprises two parts: NMSs and agents
running on network devices.
- Each RMON NMS administers the agents within its administrative domain.
- An RMON agent resides on a network monitor or probe for an interface. It monitors and gathers information about traffic over the network segment connected to the interface to provide statistics about packets over a specified period and good packets sent to a host, for example.
RMON allows multiple monitors. A monitor provides
two ways of data gathering:
- Using RMON probes. NMSs can obtain management information from RMON probes directly and control network resources. In this approach, RMON NMSs can obtain all RMON MIB information.
- Embedding RMON agents in network devices such as routers, switches, and hubs to provide the RMON probe function. RMON NMSs exchange data with RMON agents with basic SNMP commands to gather network management information, which, due to system resource limitations, may not cover all MIB information but, in most cases, only four groups of information: alarm, event, history, and statistics.
The device adopts the second way. By using RMON agents enabled on network monitors, an NMS can obtain information about traffic size, error statistics, and performance statistics for network management.
2.1.2 RMON Groups
RMON categorizes objects into groups. This
section describes only the major implemented groups.
I. Event group
The event group defines event indexes and
controls the generation and notifications of the events triggered by the alarms
defined in the alarm group and the private alarm group. The events can be
handled in one of the following ways:
- Logging events in the event log table
- Sending traps to NMSs
- Both logging and sending traps
- No action
II. Alarm group
The RMON alarm group monitors specified alarm variables, such as statistics on a port. If the monitored variable is greater than or equal to the rising threshold, a rising alarm event is triggered. If the monitored variable is lower than or equal to the falling threshold, a falling alarm event is triggered. The event is then handled as defined in the event group.
The following is how the system handles entries in the RMON alarm table:
1) Sample the alarm variables at the specified interval.
2) Compare the sampled values with the predefined threshold and trigger events if all triggering conditions are met.
If a monitored variable crosses the same threshold multiple times consecutively, only the first crossing can cause an alarm event. That is, rising alarms and falling alarms alternate.
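An added example, not part of the original manual and not the device's implementation: the alarm-table handling described above (sampling, threshold comparison, alternating rising and falling alarms) simulated in Python, with fired events routed according to the event group actions. The counter readings, thresholds and event numbers are constructed for illustration.

```python
# Constructed readings of a cumulative counter such as etherStatsBroadcastPkts,
# one per sampling interval (not taken from a real device).
COUNTER = [1000, 1200, 2000, 3000, 3900, 4100, 4150, 5100, 5150]

# Hypothetical event table: event-entry -> action, as set with "rmon event".
EVENTS = {1: "log-trap", 2: "log"}


def run_alarm(samples, sample_type, rising, rising_event, falling, falling_event,
              events=EVENTS):
    """Return (event_log, traps) produced by one alarm entry over the samples."""
    log, traps = [], []
    last = None   # direction of the alarm that fired most recently
    prev = None   # previous raw reading, used by delta sampling
    for tick, raw in enumerate(samples):
        if sample_type == "delta":
            if prev is None:      # the first reading only primes the delta
                prev = raw
                continue
            value, prev = raw - prev, raw
        else:                     # "absolute": compare the reading itself
            value = raw
        if value >= rising and last != "rising":
            last, event = "rising", rising_event
        elif value <= falling and last != "falling":
            last, event = "falling", falling_event
        else:
            continue              # between thresholds, or a repeated crossing
        record = (tick, last, value)
        action = events[event]    # how the event group handles this event
        if action in ("log", "log-trap"):
            log.append(record)
        if action in ("trap", "log-trap"):
            traps.append(record)
    return log, traps


if __name__ == "__main__":
    for mode in ("delta", "absolute"):
        log, traps = run_alarm(COUNTER, mode, 500, 1, 100, 2)
        print(mode, "log:", log, "traps:", traps)
```

With absolute sampling the same cumulative counter fires a single rising alarm and never falls back below the threshold, which is why delta sampling suits counters that only grow.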
III. Private alarm group
The private alarm group calculates the
sampled values of alarm variables and compares the result with the defined
threshold, thereby realizing a more comprehensive alarming function.
The system handles a prialarm alarm table entry (as defined by the user) in the following ways:
- Periodically sample the prialarm alarm variables defined in the prialarm formula.
- Calculate the sampled values based on the prialarm formula.
- Compare the result with the defined threshold and generate an appropriate event.
IV. History control group
The history control group controls the
periodic statistical sampling of data, such as bandwidth utilization, number of
errors, and total number of packets.
Note that each value provided by the group
is a cumulative sum during a sampling period.
V. Ethernet statistics group
The statistics group monitors port
utilization and records errors. It provides statistics about network collisions,
CRC alignment errors, undersize/oversize packets, broadcasts, multicasts, bytes
received, packets received, and so on.
Unlike values provided by the history
control group, each value provided in this group is a cumulative sum counted
starting from the creation of a valid event entry.
2.2 Configuring RMON
Before configuring RMON, configure the SNMP
agent as described in Chapter 1 SNMP Configuration.
Follow these steps to configure RMON:
| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Create an event entry in the event table | rmon event event-entry [ description string ] { log \| trap trap-community \| log-trap log-trapcommunity \| none } [ owner text ] | Optional |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Create an entry in the history table | rmon history entry-number buckets number interval sampling-interval [ owner text ] | Optional |
| Create an entry in the statistics table | rmon statistics entry-number [ owner text ] | Optional |
| Exit Ethernet port view | quit | — |
| Create an entry in the alarm table | rmon alarm entry-number alarm-variable sampling-time { absolute \| delta } rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2 event-entry2 [ owner text ] | Optional. Before creating an entry, you must use the rmon event command to define the events referenced in the entry. |
| Create an entry in the private alarm table | rmon prialarm entry-number prialarm-formula prialarm-des sampling-timer { absolute \| changeratio \| delta } rising_threshold threshold-value1 event-entry1 falling_threshold threshold-value2 event-entry2 entrytype { forever \| cycle cycle-period } [ owner text ] | Optional. Before creating an entry, you must use the rmon event command to define the events referenced in the entry. |
When an entry is created in the history control table, if the specified buckets number value exceeds the capacity of the device for history entries, the entry can still be created. However, the buckets number that takes effect for this entry is the real capacity of the device for history entries.
2.3 Displaying and Maintaining RMON
| To do… | Use the command… |
| --- | --- |
| Display RMON statistics | display rmon statistics [ interface-type interface-number ] |
| Display RMON history information and the latest history sampling information | display rmon history [ interface-type interface-number ] |
| Display RMON alarm information | display rmon alarm [ entry-number ] |
| Display RMON prialarm information | display rmon prialarm [ entry-number ] |
| Display RMON events | display rmon event [ entry-number ] |
| Display RMON event logs | display rmon eventlog [ event-number ] |
2.4 RMON Configuration Example
I. Network requirements
Agent is connected to a configuration
terminal through its console port and to a remote NMS across the Internet.
Create an entry in the RMON Ethernet
statistics table to gather statistics on Ethernet ports for NMS to retrieve.
II. Network diagram

Figure 2-1 Network diagram for RMON
III. Configuration procedure
# Configure RMON to gather statistics on
the running status of GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet 1/0/1] rmon statistics 1 owner user1-rmon
[Sysname-GigabitEthernet 1/0/1] quit
# Display RMON statistics for GigabitEthernet 1/0/1.
<Sysname> display rmon statistics
Statistics entry 1 owned by user-rmon is VALID.
  Interface : GigabitEthernet1/0/1<ifIndex.2>
  etherStatsOctets         : 384158    , etherStatsPkts          : 4855
  etherStatsBroadcastPkts  : 1421      , etherStatsMulticastPkts : 733
  etherStatsUndersizePkts  : 0         , etherStatsOversizePkts  : 0
  etherStatsFragments      : 0         , etherStatsJabbers       : 0
  etherStatsCRCAlignErrors : 0         , etherStatsCollisions    : 0
  etherStatsDropEvents (insufficient resources): 0
  Packets received according to length:
  64     : 1006      ,  65-127  : 3116      ,  128-255  : 722
  256-511: 10        ,  512-1023: 1         ,  1024-1518: 0