The Simple Network Management Protocol (SNMP) is by far the most widely deployed management protocol in computer networks. It has been put into use and accepted as an industry standard in practice. It carries management information between any two network nodes, so that network administrators can easily retrieve and modify information about any node on the network, locate faults promptly, and carry out fault diagnosis, capacity planning and report generation.
Because SNMP uses a polling mechanism and provides only a basic function set, it suits small networks where speed and low cost matter. SNMP runs over the User Datagram Protocol (UDP) and is therefore widely supported by many products.
SNMP is implemented by two components: the network management station (NMS) and the agent.
An NMS is a workstation running the client program. Commonly used network management platforms include QuidView, Sun NetManager, IBM NetView, and so on.
The agent is server-side software running on network devices.
An NMS can send GetRequest, GetNextRequest and SetRequest messages to agents. On receiving a request from the NMS, an agent performs the read or write operation that the message type calls for, generates the corresponding Response packet and returns it to the NMS.
When a network device operates improperly or changes state, its agent can also send trap messages to the NMS on its own initiative to report the event.
Currently, the SNMP agent on a network device supports SNMPv3 and is compatible with SNMPv1 and SNMPv2C.
SNMPv3 uses user name and password authentication.
SNMPv1 and SNMPv2C use community name authentication: SNMP packets carrying an invalid community name are discarded. An SNMP community name defines the relationship between the SNMP NMS and the SNMP agent. The community name functions as a password and limits the access the NMS has to the agent. You can perform the following community name-related configuration:
- Specify the MIB view that a community can access.
- Set the permission of a community to access a MIB object to read-only or read-write. Communities with read-only permission can only query device information; those with read-write permission can configure devices as well.
- Set the basic ACL associated with the community name.
An SNMP packet carries management variables, which describe the managed objects of a device. To identify the managed objects of a device uniquely, SNMP organizes them in a hierarchical naming scheme: a tree in which each node represents a managed object, as shown in Figure 1-1. Each node in the tree can be uniquely identified by the path from the root.

Figure 1-1 Architecture of the MIB tree
The management information base (MIB) describes the hierarchical architecture of the tree and is the set of standard variables defined for the monitored network devices. In the above figure, the managed object B can be uniquely identified by the string of numbers {1.2.1.1}. This number string is the object identifier (OID) of the managed object.
The common MIBs supported by the system are listed in Table 1-1.
Table 1-1 Common MIBs

| MIB attribute | MIB content | Related RFC |
|---|---|---|
| Public MIB | MIB II based on TCP/IP network device | RFC1213 |
| | BRIDGE MIB | RFC1493, RFC2675 |
| | RIP MIB | RFC1724 |
| | RMON MIB | RFC2819 |
| | Ethernet MIB | RFC2665 |
| | OSPF MIB | RFC1253 |
| | IF MIB | RFC1573 |
| Private MIB | DHCP MIB, QACL MIB, ADBM MIB, RSTP MIB, VLAN MIB, Device management, Interface management | — |
SNMPv3 configuration differs considerably from that of SNMPv1 and SNMPv2C. The configuration of basic SNMP functions is therefore described per SNMP version, in Table 1-2 and Table 1-3.
Table 1-2 Configure basic SNMP functions (SNMPv1 and SNMPv2C)

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enable SNMP agent | snmp-agent | Optional. By default, SNMP agent is disabled. You can enable SNMP agent by executing this command or any of the commands used to configure SNMP agent. |
| Set system information | snmp-agent sys-info { contact sys-contact \| location sys-location \| version { { v1 \| v2c \| v3 }* \| all } } | Required. By default, the contact information for system maintenance is "R&D Hangzhou, H3C Technologies Co.,Ltd.", the system location is "Hangzhou China", and the SNMP version is SNMPv3. |
| Set a community name and access permission (direct configuration): set a community name | snmp-agent community { read \| write } community-name [ acl acl-number \| mib-view view-name ]* | Required. Use either direct or indirect configuration as needed. Direct configuration sets an SNMPv1/SNMPv2C community name. Indirect configuration is compatible with SNMPv3; the added user is equivalent to the community name for SNMPv1 and SNMPv2C. |
| Set a community name and access permission (indirect configuration): set an SNMP group | snmp-agent group { v1 \| v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] | |
| Set a community name and access permission (indirect configuration): add a user to an SNMP group | snmp-agent usm-user { v1 \| v2c } user-name group-name [ acl acl-number ] | |
| Set the maximum SNMP packet size for SNMP agent | snmp-agent packet max-size byte-count | Optional. By default, the maximum SNMP packet size is 1,500 bytes. |
| Set the device engine ID | snmp-agent local-engineid engineid | Optional. By default, the device engine ID is formed by appending device information to the enterprise number. |
| Create or update the view information | snmp-agent mib-view { included \| excluded } view-name oid-tree | Optional. By default, the view name is "ViewDefault" and the OID is 1. |
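The three community-name controls listed earlier (read/write permission, basic ACL, MIB view) and the included/excluded view rules of Table 1-2 combine into one access decision per request. The following Python model of that decision is an added example, not H3C code: the view named "monitor", the community names "monitor-ro" and "ops-rw", and the ACL networks are constructed; only "ViewDefault" with OID 1 and the 10.10.10.0/24 addresses come from the manual. The longest matching subtree wins, which is what lets an excluded subtree carve a hole out of an included one.

```python
"""Access decision for an SNMPv1/SNMPv2C request: community name, basic ACL,
read/write permission and MIB view.  Added example, not H3C code."""
import ipaddress
from dataclasses import dataclass, field


def parse_oid(oid: str) -> tuple:
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1)."""
    return tuple(int(part) for part in oid.strip(".").split("."))


@dataclass
class MibView:
    """A list of (included, subtree) rules, as built by
    'snmp-agent mib-view { included | excluded } view-name oid-tree'.
    The most specific (longest) matching subtree decides visibility."""
    name: str
    rules: list = field(default_factory=list)

    def included(self, oid_tree: str) -> "MibView":
        self.rules.append((True, parse_oid(oid_tree)))
        return self

    def excluded(self, oid_tree: str) -> "MibView":
        self.rules.append((False, parse_oid(oid_tree)))
        return self

    def permits(self, oid: str) -> bool:
        target = parse_oid(oid)
        best = None  # (included, subtree) of the longest match so far
        for included, subtree in self.rules:
            if target[:len(subtree)] == subtree and (
                    best is None or len(subtree) > len(best[1])):
                best = (included, subtree)
        return best is not None and best[0]


@dataclass
class Community:
    name: str
    write: bool                 # read-write if True, read-only otherwise
    view: MibView
    acl: list = field(default_factory=list)  # permitted NMS networks; empty = no ACL


def check_request(communities: dict, community: str, source_ip: str,
                  oid: str, is_set: bool) -> str:
    """Return 'ok' or the reason the request is dropped or denied.  A packet with
    an unknown community is discarded without a Response, as the text states."""
    entry = communities.get(community)
    if entry is None:
        return "drop: invalid community name"
    src = ipaddress.ip_address(source_ip)
    if entry.acl and not any(src in net for net in entry.acl):
        return "drop: source denied by ACL"
    if is_set and not entry.write:
        return "deny: read-only community"
    if not entry.view.permits(oid):
        return "deny: OID outside MIB view"
    return "ok"


def build_demo() -> dict:
    """Constructed configuration: the default ViewDefault (OID 1) for a read-write
    community restricted to one NMS host, and a read-only monitoring view that
    hides the private enterprise subtree 1.3.6.1.4.1 from the NMS subnet."""
    view_default = MibView("ViewDefault").included("1")
    monitor = MibView("monitor").included("1.3.6.1").excluded("1.3.6.1.4.1")
    nms_net = ipaddress.ip_network("10.10.10.0/24")   # NMS subnet from Figure 1-2
    return {
        "monitor-ro": Community("monitor-ro", False, monitor, [nms_net]),
        "ops-rw": Community("ops-rw", True, view_default,
                            [ipaddress.ip_network("10.10.10.1/32")]),
    }
```

The reason strings are what an agent's `snmp-agent log` style logging would record; the distinction between "drop" (no Response at all) and "deny" (a Response carrying an error) mirrors the text's statement that packets with invalid community names are discarded.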
Table 1-3 Configure basic SNMP functions (SNMPv3)

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enable SNMP agent | snmp-agent | Required. By default, SNMP agent is disabled. You can enable SNMP agent by executing this command or any of the commands used to configure SNMP agent. |
| Set system information | snmp-agent sys-info { contact sys-contact \| location sys-location \| version { { v1 \| v2c \| v3 }* \| all } } | Optional. By default, the contact information for system maintenance is "R&D Hangzhou, H3C Technologies Co.,Ltd.", the system location is "Hangzhou China", and the SNMP version is SNMPv3. |
| Set an SNMP group | snmp-agent group v3 group-name [ authentication \| privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] | Required |
| Add a user to an SNMP group | snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 \| sha } auth-password [ privacy-mode des56 priv-password ] ] [ acl acl-number ] | Required |
| Set the maximum SNMP packet size for SNMP agent | snmp-agent packet max-size byte-count | Optional. By default, the maximum SNMP packet size is 1,500 bytes. |
| Set the device engine ID | snmp-agent local-engineid engineid | Optional. By default, the device engine ID is formed by appending device information to the enterprise number. |
| Create or update the view information | snmp-agent mib-view { included \| excluded } view-name oid-tree | Optional. By default, the view name is "ViewDefault" and the OID is 1. |
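The `authentication-mode { md5 | sha } auth-password` and `privacy-mode des56 priv-password` parameters in Table 1-3 are passwords, not keys: an SNMPv3 agent turns them into keys with the RFC 3414 password-to-key algorithm and then localizes the result with its own engine ID (the value set by `snmp-agent local-engineid`). The Python below is an added example of that derivation, not H3C code; it uses the RFC 3414 appendix A test vector (password "maplesyrup", engine ID 00 00 00 00 00 00 00 00 00 00 00 02) and one constructed engine ID to show that the same password gives a different key on each device, which is why the NMS must hold per-device engine IDs and why the text insists that NMS and device authentication settings agree.

```python
"""RFC 3414 password-to-key derivation and engine-ID localization behind the
SNMPv3 usm-user command.  Added example, not H3C code."""
import hashlib

# authentication-mode keyword from Table 1-3 -> hashlib algorithm name
AUTH_ALGORITHMS = {"md5": "md5", "sha": "sha1"}


def password_to_ku(password: str, auth_mode: str) -> bytes:
    """RFC 3414 A.2: repeat the password to exactly 1,048,576 bytes and digest it.
    The expansion is cheap, so it is no substitute for a strong password."""
    if len(password) < 8:
        raise ValueError("RFC 3414 requires passwords of at least 8 characters")
    pw = password.encode()
    expanded = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(AUTH_ALGORITHMS[auth_mode], expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, auth_mode: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one agent."""
    return hashlib.new(AUTH_ALGORITHMS[auth_mode], ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, auth_mode: str) -> bytes:
    return localize_key(password_to_ku(password, auth_mode), engine_id, auth_mode)


def usm_user_keys(auth_mode: str, auth_password: str, engine_id: bytes,
                  priv_password: str = None) -> dict:
    """Keys an agent derives for one usm-user entry.  For privacy-mode des56,
    RFC 3414 section 8.1.1.1 takes the first 8 bytes of the localized privacy
    key as the DES key and the next 8 bytes as the pre-IV."""
    keys = {"auth_key": localized_key(auth_password, engine_id, auth_mode)}
    if priv_password is not None:
        priv_kul = localized_key(priv_password, engine_id, auth_mode)
        keys["des_key"] = priv_kul[:8]
        keys["des_pre_iv"] = priv_kul[8:16]
    return keys


if __name__ == "__main__":
    rfc_engine = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3 vector
    demo_engine = bytes.fromhex("8000000001020304")          # constructed engine ID
    for engine in (rfc_engine, demo_engine):
        print(engine.hex(), localized_key("maplesyrup", engine, "md5").hex())
```

Because localization happens on the agent, a captured localized key from one switch does not authenticate to another, but the password that produced both does; the per-device binding protects the devices, not the shared password.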
An S5600 Ethernet switch takes the following measures to prevent attacks through unused sockets:
- It opens UDP port 161 (used by SNMP agents) and UDP port 1024 (used by SNMP-trap clients) only when SNMP is enabled.
- It closes UDP port 161 and UDP port 1024 when SNMP is disabled.
This is achieved as follows:
- Executing the snmp-agent command, or any of the commands used to configure SNMP agent, enables the SNMP agent and opens UDP port 161 and UDP port 1024.
- Executing the undo snmp-agent command closes UDP port 161 and UDP port 1024 as well.
Trap messages are messages sent by managed devices to the NMS without being requested. They report urgent and important events (for example, the rebooting of a managed device).
Prerequisite: basic SNMP configuration has been performed.
Table 1-4 Configure Trap

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enable the device to send Trap packets | snmp-agent trap enable [ bgp [ backwardtransition \| established ]* \| configuration \| flash \| ospf [ process-id ] [ ospf-trap-list ] \| standard [ authentication \| coldstart \| linkdown \| linkup \| warmstart ]* \| system \| vrrp [ authfailure \| newmaster ] ] | Optional. By default, a port is enabled to send all types of Traps. |
| Enable the port to send Trap packets: enter port view or interface view | interface interface-type interface-number | |
| Enable the port to send Trap packets: enable the port or interface to send Trap packets | enable snmp trap updown | |
| Enable the port to send Trap packets: quit to system view | quit | |
| Set the destination for Trap packets | snmp-agent target-host trap address udp-domain { ip-address } [ udp-port port-number ] params securityname security-string [ v1 \| v2c \| v3 { authentication \| privacy } ] | Required |
| Set the source address for Trap packets | snmp-agent trap source interface-type interface-number | Optional |
| Set the size of the queue used to hold the Traps to be sent to the destination host | snmp-agent trap queue-size size | Optional. The default is 100. |
| Set the aging time for Trap packets | snmp-agent trap life seconds | Optional. The default Trap packet aging time is 120 seconds. |
Table 1-5 Enable logging for network management

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enable logging for network management | snmp-agent log { set-operation \| get-operation \| all } | Optional. By default, SNMP logging is disabled. |
- On a single device, use the display logbuffer command to view the log of the get and set operations requested by the NMS.
- In a fabric environment, use the display logbuffer command on the master device to view the log of the set operations requested by the NMS, and on the devices that received the get requests to view the log of the get operations requested by the NMS.
After the above configuration, you can execute the display command in any view to view the running status of SNMP and verify the configuration.
Table 1-6 Display SNMP

| Operation | Command | Description |
|---|---|---|
| Display the SNMP information about the current device | display snmp-agent sys-info [ contact \| location \| version ]* | These commands can be executed in any view. |
| Display SNMP packet statistics | display snmp-agent statistics | |
| Display the engine ID of the current device | display snmp-agent { local-engineid \| remote-engineid } | |
| Display group information about the device | display snmp-agent group [ group-name ] | |
| Display SNMP user information | display snmp-agent usm-user [ engineid engineid \| username user-name \| group group-name ] | |
| Display Trap list information | display snmp-agent trap-list | |
| Display the currently configured community name | display snmp-agent community [ read \| write ] | |
| Display the currently configured MIB view | display snmp-agent mib-view [ exclude \| include \| viewname view-name ] | |
I. Network requirements
- An NMS and Switch A are connected through Ethernet. The IP address of the NMS is 10.10.10.1 and that of the VLAN interface on Switch A is 10.10.10.2.
- Perform the following configuration on Switch A: set the community name and access permission, the administrator ID, the contact and the switch location, and enable the switch to send trap packets.
II. Network diagram

Figure 1-2 Network diagram for SNMP configuration
III. Network procedure
# Set the community name, group name and user.
<H3C> system-view
[H3C] snmp-agent
[H3C] snmp-agent sys-info version all
[H3C] snmp-agent community write public
[H3C] snmp-agent mib-view include internet 1.3.6.1
[H3C] snmp-agent group v3 managev3group write-view internet
[H3C] snmp-agent usm-user v3 managev3user managev3group
# Set VLAN-interface 2 as the interface used by the NMS. Add port GigabitEthernet1/0/2, which is to be used for network management, to VLAN 2. Set the IP address of VLAN-interface 2 to 10.10.10.2.
[H3C] vlan 2
[H3C-vlan2] port GigabitEthernet 1/0/2
[H3C-vlan2] quit
[H3C] interface Vlan-interface 2
[H3C-Vlan-interface2] ip address 10.10.10.2 255.255.255.0
[H3C-Vlan-interface2] quit
# Enable the SNMP agent to send Trap packets to the NMS whose IP address is 10.10.10.1. The SNMP community name to be used is "public".
[H3C] snmp-agent trap enable standard authentication
[H3C] snmp-agent trap enable standard coldstart
[H3C] snmp-agent trap enable standard linkup
[H3C] snmp-agent trap enable standard linkdown
[H3C] snmp-agent target-host trap address udp-domain 10.10.10.1 udp-port 5000 params securityname public
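The procedure above enables every SNMP version and creates a read-write community named "public" with neither an ACL nor a restricted MIB view, which is exactly the combination the community-name section warns about (the name is the password). A configuration review can catch this mechanically. The Python audit below is an added example, not an H3C tool: it parses `snmp-agent community` and `snmp-agent sys-info version` lines using only the syntax given in Table 1-2, runs over the commands from the procedure above, and over a constructed hardened variant (community "monitor-ro", ACL 2000, view "internet") for comparison.

```python
"""Audit snmp-agent configuration lines for weak community-name choices.
Added example, not an H3C tool.  Command syntax follows Table 1-2."""
import re

WELL_KNOWN_COMMUNITIES = {"public", "private"}

# The SNMP commands from the configuration procedure above, as saved config lines.
PAGE_EXAMPLE_CONFIG = """\
snmp-agent
snmp-agent sys-info version all
snmp-agent community write public
snmp-agent mib-view include internet 1.3.6.1
snmp-agent group v3 managev3group write-view internet
snmp-agent usm-user v3 managev3user managev3group
"""

# Constructed hardened variant.  No 'sys-info version' line is present, so the
# version stays at its default of SNMPv3 (Table 1-2); ACL 2000 is assumed to
# permit only the NMS address.
HARDENED_CONFIG = """\
snmp-agent
snmp-agent mib-view included internet 1.3.6.1
snmp-agent community read monitor-ro acl 2000 mib-view internet
snmp-agent group v3 managev3group privacy write-view internet acl 2000
"""


def parse_community(line: str):
    """snmp-agent community { read | write } name [ acl N | mib-view V ]*"""
    tokens = line.split()
    if tokens[:2] != ["snmp-agent", "community"] or len(tokens) < 4:
        return None
    entry = {"permission": tokens[2], "name": tokens[3], "acl": None, "mib_view": None}
    options = tokens[4:]
    for key, value in zip(options[0::2], options[1::2]):   # options come in pairs
        if key == "acl":
            entry["acl"] = value
        elif key == "mib-view":
            entry["mib_view"] = value
    return entry


def audit_snmp_config(config_text: str) -> list:
    """Return one finding string per weak setting, in configuration order."""
    findings = []
    versions = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"snmp-agent sys-info version (.+)", line)
        if m:
            versions.update(m.group(1).split())
        entry = parse_community(line)
        if entry is None:
            continue
        name = entry["name"]
        if name.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(f"{name}: well-known community name")
        if entry["acl"] is None:
            kind = "read-write" if entry["permission"] == "write" else "read-only"
            findings.append(f"{name}: {kind} community without an ACL")
        if entry["mib_view"] is None:
            findings.append(f"{name}: uses ViewDefault (OID 1, the entire MIB tree)")
    if "all" in versions or versions & {"v1", "v2c"}:
        findings.append("SNMPv1/SNMPv2C enabled: community names are sent in cleartext")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page example", PAGE_EXAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_snmp_config(cfg) or ["no findings"])
```

The same parser can be pointed at the output of `display snmp-agent community` on a running switch, since that command lists the configured community names and permissions.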
IV. Configuring the NMS
The S5600 series Ethernet switches support H3C's QuidView NMS. SNMPv3 uses user name and password authentication. When you use H3C's QuidView NMS, you need to set user names and choose the security level in [Quidview Authentication Parameter]. For each security level, you need to set the authorization mode, authorization password, encryption mode, encryption password, and so on. In addition, you need to set the timeout time and maximum retry times.
You can query and configure an Ethernet switch through the NMS. For more information, refer to the manuals of H3C's NMS products.
The authentication-related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully.
Remote monitoring (RMON) is a management information base (MIB) defined by the Internet Engineering Task Force (IETF). It is the most important enhancement made to the MIB II standard. RMON is mainly used to monitor the data traffic across a network segment or even an entire network, and is currently a commonly used network management standard.
An RMON system comprises two parts: the network management station (NMS) and the agents running on network devices. RMON agents operate on network monitors or network probes to collect and keep track of traffic statistics for the network segments to which their ports connect, such as the total number of packets on a network segment in a specific period of time and the total number of packets successfully sent to a specific host.
RMON is fully based on the simple network management protocol (SNMP) architecture. Because it is compatible with current SNMP implementations, you can implement RMON without modifying the existing SNMP implementation. RMON enables SNMP to monitor remote network devices more effectively and actively, providing a satisfactory means of monitoring remote subnets. With RMON implemented, the communication traffic between the NMS and agents can be reduced, which facilitates the management of large-scale internetworks.
RMON allows multiple monitors. It can collect data in the following two ways:
- Using dedicated RMON probes. When an RMON system operates in this way, the NMS obtains management information directly from the RMON probes and controls the network resources. In this case, all the information in the RMON MIB can be obtained.
- Embedding RMON agents directly into network devices (such as routers, switches and hubs), making them capable of RMON probe functions. When an RMON system operates in this way, the NMS collects network management information by exchanging information with the SNMP agents using the basic SNMP commands. However, this way depends heavily on device resources, and an NMS operating in this way can obtain only the information of these four groups (instead of all the information in the RMON MIB): alarm group, event group, history group, and statistics group.
An S5600 Ethernet switch implements RMON in the second way. With an RMON agent embedded, an S5600 Ethernet switch can serve as a network device with the RMON probe function. Through the RMON-capable SNMP agents running on the Ethernet switch, an NMS can obtain the total traffic, error statistics and performance statistics of the network segments to which the ports of the managed network devices are connected, and thus further manage the networks.
I. Event group
The event group defines the indexes of events and how each event is processed. The events defined in an event group are mainly used by entries in the alarm group and extended alarm group to trigger alarms.
You can specify that a network device act in one of the following ways in response to an event:
- Logging the event
- Sending trap messages to the NMS
- Logging the event and sending trap messages to the NMS
- No processing
II. Alarm group
RMON alarm management monitors specific alarm variables (such as the statistics of a port). When the value of a monitored variable exceeds the threshold, an alarm event is generated, which triggers the network device to act in the preset way. Events are defined in event groups.
With an alarm entry defined in an alarm group, a network device performs the following operations:
- Sampling the defined alarm variables periodically
- Comparing the samples with the threshold and triggering the corresponding events if the former exceed the latter
III. Extended alarm group
With an extended alarm entry, you can perform operations on the samples of alarm variables and then compare the results with the thresholds, implementing more flexible alarm functions.
With an extended alarm entry defined in an extended alarm group, a network device performs the following operations:
- Sampling the alarm variables referenced in the defined extended alarm expressions periodically
- Performing operations on the samples according to the defined expressions
- Comparing the results with the thresholds and triggering the corresponding events if a result exceeds the thresholds
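The event, alarm and extended alarm groups described in sections I to III fit together as one small engine: an event table that dispatches log, trap, log-trap or none; an alarm that samples a variable (delta or absolute) and compares it with rising and falling thresholds; and an extended alarm that applies a formula to several sampled variables before comparing. The Python below is an added example of that engine, not H3C's implementation. Two points it makes concrete that the prose does not: a delta alarm needs two raw readings before it can produce a value, and after a rising event no further rising event is generated until the value has come down to the falling threshold (RFC 2819 hysteresis), so a counter that stays high produces one event rather than one per interval. The counter readings, thresholds and the meaning given to changeratio (percentage change between consecutive formula results) are constructed assumptions.

```python
"""RMON event table, threshold alarm and extended (formula) alarm.
Added example, not H3C code; sample values and thresholds are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class EventEntry:
    action: str                           # log | trap | log-trap | none
    description: str = ""
    trap_community: Optional[str] = None  # securityname carried in the trap


@dataclass
class EventTable:
    events: dict = field(default_factory=dict)
    log: list = field(default_factory=list)
    traps: list = field(default_factory=list)

    def fire(self, index: int, detail: str) -> str:
        """Apply the processing method of event 'index' (the four ways listed above)."""
        ev = self.events[index]
        if ev.action in ("log", "log-trap"):
            self.log.append(f"event {index}: {ev.description} ({detail})")
        if ev.action in ("trap", "log-trap"):
            self.traps.append((ev.trap_community, f"{ev.description}: {detail}"))
        return ev.action


@dataclass
class Alarm:
    """rmon alarm: sample one variable per interval and compare with thresholds.
    _last remembers which threshold fired most recently, giving hysteresis."""
    variable: str
    sample_type: str          # "delta" or "absolute"
    rising: float
    rising_event: int
    falling: float
    falling_event: int
    _prev: Optional[float] = None
    _last: Optional[str] = None

    def sample(self, raw: float, events: EventTable) -> Optional[str]:
        if self.sample_type == "delta":
            if self._prev is None:            # a delta needs two raw samples
                self._prev = raw
                return None
            value, self._prev = raw - self._prev, raw
        else:
            value = raw
        return self.compare(value, events)

    def compare(self, value: float, events: EventTable) -> Optional[str]:
        if value >= self.rising and self._last != "rising":
            self._last = "rising"
            events.fire(self.rising_event, f"{self.variable}={value:g} >= {self.rising:g}")
            return "rising"
        if value <= self.falling and self._last != "falling":
            self._last = "falling"
            events.fire(self.falling_event, f"{self.variable}={value:g} <= {self.falling:g}")
            return "falling"
        return None


@dataclass
class PriAlarm(Alarm):
    """rmon prialarm: evaluate a formula over a dict of sampled variables, then
    treat the result as the alarm sample (delta, absolute or changeratio)."""
    formula: Callable[[dict], float] = lambda samples: 0.0

    def sample(self, raw: dict, events: EventTable) -> Optional[str]:
        result = self.formula(raw)
        if self.sample_type != "changeratio":
            return super().sample(result, events)
        if not self._prev:                    # first result, or previous was zero
            self._prev = result
            return None
        value, self._prev = 100.0 * (result - self._prev) / self._prev, result
        return self.compare(value, events)


def run_alarm_demo():
    """Constructed etherStatsCRCAlignErrors readings, one per sampling interval:
    more than 50 new errors in an interval raises event 1, 5 or fewer lowers event 2."""
    events = EventTable({1: EventEntry("log-trap", "CRC errors rising", "monitor-ro"),
                         2: EventEntry("log", "CRC errors back to normal")})
    alarm = Alarm("etherStatsCRCAlignErrors", "delta", 50, 1, 5, 2)
    readings = [100, 110, 200, 300, 302, 303, 400]
    return [alarm.sample(r, events) for r in readings], events


def run_prialarm_demo():
    """Constructed error ratio: CRC errors as a percentage of received packets."""
    events = EventTable({1: EventEntry("trap", "error ratio high", "monitor-ro"),
                         2: EventEntry("none")})
    ratio = PriAlarm("crc/pkts %", "absolute", 1.0, 1, 0.1, 2,
                     formula=lambda s: 100.0 * s["crc"] / max(s["pkts"], 1))
    samples = [{"crc": 5, "pkts": 200}, {"crc": 3, "pkts": 250}, {"crc": 1, "pkts": 2000}]
    return [ratio.sample(s, events) for s in samples]
```

In the delta demo the readings 100, 110, 200, 300, 302, 303, 400 produce deltas 10, 90, 100, 2, 1, 97: the 90 raises, the 100 is suppressed by hysteresis, the 2 lowers, the 1 is suppressed, and the 97 raises again, so the log receives three entries and two traps are sent.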
IV. History group
After a history group is configured, the Ethernet switch collects network statistics periodically and stores them temporarily for later use. A history group can provide history data on network segment traffic, error packets, broadcast packets, and bandwidth utilization.
With the history data management function, you can configure network devices to collect history data, and to sample and store the data of a specific port periodically.
V. Statistics group
The statistics group contains the statistics of each monitored port on a network device. An entry in a statistics group is a value accumulated from the time the statistics group was created.
The statistics include the number of collisions, packets with cyclic redundancy check (CRC) errors, undersize (or oversize) packets, broadcast packets, multicast packets, and received bytes and packets.
With the RMON statistics management function, you can monitor the use of a port and collect statistics on the errors that occur while the port is in use.
The history group and the statistics group must be configured in port view because they are port-oriented RMON groups.
Before performing RMON configuration, make sure the SNMP agents are correctly configured. For information about SNMP agent configuration, refer to section 1.2 "Configuring Basic SNMP Functions".
Table 2-1 Configure RMON

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Add an event entry | rmon event event-entry [ description string ] { log \| trap trap-community \| log-trap log-trapcommunity \| none } [ owner text ] | Optional |
| Add an alarm entry | rmon alarm entry-number alarm-variable sampling-time { delta \| absolute } rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2 event-entry2 [ owner text ] | Optional. Before adding an alarm entry, you need to use the rmon event command to define the event to be referenced by the alarm entry. |
| Add an extended alarm entry | rmon prialarm entry-number prialarm-formula prialarm-des sampling-timer { delta \| absolute \| changeratio } rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2 event-entry2 entrytype { forever \| cycle cycle-period } [ owner text ] | Optional. Before adding an extended alarm entry, you need to use the rmon event command to define the event to be referenced by the extended alarm entry. |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Add a history entry | rmon history entry-number buckets number interval sampling-interval [ owner text ] | Optional |
| Add a statistics entry | rmon statistics entry-number [ owner text ] | Optional |
- The rmon alarm and rmon prialarm commands take effect on existing nodes only.
- Only one RMON statistics entry can be created for each port. That is, if an RMON statistics entry already exists for a given port, creating another statistics entry with a different index for the same port fails.
After the above configuration, you can execute the display command in any view to display the RMON running status and verify the configuration.
Table 2-2 Display RMON

| Operation | Command | Description |
|---|---|---|
| Display RMON statistics | display rmon statistics [ interface-type interface-number \| unit unit-number ] | These commands can be executed in any view. |
| Display RMON history information | display rmon history [ interface-type interface-number \| unit unit-number ] | |
| Display RMON alarm information | display rmon alarm [ entry-number ] | |
| Display extended RMON alarm information | display rmon prialarm [ prialarm-entry-number ] | |
| Display RMON events | display rmon event [ event-entry ] | |
| Display RMON event logs | display rmon eventlog [ event-entry ] | |
I. Network requirements
- Ensure that the SNMP agents are correctly configured before performing RMON configuration.
- The switch to be tested has a configuration terminal connected to its console port and is connected to a remote NMS through the Internet. Create an entry in the Ethernet statistics table to generate statistics on the Ethernet port performance for network management.
II. Network diagram

Figure 2-1 Network diagram for RMON configuration
III. Configuration procedures
# Configure RMON.
<H3C> system-view
[H3C] interface GigabitEthernet1/0/1
[H3C-GigabitEthernet1/0/1] rmon statistics 1 owner user1-rmon
# View RMON configuration.
[H3C-GigabitEthernet1/0/1] display rmon statistics GigabitEthernet1/0/1
Statistics entry 1 owned by user1-rmon is VALID.
  Interface : GigabitEthernet1/0/1<ifIndex.4227626>
  etherStatsOctets         : 0 , etherStatsPkts          : 0
  etherStatsBroadcastPkts  : 0 , etherStatsMulticastPkts : 0
  etherStatsUndersizePkts  : 0 , etherStatsOversizePkts  : 0
  etherStatsFragments      : 0 , etherStatsJabbers       : 0
  etherStatsCRCAlignErrors : 0 , etherStatsCollisions    : 0
  etherStatsDropEvents (insufficient resources): 0
  Packets received according to length:
  64     : 0 , 65-127   : 0 , 128-255   : 0
  256-511: 0 , 512-1023 : 0 , 1024-1518 : 0