H3C S3100-52P Operation Manual-Release 1602(V1.01)

HomeSupportSwitchesH3C S3100 Switch SeriesConfigure & DeployConfiguration GuidesH3C S3100-52P Operation Manual-Release 1602(V1.01)
27-SNMP-RMON Operation
Title Size Download
27-SNMP-RMON Operation 167.68 KB

Chapter 1  SNMP Configuration

When configuring SNMP, go to these sections for information you are interested in:

l           SNMP Overview

l           Configuring Basic SNMP Functions

l           Configuring Trap-Related Functions

l           Enabling Logging for Network Management

l           Displaying SNMP

l           SNMP Configuration Example

 

&  Note:

l      The configuration of creating a MIB view with the mask of a MIB subtree is added. See section Configuring Basic SNMP Functions.

l      The configuration of encrypting a plain-text password is added. See section Configuring Basic SNMP Functions.

l      The configuration of adding “interface description” and “interface type” into a linkUp/linkDown trap is added. See section Configuring Extended Trap Function.

 

1.1  SNMP Overview

The Simple Network Management Protocol (SNMP) is used for ensuring the transmission of the management information between any two network nodes. In this way, network administrators can easily retrieve and modify the information about any node on the network. In the meantime, they can locate faults promptly and implement the fault diagnosis, capacity planning and report generating.

As SNMP adopts the polling mechanism and provides basic function set, it is suitable for small-sized networks with fast-speed and low-cost. SNMP is based on User Datagram Protocol (UDP) and is thus widely supported by many products.

1.1.1  SNMP Operation Mechanism

SNMP is implemented by two components, namely, network management station (NMS) and agent.

l           An NMS can be a workstation running client program. At present, the commonly used network management platforms include QuidView, Sun NetManager, IBM NetView, and so on.

l           Agent is server-side software running on network devices (such as switches).

An NMS can send GetRequest, GetNextRequest and SetRequest messages to the agents. Upon receiving the requests from the NMS, an agent performs Read or Write operation on the managed object (MIB, Management Information Base) according to the message types, generates the corresponding Response packets and returns them to the NMS.

When a network device operates improperly or changes to other state, the agent on it can also send traps on its own initiative to the NMS to report the events.

1.1.2  SNMP Versions

Currently, SNMP agent on a switch supports SNMPv3, and is compatible with SNMPv1 and SNMPv2c.

SNMPv3 adopts user name and password authentication.

SNMPv1 and SNMPv2c adopt community name authentication. The SNMP packets containing invalid community names are discarded. SNMP community name is used to define the relationship between SNMP NMS and SNMP agent. Community name functions as password. It can limit accesses made by SNMP NMS to SNMP agent. You can perform the following community name-related configuration.

l           Specifying MIB view that a community can access.

l           Set the permission for a community to access an MIB object to be read-only or read-write. Communities with read-only permissions can only query the switch information, while those with read-write permission can configure the switch as well.

l           Set the basic ACL specified by the community name.

1.1.3  Supported MIBs

An SNMP packet carries management variables with it. Management variable is used to describe the management objects of a switch. To uniquely identify the management objects of the switch, SNMP adopts a hierarchical naming scheme to organize the managed objects. It is like a tree, with each tree node representing a managed object, as shown in Figure 1-1. Each node in this tree can be uniquely identified by a path starting from the root.

Figure 1-1 Architecture of the MIB tree

MIB describes the hierarchical architecture of the tree and it is the set defined by the standard variables of the monitored network devices. In the above figure, the managed object B can be uniquely identified by a string of numbers {1.2.1.1}. The number string is the object identifier (OID) of the managed object.

The common MIBs supported by switches are listed in Table 1-1.

Table 1-1 Common MIBs

MIB attribute

MIB content

Related RFC

Public MIB

 MIB II based on TCP/IP network device

RFC 1213

BRIDGE MIB

RFC 1493

RFC 2675

RIP MIB

RFC 1724

RMON MIB

RFC 2819

Ethernet MIB

RFC 2665

IF MIB

RFC 1573

Private MIB

DHCP MIB

QACL MIB

MSTP MIB

VLAN MIB

IPV6 ADDRESS MIB

MIRRORGROUP MIB

QINQ MIB

802.x MIB

HGMP MIB

NTP MIB

Device management

Interface management

 

1.2  Configuring Basic SNMP Functions

SNMPv3 configuration is quite different from that of SNMPv1 and SNMPv2c. Therefore, the configuration of basic SNMP functions is described by SNMP versions, as listed in the following two tables.

Switches now support configuring SNMPv3 users by using the Advanced Encryption Standard (AES), which is the new encryption standard in place of Data Encryption Standard (DES).

Follow these steps to configure basic SNMP functions (SNMPv1 and SNMPv2c):

To do…

Use the command…

Remarks

Enter system view

system-view

Enable SNMP agent

snmp-agent

Optional

Disabled by default.

You can enable SNMP agent by executing this command or any of the commands used to configure SNMP agent.

Set system information, and specify to enable SNMPv1 or SNMPv2c on the switch

snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } }

Required

By default, the contact information for system maintenance is "Hangzhou H3C Technologies Co., Ltd.", the system location is "Hangzhou China", and the SNMP version is SNMPv3.

Set a community name and access permission

Direct configuration

Set a community name

snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]*

Required

l      You can set an SNMPv1/SNMPv2c community name through direct configuration.

l      Indirect configuration is compatible with SNMPv3. The added user is equal to the community name for SNMPv1 and SNMPv2c.

l      You can choose either of them as needed.

Indirect configuration

Set an SNMP group

snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]

Add a user to an SNMP group

snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]

Set the maximum size of an SNMP packet for SNMP agent to receive or send

snmp-agent packet max-size byte-count

Optional

1,500 bytes by default.

Set the device engine ID

snmp-agent local-engineid engineid

Optional

By default, the device engine ID is “enterprise number + device information”.

Create/Update the view information

snmp-agent mib-view { included | excluded } view-name oid-tree [ mask mask-value ]

Optional

By default, the view name is ViewDefault and OID is 1.

 

Follow these steps to configure basic SNMP functions (SNMPv3):

To do…

Use the command…

Remarks

Enter system view

system-view

Enable SNMP agent

snmp-agent

Optional

Disabled by default.

You can enable SNMP agent by executing this command or any of the commands used to configure SNMP agent.

Set system information and specify to enable SNMPv3 on the switch

snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } }

Optional

By default, the contact information for system maintenance is "Hangzhou H3C Technologies Co., Ltd.", the system location is "Hangzhou China", and the SNMP version is SNMPv3.

Set an SNMP group

snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]

Required

Encrypt a plain-text password to generate a cipher-text one

snmp-agent calculate-password plain-password mode { md5 | sha } { local-engineid | specified-engineid engineid }

Optional

This command is used if password in cipher-text is needed for adding a new user.

Add a user to an SNMP group

snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { des56 | aes128 } priv-password ] ] [ acl acl-number ]

Required

Set the maximum size of an SNMP packet for SNMP agent to receive or send

snmp-agent packet max-size byte-count

Optional

1,500 bytes by default.

Set the device engine ID

snmp-agent local-engineid engineid

Optional

By default, the device engine ID is “enterprise number + device information”.

Create or update the view information

snmp-agent mib-view { included | excluded } view-name oid-tree [ mask mask-value ]

Optional

By default, the view name is ViewDefault and OID is 1.

 

&  Note:

An S3100-52P Ethernet switch provides the following functions to prevent attacks through unused UDP ports.

l      Executing the snmp-agent command or any of the commands used to configure SNMP agent enables the SNMP agent, and at the same opens UDP port 161 used by SNMP agents and the UDP port used by SNMP trap respectively.

l      Executing the undo snmp-agent command disables the SNMP agent and closes UDP ports used by SNMP agent and SNMP trap as well.

 

1.3  Configuring Trap-Related Functions

1.3.1  Configuring Basic Trap Functions

traps refer to those sent by managed devices to the NMS without request. They are used to report some urgent and important events (for example, the rebooting of managed devices).

Note that basic SNMP configuration is performed before you configure basic trap function.

Follow these steps to configure basic trap function:

To do…

Use the command…

Remarks

Enter system view

system-view

Enable the switch to send traps to NMS

snmp-agent trap enable [ configuration | flash | standard [ authentication | coldstart | linkdown | linkup | warmstart ]* | system ]

Optional

By default, a port is enabled to send all types of traps.

Enable the port to send traps

Enter port view or interface view

interface interface-type interface-number

Enable the port or interface to send traps

enable snmp trap updown

Quit to system view

quit

Set the destination for traps

snmp-agent target-host trap address udp-domain { ip-address } [ udp-port port-number ] params securityname security-string [ v1 | v2c | v3 [ authentication | privacy ] ]

Required

Set the source address for traps

snmp-agent trap source interface-type interface-number

Optional

Set the size of the queue used to hold the traps to be sent to the destination host

snmp-agent trap queue-size size

Optional

The default is 100.

Set the aging time for traps

snmp-agent trap life seconds

Optional

120 seconds by default.

 

1.3.2  Configuring Extended Trap Function

The extended trap function refers to adding “interface description” and “interface type” into the linkUp/linkDown trap. When receiving this extended trap, NMS can immediately determine which interface on the device fails according to the interface description and type.

Follow these steps to configure extended trap function:

To do…

Use the command…

Remarks

Enter system view

system-view

Configure the extended trap function

snmp-agent trap ifmib link extended

Optional

By default, the linkUp/linkDown trap adopts the standard format defined in IF-MIB. For details, refer to RFC 1213.

 

1.4  Enabling Logging for Network Management

Follow these steps to enable logging for network management:

To do…

Use the command…

Remarks

Enter system view

system-view

Enable logging for network management

snmp-agent log { set-operation | get-operation | all }

Optional

Disabled by default.

 

&  Note:

l      When SNMP logging is enabled on a device, SNMP logs are output to the information center of the device. With the output destinations of the information center set, the output destinations of SNMP logs will be decided.

l      The severity level of SNMP logs is informational, that is, the logs are taken as general prompt information of the device. To view SNMP logs, you need to enable the information center to output system information with informational level.

l      For detailed description on system information and information center, refer to the Information Center Configuration part in this manual.

 

1.5  Displaying SNMP

To do…

Use the command…

Remarks

Display the SNMP information about the current device

display snmp-agent sys-info [ contact | location | version ]*

Available in any view.

Display SNMP packet statistics

display snmp-agent statistics

Display the engine ID of the current device

display snmp-agent { local-engineid | remote-engineid }

Display group information about the device

display snmp-agent group [ group-name ]

Display SNMP user information

display snmp-agent usm-user [ engineid engineid | username user-name | group group-name ]*

Display trap list information

display snmp-agent trap-list

Display the currently configured community name

display snmp-agent community [ read | write ]

Display the currently configured MIB view

display snmp-agent mib-view [ exclude | include | viewname view-name ]

 

1.6  SNMP Configuration Example

1.6.1  SNMP Configuration Example

I. Network requirements

l           An NMS and Switch A (SNMP agent) are connected through the Ethernet. The IP address of the NMS is 10.10.10.1 and that of the VLAN interface on Switch A is 10.10.10.2.

l           Perform the following configuration on Switch A: setting the community name and access permission, administrator ID, contact and switch location, and enabling the switch to sent traps.

Thus, the NMS is able to access Switch A and receive the traps sent by Switch A.

II. Network diagram

Figure 1-2 Network diagram for SNMP configuration

III. Network procedure

# Enable SNMP agent, and set the SNMPv1 and SNMPv2c community names.

<Sysname> system-view

[Sysname] snmp-agent

[Sysname] snmp-agent sys-info version all

[Sysname] snmp-agent community read public

[Sysname] snmp-agent community write private

# Set the access right of the NMS to the MIB of the SNMP agent.

[Sysname] snmp-agent mib-view include internet 1.3.6.1

# For SNMPv3, set:

l           SNMPv3 group and user

l           security to the level of needing authentication and encryption

l           authentication protocol to HMAC-MD5

l           authentication password to passmd5

l           encryption protocol to AES

l           encryption password to cfb128cfb128

[Sysname] snmp-agent group v3 managev3group privacy write-view internet

[Sysname] snmp-agent usm-user v3 managev3user managev3group authentication-mode md5 passmd5 privacy-mode aes128 cfb128cfb128

# Set the VLAN-interface 2 as the interface used by NMS. Add port Ethernet 1/0/2, which is to be used for network management, to VLAN 2. Set the IP address of VLAN-interface 2 as 10.10.10.2.

[Sysname] vlan 2

[Sysname-vlan2] port Ethernet 1/0/2

[Sysname-vlan2] quit

[Sysname] interface Vlan-interface 2

[Sysname-Vlan-interface2] ip address 10.10.10.2 255.255.255.0

[Sysname-Vlan-interface2] quit

# Enable the SNMP agent to send traps to the NMS whose IP address is 10.10.10.1. The SNMP community name to be used is public.

[Sysname] snmp-agent trap enable standard authentication

[Sysname] snmp-agent trap enable standard coldstart

[Sysname] snmp-agent trap enable standard linkup

[Sysname] snmp-agent trap enable standard linkdown

[Sysname] snmp-agent target-host trap address udp-domain 10.10.10.1 udp-port 5000 params securityname public

IV. Configuring the NMS

The S3100-52P Ethernet switch support H3C’s QuidView NMS. SNMPv3 adopts user name and password authentication. When you use H3C’s QuidView NMS, you need to set user names and choose the security level in [Quidview Authentication Parameter]. For each security level, you need to set authorization mode, authorization password, encryption mode, encryption password, and so on. In addition, you need to set timeout time and maximum retry times.

You can query and configure an Ethernet switch through the NMS. For more information, refer to the corresponding manuals of H3C’s NMS products.

 

&  Note:

Authentication-related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully.

 


Chapter 2  RMON Configuration

When configuring RMON, go to these sections for information you are interested in:

l           Introduction to RMON

l           RMON Configuration

l           Displaying RMON

l           RMON Configuration Example

2.1  Introduction to RMON

Remote Monitoring (RMON) is a kind of MIB defined by Internet Engineering Task Force (IETF). It is an important enhancement made to MIB II standards. RMON is mainly used to monitor the data traffic across a network segment or even the entire network, and is currently a commonly used network management standard.

An RMON system comprises of two parts: the network management station (NMS) and the agents running on network devices. RMON agents operate on network monitors or network probes to collect and keep track of the statistics of the traffic across the network segments to which their ports connect, such as the total number of the packets on a network segment in a specific period of time and the total number of packets successfully sent to a specific host.

l           RMON is fully based on SNMP architecture. It is compatible with the current SNMP implementations.

l           RMON enables SNMP to monitor remote network devices more effectively and actively, thus providing a satisfactory means of monitoring remote subnets.

l           With RMON implemented, the communication traffic between NMS and SNMP agents can be reduced, thus facilitating the management of large-scale internetworks.

2.1.1  Working Mechanism of RMON

RMON allows multiple monitors. It can collect data in the following two ways:

l           Using the dedicated RMON probes. When an RMON system operates in this way, the NMS directly obtains management information from the RMON probes and controls the network resources. In this case, all information in the RMON MIB can be obtained.

l           Embedding RMON agents into network devices (such as routers, switches and hubs) directly to make the latter capable of RMON probe functions. When an RMON system operates in this way, the NMS collects network management information by exchanging information with the SNMP agents using the basic SNMP commands. However, this way depends on device resources heavily and an NMS operating in this way can only obtain the information about these four groups (instead of all the information in the RMON MIB): alarm group, event group, history group, and statistics group.

An H3C S3100-52P Ethernet switch implements RMON in the second way. With an RMON agent embedded in, an S3100-52P Ethernet switch can serve as a network device with the RMON probe function. Through the RMON-capable SNMP agents running on the Ethernet switch, an NMS can obtain the information about the total traffic, error statistics and performance statistics of the network segments to which the ports of the managed network devices are connected. Thus, the NMS can further manage the networks.

2.1.2  Commonly Used RMON Groups

I. Event group

Event group is used to define the indexes of events and the processing methods of the events. The events defined in an event group are mainly used by entries in the alarm group and extended alarm group to trigger alarms.

You can specify a network device to act in one of the following ways in response to an event:

l           Logging the event

l           Sending traps to the NMS

l           Logging the event and sending traps to the NMS

l           No processing

II. Alarm group

RMON alarm management enables monitoring on specific alarm variables (such as the statistics of a port). When the value of a monitored variable exceeds the threshold, an alarm event is generated, which then triggers the network device to act in the way defined in the events. Events are defined in event groups.

With an alarm entry defined in an alarm group, a network device performs the following operations accordingly:

l           Sampling the defined alarm variables periodically

l           Comparing the samples with the threshold and triggering the corresponding events if the former exceed the latter

III. Extended alarm group

With extended alarm entry, you can perform operations on the samples of alarm variables and then compare the operation results with the thresholds, thus implement more flexible alarm functions.

With an extended alarm entry defined in an extended alarm group, the network devices perform the following operations accordingly:

l           Sampling the alarm variables referenced in the defined extended alarm expressions periodically

l           Performing operations on the samples according to the defined expressions

l           Comparing the operation results with the thresholds and triggering corresponding events if the operation result exceeds the thresholds.

IV. History group

After a history group is configured, the Ethernet switch collects network statistics information periodically and stores the statistics information temporarily for later use. A history group can provide the history data of the statistics on network segment traffic, error packets, broadcast packets, and bandwidth utilization.

With the history data management function, you can configure network devices to collect history data, sample and store data of a specific port periodically.

V. Statistics group

Statistics group contains the statistics of each monitored port on a switch. An entry in a statistics group is an accumulated value counting from the time when the statistics group is created.

The statistics include the number of the following items: collisions, packets with Cyclic Redundancy Check (CRC) errors, undersize (or oversize) packets, broadcast packets, multicast packets, and received bytes and packets.

With the RMON statistics management function, you can monitor the use of a port and make statistics on the errors occurred when the ports are being used.

2.2  RMON Configuration

Before performing RMON configuration, make sure the SNMP agents are correctly configured. For the information about SNMP agent configuration, refer to section Configuring Basic SNMP Functions.

Follow these steps to configure RMON:

To do…

Use the command…

Remarks

Enter system view

system-view

Add an event entry

rmon event event-entry [ description string ] { log | trap trap-community | log-trap log-trapcommunity | none } [ owner text ]

Optional

Add an alarm entry

rmon alarm entry-number alarm-variable sampling-time { delta | absolute } rising_threshold threshold-value1 event-entry1 falling_threshold threshold-value2 event-entry2 [ owner text ]

Optional

Before adding an alarm entry, you need to use the rmon event command to define the event to be referenced by the alarm entry.

Add an extended alarm entry

rmon prialarm entry-number prialarm-formula prialarm-des sampling-timer { delta | absolute | changeratio } rising_threshold threshold-value1 event-entry1 falling_threshold threshold-value2 event-entry2 entrytype { forever | cycle cycle-period } [ owner text ]

Optional

Before adding an extended alarm entry, you need to use the rmon event command to define the event to be referenced by the extended alarm entry.

Enter Ethernet port view

interface interface-type interface-number

Add a history entry

rmon history entry-number buckets number interval sampling-interval [ owner text ]

Optional

Add a statistics entry

rmon statistics entry-number [ owner text ]

Optional

 

&  Note:

l      The rmon alarm and rmon prialarm commands take effect on existing nodes only.

l      For each port, only one RMON statistics entry can be created. That is, if an RMON statistics entry is already created for a given port, you will fail to create another statistics entry with a different index for the same port.

 

2.3  Displaying RMON

To do…

Use the command…

Remarks

Display RMON statistics

display rmon statistics [ interface-type interface-number | unit unit-number ]

Available in any view.

Display RMON history information

display rmon history [ interface-type interface-number | unit unit-number ]

Display RMON alarm information

display rmon alarm [ entry-number ]

Display extended RMON alarm information

display rmon prialarm [ prialarm-entry-number ]

Display RMON events

display rmon event [ event-entry ]

Display RMON event logs

display rmon eventlog [ event-entry ]

 

2.4  RMON Configuration Example

I. Network requirements

l           The switch to be tested is connected to a remote NMS through the Internet. Ensure that the SNMP agents are correctly configured before performing RMON configuration.

l           Create an entry in the extended alarm table to monitor the information of statistics on the Ethernet port, if the change rate of which exceeds the set threshold, the alarm events will be triggered.

II. Network diagram

Figure 2-1 Network diagram for RMON configuration

III. Configuration procedures

# Add the statistics entry numbered 1 to take statistics on Ethernet 1/0/1.

<Sysname> system-view

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] rmon statistics 1

[Sysname-Ethernet1/0/1] quit

# Add the event entries numbered 1 and 2 to the event table, which will be triggered by the following extended alarm.

[Sysname] rmon event 1 log

[Sysname] rmon event 2 trap 10.21.30.55

# Add an entry numbered 2 to the extended alarm table to allow the system to calculate the alarm variables with the (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1) formula to get the numbers of all the oversize and undersize packets received by Ethernet 1/0/1 that are in correct data format and sample it in every 10 seconds.  When the change ratio between samples reaches the rising threshold of 50, event 1 is triggered; when the change ratio drops under the falling threshold, event 2 is triggered.

[Sysname] rmon prialarm 2 (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1) test 10 changeratio rising_threshold 50 1 falling_threshold 5 2 entrytype forever owner user1

# Display the RMON extended alarm entry numbered 2.

[Sysname] display rmon prialarm 2

Prialarm table 2 owned by user1 is VALID.

  Samples type            : changeratio

  Variable formula : (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1)

  Description             : test

  Sampling interval      : 10(sec)

  Rising threshold       : 100(linked with event 1)

  Falling threshold      : 10(linked with event 2)

  When startup enables  : risingOrFallingAlarm

  This entry will exist : forever.

  Latest value            : 0        

 

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become a Partner
  • Partner Resources
  • Partner Business Management
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网