06-SNMP Configuration


When configuring SNMP, go to these sections for information you are interested in:

- SNMP Overview
- SNMP Configuration
- Configuring SNMP Logging
- Configuring SNMP Trap
- Displaying and Maintaining SNMP
- SNMPv1/SNMPv2c Configuration Example
- SNMPv3 Configuration Example
- SNMP Logging Configuration Example

SNMP Overview

Simple Network Management Protocol (SNMP) offers the communication rules between a management device and the managed devices on the network; it defines a series of messages, methods and syntaxes to implement the access and management from the management device to the managed devices. SNMP has the following characteristics:

- Automatic network management: SNMP enables network administrators to search and modify information, find and diagnose network problems, plan for network growth, and obtain reports on network nodes.

- SNMP shields physical differences between various devices and thus realizes automatic management of products from various vendors. Offering only the basic set of functions, SNMP makes the management tasks independent of both the physical features of the managed devices and the underlying networking technologies. Thus, SNMP achieves effective management of devices from different vendors, especially in small, high-speed and low-cost network environments.

SNMP Mechanism

An SNMP-enabled network comprises a Network Management Station (NMS) and agents.

- An NMS is a station that runs the SNMP client software. It offers a user-friendly interface that helps network administrators perform most network management tasks.

- An agent is a program that resides in the device. It receives and handles requests sent from the NMS. Only under certain circumstances, such as an interface state change, will the agent inform the NMS.

An NMS is a manager in an SNMP enabled network, whereas agents are managed by the NMS. The NMS and agents exchange management information through the SNMP protocol.

SNMP provides the following four basic operations:

- Get operation: The NMS gets the value of one or more objects of the agent.

- Set operation: The NMS can reconfigure the value of one or more objects in the agent MIB (Management Information Base) by means of this operation.

- Trap operation: The agent sends traps to the NMS through this operation.

- Inform operation: The NMS sends traps to other NMSs through this operation.

SNMP Protocol Version

Currently, SNMP agents support SNMPv3 and are compatible with SNMPv1 and SNMPv2c.

- SNMPv1 uses community names for authentication. A community name defines the relationship between an SNMP NMS and an SNMP agent. SNMP packets whose community names do not pass authentication on the device are simply discarded. A community name plays a role similar to a password in regulating access from the NMS to the agent.

- SNMPv2c uses community names for authentication. Compatible with SNMPv1, it extends the functions of SNMPv1. SNMPv2c provides more operation modes such as GetBulk and InformRequest; it supports more data types such as Counter64 and provides various error codes, thus being able to distinguish errors in more detail.

- SNMPv3 offers an authentication mechanism that is implemented based on the User-based Security Model (USM). You can set the authentication and privacy functions. The former authenticates the sender of a packet, preventing access by unauthorized users; the latter encrypts packets between the NMS and agents, preventing eavesdropping on the packets. USM makes communication between the SNMP NMS and the SNMP agent more secure by offering three levels: authentication with privacy, authentication without privacy, or no authentication and no privacy.

Successful interaction between an NMS and the agents requires consistency of SNMP versions configured on them. You can configure multiple SNMP versions for an agent to interact with different NMSs.

MIB Overview

Any managed resource can be identified as an object, which is known as the managed object. Management Information Base (MIB) is a collection of all the managed objects. It defines the hierarchy of the objects and a set of characteristics associated with the managed objects, such as the object identifier (OID), access right and data type. Each agent has its own MIB. An NMS can read or write the managed objects in the MIB. The relationship between an NMS, agent and MIB is shown in Figure 1-1.

Figure 1-1 Relationship between an NMS, agent and MIB

 

MIB stores data using a tree structure. Each node of the tree represents a managed object that can be uniquely identified by a path starting from the root node. As illustrated in the following figure, the managed object B can be uniquely identified by a string of numbers {1.2.1.1}. This string is the OID of the managed object B.

Figure 1-2 MIB tree

 

SNMP Configuration

As configurations for SNMPv3 differ substantially from those for SNMPv1 and SNMPv2c, their SNMP functionalities are introduced separately as follows.

Follow these steps to configure SNMPv3:

To do: Enter system view
Use the command: system-view

To do: Enable the SNMP agent
Use the command: snmp-agent
Remarks: Optional. Disabled by default. You can enable the SNMP agent through this command or any command that begins with snmp-agent.

To do: Configure SNMP agent system information
Use the command: snmp-agent sys-info { contact sys-contact | location sys-location | version { all | { v1 | v2c | v3 }* } }
Remarks: Optional. The defaults are as follows: Hangzhou H3C Technologies Co., Ltd. for contact; Hangzhou China for location, and SNMPv1 SNMPv2c SNMPv3 for the version.

To do: Configure a local engine ID for an SNMP entity
Use the command: snmp-agent local-engineid engineid
Remarks: Optional. Company ID and device ID by default.

To do: Create or update the MIB view content for an SNMP agent
Use the command: snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ]
Remarks: Optional. The MIB view name is ViewDefault and OID is 1 by default.

To do: Configure an SNMP agent group
Use the command: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
Remarks: Required

To do: Convert the user-defined plain text password to a cipher text password
Use the command: snmp-agent calculate-password plain-password mode { md5 | sha | 3desmd5 | 3dessha } { local-engineid | specified-engineid engineid }
Remarks: Optional

To do: Add a new user to an SNMP agent group
Use the command: snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | des56 } priv-password ] ] [ acl acl-number ]
Remarks: Required. If the cipher keyword is specified, the arguments auth-password and priv-password are considered as cipher text passwords.

To do: Configure the maximum size of an SNMP packet that can be received or sent by an SNMP agent
Use the command: snmp-agent packet max-size byte-count
Remarks: Optional. 1,500 bytes by default.

 

Follow these steps to configure SNMPv1 and SNMPv2c:

To do: Enter system view
Use the command: system-view

To do: Enable the SNMP agent
Use the command: snmp-agent
Remarks: Optional. Disabled by default. You can enable the SNMP agent through this command or any command that begins with snmp-agent.

To do: Configure SNMP agent system information
Use the command: snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } }
Remarks: Required. The defaults are as follows: Hangzhou H3C Technologies Co., Ltd. for contact; Hangzhou China for location and SNMPv1 SNMPv2c SNMPv3 for the version.

To do: Configure a local engine ID for an SNMP entity
Use the command: snmp-agent local-engineid engineid
Remarks: Optional. Company ID and device ID by default.

To do: Create or update MIB view content for an SNMP agent
Use the command: snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ]
Remarks: Optional. The MIB view name is ViewDefault and OID is 1 by default.

To do: Configure SNMP NMS access right
  Configure directly:
    Create an SNMP community
    Use the command: snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]*
  Configure indirectly:
    Configure an SNMP group
    Use the command: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
    Add a user to an SNMP group
    Use the command: snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]
Remarks: Use either approach. Both commands can be used to configure SNMP NMS access rights. The second command was introduced to be compatible with SNMPv3. The community name configured on the NMS should be consistent with the username configured on the agent.

To do: Configure the maximum size of an SNMP packet that can be received or sent by an SNMP agent
Use the command: snmp-agent packet max-size byte-count
Remarks: Optional. 1,500 bytes by default.

 

The validity of a USM user depends on the engine ID of the SNMP agent. If the engine ID generated when the USM user is created is not identical to the current engine ID, the USM user is invalid.
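The dependency on the engine ID noted above follows from how USM derives keys. The Python below is an added example, not H3C code: it implements the standard RFC 3414 password-to-key and key-localization steps for MD5 and SHA-1 and checks whether a key stored at user-creation time still matches the current engine ID. That snmp-agent calculate-password performs exactly this derivation is an assumption; the password and first engine ID are the RFC 3414 test inputs, and the second engine ID is constructed.

```python
import hashlib
import hmac

EXPANDED_LEN = 1048576  # RFC 3414 A.2: the password is stretched to 2**20 octets


def password_to_key(password: str, algo: str) -> bytes:
    """Ku: digest of the password repeated cyclically up to exactly 1 MiB."""
    pw = password.encode()
    if not pw:
        raise ValueError("password must not be empty")
    reps, rem = divmod(EXPANDED_LEN, len(pw))
    return hashlib.new(algo, pw * reps + pw[:rem]).digest()


def localize(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): the key is bound to one engine ID."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id_hex: str, algo: str = "md5") -> bytes:
    """Key an agent with this engine ID would hold for the given password."""
    ku = password_to_key(password, algo)
    return localize(ku, bytes.fromhex(engine_id_hex), algo)


def user_valid(stored_key: bytes, password: str, engine_id_hex: str,
               algo: str = "md5") -> bool:
    """True if the key stored at creation time matches the current engine ID."""
    current = localized_key(password, engine_id_hex, algo)
    return hmac.compare_digest(stored_key, current)


# RFC 3414 A.3 test inputs, plus a constructed second engine ID that stands in
# for "the local engine ID was changed after the user was created".
PASSWORD = "maplesyrup"
ENGINE_AT_CREATION = "000000000000000000000002"
ENGINE_AFTER_CHANGE = "000000000000000000000003"  # constructed value

if __name__ == "__main__":
    stored = localized_key(PASSWORD, ENGINE_AT_CREATION)
    print("stored key      :", stored.hex())
    print("same engine ID  :", user_valid(stored, PASSWORD, ENGINE_AT_CREATION))
    print("engine ID change:", user_valid(stored, PASSWORD, ENGINE_AFTER_CHANGE))
```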

 

Configuring SNMP Logging

Introduction to SNMP Logging

SNMP logs the Get and Set operations that the NMS performs on the SNMP agent. When the GET operation is performed, the agent logs the IP address of the NMS, node name of the GET operation and OID of the node. When the SET operation is performed, the agent logs the IP address of the NMS, node name of the SET operation, OID of the node, the value configured and the error code and error index of the SET response. These logs will be sent to the information center, and the level of them is informational, that is, they are taken as the system prompt information. With parameters for the information center configured, the output rules for SNMP logs are decided (that is, whether the logs are permitted to display and the output destinations).

SNMP logs Get requests, Set requests and Set responses, but does not log Get responses.

Enabling SNMP Logging

To do: Enter system view
Use the command: system-view

To do: Enable SNMP logging
Use the command: snmp-agent log { all | get-operation | set-operation }
Remarks: Required. Disabled by default.

To do: Configure SNMP log output rules
Use the command: info-center source { module-name | default } channel { channel-number | channel-name } [ debug { level severity | state state } * | log { level severity | state state } * | trap { level severity | state state } * ] *
Remarks: Optional. By default, SNMP logs are output to loghost and logfile only. To output SNMP logs to other destinations such as the console or a monitor terminal, you need to set the output destinations with this command.

 

- A large number of logs occupy storage space of the device, thus affecting the performance of the device. Therefore, it is recommended to disable SNMP logging.

- The size of SNMP logs cannot exceed that allowed by the information center, and the total length of the node field and value field of each log record cannot exceed 1K bytes; otherwise, the exceeding part will not be displayed.

- For the detailed description of system information, the information center and the info-center source command, refer to Information Center Configuration in the System Volume.

 

Configuring SNMP Trap

Enabling the Trap Function

The SNMP agent sends traps to the NMS to inform the NMS of critical and important events (such as reboot of a managed device). Two types of traps are available: generic traps and vendor-specific traps. Generic traps supported on the device include: authentication, coldstart, linkdown, linkup and warmstart. The others are self-defined traps, which are generated by different modules. As traps that occupy large device memory affect device performance, it is recommended not to enable the trap function for all modules but for the specific modules as needed.

With the trap function enabled on a module, the traps generated by the module will be sent to the information center. The information center has seven information output destinations. By default, traps of all modules are allowed to be output to the console, monitor terminal (monitor), loghost, and logfile; traps of all modules and with level equal to or higher than warnings are allowed to be output to the trapbuffer and SNMP module (snmpagent); and traps cannot be sent to the logbuffer. You can set parameters for the information center based on the levels of the traps generated by each module, and thus decide the output rules of traps (that is, whether traps are allowed to be output and the output destinations). For the configuration of the information center, refer to Information Center Configuration in the System Volume.

Follow these steps to enable the trap function:

To do: Enter system view
Use the command: system-view

To do: Enable the trap function globally
Use the command: snmp-agent trap enable [ configuration | flash | standard [ authentication | coldstart | linkdown | linkup | warmstart ] * | system | vrrp [ authfailure | newmaster ] ]
Remarks: Optional. By default, the trap function of other modules is enabled.

To do: Enter interface view
Use the command: interface interface-type interface-number

To do: Enable the trap function of interface state changes
Use the command: enable snmp trap updown
Remarks: Optional. Enabled by default.

 

To enable an interface to send linkUp/linkDown traps when its state changes, you need to enable the trap function of interface state changes on an interface and globally. Use the enable snmp trap updown command to enable the trap function on an interface, and use the snmp-agent trap enable [ standard [ linkdown | linkup ] * ] command to enable this function globally.

 

Configuring Trap Parameters

Configuration prerequisites

To send traps to the NMS, you need to make the following preparations:

- Basic SNMP configurations have been completed. These configurations include version configuration: community name is needed when SNMPv1 and v2c are adopted; username and MIB view are needed if SNMPv3 is adopted.

- A connection has been established between the device and the NMS, and they can communicate with each other.

Configuration procedure

After traps are sent to the SNMP module, the SNMP module saves the traps in the trap queue. You can set the size of the queue and the holding time of the traps in the queue, and you can also send the traps to the specified destination host (usually the NMS).

Follow these steps to configure trap parameters:

To do: Enter system view
Use the command: system-view

To do: Configure target host attribute for traps
Use the command: snmp-agent target-host trap address udp-domain ip-address [ udp-port port-number ] params securityname security-string [ v1 | v2c | v3 [ authentication | privacy ] ]
Remarks: Optional. To send the traps to the NMS, this command is required, and you must specify ip-address as the IP address of the NMS.

To do: Configure the source address for traps
Use the command: snmp-agent trap source interface-type interface-number
Remarks: Optional

To do: Extend the standard linkUp/linkDown traps defined in RFC
Use the command: snmp-agent trap if-mib link extended
Remarks: Optional. Standard linkUp/linkDown traps defined in RFC are used by default.

To do: Configure the size of the trap send queue
Use the command: snmp-agent trap queue-size size
Remarks: Optional. 100 by default.

To do: Configure the holding time of the traps in the queue
Use the command: snmp-agent trap life seconds
Remarks: Optional. 120 seconds by default.

 

- An extended linkUp/linkDown trap is the standard linkUp/linkDown trap (defined in RFC) appended with interface description and interface type information. If the extended messages are not supported on the NMS, disable this function to let the device send standard linkUp/linkDown traps.

- If the sending queue of traps is full, the system will automatically delete some oldest traps to receive new traps.

- The system will automatically delete the traps whose holding time expires.

 

Displaying and Maintaining SNMP

Remarks (all rows): Available in any view

To do: Display SNMP agent system information, including the contact, location, and version of the SNMP
Use the command: display snmp-agent sys-info [ contact | location | version ]*

To do: Display SNMP agent statistics
Use the command: display snmp-agent statistics

To do: Display the SNMP agent engine ID
Use the command: display snmp-agent local-engineid

To do: Display SNMP agent group information
Use the command: display snmp-agent group [ group-name ]

To do: Display basic information of the trap queue
Use the command: display snmp-agent trap queue

To do: Display the modules that can send traps and whether their trap sending is enabled or not
Use the command: display snmp-agent trap-list

To do: Display SNMPv3 agent user information
Use the command: display snmp-agent usm-user [ engineid engineid | username user-name | group group-name ] *

To do: Display SNMPv1 or v2c agent community information
Use the command: display snmp-agent community [ read | write ]

To do: Display MIB view information for an SNMP agent
Use the command: display snmp-agent mib-view [ exclude | include | viewname view-name ]

 

SNMPv1/SNMPv2c Configuration Example

Network requirements

- As shown in Figure 1-3, the NMS connects to the agent through an Ethernet.

- The IP address of the NMS is 1.1.1.2/24.

- The IP address of the agent is 1.1.1.1/24.

- The NMS monitors and manages the agent using SNMPv1 or SNMPv2c. The agent reports errors or faults to the NMS.

Figure 1-3 Network diagram for SNMPv1/v2c

 

Configuration procedure

1)        Configuring the SNMP agent

# Configure the IP address of the agent as 1.1.1.1/24 and make sure that there is a route between the agent and the NMS. (The configuration procedure is omitted here)

# Configure the SNMP basic information, including the version and community name.

<Sysname> system-view

[Sysname] snmp-agent sys-info version v1 v2c

[Sysname] snmp-agent community read public

[Sysname] snmp-agent community write private

# Configure the contact person and physical location information of the switch.

[Sysname] snmp-agent sys-info contact Mr.Wang-Tel:3306

[Sysname] snmp-agent sys-info location telephone-closet,3rd-floor

# Enable the sending of traps to the NMS with an IP address of 1.1.1.2/24, using public as the community name.

[Sysname] snmp-agent trap enable

[Sysname] snmp-agent target-host trap address udp-domain 1.1.1.2 udp-port 5000 params securityname public

2)        Configuring the SNMP NMS

With SNMPv2c, the user needs to specify the read-only community, the read-write community, the timeout time, and the number of retries. The user can then query and configure the device through the NMS.

 

The configurations on the agent and the NMS must match.

 

SNMPv3 Configuration Example

Network requirements

- As shown in Figure 1-4, the NMS connects to the agent through an Ethernet.

- The IP address of the NMS is 1.1.1.2/24.

- The IP address of the agent is 1.1.1.1/24.

- The NMS monitors and manages the interface status of the agent using SNMPv3. The agent reports errors or faults to the NMS. The inbound port for traps on the NMS is 5000.

Figure 1-4 Network diagram for SNMPv3

 

Configuration procedure

1)        Configuring the agent

# Configure the IP address of the agent as 1.1.1.1/24 and make sure that there is a route between the agent and the NMS. (The configuration procedure is omitted here)

# Configure the access right: the user can read and write the objects under the interface node with the OID of 1.3.6.1.2.1.2, and cannot access other MIB objects. Set the user name to managev3user, authentication protocol to MD5, authentication key to authkey, the privacy protocol to DES56, and the privacy password to prikey.

<Sysname> system-view

[Sysname] undo snmp-agent mib-view ViewDefault

[Sysname] snmp-agent mib-view included test interfaces

[Sysname] snmp-agent group v3 managev3group read-view test write-view test

[Sysname] snmp-agent usm-user v3 managev3user managev3group authentication-mode md5 authkey privacy-mode des56 prikey

# Configure the contact person and physical location information of the Switch.

[Sysname] snmp-agent sys-info contact Mr.Wang-Tel:3306

[Sysname] snmp-agent sys-info location telephone-closet,3rd-floor

# Enable sending of traps to the NMS with an IP address of 1.1.1.2/24, using public as the community name.

[Sysname] snmp-agent trap enable

[Sysname] snmp-agent target-host trap address udp-domain 1.1.1.2 udp-port 5000 params securityname public

2)        Configuring the SNMP NMS

SNMPv3 uses an authentication and privacy security model. On the NMS, the user needs to specify the username and security level, and based on that level, configure the authentication mode, authentication password, privacy mode, and privacy password. In addition, the timeout time and number of retries should also be configured. The user can then query and configure the device through the NMS.

 

The configurations on the agent and the NMS must match.
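The following Python is an added example, not part of the original manual or an H3C tool: an offline audit of the snmp-agent commands used in the SNMPv1/SNMPv2c and SNMPv3 configuration examples above, next to a constructed counterpart that uses only options listed in the command tables. The rule set is this example's own selection, and ACL number 2000 and the placeholder passwords are assumptions.

```python
import re

PROMPT = re.compile(r"^\s*(?:\[[^\]]+\]|<[^>]+>)\s*")  # "[Sysname] " / "<Sysname> "


def _after(tokens, keyword):
    """Token that follows keyword, or None when keyword is absent."""
    i = tokens.index(keyword) if keyword in tokens else -1
    return tokens[i + 1] if 0 <= i < len(tokens) - 1 else None


def check(t):
    """Yield rule ids for one tokenised 'snmp-agent ...' command."""
    if t[1:3] == ["sys-info", "version"]:
        if {"v1", "v2c", "all"} & set(t[3:]):
            yield "community-based-version-enabled"
    elif t[1] == "community" and len(t) >= 4:
        if t[3] in ("public", "private"):
            yield "well-known-community-name"
        if "acl" not in t[4:]:
            yield "community-without-acl"
    elif t[1:3] == ["group", "v3"] and len(t) >= 4:
        level = t[4] if len(t) > 4 else None
        if level not in ("authentication", "privacy"):
            yield "v3-group-without-authentication"
        elif level == "authentication":
            yield "v3-group-without-privacy"
    elif t[1:3] == ["usm-user", "v3"] and len(t) >= 5:
        opts = t[5:]  # everything after user-name and group-name
        auth, priv = _after(opts, "authentication-mode"), _after(opts, "privacy-mode")
        if auth is None:
            yield "v3-user-without-authentication"
        elif auth == "md5":
            yield "v3-user-md5-authentication"
        if priv is None:
            yield "v3-user-without-privacy"
        elif priv == "des56":
            yield "v3-user-des56-privacy"
    elif t[1:3] == ["target-host", "trap"]:
        if t[-2:] != ["v3", "privacy"]:
            yield "trap-target-without-v3-privacy"


def audit(config):
    """Return (rule id, command) pairs for every finding in a config text."""
    findings = []
    for raw in config.splitlines():
        t = PROMPT.sub("", raw).split()
        if len(t) >= 2 and t[0] == "snmp-agent":
            findings += [(rule, " ".join(t)) for rule in check(t)]
    return findings


# Commands taken from the two configuration examples on this page.
PAGE_CONFIG = """\
<Sysname> system-view
[Sysname] snmp-agent sys-info version v1 v2c
[Sysname] snmp-agent community read public
[Sysname] snmp-agent community write private
[Sysname] snmp-agent target-host trap address udp-domain 1.1.1.2 udp-port 5000 params securityname public
[Sysname] snmp-agent mib-view included test interfaces
[Sysname] snmp-agent group v3 managev3group read-view test write-view test
[Sysname] snmp-agent usm-user v3 managev3user managev3group authentication-mode md5 authkey privacy-mode des56 prikey
"""

# Constructed counterpart; ACL 2000 and the password placeholders are assumptions.
HARDENED = """\
snmp-agent sys-info version v3
snmp-agent group v3 managev3group privacy read-view test write-view test acl 2000
snmp-agent usm-user v3 managev3user managev3group authentication-mode sha AUTH-PLACEHOLDER privacy-mode aes128 PRIV-PLACEHOLDER acl 2000
snmp-agent target-host trap address udp-domain 1.1.1.2 udp-port 5000 params securityname managev3user v3 privacy
"""

if __name__ == "__main__":
    for rule, command in audit(PAGE_CONFIG):
        print(f"{rule:36} {command}")
```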

 

SNMP Logging Configuration Example

Network requirements

- As shown in Figure 1-5, the NMS and the agent are connected through an Ethernet.

- The IP address of the NMS is 1.1.1.2/24.

- The IP address of the agent is 1.1.1.1/24.

- Configure SNMP logging on the agent to record the operations performed by the NMS to the agent.

Figure 1-5 Network diagram for SNMP logging

 

Configuration procedure

 

For the configurations for the NMS and agent, refer to SNMPv1/SNMPv2c Configuration Example and SNMPv3 Configuration Example.

 

# Enable logging display on the terminal. (This function is enabled by default, so you can omit this configuration.)

<Sysname> terminal monitor

<Sysname> terminal logging

# Enable the information center to output the system information with the severity level equal to or higher than informational to the console port.

<Sysname> system-view

[Sysname] info-center source snmp channel console log level informational

# Enable SNMP logging on the agent to log the GET and SET operations of the NMS.

[Sysname] snmp-agent log get-operation

[Sysname] snmp-agent log set-operation

- The following log information is displayed on the terminal when the NMS performs the Get operation to the agent.

%Jan 1 02:49:40:566 2006 Sysname SNMP/6/GET:

seqNO = <10> srcIP = <1.1.1.2> op = <get> node = <sysName(1.3.6.1.2.1.1.5.0)> value=<>

- The following log information is displayed on the terminal when the NMS performs the Set operation to the agent.

%Jan 1 02:59:42:576 2006 Sysname SNMP/6/SET:

seqNO = <11> srcIP = <1.1.1.2> op = <set> errorIndex = <0> errorStatus =<noError> node = <sysName(1.3.6.1.2.1.1.5.0)> value = <Sysname>

Table 1-1 Description on the output field of SNMP log

Field: Jan 1 02:49:40:566 2006
Description: The time when the SNMP log is generated

Field: seqNO
Description: Serial number of the SNMP log (The system numbers the recorded SNMP logs automatically; the serial number starts from 0)

Field: srcIP
Description: IP address of the NMS

Field: op
Description: SNMP operation type (GET or SET)

Field: node
Description: Node name of the SNMP operations and OID of the instance

Field: errorIndex
Description: Error index, with 0 meaning no error

Field: errorStatus
Description: Error status, with noError meaning no error

Field: value
Description: Value set when the SET operation is performed (This field is null, meaning the value obtained with the GET operation is not logged.) When the value is a string of characters and the string contains characters not in the range of ASCII 0 to 127 or invisible characters, the string is displayed in hexadecimal. For example, value = <81-43>[hex]

 

The system information of the information center can be output to the terminal or to the log buffer. In this example, SNMP log is output to the terminal. For configuration of SNMP log output to other destinations, see Information Center Configuration in the System Volume.
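The Python below is an added example, not part of the original manual: it parses the SNMP/6/GET and SNMP/6/SET log format described in Table 1-1, decodes the [hex] value form, and flags requests from sources other than the expected NMS as well as SET operations whose errorStatus is not noError. The first two records are the page's samples; the third record, its noAccess status and the address 1.1.1.77 are constructed for illustration.

```python
import re

HEADER = re.compile(
    r"^%(?P<time>\w{3}\s+\d+\s+[\d:]+\s+\d{4})\s+(?P<host>\S+)\s+SNMP/6/(?P<kind>GET|SET):$")
# key = <value>, tolerant of the uneven spacing seen in the page's samples.
# A value that itself contains '>' would be cut short at that character.
FIELD = re.compile(r"(\w+)\s*=\s*<([^>]*)>(\[hex\])?")
NODE = re.compile(r"^(?P<name>[^()]*)\((?P<oid>[\d.]+)\)$")


def parse_snmp_log(text):
    """Turn header/body line pairs into one dict per SNMP log record."""
    records, header = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            header = m.groupdict()
            continue
        if header is None:
            continue  # body line without a preceding SNMP header
        rec = dict(header)
        for key, value, is_hex in FIELD.findall(line):
            # "<81-43>[hex]" carries raw bytes written as hyphen-separated hex
            rec[key] = bytes.fromhex(value.replace("-", "")) if is_hex else value
        header = None
        if "seqNO" not in rec:
            continue  # not an SNMP log body
        node = rec.get("node")
        m = NODE.match(node) if isinstance(node, str) else None
        if m:
            rec["node"], rec["oid"] = m["name"], m["oid"]
        records.append(rec)
    return records


def review(records, allowed_nms):
    """Return (seqNO, reason) pairs worth an operator's attention."""
    findings = []
    for r in records:
        src = r.get("srcIP", "")
        if src not in allowed_nms:
            findings.append((r["seqNO"], "request from unexpected source " + src))
        if r.get("op") == "set" and r.get("errorStatus") != "noError":
            findings.append((r["seqNO"], "SET rejected: " + str(r.get("errorStatus"))))
    return findings


# Records 10 and 11 are the page's samples; record 12 is constructed.
SAMPLE_LOG = """\
%Jan 1 02:49:40:566 2006 Sysname SNMP/6/GET:
seqNO = <10> srcIP = <1.1.1.2> op = <get> node = <sysName(1.3.6.1.2.1.1.5.0)> value=<>
%Jan 1 02:59:42:576 2006 Sysname SNMP/6/SET:
seqNO = <11> srcIP = <1.1.1.2> op = <set> errorIndex = <0> errorStatus =<noError> node = <sysName(1.3.6.1.2.1.1.5.0)> value = <Sysname>
%Jan 1 03:04:10:101 2006 Sysname SNMP/6/SET:
seqNO = <12> srcIP = <1.1.1.77> op = <set> errorIndex = <1> errorStatus =<noAccess> node = <sysContact(1.3.6.1.2.1.1.4.0)> value = <81-43>[hex]
"""

if __name__ == "__main__":
    for seq, reason in review(parse_snmp_log(SAMPLE_LOG), {"1.1.1.2"}):
        print(seq, reason)
```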

 


When configuring MIB style, go to these sections for information you are interested in:

- Setting the MIB Style

- Displaying and Maintaining MIB

H3C private MIB involves two styles, H3C compatible MIB and H3C new MIB. In the H3C compatible MIB style, the device sysOID is under the H3C’s enterprise ID 25506, and the private MIB is under the enterprise ID 2011. In the H3C new MIB style, both the device sysOID and the private MIB are under the H3C’s enterprise ID 25506. These two styles of MIBs implement the same management function except for their root nodes. A device is shipped with MIB loaded and the MIB style may vary depending on the device model. To implement NMS’s flexible management of the device, the device allows you to configure the MIB style, that is, you can switch between the two styles of MIBs. However, you need to ensure that the MIB style of the device is the same as that of the NMS.

Setting the MIB Style

Follow these steps to set the MIB style:

To do: Enter system view
Use the command: system-view

To do: Set the MIB style of the device
Use the command: mib-style [ new | compatible ]
Remarks: Optional. new by default.

 

The modified MIB style takes effect only after you reboot the device. Therefore, you are recommended to reboot the device after setting the MIB style to ensure that modification of the MIB style takes effect.

 

Displaying and Maintaining MIB

To do: Display the MIB style
Use the command: display mib-style
Remarks: Available in any view

 
