This chapter provides an overview of the Simple Network Management Protocol (SNMP) and guides you through the configuration procedure.
Overview
SNMP is an Internet standard protocol widely used for a management station to access and operate the devices on a network, regardless of their vendors, physical characteristics, and interconnect technologies.
SNMP enables network administrators to read and set the variables on managed devices for state monitoring, troubleshooting, statistics collection, and other management purposes.
SNMP framework
The SNMP framework comprises the following elements:
· SNMP manager—Works on an NMS to monitor and manage the SNMP-capable devices in the network.
· SNMP agent—Works on a managed device to receive and handle requests from the NMS, and sends notifications to the NMS when events, such as an interface state change, occur.
· Management Information Base (MIB)—Specifies the variables (for example, interface status and CPU usage) maintained by the SNMP agent for the SNMP manager to read and set.
Figure 1 Relationship between NMS, agent, and MIB
MIB and view-based MIB access control
A MIB stores variables called "nodes" or "objects" in a tree hierarchy and identifies each node with a unique OID. An OID is a dotted numeric string that uniquely identifies the path from the root node to a leaf node. For example, object B in Figure 2 is uniquely identified by the OID {1.2.1.1}.
A MIB view represents a set of MIB objects (or MIB object hierarchies) with certain access privileges and is identified by a view name. The MIB objects included in the MIB view are accessible while those excluded from the MIB view are inaccessible.
A MIB view can have multiple view records each identified by a view-name oid-tree pair.
You control access to the MIB by assigning MIB views to SNMP groups or communities.
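The view records described above follow the view-tree rules of the SNMP View-based Access Control Model (RFC 3415): every record is a subtree plus an included/excluded flag, an optional mask turns individual sub-identifiers into wildcards, and when several records cover an OID the one with the longest subtree wins. The following Python is an added example written for this page, not H3C code: it models those rules so that you can check, offline, which objects a given view exposes. The views it builds are constructed here: the `test` view from the configuration example later on this page, a view shaped like the ViewDefault described in step 8 of the basic-parameter procedure (standard OIDs for snmpUsmMIB, snmpVacmMIB and snmpModules.18), and a masked single-interface view that is purely illustrative.

```python
"""View-based MIB access check modelled on the RFC 3415 view-tree rules.
Added example for this page; not H3C code and not the device's implementation."""
from dataclasses import dataclass
from typing import Iterable, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    """Turn a dotted OID string such as '1.3.6.1.2.1.11' into a tuple of sub-identifiers."""
    return tuple(int(part) for part in text.strip(".").split("."))


@dataclass(frozen=True)
class ViewRecord:
    """One view record: a subtree, whether it is included or excluded, and an optional mask.
    Mask bit i (most significant bit first) covers subtree[i]; a 0 bit makes that
    sub-identifier a wildcard. Bits beyond the end of the mask count as 1."""
    subtree: OID
    included: bool
    mask: bytes = b""


def mask_bit(mask: bytes, index: int) -> int:
    if index >= len(mask) * 8:
        return 1
    return (mask[index // 8] >> (7 - index % 8)) & 1


def record_covers(record: ViewRecord, oid: OID) -> bool:
    """True if oid lies under the record's subtree, honouring wildcard mask bits."""
    if len(oid) < len(record.subtree):
        return False
    return all(mask_bit(record.mask, i) == 0 or oid[i] == sub
               for i, sub in enumerate(record.subtree))


def view_allows(records: Iterable[ViewRecord], oid: OID) -> bool:
    """VACM rule: among the records that cover the OID, the longest subtree (then the
    lexicographically greatest) decides; if no record covers it, access is denied."""
    best = None
    for record in records:
        if record_covers(record, oid):
            if best is None or (len(record.subtree), record.subtree) > (len(best.subtree), best.subtree):
                best = record
    return best is not None and best.included


# View "test" from the configuration example: only the snmp subtree (1.3.6.1.2.1.11) is included.
TEST_VIEW = [ViewRecord(parse_oid("1.3.6.1.2.1.11"), included=True)]

# A view shaped like ViewDefault as the page describes it: iso included, and the
# snmpUsmMIB (1.3.6.1.6.3.15), snmpVacmMIB (1.3.6.1.6.3.16) and snmpModules.18
# (1.3.6.1.6.3.18) subtrees excluded. Constructed here from that description.
DEFAULT_LIKE_VIEW = [
    ViewRecord(parse_oid("1"), included=True),
    ViewRecord(parse_oid("1.3.6.1.6.3.15"), included=False),
    ViewRecord(parse_oid("1.3.6.1.6.3.16"), included=False),
    ViewRecord(parse_oid("1.3.6.1.6.3.18"), included=False),
]

# Illustrative masked record: every ifTable column, but only for ifIndex 3. The subtree is
# ifEntry.<column>.3 and the column sub-identifier (position 9) is wildcarded by mask 0xffbf.
ONE_INTERFACE_VIEW = [ViewRecord(parse_oid("1.3.6.1.2.1.2.2.1.0.3"), included=True, mask=b"\xff\xbf")]

if __name__ == "__main__":
    probes = ["1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.11.1.0", "1.3.6.1.6.3.15.1.1.1.0",
              "1.3.6.1.2.1.2.2.1.4.3", "1.3.6.1.2.1.2.2.1.4.5"]
    for name, view in [("test", TEST_VIEW), ("default-like", DEFAULT_LIKE_VIEW),
                       ("one-interface", ONE_INTERFACE_VIEW)]:
        for oid_text in probes:
            verdict = "allowed" if view_allows(view, parse_oid(oid_text)) else "denied"
            print(f"{name:14s} {oid_text:26s} {verdict}")
```

Running it shows why the verification step at the end of this page gets `noSuchObject` for sysName.0 under the `test` view while objects under the snmp subtree are readable, and why the default view still hides the USM and VACM tables (user and access-control configuration) even though it includes all of iso.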
SNMP operations
SNMP provides the following basic operations:
· Get—NMS retrieves the SNMP object nodes in an agent MIB.
· Set—NMS modifies the value of an object node in an agent MIB.
· Notification—SNMP agent sends traps or informs to report events to the NMS. The difference between these two types of notification is that informs require acknowledgement but traps do not.
Protocol versions
An NMS and an SNMP agent must use the same SNMP version to communicate with each other. This software version supports only SNMPv3.
SNMPv3 uses a user-based security model (USM) to secure SNMP communication. You can configure authentication and privacy mechanisms to authenticate and encrypt SNMP packets for integrity, authenticity, and confidentiality.
NOTE: SNMPv1 and SNMPv2c commands and keywords are reserved at the CLI for future support. Even though you can configure these commands and keywords, they do not take effect.
Configuring SNMPv3 basic parameters
SNMPv3 users are managed in groups. All SNMPv3 users in a group share the same security model, but can use different authentication and privacy key settings. To implement a security model for a user and avoid SNMP communication failures, make sure the security model configuration for the group and the security key settings for the user are compliant with Table 1 and match the settings on the NMS.
Table 1 Basic security setting requirements for different security models

Security model | Security model keyword for the group | Security key settings for the user | Remarks
---|---|---|---
Authentication with privacy | privacy | Authentication key, privacy key | If the authentication key or the privacy key is not configured, SNMP communication will fail.
Authentication without privacy | authentication | Authentication key | If no authentication key is configured, SNMP communication will fail. The privacy key (if any) for the user does not take effect.
No authentication, no privacy | Neither authentication nor privacy | None | The authentication and privacy keys, if configured, do not take effect.
To configure SNMPv3 basic parameters:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. (Optional.) Enable the SNMP agent.
   Command: snmp-agent
   Remarks: By default, the SNMP agent is disabled. The SNMP agent is enabled when you perform any command that begins with snmp-agent except the snmp-agent calculate-password command.
3. (Optional.) Configure the system contact.
   Command: snmp-agent sys-info contact sys-contact
   Remarks: The default is Hangzhou H3C Technologies Co.,Ltd.
4. (Optional.) Configure the system location.
   Command: snmp-agent sys-info location sys-location
   Remarks: The default is Hangzhou, China.
5. Enable SNMPv3.
   Command: snmp-agent sys-info version { all | v3 }
   Remarks: The default is SNMP v3.
6. (Optional.) Change the local engine ID.
   Command: snmp-agent local-engineid engineid
   Remarks: By default, the local engine ID is the company ID plus the device ID. After you change the local engine ID, the existing SNMPv3 users and encrypted keys become invalid, and you must re-configure them.
7. (Optional.) Configure a remote engine ID.
   Command: snmp-agent remote { ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] engineid engineid
   Remarks: By default, no remote engine ID is configured. To send informs to an SNMPv3 NMS, you must configure the SNMP engine ID of the NMS.
8. (Optional.) Create or update a MIB view.
   Command: snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ]
   Remarks: By default, the MIB view ViewDefault is predefined. In this view, all the MIB objects in the iso subtree except the snmpUsmMIB, snmpVacmMIB, and snmpModules.18 subtrees are accessible. Each view-name oid-tree pair represents a view record. If you specify the same record with different MIB sub-tree masks multiple times, the most recent configuration takes effect. Except for the four sub-trees in the default MIB view, you can create up to 16 unique MIB view records.
9. Create an SNMPv3 group.
   Command: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view view-name ] [ write-view view-name ] [ notify-view view-name ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
   Remarks: By default, no SNMP group exists.
10. (Optional.) Convert a plaintext key to an encrypted key.
   Command: snmp-agent calculate-password plain-password mode { md5 | sha } { local-engineid | specified-engineid engineid }
   Remarks: N/A
11. Create an SNMPv3 user.
   Command: snmp-agent usm-user v3 user-name group-name [ remote { ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ { cipher | simple } authentication-mode { md5 | sha } auth-password [ privacy-mode { aes128 | des56 } priv-password ] ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
   Remarks: If the cipher keyword is specified, the arguments auth-password and priv-password are used as encrypted keys. To send informs to an SNMPv3 NMS, you must configure the remote ip-address option to specify the IP address of the NMS.
12. (Optional.) Configure the maximum SNMP packet size (in bytes) that the SNMP agent can handle.
   Command: snmp-agent packet max-size byte-count
   Remarks: By default, the SNMP agent can receive and send SNMP packets up to 1500 bytes.
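Steps 6 and 10 both rest on how SNMPv3 USM derives keys (RFC 3414): the password is first stretched into a key Ku by hashing one megabyte of its repetition, and Ku is then localized to a specific engine ID as Kul = H(Ku || engineID || Ku). The localized key is what the agent stores, which is why the step 6 remark says that changing the local engine ID invalidates every existing user key. The Python below is an added example for this page, not H3C code and not the output format of snmp-agent calculate-password; it implements the RFC procedure for the md5 and sha modes named in the commands and checks itself against the RFC 3414 test vectors (password "maplesyrup", engine ID 0x000000000000000000000002). The privacy-key slicing for des56 and aes128 follows RFC 3414 section 8.1.1.1 and RFC 3826.

```python
"""RFC 3414 USM key derivation: password -> Ku (1 MB expansion) -> engine-localized key Kul.
Added example for this page; not H3C code. Mode names follow the page's CLI keywords."""
import hashlib

ONE_MEGABYTE = 1_048_576
HASH_NAMES = {"md5": "md5", "sha": "sha1"}   # CLI keyword -> hashlib algorithm name


def password_to_key(password: bytes, mode: str) -> bytes:
    """Ku: hash the password repeated cyclically to exactly 1,048,576 bytes (RFC 3414 A.2)."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(HASH_NAMES[mode], stream).digest()


def localize_key(ku: bytes, engine_id: bytes, mode: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): binds the key to one SNMP engine."""
    return hashlib.new(HASH_NAMES[mode], ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, mode: str) -> bytes:
    return localize_key(password_to_key(password, mode), engine_id, mode)


def engine_id_change_invalidates(password: bytes, old_engine_id: bytes,
                                 new_engine_id: bytes, mode: str) -> bool:
    """True when the localized key differs after an engine ID change, i.e. the key the
    agent stored under the old engine ID no longer matches (the step 6 remark)."""
    return localized_key(password, old_engine_id, mode) != localized_key(password, new_engine_id, mode)


def privacy_key_material(kul: bytes, privacy_mode: str):
    """Split a localized privacy key the way the ciphers named on the page consume it:
    des56 uses the first 8 bytes as the DES key and the next 8 as the pre-IV (RFC 3414);
    aes128 uses the first 16 bytes as the AES key (RFC 3826)."""
    if privacy_mode == "des56":
        return kul[:8], kul[8:16]
    if privacy_mode == "aes128":
        return kul[:16], b""
    raise ValueError(f"unknown privacy mode {privacy_mode!r}")


# RFC 3414 appendix A.3 test vectors (standard values, not page-specific).
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    for mode in ("md5", "sha"):
        kul = localized_key(RFC_PASSWORD, RFC_ENGINE_ID, mode)
        print(f"{mode}: Ku={password_to_key(RFC_PASSWORD, mode).hex()} Kul={kul.hex()}")
    # Constructed engine IDs: the same password yields a different stored key on each.
    old_id, new_id = bytes.fromhex("800007db03001122334455"), bytes.fromhex("800007db03aabbccddeeff")
    print("re-keying needed after engine ID change:",
          engine_id_change_invalidates(b"authkey", old_id, new_id, "md5"))
```

The same derivation applies to the privacy password, so a privacy key is also tied to the engine ID; this is also why an NMS sending informs needs the remote engine ID from step 7 before the user created in step 11 can be matched on the agent side.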
Configuring SNMP logging
IMPORTANT: Disable SNMP logging in normal cases to prevent a large amount of SNMP logs from decreasing device performance.
The SNMP agent logs Get requests, Set requests, and Set responses, but does not log Get responses.
· Get operation—The agent logs the IP address of the NMS, name of the accessed node, and node OID.
· Set operation—The agent logs the NMS' IP address, name of accessed node, node OID, variable value, and error code and index for the Set operation.
The SNMP module sends these logs to the information center as informational messages. You can configure the information center to output these messages to certain destinations, such as the console and the log buffer. The total output size for the node field (MIB node name) and the value field (value of the MIB node) in each log entry is 1024 bytes. If this limit is exceeded, the information center truncates the data in the fields. For more information about the information center, see "Configuring the information center."
To configure SNMP logging:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable SNMP logging.
   Command: snmp-agent log { all | get-operation | set-operation }
   Remarks: By default, SNMP logging is disabled.
Configuring SNMP notifications
The SNMP agent sends notifications (traps and informs) to inform the NMS of significant events, such as link state changes and user logins or logouts. Unless otherwise stated, the trap keyword in the command line includes both traps and informs.
Enabling SNMP notifications
Enable an SNMP notification only if necessary. SNMP notifications are memory-intensive and may affect device performance.
To generate linkUp or linkDown notifications when the link state of an interface changes, you must enable linkUp or linkDown notification globally by using the snmp-agent trap enable standard [ linkdown | linkup ] * command and on the interface by using the enable snmp trap updown command.
After you enable a notification for a module, whether the module generates notifications also depends on the configuration of the module. For more information, see the configuration guide for each module.
To enable SNMP notifications:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable notifications globally.
   Command: snmp-agent trap enable [ bgp | configuration | ospf [ authentication-failure | bad-packet | config-error | grhelper-status-change | grrestarter-status-change | if-state-change | lsa-maxage | lsa-originate | lsdb-approaching-overflow | lsdb-overflow | neighbor-state-change | nssatranslator-status-change | retransmit | virt-authentication-failure | virt-bad-packet | virt-config-error | virt-retransmit | virtgrhelper-status-change | virtif-state-change | virtneighbor-state-change ] * | standard [ authentication | coldstart | linkdown | linkup | warmstart ] * | system ]
   Remarks: By default, all the traps are enabled globally.
3. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
4. Enable link state notifications.
   Command: enable snmp trap updown
   Remarks: By default, link state notifications are enabled.
Configuring the SNMP agent to send notifications to a host
You can configure the SNMP agent to send notifications as traps or informs to a host, typically an NMS, for analysis and management. Traps are less reliable and use fewer resources than informs, because an NMS does not send an acknowledgement when it receives a trap.
Configuration guidelines
When network congestion occurs or the destination is not reachable, the SNMP agent buffers notifications in a queue. You can configure the queue size and the notification lifetime (the maximum time that a notification can stay in the queue). A notification is deleted when its lifetime expires. When the notification queue is full, the oldest notifications are automatically deleted.
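The queue described above is where notifications are lost during an outage, and the two knobs (queue size and lifetime) decide how much history survives until the NMS is reachable again. The following Python is an added example for this page, not device code: it models a bounded queue that evicts the oldest entry when full and drops entries whose lifetime has elapsed, using the page's defaults of 100 entries and 120 seconds, and runs a constructed scenario (130 link-state notifications generated during a 60-second outage, with the destination reachable again at t = 150 s) to count what is delivered and what is lost.

```python
"""Bounded notification queue with lifetime expiry, modelling the queue-size and life
settings described on this page. Added example, not H3C code; the constructed scenario in
simulate_outage() exists only to show how the two settings interact."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, List


@dataclass
class Notification:
    enqueued_at: float
    payload: str


class NotificationQueue:
    def __init__(self, queue_size: int = 100, lifetime: float = 120.0):
        self.queue_size = queue_size          # snmp-agent trap queue-size (default 100)
        self.lifetime = lifetime              # snmp-agent trap life (default 120 s)
        self._items: Deque[Notification] = deque()
        self.dropped_full = 0                 # evicted because the queue was full
        self.dropped_expired = 0              # evicted because the lifetime elapsed

    def _expire(self, now: float) -> None:
        """Remove entries from the head whose lifetime has run out (oldest are at the head)."""
        while self._items and now - self._items[0].enqueued_at >= self.lifetime:
            self._items.popleft()
            self.dropped_expired += 1

    def enqueue(self, now: float, payload: str) -> None:
        self._expire(now)
        if len(self._items) >= self.queue_size:
            self._items.popleft()             # queue full: the oldest notification is dropped
            self.dropped_full += 1
        self._items.append(Notification(now, payload))

    def drain(self, now: float) -> List[str]:
        """Deliver everything still alive once the destination is reachable again."""
        self._expire(now)
        delivered = [item.payload for item in self._items]
        self._items.clear()
        return delivered

    def __len__(self) -> int:
        return len(self._items)


def simulate_outage(queue_size: int = 100, lifetime: float = 120.0) -> dict:
    """Constructed scenario: 130 linkdown notifications spread over a 60 s outage, NMS
    reachable again at t = 150 s. Returns delivery and loss counts for the given settings."""
    queue = NotificationQueue(queue_size, lifetime)
    for i in range(130):
        queue.enqueue(now=i * 60 / 130, payload=f"linkdown if{i}")
    delivered = queue.drain(now=150.0)
    return {
        "delivered": len(delivered),
        "dropped_full": queue.dropped_full,
        "dropped_expired": queue.dropped_expired,
        "oldest_delivered": delivered[0] if delivered else None,
    }


if __name__ == "__main__":
    print("defaults:", simulate_outage())
    print("larger queue, longer life:", simulate_outage(queue_size=200, lifetime=300.0))
```

With the defaults, the scenario delivers only the 64 most recent notifications: 30 are pushed out because the queue filled up and a further 36 expire before the NMS is back, so the earliest link-state changes of the outage never reach the management station. Raising both settings trades device memory for a more complete picture of what happened while the NMS was unreachable.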
You can extend standard linkUp/linkDown notifications to include interface description and interface type, but must make sure that the NMS supports the extended SNMP messages.
To send informs, make sure:
· The SNMP agent and the NMS use SNMPv3.
· The SNMP engine ID of the NMS is configured when you configure SNMPv3 basic settings, and the IP address of the SNMP engine is specified when you create the SNMPv3 user.
Configuration prerequisites
· Configure the SNMP agent with the same basic SNMP settings as the NMS. You must configure an SNMPv3 user, a MIB view, and a remote SNMP engine ID associated with the SNMPv3 user for notifications.
· The SNMP agent and the NMS can reach each other.
Configuration procedure
To configure the SNMP agent to send notifications to a host:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure a target host.
   Command: (Approach 1) Send traps to the target host, or (Approach 2) send informs to the target host.
   Remarks: Use either approach. By default, no target host is configured. The current software version does not support SNMPv1 and SNMPv2c. The v1 and v2c keywords are reserved at the CLI only for future support.
3. (Optional.) Configure a source address for notifications.
   Command: snmp-agent { inform | trap } source interface-type { interface-number | interface-number.subnumber }
   Remarks: By default, SNMP uses the IP address of the outgoing routed interface as the source IP address.
4. (Optional.) Enable extended linkUp/linkDown notifications.
   Command: snmp-agent trap if-mib link extended
   Remarks: By default, the SNMP agent sends standard linkUp/linkDown notifications.
5. (Optional.) Configure the notification queue size.
   Command: snmp-agent trap queue-size size
   Remarks: By default, the notification queue can hold 100 notification messages.
6. (Optional.) Configure the notification lifetime.
   Command: snmp-agent trap life seconds
   Remarks: The default notification lifetime is 120 seconds.
Displaying the SNMP settings
Execute display commands in any view.
· Display SNMP agent system information, including the contact, physical location, and SNMP version: display snmp-agent sys-info [ contact | location | version ]
· Display SNMP agent statistics: display snmp-agent statistics
· Display the local engine ID: display snmp-agent local-engineid
· Display SNMP group information: display snmp-agent group [ group-name ]
· Display remote engine IDs: display snmp-agent remote [ ip-address [ vpn-instance vpn-instance-name ] | ipv6 ipv6-address [ vpn-instance vpn-instance-name ] ]
· Display basic information about the notification queue: display snmp-agent trap queue
· Display the modules that can generate notifications and their notification status (enable or disable): display snmp-agent trap-list
· Display SNMPv3 user information: display snmp-agent usm-user [ engineid engineid | username user-name | group group-name ] *
· Display MIB view information: display snmp-agent mib-view [ exclude | include | viewname view-name ]
SNMPv3 configuration example
Network requirements
As shown in Figure 3, the NMS (1.1.1.2/24) uses SNMPv3 to monitor and manage the interface status of the agent (1.1.1.1/24). The agent automatically sends notifications to report events to the NMS. The default UDP port 162 is used for SNMP notifications.
The NMS and the agent perform authentication when they set up an SNMP session. The authentication algorithm is MD5 and the authentication key is authkey. The NMS and the agent also encrypt the SNMP packets between them by using the DES algorithm and the privacy key prikey.
Configuration procedure
1. Configure the agent:
# Configure the IP address of the agent, and make sure the agent and the NMS can reach each other. (Details not shown.)
# Assign the NMS (SNMPv3 group managev3group) read and write access to the objects under the snmp node (OID 1.3.6.1.2.1.11), and deny its access to any other MIB object.
<Agent> system-view
[Agent] undo snmp-agent mib-view ViewDefault
[Agent] snmp-agent mib-view included test snmp
[Agent] snmp-agent group v3 managev3group privacy read-view test write-view test
# Add the user managev3user to the SNMPv3 group managev3group, and set the authentication algorithm to MD5, authentication key to authkey, encryption algorithm to DES56, and privacy key to prikey.
[Agent] snmp-agent usm-user v3 managev3user managev3group simple authentication-mode md5 authkey privacy-mode des56 prikey
# Configure contact and physical location information for the agent.
[Agent] snmp-agent sys-info contact Mr.Wang-Tel:3306
[Agent] snmp-agent sys-info location telephone-closet,3rd-floor
# Enable notifications, specify the NMS at 1.1.1.2 as a trap destination, and set the username to managev3user for the traps.
[Agent] snmp-agent trap enable
[Agent] snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname managev3user v3 privacy
2. Configure the SNMP NMS:
   · Specify SNMPv3.
   · Create the SNMPv3 user managev3user.
   · Enable both authentication and privacy functions.
   · Use MD5 for authentication and DES56 for encryption.
   · Set the authentication key to authkey and the privacy key to prikey.
   · Set the timeout time and maximum number of retries.
For information about configuring the NMS, see the NMS manual.
NOTE: The SNMP settings on the agent and the NMS must match.
3. Verify the configuration:
# Try to get the MTU value of NULL0 interface from the agent. The get attempt succeeds.
Send request to 1.1.1.1/161 ...
Protocol version: SNMPv3
Operation: Get
Request binding:
1: 1.3.6.1.2.1.2.2.1.4.135471
Response binding:
1: Oid=ifMtu.135471 Syntax=INT Value=1500
Get finished
# Try to get the device name from the agent. The get attempt fails because the NMS has no access right to the node.
Send request to 1.1.1.1/161 ...
Protocol version: SNMPv3
Operation: Get
Request binding:
1: 1.3.6.1.2.1.1.5.0
Response binding:
1: Oid=sysName.0 Syntax=noSuchObject Value=NULL
Get finished
# Execute the shutdown or undo shutdown command on an idle interface on the agent. You can see the link state change traps on the NMS:
1.1.1.1/3374 V3 Trap = linkdown
SNMP Version = V3
Community = managev3user
Command = Trap
1.1.1.1/3374 V3 Trap = linkup
SNMP Version = V3
Community = managev3user