This chapter provides an overview of the Simple Network Management Protocol (SNMP), an Application Layer protocol used extensively in the communications industry. This chapter also provides information on configuring SNMP features on your CSS. Information in this chapter applies to all CSS models except where noted.
This chapter includes the following sections:
SNMP is a network protocol that allows you to manage many network devices from one location. For example, you can set up SNMP to alert you if a certain condition occurs, such as an enabled device that stops responding.
SNMP has two major standard revisions, SNMPv1 and SNMPv2. Your CSS supports SNMPv2C (SNMP version 2C), known as "community-based SNMP", and standard Management Information Base (MIB-II) objects, along with an extensive set of enterprise objects. (MIBs are discussed later in this chapter in the section "Management Information Base (MIB)".)
SNMPv2 is a superset of SNMPv1 and includes a number of protocol enhancements. To learn more about this version of SNMP, refer to the Request for Comments (RFC) document, RFC 1592.
This overview contains the following sections:
SNMP uses software entities called managers and agents to manage network devices:
There are many different SNMP management applications, but they all perform the same basic task: they allow SNMP managers to communicate with agents to get statistics and receive alerts from the network devices. You can use any SNMP-compatible network management system to monitor and control a CSS.
There are several ways that the SNMP manager and the agent communicate.

SNMP obtains information from the network through a Management Information Base (MIB). The MIB is a database of code blocks called MIB objects. Each MIB object controls one specific function, such as counting how many bytes are transmitted through an agent's port. The MIB object is comprised of MIB variables, which define the MIB object name, description, default value, and so forth.
The collection of MIB objects is structured hierarchically. The MIB hierarchy is referred to as the MIB tree. The MIB tree is defined by the International Standards Organization (ISO). The MIB is installed on the manager, and is present within each agent in the SNMP network.
At the top of the tree is the broadest information about a network. Each branch and sub-branch of the tree gets progressively more specific, and the lowest branches of the tree contain the most specific MIB objects; the leaves contain the actual data. See Figure 10-2 for an example of how the MIB tree objects become more specific as the tree expands.
Note There are two versions of the MIB tree as defined by ISO: MIB-I and MIB-II, which has more variables than MIB-I. Refer to the MIB-II standard in RFC 1213, "Management Information Base for Network Management of TCP/IP-based Internets: MIB-II".
There are two types of MIB variables:

As shown in Figure 10-2, a number is associated with a MIB object name. This number is called the object identifier (or object ID), and it uniquely identifies the MIB object in the MIB tree. (The dotted lines represent other branches not relevant to this discussion.)
For example, the MIB object labeled arrowpoint (which contains the MIB objects specific to CSSs) in Figure 10-2 can be labeled:
iso.organization.dod.internet.private.enterprises.arrowpoint
or
1.3.6.1.4.1.2467
The MIB tree has a special branch set aside for specific vendors to build their own extensions; this is called the enterprise MIB branch. The MIB files in this branch, included on your CSS Documentation and System Software CD, comprise the CSS Enterprise MIB. (This is the highlighted MIB object in Figure 10-2.) The enterprise MIB files are categorized along functional boundaries.
For a list of MIB branches under the CSS Enterprise MIB, refer to Table 10-4 later in this chapter.
Each SNMP device or member is part of a community. An SNMP community determines the access that each SNMP device has.
You supply a name to the community. After that, all SNMP devices that are assigned to that community as members have the same access rights. The access rights that the CSS supports are:
Note An SNMP community does not restrict access per se; communities are positive identifiers only for the benefit of the SNMP software. Typically, a network administrator will create a read-write community and then add certain devices to that community.
The CSSs support SNMPv2C (SNMP version 2C), known as "community-based SNMP," and standard Management Information Base (MIB-II) objects, along with an extensive set of enterprise objects. You can use any compatible network management system to monitor and manage a CSS.
Once you have set up the SNMP management software on the network devices, you are ready to configure SNMP settings on the CSS. You can configure two basic areas of SNMP functionality on the CSS: SNMP functions and RMON functions.
The following sections describe how to configure SNMP on the CSS. For information on configuring RMON, refer to Chapter , "Configuring Remote Monitoring".
Consider the following information before you set up SNMP on your network:
The following sections describe how to define the CSS as an SNMP agent. Read these sections for a complete description of the commands associated with this procedure. If you are familiar with this procedure, refer to Table 10-1 as a quick start configuration reference for this task.
| Task and Command Example |
|---|
| 1. Define the SNMP community strings for each access type, read-only or read-write. (config)# snmp community public read-only |
| 2. Provide the SNMP contact name. (config)# snmp contact "fred n mandy" |
| 3. Provide an SNMP contact location. (config)# snmp location "Operations" |
| 4. Provide the SNMP device name. (config)# snmp name "arrowpoint.com" |
| 5. Turn on generic traps. (config)# snmp trap-type generic |
| 6. Assign trap receivers and community. You can specify a maximum of five trap hosts. By default, all traps are disabled. The trap-host IP address must correspond to a management station that is monitoring for traps. The community information provided at the end of the trap-host command is included in the trap, and may be used by the management station to filter incoming traps. (config)# snmp trap-host 172.16.3.6 trap |
| 7. Turn on authentication failure traps. An authentication failure occurs if an unauthorized SNMP manager sends an invalid or incorrect community name to an SNMP agent. If this occurs, the agent sends an authentication trap to the trap host. (config)# snmp auth-traps |
| 8. Enable global enterprise traps. (config)# snmp trap-type enterprise |
| 9. Set a trap to notify the trap host of failed login attempts. Login failure traps provide the username and source IP address of the person who failed to log in. (config)# snmp trap-type enterprise login-failure |
| 10. Set a trap to notify the trap host when the CSS reboots directly through SNMP or through the CLI. The reload trap is set if a management station generates a CSS reload by setting the reload object, or if there is a reboot through the CLI. (config)# snmp trap-type enterprise reload |
| 11. Set a trap to notify the trap host when a service changes its state. Service traps are generated on the transition from Alive to Down, and from Down to Alive. The Dying state does not have an associated trap. (config)# snmp trap-type enterprise service-transition |
| 12. Configure the trap host for reload enable ability. Reload enable allows a management station with the proper WRITE community privilege to reboot the CSS. (config)# snmp reload-enable 100 |
Use the snmp community command to set or modify SNMP community names and access properties. You may specify as many community names as you wish. The syntax for this global configuration mode command is:
snmp community community_name [read-only|read-write]
The variables and options are:
For example:
(config)# snmp community sqa read-write
To remove a community name, enter:
(config)# no snmp community sqa
Use the snmp contact command to set or modify the contact name for the SNMP system. You can specify only one contact name. The syntax for this global configuration mode command is:
snmp contact "contact_name"
Enter the contact name as an unquoted text string with a maximum of 255 characters including spaces. You can also include information on how to contact the person; for example, a phone number or email address.
For example:
(config)# snmp contact "Fred N. Mandy"
To remove the contact name, enter:
(config)# no snmp contact
Use the snmp location command to set or modify the SNMP system location. You can specify only one location. The syntax for this global configuration mode command is:
snmp location "location"
Enter the location as the physical location of the system. Enter a quoted text string with a maximum length of 255 characters.
For example:
(config)# snmp location "sqa_lab1"
To remove the location, enter:
(config)# no snmp location
Use the snmp name command to set or modify the SNMP name for this system. You can specify only one name. The syntax for this global configuration mode command is:
snmp name "name"
Enter the SNMP name as the unique name assigned to a system by the administrator. Enter a quoted text string with a maximum of 255 characters. The standard name convention is the system's fully-qualified domain name (for example, sqa@arrowpoint.com).
For example:
(config)# snmp name "sqa@arrowpoint.com"
To remove the SNMP name for a system, enter:
(config)# no snmp name
Use the snmp trap-type generic command to enable SNMP generic trap types. The generic SNMP traps consist of cold start, warm start, link down, and link up.
For example:
(config)# snmp trap-type generic
To disable a generic trap, enter:
(config)# no snmp trap-type generic
Use the snmp trap-host command to set or modify the SNMP host to receive traps from a CSS. You can specify a maximum of five hosts. The syntax for this global configuration mode command is:
snmp trap-host ip_address|host community_name
The variables are:
For example:
(config)# snmp trap-host 172.16.3.6 sqa@arrowpoint.com
To remove a specified trap host, enter:
(config)# no snmp trap-host 172.16.3.6
Use the snmp auth-traps command to enable reception of SNMP authentication traps. The CSS generates these traps when an SNMP management station attempts to access your system with invalid community names.
For example:
(config)# snmp auth-traps
To disable reception of authentication traps, enter:
(config)# no snmp auth-traps
Use the snmp trap-type enterprise command to enable SNMP enterprise trap types. You can enable the CSS to generate enterprise traps when denial of service attack events occur, a login fails, or a CSS service transitions state.
Note For information on configuring Denial of Service enterprise traps, refer to "Configuring Denial of Service (DoS)" later in this chapter.
The options for this global configuration mode command are:
For example, to enable enterprise traps, enter:
(config)# snmp trap-type enterprise
To disable all enterprise traps, enter:
(config)# no snmp trap-type enterprise
To prevent the CSS from generating traps when a login fails, enter:
(config)# no snmp trap-type enterprise login-failure
To prevent the CSS from generating traps when a CSS reload occurs, enter:
(config)# no snmp trap-type enterprise reload
To prevent the CSS from generating traps when the service transitions state, enter:
(config)# no snmp trap-type enterprise service-transition
To prevent the CSS from generating traps when a redundant CSS transitions state, enter:
(config)# no snmp trap-type enterprise redundancy-transition
Use the snmp reload-enable command to reboot the CSS using SNMP. The syntax and options for this global configuration mode command are:
Enter the reload_value as the object used to control apSnmpExtReloadSet, providing the SNMP-based reboot. When the object is set to 0, an SNMP reboot is not allowed. When the object is set between 1 and 2^32, a reboot may be caused with any write value to apSnmpExtReloadSet. For security purposes, this object always returns 0 when read.
For example:
(config)# snmp reload-enable
To prevent users from rebooting the CSS using SNMP (default behavior), enter:
(config)# no snmp reload-enable
You can configure special enterprise traps to notify the trap host of Denial of Service (DoS) attacks on your system. You can also use the CLI to display detailed information about DoS attacks and reset the DoS statistics for your CSS to zero. This section describes how to configure DoS traps. If you are familiar with this procedure, use Table 10-2 as a quick start configuration reference.
| Task and Command Example |
|---|
| 1. Set the trap threshold to notify the trap host of DoS attacks with illegal addresses, either source or destination. (config)# snmp trap-type enterprise dos-illegal-attack trap-threshold 1 |
| 2. Set the trap threshold to notify the trap host of DoS LAND attacks. (config)# snmp trap-type enterprise dos-land-attack trap-threshold 1 |
| 3. Set the trap threshold to notify the trap host of DoS smurf attacks. (config)# snmp trap-type enterprise dos-smurf-attack trap-threshold 1 |
| 4. Set the trap threshold to notify the trap host of DoS SYN attacks. (config)# snmp trap-type enterprise dos-syn-attack trap-threshold 10 |
| 5. Display information about DoS attacks. (config)# show dos summary |
| 6. As required, reset the DoS statistics for a CSS to zero. (config)# zero dos statistics |
Use the snmp trap-type enterprise command to enable the CSS to generate SNMP enterprise traps when a denial of service (DoS) attack event occurs. One trap is generated each second when the number of attacks during that second exceeds the threshold for the configured DoS attack type.
The syntax for this global configuration mode command is:
snmp trap-type enterprise dos_attack_type {trap-threshold threshold_value}
The dos_attack_type variable is the type of denial of service attack event to trap. The options are:
Note You can override a default trap threshold by using the trap-threshold option. For the threshold_value, enter a number from 1 to 65535.
For example, to enable the CSS to generate traps for packets that have identical source and destination addresses, enter:
(config)# snmp trap-type enterprise dos-land-attack
To prevent the CSS from generating denial of service attack event traps, enter:
(config)# no snmp trap-type enterprise dos_attack_type
For example:
(config)# no snmp trap-type enterprise dos-land-attack
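The trap rule above (one trap per second, for each DoS attack type whose event count in that second exceeds its threshold, with thresholds between 1 and 65535) is easy to get wrong when writing a receiver-side expectation or a test harness. The following Python program is an added example, not CSS code or Cisco documentation: it models the threshold check over a constructed stream of per-second DoS events. The threshold values are the example values from Table 10-2, not the CSS defaults (which this chapter does not state), and the event stream is constructed.

```python
"""Per-second DoS trap threshold evaluation (added example, not CSS code)."""
from collections import Counter, defaultdict

# Threshold values taken from the Table 10-2 command examples in this chapter.
# The CSS defaults are not stated there, so these are assumed starting values.
THRESHOLDS = {
    "dos-illegal-attack": 1,
    "dos-land-attack": 1,
    "dos-smurf-attack": 1,
    "dos-syn-attack": 10,
}


def set_threshold(thresholds: dict, attack_type: str, value: int) -> dict:
    """Mirror the validation of
    'snmp trap-type enterprise <dos_attack_type> trap-threshold <threshold_value>'
    and return an updated copy of the threshold table."""
    if attack_type not in thresholds:
        raise ValueError(f"unknown DoS attack type: {attack_type}")
    if not 1 <= value <= 65535:
        raise ValueError("trap-threshold must be between 1 and 65535")
    updated = dict(thresholds)
    updated[attack_type] = value
    return updated


def evaluate_traps(events, thresholds: dict):
    """events: iterable of (second, attack_type) pairs.

    Returns one (second, attack_type, count) trap for every second in which
    the count of a configured attack type exceeds (is strictly greater than)
    its threshold. A count equal to the threshold generates no trap."""
    per_second = defaultdict(Counter)
    for second, attack_type in events:
        per_second[second][attack_type] += 1
    traps = []
    for second in sorted(per_second):
        for attack_type, count in sorted(per_second[second].items()):
            if attack_type in thresholds and count > thresholds[attack_type]:
                traps.append((second, attack_type, count))
    return traps


# Constructed sample stream: 12 SYN events and one LAND packet in second 0,
# two LAND packets in second 1, one smurf packet in second 2.
SAMPLE_EVENTS = (
    [(0, "dos-syn-attack")] * 12
    + [(0, "dos-land-attack")]
    + [(1, "dos-land-attack")] * 2
    + [(2, "dos-smurf-attack")]
)

if __name__ == "__main__":
    for trap in evaluate_traps(SAMPLE_EVENTS, THRESHOLDS):
        print("trap at second %d: %s (count %d)" % trap)
```

With the sample stream, second 0 produces only the SYN trap (12 > 10; the single LAND packet does not exceed a threshold of 1), second 1 produces a LAND trap (2 > 1), and second 2 produces nothing. Raising the SYN threshold with set_threshold suppresses the SYN trap without affecting the other types.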
Use the show dos summary command to display information about DoS attacks. To display more detailed information, use the show dos command.
For example:
(config)# show dos summary
After you configure SNMP, display the SNMP configuration. For example:
(config)# show running-config
The main tasks you need to do to manage SNMP on the CSS are:
By default, the CSS enables SNMP access to its command base, but you must first create community strings using the snmp community command before the trap host can communicate with the CSS.
Note SNMP is not a secure network environment. Do not use SNMP by itself to provide security for your network.
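The note above and the earlier description of communities both come down to one wire-level fact: in SNMPv1 and SNMPv2c the community name is an ordinary OCTET STRING in every message, readable by anyone who can see the packet. The following Python program is an added example, not CSS code or Cisco documentation. It BER-encodes a minimal SNMPv2c GetRequest for the apFlowMgrExtDOSAttackEventCount object (OID from the lookup output in this chapter) and then recovers the community from the raw bytes without any key, which is exactly what a packet capture on the management segment would show. The community name "public" and the request contents are constructed sample values.

```python
"""Minimal SNMPv2c GetRequest encoder/decoder (BER). Added example, not CSS code.

Demonstrates that the community name travels as a plaintext OCTET STRING, so a
community must be handled as a credential and SNMP kept to a management network.
"""


def _ber_length(n: int) -> bytes:
    """BER length field: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(body)) + body


def encode_integer(value: int) -> bytes:
    """ASN.1 INTEGER in minimal two's-complement form."""
    size = 1
    while True:
        try:
            return _tlv(0x02, value.to_bytes(size, "big", signed=True))
        except OverflowError:
            size += 1


def encode_octet_string(data: bytes) -> bytes:
    return _tlv(0x04, data)


def encode_null() -> bytes:
    return b"\x05\x00"


def encode_oid(dotted: str) -> bytes:
    """ASN.1 OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def encode_sequence(*parts: bytes, tag: int = 0x30) -> bytes:
    return _tlv(tag, b"".join(parts))


def build_get_request(community: str, oids, request_id: int = 1) -> bytes:
    """SNMPv2c message: SEQUENCE { version, community, GetRequest-PDU }."""
    varbinds = encode_sequence(
        *[encode_sequence(encode_oid(o), encode_null()) for o in oids]
    )
    pdu = encode_sequence(
        encode_integer(request_id),  # request-id
        encode_integer(0),           # error-status
        encode_integer(0),           # error-index
        varbinds,
        tag=0xA0,                    # context tag 0 = GetRequest-PDU
    )
    return encode_sequence(
        encode_integer(1),           # version value 1 on the wire means SNMPv2c
        encode_octet_string(community.encode()),  # the community, in the clear
        pdu,
    )


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def extract_community(packet: bytes):
    """Recover (version, community) from a v1/v2c message; no secret is needed."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg, 0)
    _, community, _ = _read_tlv(msg, pos)
    return int.from_bytes(version, "big", signed=True), community.decode("latin-1")


# Constructed sample: a GetRequest for apFlowMgrExtDOSAttackEventCount
# (OID 1.3.6.1.4.1.2467.1.36.27.1.6, taken from the lookup output in this chapter).
SAMPLE_PACKET = build_get_request("public", ["1.3.6.1.4.1.2467.1.36.27.1.6"])

if __name__ == "__main__":
    print(SAMPLE_PACKET.hex())
    print(extract_community(SAMPLE_PACKET))
```

Run over UDP/161 payloads from a capture, extract_community is enough to inventory which community names are in use on a segment and to spot a read-write community, or a default such as "public", reaching a CSS from an unexpected station; the auth-traps described in this chapter show the same events from the agent's side.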
To look up a MIB object, including the variables that make up the object:
1. Access global configuration mode by entering:
# config
2. Access rmon-alarm mode by entering:
(config)# rmon-alarm index_number
3. Display the MIB object by entering:
(config-rmonalarm[1])# lookup object
For example, you want to look up a MIB object, but you are not sure of its exact name. You already know that the MIB you want is part of the apFlowMgrExt group of objects. In this case, issue the lookup command with the question mark (?) character, as shown:
(config-rmonalarm[1])# lookup apFlowMgrExt ?
apFlowMgrExtDoSAttackEventType
apFlowMgrExtDoSAttackEventCount
apFlowMgrExtDoSAttackIndex
apFlowMgrExtDosTotalSmurfAttacks
apFlowMgrExtDosTotalIllegalSourceAttacks
apFlowMgrExtDosTotalZeroPortAttacks
apFlowMgrExtDosTotalLandAttacks
apFlowMgrExtDosTotalSynAttacks
apFlowMgrExtDosTotalAttacks
apFlowMgrExtIdleTimer
apFlowMgrExtPortIdleValue
apFlowMgrExtPortIdle
apFlowMgrExtReserveCleanTimer
apFlowMgrExtPermanentPort4
apFlowMgrExtPermanentPort3
apFlowMgrExtPermanentPort2
apFlowMgrExtPermanentPort1
apFlowMgrExtFlowTraceDuration
apFlowMgrExtFlowTraceMaxFileSize
apFlowMgrExtFlowTraceState
The example above shows that using the question mark (?) character as a wildcard returns all of the apFlowMgrExt MIB objects. You can now issue the lookup command on the exact MIB you want. For example:
(config-rmonalarm[1])# lookup apFlowMgrExtDOSAttackEventCount
ASN Name: apFlowMgrExtDOSAttackEventCount
MIB: flowmgrext
Object Identifer: 1.3.6.1.4.1.2467.1.36.27.1.6
Argument Type: Integer
Range: 0-4294967295
Description: This is the number of times this DoS attack had occurred.
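The object identifier shown in the lookup output sits under the CSS Enterprise MIB branch, 1.3.6.1.4.1.2467 (iso.organization.dod.internet.private.enterprises.arrowpoint), introduced earlier in this chapter. The following Python program is an added example, not CSS code or Cisco documentation: it resolves that symbolic path to its numeric OID and back, tests subtree membership arc by arc (a plain string prefix test would wrongly treat 1.3.6.1.4.1.24671 as part of the branch), and parses the lookup output above into a record. The MIB_TREE table contains only the branch this chapter shows; every other name is an assumption you would extend from the MIB files on the CSS Documentation and System Software CD.

```python
"""Resolve MIB names to OIDs and parse CSS 'lookup' output. Added example, not CSS code."""

# Only the branch of the MIB tree shown in this chapter, as name -> (arc, children).
MIB_TREE = {
    "iso": (1, {
        "organization": (3, {
            "dod": (6, {
                "internet": (1, {
                    "private": (4, {
                        "enterprises": (1, {
                            "arrowpoint": (2467, {}),
                        }),
                    }),
                }),
            }),
        }),
    }),
}

CSS_ENTERPRISE_OID = "1.3.6.1.4.1.2467"


def symbolic_to_oid(path: str) -> str:
    """iso.organization.dod... -> dotted numeric OID (KeyError if a name is unknown)."""
    node = MIB_TREE
    arcs = []
    for name in path.split("."):
        arc, node = node[name]
        arcs.append(str(arc))
    return ".".join(arcs)


def oid_to_symbolic(oid: str) -> str:
    """Numeric OID -> symbolic path; arcs below the known tree stay numeric."""
    node = MIB_TREE
    names = []
    for arc in (int(a) for a in oid.split(".")):
        match = next(((n, c) for n, (a, c) in node.items() if a == arc), None)
        if match is None:
            names.append(str(arc))
            node = {}
        else:
            names.append(match[0])
            node = match[1]
    return ".".join(names)


def in_subtree(oid: str, prefix: str) -> bool:
    """Arc-wise prefix test: 2467 is not a prefix of 24671."""
    o = [int(a) for a in oid.split(".")]
    p = [int(a) for a in prefix.split(".")]
    return o[:len(p)] == p


def parse_lookup_output(text: str) -> dict:
    """'Key: value' lines from the CSS lookup command -> dict with lower-case keys."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip().lower()] = value.strip()
    return record


def lookup_oid(record: dict) -> str:
    # The CLI prints the label as "Object Identifer" (sic); accept either spelling.
    for key in ("object identifier", "object identifer"):
        if key in record:
            return record[key]
    raise KeyError("no object identifier in lookup output")


def lookup_range(record: dict):
    """'Range: 0-4294967295' -> (0, 4294967295)."""
    low, _, high = record["range"].partition("-")
    return int(low), int(high)


# Output of 'lookup apFlowMgrExtDOSAttackEventCount' as printed in this chapter.
LOOKUP_OUTPUT = """\
ASN Name: apFlowMgrExtDOSAttackEventCount
MIB: flowmgrext
Object Identifer: 1.3.6.1.4.1.2467.1.36.27.1.6
Argument Type: Integer
Range: 0-4294967295
Description: This is the number of times this DoS attack had occurred.
"""

if __name__ == "__main__":
    rec = parse_lookup_output(LOOKUP_OUTPUT)
    print(rec["asn name"], lookup_oid(rec), oid_to_symbolic(lookup_oid(rec)))
    print("under CSS enterprise branch:", in_subtree(lookup_oid(rec), CSS_ENTERPRISE_OID))
```

The arc-wise membership test is the check a management station should apply when deciding whether a received varbind or trap belongs to the CSS Enterprise MIB before it trusts the vendor-specific decoding.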
You can also display a list of all the Enterprise MIBs by using the lookup command without any MIB object names, as in the following example:
(config-rmonalarm[1])# lookup ?
Note This command omits MIB objects of type string and MAC address.
Table 10-3 contains some of the MIB groups that provide useful statistics.
| MIB Name | Description |
|---|---|
| RFC-1398 | |
| RFC-1757 | |
| svcExt.mib | Service variables (including TCP connections) |
| cntExt.mib | Content rule variables (including frame statistics) |
The traplog file contains all of the traps, both generic and enterprise, that have occurred. The network device writes to the traplog file whether the SNMP trap configuration is enabled or not.
To show the trap log since the last CSS reboot, issue the show log command as shown:
# show log traplog
Note By default, the following events generate level critical-2 messages:
For information about commands available in this mode, refer to Chapter , "Configuring Remote Monitoring (RMON)" in this guide.
Table 10-4 describes the CSS MIB objects directly under the CSS Enterprise MIB (1.3.6.1.4.1.2467). To find out how you can look up object information, see the section "Using the CSS to Look Up MIB Objects" in this chapter.
| Name and Description | Subordinate Objects to Monitor | Related CLI Command |
|---|---|---|
| bridgeExt Configuration and monitoring of all bridge-related parameters | | (config)# bridge ? |
| svcExt Configuration and monitoring of all service-related parameters | apSvcConnections | (config-service)# ? |
| cntExt Configuration and monitoring of all content rule parameters | apCntHits | (config-owner- |
| grpExt Configuration of all group-related parameters | | (config-group)# ? |
| nqlExt | | |
| schedExt Command scheduler | | (config)# cmd-scheduler ? |
| cntsvcExt Monitoring of services attached to rules | apCntsvcHits | (config-service)# ? |
| grpsvcExt Groups attached to services (Configuration only) | | (config)# group ? |
| logExt Logging options (Configuration only) | | (config)# logging ? |
| snmpExt SNMP traps and communities | | (config)# snmp ? |
| aclExt Access Control Lists | | (config-acl)# ? |
| ownExt Owners | | (config-owner)# ? |
| ftpExt Configuration of FTP records | | (config)# ftp-record |
| bootExt Boot Configuration | | (config-boot)# ? |
| appExt CAPP configuration | apAppPktsTx | (config)# app ? |
| chassisMgrExt Chassis inventory | apChassisMgrExtCpuUtilization | |
| cnthotExt Content rule hot list information | apCnthotRate | (config-owner- |
| enetExt Configuration of the PHY state for Ethernet ports | apEnetPhyConfigActual | (config-interface)# phy ? |
| dnsServerExt DNS Server information | | (config)# dns-server ? |
| cntdnsExt Content rule DNS statistics | | (config)# dns hotlist ? |
| eqlExt | | (config-eql)# ? |
| sshdExt Secure Shell configuration | | (config)# sshd ? |
| schedExt | | (config)# cmd-scheduler ? |
| kalExt | apKalState | (config)# keepalive |
| apdnshotExt | apDnshotName | (config)# domain hotlist |
| urqlExt URQL mode (configuration only) | | |
| FlowMgrExt Flow Manager statistics | Supported objects: | (config)# flow ? |
| ap64Stats 64 bit extensions | Entire tree branch of this object | |
Posted: Tue Dec 12 05:44:01 PST 2000
Copyright © 1989-2000 Cisco Systems Inc.