SESSION NMS-1N02
NMS-1N02
9588_04_2004_c4
Objectives
This is an introduction to SNMP and MIBs
For beginners
Will not delve into the technical details
SNMPv3: only an overview
Agenda
Introduction
SNMPv1: Everybody Should Know It
SNMPv2c: The De Facto Standard
All You Need to Know about MIBs
Exercise
SNMPv3: The Official Standard
Notifications
SNMP Summary
INTRODUCTION
[Figure: the SNMP Manager exchanges SNMP messages with the SNMP Agent; the agent keeps the managed data in its MIB (DB).]
The Manager
The manager will try to provide
solutions for FCAPS
Fault monitoring
Configuration control
Accounting monitoring
Performance monitoring
Security control
The Agent
The agent is embedded in the device
The agent responds to requests for information and for actions
The agent may send fault notifications to the manager, i.e. traps
The agent exchanges management information with the manager using the SNMP protocol
The MIB
The MIB is the collection of managed objects
The SMI (Structure of Management Information) defines the framework within which a MIB can be defined or constructed
The managed objects are arranged in a hierarchical tree
THE PROTOCOL: SNMPv1
EVERYBODY SHOULD KNOW IT
SNMP Overview
[Figure: Manager/Agent exchanges. The manager sends get, getNext and set requests against the agent's MIB and receives a Response for each; the agent sends a Trap to the manager on its own initiative.]
[Figure: SNMPv1 message from the SNMP Manager to the SNMP Agent; header field Version = SNMPv1.]
Advice:
Do not use public and/or private as community strings
Do not use cisco
Router(config)# snmp-server community public RO 11
Router(config)# snmp-server community private RW 12
Router(config)# access-list 11 permit 172.17.246.225
Router(config)# access-list 11 permit 172.17.246.226
Router(config)# access-list 12 permit 172.17.246.225
Gauge
Length is 32 bits, an unsigned integer reflecting a current value
Counter
Length is 32 bits, an unsigned integer that counts something until it reaches its maximum value, then wraps
TimeTicks
A measurement of time in hundredths of a second
OctetString
0 or more bytes of printable characters
IpAddress
Counter
Like an odometer
ATTENTION
Counters do not necessarily start at zero, per standard
Counters cannot be reset, per standard
Counters are not for direct human consumption
They require a DELTA function to compute a rate
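The DELTA function the slide asks for, as an added example that is not part of the Cisco deck: it takes two polls of a counter together with the agent's sysUpTime (TimeTicks, hundredths of a second), corrects for a single wrap, and refuses an interval in which the agent evidently restarted. The sample values are constructed.

```python
COUNTER32_MAX = 2 ** 32
COUNTER64_MAX = 2 ** 64

def counter_delta(old, new, bits=32):
    """Difference between two counter samples, assuming at most one wrap
    between polls. A Counter32 on a busy link can wrap within minutes, so the
    poll interval must be short enough for this assumption to hold."""
    modulus = COUNTER32_MAX if bits == 32 else COUNTER64_MAX
    if new >= old:
        return new - old
    return (modulus - old) + new  # the counter wrapped once since the last poll

def rate_per_second(old_sample, new_sample, bits=32):
    """Each sample is (sysUpTime in TimeTicks, counter value). Returns the
    rate per second, or None when the pair of samples cannot be trusted."""
    old_ticks, old_val = old_sample
    new_ticks, new_val = new_sample
    if new_ticks <= old_ticks:
        # sysUpTime went backwards or stood still: the agent restarted (and
        # its counters may have been reset), so this interval is discarded.
        return None
    seconds = (new_ticks - old_ticks) / 100.0  # TimeTicks are 1/100 s
    return counter_delta(old_val, new_val, bits) / seconds

# Constructed samples: ifInOctets.2 polled twice, 60 s apart (6000 ticks);
# the 32-bit counter wrapped between the two polls.
SAMPLE_OLD = (123000, 4294960000)
SAMPLE_NEW = (129000, 6000)

if __name__ == "__main__":
    print(rate_per_second(SAMPLE_OLD, SAMPLE_NEW))  # 221.6 bytes/s
```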
SNMPv1: Summary
No security in SNMPv1
SNMPv1 uses Community Strings
SNMPv1 includes MIB View concept
SNMPv1 supports five operations
SNMPv1 is supported on all the Cisco devices
[Figure: SNMPv2c message between the SNMP Manager and the SNMP Agent. Version = SNMPv2c; community string = clear text; SNMP PDU = GetResponse, Trap, Inform.]
Response PDU
PDU Type | requestID | errStatus | errIndex | variableBindings
errStatus values: (0) noError, (1) tooBig, (2) noSuchName, (3) badValue, (4) readOnly, (5) genError, etc.
SNMPv2c: Summary
SNMPv2c is based on SNMPv2
New operations (getBulk, informRequest)
New data types (Counter64, etc.)
Richer error handling
MIB Concepts
A MIB defines groups of attributes
Identifier
Syntax
Access level
MIB Structure
MIBs are hierarchically structured
Top levels controlled by IANA
Lower levels may be delegated
Each node given an integer identifier
Different MIBs may be combined into a tree structure
[Figure: MIB tree for RMON. org(3) . dod(6) . internet(1) . mgmt(2) . mib-2(1) . rmon(16). RMON groups: Statistics, History, Alarms, Hosts, Host TopN, Traffic Matrix, Filters, Packet Capture, Events; TR RMON: Token Ring(10); RMON2 groups: ProtocolDir(11), ProtocolDist(12), AddressMap(13), nlHost(14), nlMatrix(15), alHost(16), alMatrix(17), usrHistory(18), probeConfig(19).]
sysDescr OBJECT-TYPE
    -- object name and SYNTAX clause restored from RFC 1213; the slide shows only the lower part
    SYNTAX DisplayString (SIZE (0..255))
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION
        "A textual description of the entity. This value should include the full name and version identification of the system's hardware type, software operating-system, and networking software. It is mandatory that this only contain printable ASCII characters."
    ::= { system 1 }
OBJECT-TYPE macro (SMIv1), with the values each clause can take:
object OBJECT-TYPE
    SYNTAX       OCTET STRING, OBJECT IDENTIFIER, INTEGER, IpAddress, Counter, Gauge, TimeTicks, etc.
    ACCESS       read-only, read-write, write-only, not-accessible
    STATUS       mandatory, optional, obsolete
    DESCRIPTION  "text"
    ::= { parent object-oid }
sysDescr OBJECT-TYPE
    -- object name and SYNTAX clause restored from RFC 3418 (SNMPv2-MIB); the slide shows only the lower part
    SYNTAX      DisplayString (SIZE (0..255))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A textual description of the entity. This value should include the full name and version identification of the system's hardware type, software operating-system, and networking software."
    ::= { system 1 }
OBJECT-TYPE macro (SMIv2), with the values each clause can take:
object OBJECT-TYPE
    SYNTAX       OCTET STRING, OBJECT IDENTIFIER, INTEGER, IpAddress, Counter32, Counter64, Unsigned32, Gauge32, TimeTicks, etc.
    MAX-ACCESS   read-write, read-create, read-only, accessible-for-notify, not-accessible
    STATUS       current, optional, deprecated
    DESCRIPTION  "text"
    ::= { parent object-oid }
UInteger32
Still 32 bits, but unsigned
Gauge32
An integer reflecting a current value
SNMP Indexing
A device consists of many SNMP objects, e.g. power supplies, CPU, interfaces
ifIndex OBJECT-TYPE
    SYNTAX      InterfaceIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value for each interface. Its value ranges between 1 and the value of ifNumber. The value for each interface must remain constant at least from one re-initialization of the entity's network management system to the next re-initialization."
    ::= { ifEntry 1 }
No persistence by default
[Figure: snmpwalk of interfaces.ifTable.ifEntry(1).ifDescr(2). With GET-NEXT the manager sends one request per instance and receives ifDescr.1, then ifDescr.2, ifDescr.3, ... up to ifDescr.7, each GET-NEXT being built from the OID returned by the previous one. With GETBULK a single request returns ifDescr.1 through ifDescr.7.]
Polling an Object
SNMP GET request (same idea for a SET request)
Need to specify:
IP address of agent
Community string to gain access
OID of attribute
1. Load IF-MIB
2. Find the object instance: SNMP WALK of IF-MIB ifDescr
   1: ifDescr.1 Ethernet0/0
   2: ifDescr.2 Serial0/0
   3: ifDescr.3 Serial0/1
   4: ifDescr.4 Loopback0
3. OID for ifInOctets, instance 2 (Serial0/0): GET 1.3.6.1.2.1.2.2.1.10.2
4. Response: ifInOctets.2
Polling an Object
Identify which objects need to be polled
Examples: interface bytes, interface packets, CPU utilization
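The walk and the polling steps above, modelled as an added example (not code from the deck) over a constructed in-memory agent MIB: GET-NEXT is driven by lexicographic OID order, a walk stops when the returned OID leaves the subtree, and the instance OID for ifInOctets is built from the ifIndex found by walking ifDescr. The interface names and counter values are made up; no network I/O is involved.

```python
IF_ENTRY = "1.3.6.1.2.1.2.2.1"   # interfaces.ifTable.ifEntry
IF_DESCR = IF_ENTRY + ".2"        # ifDescr column
IF_IN_OCT = IF_ENTRY + ".10"      # ifInOctets column

# Constructed agent contents: the four interfaces of the slide's walk.
AGENT_MIB = {
    IF_DESCR + ".1": "Ethernet0/0", IF_DESCR + ".2": "Serial0/0",
    IF_DESCR + ".3": "Serial0/1", IF_DESCR + ".4": "Loopback0",
    IF_IN_OCT + ".1": 81234, IF_IN_OCT + ".2": 4432,
    IF_IN_OCT + ".3": 910, IF_IN_OCT + ".4": 0,
}

def oid_key(oid):
    """OIDs order by sub-identifier value, not as strings: .10 sorts after .2."""
    return tuple(int(x) for x in oid.split("."))

def snmp_get(mib, oid):
    """GET: the value of one exact instance, or None (noSuchName)."""
    return mib.get(oid)

def snmp_getnext(mib, oid):
    """GET-NEXT: the first (oid, value) lexicographically after oid, or None."""
    later = sorted((o for o in mib if oid_key(o) > oid_key(oid)), key=oid_key)
    return (later[0], mib[later[0]]) if later else None

def snmp_walk(mib, root):
    """snmpwalk: repeat GET-NEXT until the returned OID leaves the subtree."""
    results, current = [], root
    while True:
        nxt = snmp_getnext(mib, current)
        if nxt is None or not nxt[0].startswith(root + "."):
            return results  # past the end of the subtree (or of the MIB)
        results.append(nxt)
        current = nxt[0]  # the next request starts from the last answer

def ifindex_for(mib, descr):
    """Step 2 of the slide: find an interface's ifIndex by walking ifDescr."""
    for oid, value in snmp_walk(mib, IF_DESCR):
        if value == descr:
            return int(oid.rsplit(".", 1)[1])  # instance suffix = ifIndex
    return None

def poll_in_octets(mib, descr):
    """Step 3: build ifInOctets.<ifIndex> (1.3.6.1.2.1.2.2.1.10.N) and GET it."""
    index = ifindex_for(mib, descr)
    return None if index is None else snmp_get(mib, f"{IF_IN_OCT}.{index}")
```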
FTP site: ftp://ftp.cisco.com/pub/mibs
External site: http://jaguar.ir.miami.edu/%7Emarcus/snmptrans.html
http://www.cisco.com/go/mibs
Important MIBs
MIB II -> RFC 1213
Interfaces Group MIB -> RFC 2863
RMON1 MIB -> RFC 2819
RMON2 MIB -> RFC 2021
Etc.
EXERCISES
Exercise 1
Goal: find via SNMP the status of an interface
How does CiscoView determine the interface color?
Exercise 1: Response
SNMP Object Navigator
Look for interface or ifTable or status
Find ifAdminStatus and ifOperStatus
snmpwalk on ifAdminStatus and ifOperStatus
Look at the index (ifIndex)
Look at ifDescr
snmpwalk on ifDescr
Correlate with the ifIndex
Try to use snmpset
Note: download any SNMP utility
Exercise 1: Response
NMS# snmpwalk <router> public ifAdminStatus
interfaces.ifTable.ifEntry.ifAdminStatus.1 = up(1)
interfaces.ifTable.ifEntry.ifAdminStatus.2 = up(1)
interfaces.ifTable.ifEntry.ifAdminStatus.3 = down(2)
Router# sh snmp mib ifmib ifindex
Serial0/0: Ifindex = 1
Serial0/1: Ifindex = 4
Serial0/2: Ifindex = 3
Exercise 2
Goal: find via SNMP the equivalent of:
          Local Address    Foreign Address          (state)
813BF810  cointreau.23     dhcp-peg3-cl3114.32881   ESTAB
813B41A0  20.0.0.1.179     20.0.0.2.22138           ESTAB
Exercise 2: Response
tcpConnTable, with 4 index objects:
tcpConnLocalAddress, tcpConnLocalPort, tcpConnRemAddress, tcpConnRemPort
NMS# snmpwalk cointreau public tcpConnTable
tcpConnState.10.48.71.7.23.144.254.5.46.32881 = established(5)
tcpConnState.20.0.0.1.179.20.0.0.2.22138 = established(5)
tcpConnLocalAddress.10.48.71.7.23.144.254.5.46.32881 = IpAddress: 10.48.71.7
tcpConnLocalAddress.20.0.0.1.179.20.0.0.2.22138 = IpAddress: 20.0.0.1
tcpConnLocalPort.10.48.71.7.23.144.254.5.46.32881 = 23
tcpConnLocalPort.20.0.0.1.179.20.0.0.2.22138 = 179
tcpConnRemAddress.10.48.71.7.23.144.254.5.46.32881 = IpAddress: 144.254.5.46
tcpConnRemAddress.20.0.0.1.179.20.0.0.2.22138 = IpAddress: 20.0.0.2
tcpConnRemPort.10.48.71.7.23.144.254.5.46.32881 = 32881
tcpConnRemPort.20.0.0.1.179.20.0.0.2.22138 = 22138
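Decoding the instance part of those varbinds, as an added example that is not from the deck: the four index objects are concatenated into ten sub-identifiers (address, port, address, port), and a manager reconstructs the rows of the table shown in the exercise by splitting them back apart. The walk lines below are constructed in the same format as the slide's output; the tcpConnState value names follow RFC 1213.

```python
# tcpConnState values as enumerated in RFC 1213
TCP_STATES = {1: "closed", 2: "listen", 3: "synSent", 4: "synReceived",
              5: "established", 6: "finWait1", 7: "finWait2", 8: "closeWait",
              9: "lastAck", 10: "closing", 11: "timeWait", 12: "deleteTCB"}

def parse_tcpconn_index(instance):
    """Split a tcpConnTable instance suffix such as '20.0.0.1.179.20.0.0.2.22138'
    into (local_addr, local_port, rem_addr, rem_port): 4 + 1 + 4 + 1 = 10
    sub-identifiers. Raises ValueError on malformed input."""
    parts = [int(p) for p in instance.split(".")]
    if len(parts) != 10:
        raise ValueError(f"need 10 sub-identifiers, got {len(parts)}")
    if any(p > 255 for p in parts[0:4] + parts[5:9]):
        raise ValueError("address octet out of range")
    if parts[4] > 65535 or parts[9] > 65535:
        raise ValueError("port out of range")
    local = ".".join(map(str, parts[0:4]))
    remote = ".".join(map(str, parts[5:9]))
    return local, parts[4], remote, parts[9]

def varbind_to_row(varbind):
    """Turn one walk line 'tcpConnState.<index> = established(5)' into a
    show-tcp-brief style row: ('addr.port', 'addr.port', state name)."""
    name, _, value = varbind.partition(" = ")
    column, _, instance = name.partition(".")
    if column != "tcpConnState":
        raise ValueError(f"expected a tcpConnState varbind, got {column}")
    laddr, lport, raddr, rport = parse_tcpconn_index(instance)
    state_num = int(value.rstrip(")").rsplit("(", 1)[1])  # '...(5)' -> 5
    return f"{laddr}.{lport}", f"{raddr}.{rport}", TCP_STATES.get(state_num, "unknown")

# Constructed walk output, in the same format as the slide's snmpwalk.
SAMPLE_WALK = [
    "tcpConnState.10.48.71.7.23.144.254.5.46.32881 = established(5)",
    "tcpConnState.20.0.0.1.179.20.0.0.2.22138 = established(5)",
]

def sample_rows():
    """The two rows of the exercise, rebuilt from the tcpConnState varbinds."""
    return [varbind_to_row(line) for line in SAMPLE_WALK]
```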
Exercise 2: Response
          Local Address    Foreign Address          (state)
813BF810  cointreau.23     dhcp-peg3-cl3114.32881   ESTAB
813B41A0  20.0.0.1.179     20.0.0.2.22138           ESTAB
The second row corresponds to:
tcpConnState.20.0.0.1.179.20.0.0.2.22138 = established(5)
THE PROTOCOL: SNMPv3
THE OFFICIAL STANDARD
SNMPv3 Framework
RFC 3410: Introduction and Applicability Statements for Internet-Standard Management Framework
RFC 3411: An Architecture for Describing SNMP Management Frameworks
RFC 3412: Message Processing and Dispatching for SNMP
RFC 3413: SNMPv3 Applications
RFC 3414: User-Based Security Model (USM) for version 3 of SNMP (SNMPv3)
RFC 3415: View-Based Access Control Model (VACM) for SNMP
RFC 3584: Coexistence between version 1, 2, and 3 of SNMP
SNMPv3 Framework
The existing SNMPv1 and SNMPv2c PDUs must be used within the new architecture
An implementation referred to as SNMPv3 consists of the security and architecture features defined in RFC 3410 through 3415 plus the PDU format and functionality defined in the SNMPv2c documents
Hence no new SNMPv3 PDUs are defined
SNMPv1, SNMPv2c and SNMPv3 share the same basic structure and components:
Manager, agent, protocol, management information
[Figure: SNMPv3 security level combinations: NoAuthNoPriv, AuthNoPriv, AuthPriv, NoAuthPriv (only the first three are defined by the User-Based Security Model).]
SNMPv3
View-Based Access Control Model Logic
[Figure: VACM decision flow, built up step by step on the slides]
who:   securityModel + securityName (the Security User) -> vacmSecurityToGroupTable -> groupName (the Group)
where: contextName -> vacmContextTable
how:   securityModel + securityLevel
why:   viewType (Read or Write)
groupName + contextName + securityModel + securityLevel + viewType -> vacmAccessTable -> viewName (the View)
what:  object-type; which: object-instance -> variableName
Is variableName in the view? -> vacmViewTreeFamilyTable -> yes / no: reject
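The decision flow of the figure, run as an added example (not code from the deck) over constructed copies of the four VACM tables: the user, group and view names are made up, the lookup order follows RFC 3415, and the "allview" deliberately excludes the USM (1.3.6.1.6.3.15) and VACM (1.3.6.1.6.3.16) MIB subtrees, which is what the default views on the next slide protect. A full implementation chooses the best-matching vacmAccessTable entry; this one takes the first applicable entry.

```python
LEVELS = ["noAuthNoPriv", "authNoPriv", "authPriv"]  # ordered weakest first

# who: (securityModel, securityName) -> groupName    [vacmSecurityToGroupTable]
SECURITY_TO_GROUP = {("usm", "nmsuser"): "nms-ro", ("usm", "netadmin"): "nms-rw"}
# where: the contexts this agent knows               [vacmContextTable]
CONTEXTS = {""}
# how/why: (groupName, contextName, securityModel, securityLevel) ->
#          read/write viewName                        [vacmAccessTable]
ACCESS = {
    ("nms-ro", "", "usm", "authNoPriv"): {"read": "ifview", "write": None},
    ("nms-rw", "", "usm", "authPriv"): {"read": "allview", "write": "allview"},
}
# which: viewName -> [(subtree, included)]            [vacmViewTreeFamilyTable]
VIEW_TREE = {
    "ifview": [("1.3.6.1.2.1.2", True)],          # interfaces group only
    "allview": [("1.3.6.1", True),
                ("1.3.6.1.6.3.15", False),        # hide SNMP-USER-BASED-SM-MIB
                ("1.3.6.1.6.3.16", False)],       # hide SNMP-VIEW-BASED-ACM-MIB
}

def in_view(view_name, oid):
    """The longest matching family decides whether oid is included."""
    best = None
    for subtree, included in VIEW_TREE.get(view_name, []):
        if (oid == subtree or oid.startswith(subtree + ".")) and (
                best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]

def vacm_is_access_allowed(security_model, security_name, security_level,
                           context_name, view_type, variable_name):
    """Follow the figure top to bottom; view_type is 'read' or 'write'."""
    group = SECURITY_TO_GROUP.get((security_model, security_name))
    if group is None:
        return False, "noGroupName"
    if context_name not in CONTEXTS:
        return False, "noSuchContext"
    # An access entry applies when its securityLevel is not above the
    # request's; a full implementation picks the best match, this the first.
    entries = [e for (g, c, m, lvl), e in ACCESS.items()
               if g == group and c == context_name and m == security_model
               and LEVELS.index(lvl) <= LEVELS.index(security_level)]
    if not entries:
        return False, "noAccessEntry"
    view = entries[0].get(view_type)
    if view is None:
        return False, "noSuchView"
    if not in_view(view, variable_name):
        return False, "notInView"
    return True, "accessAllowed"
```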
The default views restrict access to the USM, VACM and COMMUNITY MIBs
Pay attention not to open a security hole when playing with views in SNMPv3!
NOTIFICATIONS
[Figure: notification flow between the SNMP Agent and the SNMP Manager, built up on the slides.
1. The manager loads the MIB.
2. A remote device goes down on Serial 1/2 (instance 4). The agent sends an SNMP Notification: a Trap PDU carrying OID 1.3.6.1.2.1.11.0.2, the OID for linkDown. The linkDown notification is delivered to the NMS.
With IF-MIB installed, descriptions have replaced the string of numbers.]
SNMP SUMMARY
SNMP Versions
Version  Level         Auth              Encryption  What Happens
SNMPv1   noAuthNoPriv  Community String  No          Uses a community string match for authentication
SNMPv2c  noAuthNoPriv  Community String  No          Uses a community string match for authentication
SNMPv3   noAuthNoPriv  Username          No          Uses a username match for authentication
SNMPv3   authNoPriv    MD5 or SHA        No          Provides authentication based on HMAC-MD5 or HMAC-SHA algorithms
SNMPv3   authPriv      MD5 or SHA        DES         Provides authentication based on HMAC-MD5 or HMAC-SHA algorithms, plus DES encryption
[Table: Cisco IOS support per SNMP version (SNMPv1, SNMPv2, SNMPv2c, SNMPv3); recoverable cells: "Since 10.3" and "10.3, 11.0, 11.1, 11.2".]
Conclusion
Good background information about
SNMP and MIBs
Prepared to attend any Networkers NMS tutorials
Thank you