Simple Network Management Protocol


Simple Network Management Protocol - Week 6
- MIB data is input in encoded form.
- Information is then compiled into the central MIB in the NCS.
Manageable Devices
(figure: routers and a bridge attached to the network, managed from the network control station)
Proxies
- Many devices to be managed do not support the appropriate protocols (UDP and IP). Devices that were not intended to operate in a TCP/IP environment (e.g. bridges and modems), or for which full management support is not desirable (PCs, workstations, etc.), may use a proxy.
- A proxy may function for one or many of these devices.
Proxy Agent
(figure: protocol stacks of the management station, the proxy agent and the proxied device)
- Management station: manager process over SNMP, UDP, IP and the network interface.
- Proxy agent: a mapping function between an agent process (SNMP over UDP over IP, with its own network interface, facing the management station) and the protocol architecture used by the proxied device (with its own network interface, facing the device).
- Proxied device: a management process over the protocol architecture used by the proxied device and its network interface.
SNMP - Simple Network Management Protocol
- How do NCSs receive or send management information?
- Messages are sent using SNMP Protocol Data Units (PDUs).
(figure: SNMP message and PDU formats, redrawn as field lists)

SNMP MESSAGE: Version | Community | SNMP PDU

GetRequest PDU, GetNextRequest PDU, SetRequest PDU:
PDU Type | request-id | 0 | 0 | variablebindings

GetResponse PDU:
PDU Type | request-id | error-status | error-index | variablebindings

Trap PDU:
PDU Type | enterprise | agent-addr | generic-trap | specific-trap | time-stamp | variablebindings

variablebindings: name1 | value1 | ... | namen | valuen
Operations performed on objects:
- Get, Set and Trap.
- Note that it is not possible to request operations to be performed, just to request a change to the state of a value associated with an object.
(figure: manager-agent exchanges)
- Get values: the manager sends a GetRequest PDU, the agent replies with a GetResponse PDU
- Get next values: the manager sends a GetNextRequest PDU, the agent replies with a GetResponse PDU
- Set values: the manager sends a SetRequest PDU, the agent replies with a GetResponse PDU
- Send trap: the agent sends a Trap PDU to the manager
SNMP Message Transmission
- PDU is constructed using ASN.1
- PDU may be passed to an authentication service
- Message is then constructed
- ASN.1 object is encoded and passed to the transport service
SNMP Message Reception
- Message syntax is checked; the message is discarded if it cannot be parsed
- Message version number is checked; the message is discarded if there is a mismatch
- Authentication is attempted:
  - If authentication fails, a trap is issued
  - If authentication succeeds, the PDU is then examined
- PDU syntax is checked; the PDU is discarded if it fails to parse
- SNMP operation is performed
Variable Bindings
- For multiple-object requests and responses, all values for the scalar objects in a particular group from a particular agent may be transferred in the one PDU.
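The transmission and reception steps on the slides above, together with the message layout and the variable-bindings list, as an added Python example that is not part of these slides. It builds an SNMPv1 GetRequest for sysUpTime.0 with the BER encoding that the ASN.1 step produces (SEQUENCE { version, community, PDU }, the PDU carrying request-id, error-status, error-index and the variable bindings), then runs the receiving side's checks in the order the slides give them: parse the message syntax, check the version, attempt authentication (for SNMPv1 that is matching the community string), and parse the PDU. The tag values are those of RFC 1157; the function names, the community name "public" and the request-id 1 are constructed for the example.

```python
# Minimal SNMPv1 message encoder/decoder (added example, not from the slides).
# Tag values and field order follow RFC 1157; all sample values are constructed.

SNMP_V1 = 0   # value of the version field for SNMPv1

TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GETREQUEST, TAG_GETNEXTREQUEST, TAG_GETRESPONSE, TAG_SETREQUEST, TAG_TRAP = 0xA0, 0xA1, 0xA2, 0xA3, 0xA4
REQUEST_PDUS = (TAG_GETREQUEST, TAG_GETNEXTREQUEST, TAG_SETREQUEST)


def encode_length(n):
    """BER length: short form below 128, otherwise 0x80|count followed by the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + encode_length(len(content)) + content


def encode_integer(value):
    """Two's-complement INTEGER in the fewest bytes that keep the sign bit correct."""
    nbytes = (value.bit_length() + 8) // 8
    return tlv(TAG_INTEGER, value.to_bytes(nbytes, "big", signed=True))


def encode_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(TAG_OID, bytes(out))


def build_request(community, oid, request_id, pdu_tag=TAG_GETREQUEST, version=SNMP_V1):
    """Transmission side: SNMP MESSAGE = SEQUENCE { version, community, PDU }.
    A Get-style PDU carries request-id, error-status 0, error-index 0 and the
    variable-bindings list; for a Get the bound value is NULL."""
    varbind = tlv(TAG_SEQUENCE, encode_oid(oid) + tlv(TAG_NULL, b""))
    pdu = tlv(pdu_tag, encode_integer(request_id) + encode_integer(0) + encode_integer(0)
              + tlv(TAG_SEQUENCE, varbind))
    return tlv(TAG_SEQUENCE, encode_integer(version)
               + tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, content, next_pos); a ValueError is the 'unable to parse, discard' case."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("content runs past end of message")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return "." + ".".join(map(str, arcs))


def receive_message(buf, expected_community):
    """Reception side, in the slides' order: message syntax, version,
    authentication (community match), then PDU syntax."""
    tag, body, end = read_tlv(buf, 0)
    if tag != TAG_SEQUENCE or end != len(buf):
        raise ValueError("message is not a single SEQUENCE")
    tag, content, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("version field missing")
    if int.from_bytes(content, "big", signed=True) != SNMP_V1:
        return {"status": "discarded", "reason": "version mismatch"}
    tag, content, pos = read_tlv(body, pos)
    if tag != TAG_OCTET_STRING:
        raise ValueError("community field missing")
    if content != expected_community.encode():
        # an SNMPv1 agent drops the message here and may issue an authenticationFailure trap
        return {"status": "discarded", "reason": "authentication failure"}
    pdu_tag, pdu, _ = read_tlv(body, pos)
    if pdu_tag not in REQUEST_PDUS:
        raise ValueError("not a request PDU")
    fields, pos = [], 0
    for _ in range(3):                      # request-id, error-status, error-index
        tag, content, pos = read_tlv(pdu, pos)
        if tag != TAG_INTEGER:
            raise ValueError("bad PDU header field")
        fields.append(int.from_bytes(content, "big", signed=True))
    tag, vblist, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(vblist):                # name1 value1 ... namen valuen
        _, vb, pos = read_tlv(vblist, pos)
        oid_tag, oid_content, _ = read_tlv(vb, 0)
        if oid_tag != TAG_OID:
            raise ValueError("variable binding without an OID")
        oids.append(decode_oid(oid_content))
    return {"status": "ok", "pdu_type": pdu_tag, "request_id": fields[0], "oids": oids}


if __name__ == "__main__":
    msg = build_request("public", ".1.3.6.1.2.1.1.3.0", request_id=1)   # sysUpTime.0
    print(msg.hex())
    print(receive_message(msg, "public"))
</```

Run as a script it prints the 40-byte message as hex followed by the parsed result. A syntax problem anywhere raises ValueError, which is the "discard" outcome of the first and fourth reception steps; a wrong version or community is returned as a discarded status instead, because the slides treat those as separate steps, and the community mismatch is the point at which an agent would issue the authentication-failure trap.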
GetRequest PDU
- Control station may generate this PDU, with:
- Type = GetRequest
- request-id = unique identifier for each outstanding request (correlate requests, ignore duplicates)
- variablebindings = list of object instances for which values are requested
- Request to read value(s) from objects within the managed device.
GetNextRequest PDU
- Type = GetNextRequest
- request-id = unique identifier for each outstanding request (correlate requests, ignore duplicates)
- variablebindings = list of object instances for which the next value in order is requested
- Permits the requesting of a series of values in order.
- May allow the request of values for unknown objects.
SetRequest PDU
- Type = SetRequest
- request-id = unique identifier for each outstanding request (correlate requests, ignore duplicates)
- variablebindings = list of object instances and the values to be written to them
- Request to write value(s) to objects in a managed device.
Trap PDU
- Agent notification of a significant event.
- PDU Type = Trap PDU
- enterprise = management subsystem that generated the trap
- agent-addr = IP address of the object generating the trap
- generic-trap = type of trap
- specific-trap = nature of the trap
- time-stamp = time between the last initialisation of the device and the generation of the trap
- variablebindings = additional information relating to the trap
- No response is expected to this message.
PDU Loss
- Since all sets and gets have a response returned, if the response does not arrive within a given time period it can be assumed that it was lost. Repeat messages may be sent until the management station gives up (agent is down or unreachable).
- Trap message loss will not be detected. Thus traps should be used for early warning of a significant event, not as the only indication of an event of significance.
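The loss handling described on the PDU Loss slides, as an added Python example that is not from the slides: a deterministic simulated network stands in for the UDP path between manager and agent, and the manager repeats a request with the same request-id after each timeout, uses the request-id to correlate whichever response comes back, ignores duplicate or stale responses, and gives up after a fixed number of attempts. The class names, the outcome labels ("ok", "lost", "late") and the attempt limit are constructed for the example.

```python
from collections import deque


class SimulatedNetwork:
    """Constructed, deterministic stand-in for the UDP path between manager and agent.
    `fates` lists what happens to each request in send order:
      'ok'   - the GetResponse comes back within the timeout
      'lost' - the request or its response is dropped
      'late' - the GetResponse arrives one round later, i.e. after the retry went out
    Once the list is exhausted every request is lost (agent down or unreachable)."""

    def __init__(self, fates):
        self.fates = deque(fates)
        self.delayed = deque()      # responses held back until the next round

    def exchange(self, request_id):
        """Send one request; return the request-ids of every response that
        arrives before the manager's timeout expires (late ones included)."""
        arrived = list(self.delayed)
        self.delayed.clear()
        fate = self.fates.popleft() if self.fates else "lost"
        if fate == "ok":
            arrived.append(request_id)
        elif fate == "late":
            self.delayed.append(request_id)
        return arrived


class Manager:
    """Management-station side of the retry logic on the PDU Loss slide."""

    def __init__(self, network, max_attempts=3):
        self.network = network
        self.max_attempts = max_attempts
        self.next_request_id = 1
        self.ignored = 0            # responses dropped as duplicates or stale

    def get(self):
        request_id = self.next_request_id      # unique per outstanding request
        self.next_request_id += 1
        outstanding = {request_id}
        for attempt in range(1, self.max_attempts + 1):
            matched = False
            for rid in self.network.exchange(request_id):
                if rid in outstanding:         # correlate by request-id
                    outstanding.discard(rid)
                    matched = True
                else:                          # duplicate or stale response: ignore
                    self.ignored += 1
            if matched:
                return {"ok": True, "attempts": attempt, "request_id": request_id}
            # timeout: assume the response was lost and repeat the same request-id
        return {"ok": False, "attempts": self.max_attempts, "request_id": request_id}


if __name__ == "__main__":
    manager = Manager(SimulatedNetwork(["lost", "lost", "late", "ok"]))
    print(manager.get())    # gives up after 3 attempts while its last response is still in flight
    print(manager.get())    # request 2 answered at once; the stale response to request 1 is ignored
    print(manager.ignored)  # 1
```

The request-id is what makes the retry safe: the agent may answer a repeated request twice, and a response to an abandoned request may still arrive during the next poll, so the manager only accepts a response whose request-id is currently outstanding.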
(figure: SNMP GetRequest for data item sysDescr)
Selection of a Management Station
Features:
- Extended MIB support
- Intuitive interface
- Automatic discovery
- Programmable events
- Advanced network control
- OO management
- Custom icons
Polling
- To obtain information from manageable devices, an NCS must perform GetRequest and GetNextRequest operations.
- The management station polls the devices for the requested information.
- The NCS must regularly poll devices to obtain an up-to-date view of the network conditions (congestion, device failure, etc.).
- The load on the management station may be significant if the number of polled devices is large.
- Also, the network load due to polling traffic may be excessive.
- The balance between loading and up-to-date information is not easy to compute.
- Trap-directed polling may limit traffic.
SNMPv2
- In SNMPv1, the community variable sent in Set messages means that systems could be attacked at any opportunity.
- New data structures were added.
SNMPv3
- Authentication
- Timeliness
- Privacy
- Discovery (from other SNMP engines)
- Key management
WINSNMP
- Microsoft and associated partners have developed support for SNMP in Windows operating systems via an engine designed to support SNMP protocols.
- Many developers have provided 16- and 32-bit WINSNMP.DLL support.
Programming for SNMP
- Management can be in any language that supports calls to the DLL via libraries or via function calls.
Examples
Ref: Optivity SNMP Debugging for Dummies, Bay Networks
So let's put the information absorbed so far into an example. If you were to write the complete path to the mgmt node, you would write it as:
- iso(1) org(3) dod(6) internet(1) mgmt(2)
which is equivalent to the numerical OID string of:
- .1.3.6.1.2

Examples
- These 5 groups are mandatory for any SNMP manageable object:
- system(1) interfaces(2) at(3) ip(4) icmp(5)
- A MIB-II compliant SNMP agent may support more groups than these five, but it is expected to support at least these five groups.
Examples
Let's call the combination of agent and object an "entity" for simplicity's sake. Here are some (but not all) of the objects in this group:
- sysDescr(1) - A description of the entity in somewhat "human" terms. This description may contain some very good information. Then again, it may not.
- sysObjectID(2) - A complete OID string defined by the vendor who created the entity. This object is used extensively by Optivity (and other SNMP applications) to quickly identify what kind of SNMP agent the application is talking to.
- sysUpTime(3) - Hey! This is the MIB object of our example. Go back and read the DESCRIPTION to see what this object does.
- sysContact(4) - This object could possibly contain the name of the person locally responsible for the entity. Many times, this field will be blank. It may be blank because no one remembered to set a value for it. It might be blank because no one really wants to take responsibility for the entity.
The other objects in this group may be blank as well, since they represent things like the Name and Location of the entity.
Examples
- The complete path to the sysUpTime(3) object is:
- iso(1) org(3) dod(6) internet(1) mgmt(2) mib(1) system(1) sysUpTime(3)
or
- .1.3.6.1.2.1.1.3
Examples
- .1.3.6.1.2.1.1
which is equivalent to
- iso(1) org(3) dod(6) internet(1) mgmt(2) mib(1) system(1)
would, when queried, return the value for
- sysDescr, sysObjectID, sysUpTime, sysContact, and all the other objects within the system(1) node.
Example
Each MIB object also has what is called an instance.
Imagine a router - a device with multiple network interfaces. There exists a MIB object that contains information about the type of interface(s) used by an entity (where in this case, the entity is a router). This MIB object is:
- iso(1) org(3) dod(6) internet(1) mgmt(2) mib(1) interfaces(2) ifTable(2) ifEntry(1) ifType(3)
So in our example, we have four instances:
- ifType.1, ifType.2, ifType.3, and ifType.4.

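As an added Python example that is part of neither the slides nor the Bay Networks document they cite, the following puts the naming and instance rules from the Examples slides together with the GetNextRequest slides: a small constructed fragment of the MIB-II tree turns symbolic paths such as iso.org.dod.internet.mgmt.mib.system.sysUpTime into dotted OIDs, a constructed agent holds .0 instances for the system group and the four ifType instances of the router example, and get_next/walk show how a series of GetNextRequest operations steps through a subtree in OID order, which is also why querying .1.3.6.1.2.1.1 yields sysDescr, sysObjectID, sysUpTime, sysContact and the rest of the system(1) node. The function names and the agent contents are constructed; the sysObjectID value is a placeholder enterprise OID, and the ifType values 6 (ethernetCsmacd) and 24 (softwareLoopback) are IANA ifType numbers.

```python
# Added example, not from the slides: symbolic MIB paths, dotted OIDs,
# object instances, and the GetNext walk that steps through a subtree.

# Constructed fragment of the MIB-II naming tree: node -> (parent, arc number).
MIB_TREE = {
    "iso": (None, 1), "org": ("iso", 3), "dod": ("org", 6),
    "internet": ("dod", 1), "mgmt": ("internet", 2), "mib": ("mgmt", 1),
    "system": ("mib", 1), "sysDescr": ("system", 1), "sysObjectID": ("system", 2),
    "sysUpTime": ("system", 3), "sysContact": ("system", 4),
    "interfaces": ("mib", 2), "ifTable": ("interfaces", 2),
    "ifEntry": ("ifTable", 1), "ifType": ("ifEntry", 3),
}


def name_to_oid(name):
    """Follow parent links up to iso and emit the dotted numeric OID,
    e.g. sysUpTime -> .1.3.6.1.2.1.1.3"""
    arcs = []
    while name is not None:
        name, arc = MIB_TREE[name]
        arcs.append(arc)
    return "." + ".".join(str(a) for a in reversed(arcs))


def oid_tuple(oid):
    """Dotted string -> tuple of ints; tuples compare in MIB (lexicographic) order."""
    return tuple(int(a) for a in oid.strip(".").split("."))


def is_under(oid, subtree):
    sub = oid_tuple(subtree)
    return oid_tuple(oid)[:len(sub)] == sub


# Constructed agent contents: instance OID -> value. Scalars get instance .0;
# ifType is a table column, so it has one instance per interface (.1 to .4).
AGENT_VALUES = {
    name_to_oid("sysDescr") + ".0": "constructed four-port router",
    name_to_oid("sysObjectID") + ".0": ".1.3.6.1.4.1.99999",   # placeholder enterprise OID
    name_to_oid("sysUpTime") + ".0": 123456,                    # TimeTicks since last init
    name_to_oid("sysContact") + ".0": "",                       # often left blank, as the text notes
    name_to_oid("ifType") + ".1": 6,      # ethernetCsmacd
    name_to_oid("ifType") + ".2": 6,
    name_to_oid("ifType") + ".3": 6,
    name_to_oid("ifType") + ".4": 24,     # softwareLoopback
}


def get_next(agent, oid):
    """GetNextRequest semantics: (oid, value) of the first instance whose OID
    sorts after `oid`, or None at the end of the agent's MIB view. The request
    OID itself need not exist, which is why GetNext can ask about unknown objects."""
    key = oid_tuple(oid)
    later = sorted(t for t in map(oid_tuple, agent) if t > key)
    if not later:
        return None
    nxt = "." + ".".join(map(str, later[0]))
    return nxt, agent[nxt]


def walk(agent, subtree):
    """Repeated GetNext from the subtree root until the returned OID leaves the
    subtree; this is what a MIB browser or snmpwalk does for .1.3.6.1.2.1.1."""
    results, current = [], subtree
    while True:
        step = get_next(agent, current)
        if step is None or not is_under(step[0], subtree):
            return results
        results.append(step)
        current = step[0]


if __name__ == "__main__":
    print(name_to_oid("mgmt"), name_to_oid("sysUpTime"), name_to_oid("ifType"))
    for oid, value in walk(AGENT_VALUES, name_to_oid("system")):
        print(oid, value)
    for oid, value in walk(AGENT_VALUES, name_to_oid("ifType")):
        print(oid, value)
```

Note that a walk of ifType returns the four instances in index order and then stops, because the next OID in the agent (if any) would lie outside the ifType column; a walk of system(1) stops for the same reason when the first ifType instance is reached.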
Common Problems
Ref: Optivity SNMP Debugging for Dummies, Bay Networks
- The agent is not responding to any network requests at all, or the network that the agent is on is not reachable. You can quickly check this by attempting to ping the device in question.
- The request sent used an SNMP community string to which the agent was not authorized to respond.
Common Problems
- Beware of ping
  - it uses a different transport to SNMP
- TCP traffic may be getting through while UDP-based traffic is being dropped
  - traffic congestion
- Use a MIB browser (if SNMP traffic is OK)
  - the Sun package is under the Solstice Suite of Management Utilities, or use snmpwalk
Common Problems
Network Management System (NMS) reporting incorrect network utilisation – Debug.
- The first basic step is to determine if the agent itself is the source of this misinformation.
- Once this has been established, the issue becomes much more defined and easier to debug.

Common Problems
- How to find in which MIB a particular MIB object resides. Once you have the name of the MIB object (which you figured out by referencing snpx.nnn), all you have to do is use the grep command.
  $ cd /mibs/mibs/s5000
  $ grep s5AgInfoCurDfltGwAddr *.mib
Common Problems
You can also use this method to look for a MIB object that you think might exist. For example, someone asks you if there is a MIB object for the Next Active Upstream Neighbor (NAUN) during a beacon condition on a Token Ring network made up of System 5000 hubs (5510 NMMs). So, the first step would probably be to grep for "Beacon" within the System 5000 mibs.
  $ cd /mibs/mibs/s5000
Scanning through this output, you should notice the line:
  s5tok121.mib: s5TrRingInfoBeaconNaun MacAddress,
This tells us that the s5tok121.mib file contains a reference to something called an "s5TrRingInfoBeaconNaun". This sounds like a pretty close match.