This chapter explains the following Simple Network Management Protocol (SNMP) information:
· Links and traps
· Management Information Base (MIB)
· Configuring the SNMP Services
· Maintaining the SNMP configuration file
· Extendible MIB support
· SNMP Multiplexing (SMUX) peers support
· Agent X peers support
· Log file
SNMP Services allows network management stations to obtain timely information about the network activities of OpenVMS server hosts. The information describes such things as routing, line status, the volume of network traffic, and error conditions.
In SNMP, network communication lines are called links. When counting the number of IP datagrams sent and received over most links, the SNMP agent returns the same numbers that are available through the SHOW NETWORKS command in TCPware's Network Control Utility (NETCU). These numbers indicate how many datagrams TCPware delivers.
A trap is an unsolicited message the SNMP agent sends to a management station to inform it that a change in the network occurred. The management station is responsible for diagnosing and monitoring any reported problems. For example, the SNMP agent sends traps to tell the management stations which communication lines are running and which are down.
The SNMP agent sends traps only to clients configured to receive traps, as defined in the SNMP agent configuration file (SNMPD.CONF). The SNMP agent supports all traps defined in the SNMP protocol, except EGP-Neighbor-Loss, Warm-Start, and Enterprise-Specific.
TCPware initially enables all supported traps. To disable them, edit the SNMP agent configuration file. The changes take effect the next time you start the agent.
SNMP clients can enable or disable Authentication Failure Traps while the SNMP agent is running. These clients must have READ-WRITE community access, as described in the MIB Access Rules section.
A Management Information Base (MIB) is a collection of network management data residing on the SNMP agent host. The network management station reads and writes MIB data to the agent. Related types of data in the MIB are in groups. Each piece of data within a group is a management object.
All management objects in a MIB are coded in ASN.1. Any authorized clients can access data in the MIB by using the SNMP Get and GetNext requests.
MIB-II is the MIB version for TCP/IP implementations. The SNMP agent supports all management objects defined in MIB-II, except those in the External Gateway Protocol (EGP) Group.
The below diagram shows an SNMP client and agent exchanging MIB data.
Two kinds of rules restrict access to the MIB:
· Community access profiles
· The access mode assigned to each management object – NONE, READ-ONLY, READ-WRITE, and WRITE-ONLY. The SNMP protocol standard determines the access mode.
The network administrator assigns each SNMP agent and client to at least one community. A community consists of SNMP agents and clients that have the same access profile, or collection of rules that determine whether community members can:
· Read or write MIB data
· Receive traps
You define access profiles in the SNMP agent configuration file.
Clients with READ-WRITE community access can alter the values of certain management objects in the MIB.
The below table summarizes the information in each MIB group.
See also RFC 1213, Management Information Base for Network Management of TCP/IP-based Internets: MIB-II, for complete information on each MIB group.
Group | Contains objects... | Which...
System | sysDescr | Provide information about the agent host, such as the domain name, geographic location, and the name of a contact person.
Interfaces | ifNumber | Provide generic information about each network interface, such as the speed, administrative status, and the maximum size of transmission units. Count the number of data errors, and the number of packets sent and received. Contain the Interfaces Table.
Address Translation (AT) | atTable | Map the network (IP) address to the physical address.
IP | ipForwarding ipRouteIfIndex | Count the number of datagrams sent, received, in error, discarded, fragmented, and reassembled. Contain the IP Address Table, IP Routing Table, and IP Address Translation Table.
ICMP | icmpInMsgs | Count the number of ICMP messages sent, received, and in error. Also, count source quenches, redirects, and timestamps.
TCP | tcpRtoAlgorithm | Count the number of active opens, passive opens, and failed attempts. Also, contain the TCP Connection Table.
UDP | udpInDatagrams | Count the number of datagrams sent and received. Also, contain the UDP Listener Table.
SNMP | snmpInPkts | Count the number of packets sent and received, invalid community names, and invalid version numbers, and SNMP errors. Also, count the number of requests, responses, and traps sent and received.
To configure SNMP services, follow these steps:
1. Invoke the CNFNET procedure by entering the following command at the DCL prompt:
$ @TCPWARE:CNFNET SNMP
2. Edit the SNMP configuration file, as described in the next section.
3. Restart TCPware or SNMP.
The SNMP configuration file is SNMPD.CONF. The TCPWARE_ROOT directory includes this file.
The SNMP configuration file defines:
· Values for a subset of MIB management objects.
· Clients and communities who can access the SNMP agent.
· MIB access privileges for each client and community.
· Authentication Failure, Link Up, and Link Down traps' status.
· AgentX peer details
· SMUX peer details
The COMMUNITY, SMUX_PEER, and AGENTX_PEER statements in the SNMPD.CONF file can take an optional mask after the internet address. The mask should be separated from the internet address with a / (slash). Valid values are from 0 to 32, with 32 being the default. Even though the TRAPS community will accept a mask, it is not currently used.
COMMUNITY OURNET 192.168.1.10 write !implied /32
COMMUNITY OURMGR 192.168.1.0/24 read
Note: After editing the configuration, stop and restart the SNMP agent so that the changes can take effect.
If you do not edit the configuration file, the SNMP agent uses default values.
Follow these guidelines when entering data in the SNMP configuration file:
· Allow one line for each item.
· Enter information in any order; in upper- or lowercase.
· Enter variable string information (id-string and contact-name) in upper- or lowercase, depending on the operating system. Some SNMP clients in your network (such as those running UNIX) may require information in a specific case.
· Place quotation marks (" ") around strings that contain spaces or that occupy more than one line in the file.
· Use a pound sign (#) or an exclamation point (!) to denote comments. SNMP ignores all information following these characters. It treats the pound sign and exclamation point like regular characters if they appear within quotation marks ("").
To define the values of several MIB objects in the SNMP configuration file, use the corresponding keywords listed in the table below.
MIB object name... | Has keyword...
system.sysDescr | SYSDESCR
system.sysContact | SYSCONTACT
system.sysLocation | SYSLOCATION
if.ifTable.ifEntry.ifDescr and if.ifTable.ifEntry.ifSpeed | INTERFACE
system.sysServices | SYSSERVICES
The following paragraphs explain how you define each item.
The id-string should include the full name of the hardware, operating system, and networking software. For example:
SYSDESCR "AlphaServer 8400, VMS V7.3, Process Software TCPware for OpenVMS"
If you omit the id-string, TCPware tries to obtain this information from your current system. If the attempt fails, the default is System description is unknown.
The contact-name specifies the person to contact for the host, and how you can contact this person (such as by mailbox address). For example:
SYSCONTACT "John Smith, X 1234, smith@example.com"
The default is System contact is unknown at this time.
The system-location specifies the geographical location of the host. For example:
SYSLOCATION "959 Concord Street, Framingham, MA"
The default is: System location is unknown at this time.
The line-id specifies the line identification for the IP layer network device. The line-speed specifies the line speed in bits per second. The description specifies the manufacturer's name, product name, and hardware version for the interface. For example:
INTERFACE qna-1 10000000 "DELQA Ethernet Controller Version 1.0"
If you do not enter a description, TCPware tries to obtain one from your current system. If the attempt fails, the default is xxxxxxxx,0,Unknown.
The SNMP agent uses a default value of 72 for the system.sysServices MIB object (keyword SYSSERVICES). You can override this value in the configuration file. RFC 1213, Management Information Base for Network Management of TCP/IP-based Internets: MIB-II, explains how to calculate the value of services-set-number.
The SNMP configuration file must contain the following information for each client permitted access to the SNMP agent:
community-name | Specifies the name of the community to which the client belongs. This parameter is case-sensitive.
internet-address | Specifies the client's internet address. If you enter 0.0.0.0, any address can use the community.
mask | Specifies the number of bits in the internet address that must match the specified address. The default value is 32.
type | Defines the access profile as one of the following:
· READ-ONLY - The client can retrieve data from the MIB on this host
· READ-WRITE - The client can retrieve data from and write data to the MIB on this host
· TRAPS - The client will receive all enabled traps
COMMUNITY public 0.0.0.0 is defined as READ-ONLY if no other communities are defined. The below example shows some community parameters defined in the configuration file.
community northeast 192.168.4.56 READ-ONLY
community northeast 192.168.220.1 READ-WRITE
community southwest 192.168.23.1 READ-WRITE
community southwest 192.168.23.1 TRAPS
· Client 192.168.4.56 in the northeast community has READ-ONLY access to the MIB, while client 192.168.220.1 in the same community has READ-WRITE access.
· Client 192.168.23.1 belongs to the southwest community. This community has READ-WRITE access to the MIB and trap information will be sent to this client.
All traps that the SNMP agent supports are initially enabled. You can disable traps by editing the configuration file. These changes take effect the next time you start the agent. The below table shows how to disable traps.
Disable this trap... | By entering...
Authentication Failure | no-auth-traps
Link Up | no-link-traps
Link Down | no-link-traps
Note: SNMP clients can enable or disable the Authentication Failure Trap while the SNMP agent is running. These clients must have READ-WRITE community access.
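The following Python script is an added example, not part of TCPware or its documentation. It parses the COMMUNITY statements and trap keywords described above using the file's comment and quoting rules, resolves which access a given client address receives, and lists settings worth reviewing. The sample file is constructed; treating "write" as READ-WRITE and any 0.0.0.0 entry as matching every address are assumptions drawn from the examples and parameter descriptions on this page.

```python
import ipaddress
import shlex

SAMPLE_CONF = '''! constructed sample input, not a real SNMPD.CONF
syscontact "Ops desk! ext 1234
or pager #7"
community public   0.0.0.0        READ-ONLY
community netman   192.168.1.0/24 READ-WRITE  # whole subnet may write
no-auth-traps
'''
WRITE = {"READ-WRITE", "WRITE"}  # assumption: "write" in the mask example means READ-WRITE

def tokens(stmt):
    """Split a statement; '#' and '!' start a comment unless inside double quotes."""
    lex = shlex.shlex(stmt, posix=True)
    lex.whitespace_split, lex.commenters, lex.quotes, lex.escape = True, "#!", '"', ""
    return list(lex)

def parse(text):
    """Return (communities, flags): [(name, network, access)] and bare keywords."""
    communities, flags, buf = [], set(), ""
    for line in text.splitlines():
        buf += line
        try:
            t = tokens(buf)
        except ValueError:          # open quote: the string continues on the next line
            buf += "\n"
            continue
        buf = ""
        if len(t) >= 4 and t[0].upper() == "COMMUNITY":
            any_addr = t[2].split("/")[0] == "0.0.0.0"   # 0.0.0.0 = any address
            net = ipaddress.ip_network("0.0.0.0/0" if any_addr else t[2], strict=False)
            communities.append((t[1], net, t[3].upper()))  # no mask given -> /32
        elif len(t) == 1:
            flags.add(t[0].lower())
    return communities, flags

def access_for(communities, name, client_ip):
    """Access types granted to client_ip presenting community `name` (case-sensitive)."""
    ip = ipaddress.ip_address(client_ip)
    return {acc for n, net, acc in communities if n == name and ip in net}

def audit(text):
    """Return (subject, issue) pairs for settings that deserve review."""
    communities, flags = parse(text)
    out = []
    for name, net, acc in communities:
        if net.prefixlen == 0:
            out.append((name, "usable from any address"))
        if acc in WRITE and net.prefixlen < 32:
            out.append((name, f"write access for {net.num_addresses} addresses"))
    if "no-auth-traps" in flags:
        out.append(("no-auth-traps", "Authentication Failure traps disabled"))
    return out
```

Run `audit()` on a copy of SNMPD.CONF after each edit, and use `access_for()` to confirm that a management station's address maps to the access type you intended.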
To generate an SNMP trap, define the symbol:
$ TRAP_GEN :== $TCPWARE:TRAP_GEN
Then type:
$ TRAP_GEN ENTERPRISE GENERIC_TRAP SPECIFIC_TRAP [TRAP_SPECIFIC_VALUES....]
enterprise | Identifies the location in the MIB tree that this trap pertains to. An example would be: 1.3.6.1.4.105.3, denoting a location in Process Software's portion of the MIB tree.
generic_trap | An integer representing the generic trap value.
specific_trap | An integer representing the specific trap value.
trap_specific_values | Arbitrary strings separated by spaces that are passed to the agent receiving the trap as octet strings.
The TRAP_GEN program uses the trap community definitions in the TCPWARE:SNMPD.CONF file to determine where to send the trap.
By default, traps are sent out of the first interface configured on the system. To use a different interface, use the hostid parameter in the configuration file:
HostId 192.168.1.5
The HOSTID parameter is used to specify the IP address to use when sending traps on a system with multiple interfaces. The IP address specified in the HOSTID statement is checked against the addresses configured on the system.
The SNMP agent sends SNMP v1 traps by default. To send SNMP v2 traps by default instead, include V2TRAPS in the configuration file.
TCPware also provides a program that will listen for traps and format them for display. In order to invoke this program, run TCPWARE:TRAP_LISTEN. It prompts for an optional file to log information to (default is the terminal) and the port number to listen on (default is 162).
The SNMP Multiplexing (SMUX) protocol is an SNMP subagent extension protocol. Each subagent or peer registers a MIB subtree with the SNMP agent. Requests for objects residing in a registered MIB subtree are passed from the SNMP agent using the SMUX protocol to the subagent. The subagent passes the results of an SNMP query back to the SNMP agent. The practical limit to the number of peers is 30.
The SNMP server only accepts SMUX connections from peers listed by IP address in the SNMPD.CONF file.
To enable SMUX support, answer Yes to the appropriate question in @TCPWARE:CNFNET SNMP.
The SNMP agent listens on TCP port 199 for peer connections, while the connection to the SNMP client is over UDP port 161, with traps sent over UDP port 162. Multiple peers registering the same subtree are each assigned a priority, and the agent can send multiple variables in a single request. The SMUX protocol is described in RFC 1227. The mask specifies the number of bits in the internet address that must match the specified address. The default value is 32.
The AgentX protocol is an SNMP subagent extension protocol. Each subagent or peer registers a MIB subtree with the SNMP agent. Requests for objects residing in a registered MIB subtree are passed from the SNMP agent using the AgentX protocol to the subagent. The subagent passes the results of an SNMP query back to the SNMP agent.
The SNMP agent listens on TCP port 705 for subagent connections. The AgentX framework consists of a single processing entity called the master agent. This master agent, available on the standard transport address, sends and receives SNMP protocol messages in an agent role but has little or no direct access to management information. While some of the AgentX protocol messages appear similar in syntax and semantics to the SNMP, remember that AgentX is not SNMP. Refer to RFCs 2741 and 2742 for complete AgentX information. The SNMP server only accepts AgentX connections from peers listed in the SNMPD.CONF file. To enable AgentX support, answer Yes to the question “Do you want to activate the SNMP AgentX service on this host?” in @TCPWARE:CNFNET SNMP.
Then add AGENTX_PEER ip-address to the SNMPD.CONF file.
The SNMP server only accepts AgentX connections from peers listed by IP address in the SNMPD.CONF file. Use the following syntax in the file:
AGENTX_PEER ip-address
If you are developing an AgentX subagent and need to debug the packets being exchanged with the SNMP Agent, then define /system TCPWARE_SNMP_DEBUG 0%X40000 before starting SNMP.
In addition to SMUX and AgentX, TCPware's SNMP agent supports subagents serving private MIBs through an application programming interface (API). Under this scheme, to have a private MIB served by TCPware's SNMP agent, develop a shareable image that exports the API routines, in addition to any routines it needs for accessing the MIB variables. The SNMP API routines are described in Chapter 10 of the Programmer's Reference, SNMP Extensible Agent API Routines.
When the SNMP agent starts up, it creates a log file called TCPWARE:SNMPSERVER.LOG. This file contains information about the activities of the SNMP agent, such as:
· The time the agent starts up and shuts down.
· When SMUX peers open or close a connection, and register or de-register a MIB tree.
· Any errors found in the SNMP configuration file.
· Any errors that occur when the agent is running.
To reload the SNMP configuration:
$ @TCPWARE:RESTART SNMP
You can display SNMP information with the NETCU SHOW SNMP MIB_VARIABLE command. See the SHOW SNMP command in the TCPware NETCU Command Reference for information about this command.
SNMP services provides a TEMPLATE_SNMPD.CONF file in TCPWARE_COMMON:[TCPWARE] that you can use as a basis:
!
! SNMP Agent (SNMPD) Configuration File (template)
!
! System description: sysdescr <id string>
! Typically the id string would include:
! VAX cpu model (such as MicroVAX II, VAX 8650, etc)
! VMS and version number
! "Process Software, TCPware for OpenVMS Version 8.3"
!
sysdescr "place system description string here"
!
! System Contact: syscontact <contact name>
!
syscontact "place name, phone number, and mail address of administrator
here"
!
! System Location: syslocation <location>
!
syslocation "place system location information here"
!
! Line Interfaces Information: interface <line-id><line speed>
! <description>
! Note: You usually need not define these. SNMPD provides good defaults.
!
!interface una-0 10000000 "DEC DELUA Ethernet controller"
!
! Communities:
! community <community name><internet address><READ-ONLY|READ-WRITE|TRAPS>
!
community readers 1.2.3.4 READ-ONLY
community netman 223.95.45.3 READ-WRITE
community nettraps 223.49.45.3 TRAPS
!
! To disable authentication traps, remove the "!" from the following line.
!no-auth-traps
!
! To disable link status traps, remove the "!" from the following line.
!no-link-traps
!
! SMUX Peers:
! SMUX_PEER <ip-address>
SMUX_PEER 1.2.5.4
SMUX_PEER 1.0.5.6
!
! Agent X Peers:
! AGENTX_PEER <ip-address>
AGENTX_PEER 127.0.0.1
AGENTX_PEER 192.168.1.1