SNMP (Simple Network Management Protocol) is an important network management protocol on TCP / IP networks, implementing network management by exchanging packets on the network. The SNMP protocol provides the possibility of centralized management of large networks. Its goal is to ensure the management information is transmitted between any two points. SNMP is convenient for the network administrator to retrieve information from any node on the network, make modifications, find faults, and complete fault diagnosis, capacity planning and report generation.
SNMP structure is divided into two parts: NMS and Agent.NMS (Network Management Station) is a workstation that runs client programs while Agent is a server-side software running on a network device. The NMS can forward GetRequest, GetNextRequest, and SetRequest packets to the Agent. Upon receiving the NMS request message, the agent performs Read or Write operations according to the packet type and generates a Response packet to return to the NMS. On the other hand, when the device encounters an abnormal event such as hot / cold start, the agent will forward a trap packet to NMS to report the events.
The system supports SNMP v1, SNMP v2c and SNMP v3. SNMP V1 provides a simple authentication mechanism, does not support the administrator-to-manager communications, andv1 Trap has no confirmation mechanism.V2c enhanced v1 management model (on security), management information structure, protocol operation, manager and communication ability between managers to increase the creation and deletion of the table, the communication ability between managers, reducing the storage side of the agent.V3 implements the user authentication mechanism and packet encryption mechanism, which greatly improves the security of the SNMP protocol.
This function cooperates with the network management software to log on to the OLT and manage the OLT.
11.2 Configuring the Basic Parameters
Configuring the Basic Parametersoperation command remark
Enter global configuration
mode configure terminal required
Enable/disable SNMP snmp-server [ enable | disable ] optional. Enabled by default. Configure sysContact [no] snmp-server contact syscontact optional, with
default parameters Display sysContact
configuration show snmp contact optional
Configure sysLocation [no] snmp-server locationsyslocation optional, with default parameters Display sysLocation
configuration show snmp location optional
Configure sysName [no] snmp-server name sysname optional, with default parameters
Display sysName configuration show snmp name optional
Configure maximum length of
snmp protocol packets [no] snmp-server max-packet-length length optional Display the mib node
137
Note:
1. The device that does not use the configuration command of snmp-server [ enable | disable ] does not need to be configured. It is enabled by default and can not be disabled.
11.3 Configure the Community Name
SNMP adopts the community name authentication scheme. SNMP packets that do not match the community name will be discarded. SNMP community is named by a string, known as the community name. Different communities can have read-only or read-write access permission. A community with read-only access can only query system information. However, in addition to query the system information, the community with read-write access permission can perform the system configuration. It defaults to no community name.
Configure the Community Name
operation command remark
Enter global configuration
mode configure terminal required
Configure whether to display the community name
encrypted or not snmp-server community encrypt { enable | disable }
Optional; The default is not
encrypted. Configure the community
name
snmp-server community name { ro | rw } { permit | deny } [view view-name]
Optional; The iso view is used
by default.
Display the community name show snmp community optional, with
default parameter Remove the community
name no snmp-server community community- index optional
Note:
1.The community name encryption function is irreversible. That is, after the encryption is configured, if the encryption function is disabled, the previously encrypted community will not become a plain text, and only the newly configured community will be encrypted.
11.4 Configure the Group
This configuration task can be used to configure an access control group. By default, there are two snmpv3 groups: (1) The initial group with the security level of auth;(2)The initial group with the security level of noauthpriv(No authentication is required and no encryption is required)
Configure the Group
operation command remark
Enter global
configuration mode configure terminal required
Configure the group snmp-server group view write write-viewgroup-name notify notify-view 3 [auth | noauth | priv] read read- required Configure the context
of the group [no]snmp-server group group-name 3 context context-name optional Display the group
configuration show snmp group [ group-name ] optional
Note:
1.In the configuration control group, the write-view and the notify-view have no default values, so you must enter the view name in the configuration. readview defaults to iso and the security level defaults to auth.
138
11.5 Configure the User
It is used to configure the user for the local engine or for the remote engine that can be identified. By default, the following users exist: (1)initialmd5, (2) initialsha, (3) initialnone.
The above three users are reserved for the system and cannot be used by the user. When configuring a user, you need to ensure that the engine to which this user belongs is identifiable. When an identifiable engine is deleted, the users it contains are also deleted.
Configure the User
operation command remark
Enter global configuration
mode configure terminal required
Configure whether the display of password is encrypted or not
snmp-server encrypt { enable | disable } The default isOptional; encryption Configure the user
snmp-server user usernamegroupname [ remote ipaddress [ udp-port port-number] ] [ auth { md5 | sha } { auth- password authpassword | auth-key authkey } [ priv des priv- key { auth-key privkey | auth-password privpassword } ]]
required Remove the user no snmp-server user port-number ] ] username [ remote ipaddress [ udp-port optional Display the user
configuration show snmp user [username] optional
Note:
1.remote ipaddress [ udp-port port-number] :It means to configure the remote engine user. If you do not enter, it means to configure the local engine user. It defaults to local engine user. Port is the remote engine port number; if you do not enter, the default port number is 162.
3. There are three levels of user privilege levels: a.:noauthpriv (No authentication is required and no encryption is required), It is the default configuration;b.auth(Authentication is required but not encrypted);c.authpriv(It requires authentication and encryption). The user's security level must be the same as the corresponding group security group.
11.6 Configure the Views
It is used to configure the views available to access control and the subtrees that they contain. The iso, internet, and sysview exist by default. Delete and modify the internet is not supported.
Configure the Views
operation command remark
Enter global
configuration mode configure terminal required
Configure the views snmp-server view view-nameoid-tree { included | excluded } required Remove the views no snmp-server view view-name [ oid-tree ] optional Display the views
configuration show snmp view view-name optional
11.7 Configure SNMP Notification
Configure SNMP Notification
139
Enter global
configuration mode configure terminal required
Configure the source IP of the notification packets
[no]snmp-server trap-source { loopback-interface |vlan-interface |
supervlan-interface } if-id optional
Enable notification
function [no]snmp-server enable [ [ informs | traps ] [ bridge | gbn | gbnsavecfg | interfaces | rmon | snmp ] ] required Display notification
configuration show snmp notify optional
Configure to notify the destination host
[no]snmp-server host ipaddress [version {1 | 2c | 3 [auth | noauthpriv | priv ] } security-name [ udp-port port-number] [ notify-type [ bridge | gbn | gbnsavecfg | interfaces | rmon | snmp ] ]
required
Display the
configuration of notification host
show snmp host optional
11.8 Configure Engine ID
It is used to configure the engine id of the local snmp and the engine id of the remote snmp. The local engine id defaults to 134640000000000000000000, and it can be modified but cannot be deleted. The remote engine id can be added and removed. By default, the remote engine id is not identified. Once an identifiable remote engine is deleted, its corresponding users will also be deleted. The maximum number of configurable remote engines is 32.This command uses the command of no to restore the default local engine id or delete the remote engine id.
Configure Engine ID
operation command remark
Enter global
configuration mode configure terminal required
Configure engineid snmp-server engineid { local port-number] engine-id } engine-id | remote ipaddress [ udp-port optional Display engineid
configuration show snmp engineid { local | remote } [ id ] optional Remove engineid no snmp-server engineid { local | remote ipaddress port-number } optional
11.9 Configuration Example for Snmp
1.Network requirementsBefore accessing the OLT with the mib-browser, make sure that the mib-browser terminal is able to communicate with the OLT properly.
a. Configure the community test2, and then make the mib-browser accesses the OLT through snmp v1 / v2;
b. Configure group name g3, user name u3, security levels are auth, make mib-browser access OLT through the snmp v3;
c. Configure snmp notice. Notify v2 and v3 respectively; 2.Configuration steps
#Enable snmp(There is no need to configure a device without this command) OptiWay(config)#snmp-server enable
#Configure the community test2, mib-browser accesses the OLT through snmp v1 / v2 OptiWay(config)#snmp-server community test2 rw permit view iso
#Configure the group name g3, the user name u3, the security levels are auth, mib-browser can access the OLT through snmp v3.
140
OptiWay(config)#snmp-server group g3 3 auth notify iso read iso write iso OptiWay(config)#snmp-server user u3 g3 auth md5 auth-password password OptiWay(config)#show snmp group g3 groupname: g3 securitymodel: 3 auth readview: iso writeview: iso notifyview: iso context: default value(NULL) OptiWay(config)#show snmp user u3
User name: u3
Engine ID: 134640000000000000000000 Authentication Protocol: HMACMD5AuthProtocol Group-name: g3
Validation: valid
# Configure the notification function #Enable the notification function
OptiWay(config)#snmp-server enable traps #configure to notify the host
OptiWay(config)#snmp-server host 192.168.1.10 version 2 test2 OptiWay(config)#snmp-server host 192.168.1.10 version 3 auth u3
141