Notes: SNMP network management in practice
Introduction:
The Simple Network Management Protocol (SNMP) is the standard protocol for managing the various devices on an IP network.
The core of SNMP is a small set of operations that let administrators monitor and control SNMP-capable devices. It is most commonly used to manage routers.
SNMP is also the basis on which Remote Network Monitoring (RMON) is built.
The benefit of SNMP is that you can keep watching the network even when you are not on site. It lets you keep records that show the network is operating normally, and that document the actions you took while a problem was developing.
Staffing:
Setting up a network management system means more staff to absorb the extra load of maintaining and operating that environment, although once the monitoring is in place it usually lightens the load on the system administrators. You will need:
People to maintain the management station. They configure it so that it can handle the events sent to it by SNMP-capable devices.
People to maintain the SNMP-capable devices. They make sure the workstations and servers can talk to the management station.
People to watch and repair the network. This group is usually called the Network Operations Center (NOC) and is staffed around the clock.
Managers and agents
SNMP uses UDP as the transport protocol for carrying data between the manager and the agent.
The agent listens on UDP port 161 for requests and answers them from that port; the manager listens on UDP port 162 for the trap messages sent by managed devices.
SNMPv1 and SNMPv2c base the trust relationship between manager and agent on the concept of a community. SNMPv3 fixes most of these security problems: it replaces community strings with named users that are authenticated and whose traffic can be encrypted, so it is configured through a separate procedure (see the SNMPv3 section below).
An agent can be configured with three community names: read-only, read-write and trap. A community name (or string) is essentially a password, and there is no real difference between a community string and the password used to log in to a computer account, except that in SNMPv1/v2c the community string is sent in clear text in every packet.
Most vendors ship devices with preset community strings, normally public for the read-only community and private for the read-write community; these defaults must be changed before the device goes into service.
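The packet format behind the ports and community strings described above, as an added example that is not part of these notes or of net-snmp: a minimal BER encoder and decoder for the SNMPv1 GetRequest for sysUpTime.0 with community public. The request bytes are what `snmpget -v1 -c public HOST sysUpTime.0` sends to UDP/161; the response is constructed here with the uptime value that appears in the command examples later in these notes, not captured traffic. The request id 12345 and the query_agent helper are the example's own choices.

```python
"""Hand-built SNMPv1 GetRequest/GetResponse in BER (added example, not net-snmp code).

Shows that the community string is an ordinary OCTET STRING sent in clear text and
that the agent's reply is nothing more than BER-encoded integers, OIDs and values.
"""
import socket

# ASN.1/BER tags used by SNMPv1 (RFC 1155 / RFC 1157)
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2      # context-specific constructed [0] / [2]
TIMETICKS = 0x43                            # [APPLICATION 3] IMPLICIT INTEGER
SYS_UPTIME_0 = (1, 3, 6, 1, 2, 1, 1, 3, 0)  # SNMPv2-MIB::sysUpTime.0


def ber_len(n):
    """BER length octets: short form below 128, long form 0x8N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def enc_int(n, tag=INTEGER):
    """Minimal-length two's-complement INTEGER; Timeticks reuses it with its own tag."""
    length = 1
    while not -(1 << (8 * length - 1)) <= n < (1 << (8 * length - 1)):
        length += 1
    return tlv(tag, n.to_bytes(length, "big", signed=True))


def enc_oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs base-128."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def build_message(community, pdu_tag, request_id, varbinds):
    """varbinds: list of (oid_arcs, encoded value bytes). Version field 0 means SNMPv1."""
    vbl = b"".join(tlv(SEQUENCE, enc_oid(oid) + val) for oid, val in varbinds)
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(SEQUENCE, vbl))
    return tlv(SEQUENCE, enc_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)


def parse_tlv(buf, pos=0):
    """Return (tag, value, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dec_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return tuple(arcs)


def parse_message(packet):
    """Decode an SNMPv1 message into a dict; INTEGER and Timeticks values become ints."""
    _, body, _ = parse_tlv(packet)
    _, ver, pos = parse_tlv(body)
    _, comm, pos = parse_tlv(body, pos)
    pdu_tag, pdu, _ = parse_tlv(body, pos)
    _, rid, pos = parse_tlv(pdu)
    _, err, pos = parse_tlv(pdu, pos)
    _, _idx, pos = parse_tlv(pdu, pos)
    _, vbl, _ = parse_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = parse_tlv(vbl, pos)
        _, oid, p = parse_tlv(vb)
        vtag, val, _ = parse_tlv(vb, p)
        if vtag in (INTEGER, TIMETICKS):
            val = int.from_bytes(val, "big", signed=True)
        varbinds.append((dec_oid(oid), vtag, val))
    as_int = lambda v: int.from_bytes(v, "big", signed=True)
    return {"version": as_int(ver), "community": comm.decode(), "pdu_type": pdu_tag,
            "request_id": as_int(rid), "error_status": as_int(err), "varbinds": varbinds}


def format_timeticks(ticks):
    """Render hundredths of a second the way snmpget prints a Timeticks value."""
    days, rem = divmod(ticks, 8640000)
    hours, rem = divmod(rem, 360000)
    minutes, rem = divmod(rem, 6000)
    seconds, cents = divmod(rem, 100)
    prefix = "" if days == 0 else f"{days} day{'s' if days > 1 else ''}, "
    return f"Timeticks: ({ticks}) {prefix}{hours}:{minutes:02d}:{seconds:02d}.{cents:02d}"


def query_agent(host, packet, timeout=2.0):
    """Send to the agent's UDP/161 and return the raw reply (needs a reachable agent)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, 161))
        return s.recvfrom(65535)[0]


if __name__ == "__main__":
    req = build_message("public", GET_REQUEST, 12345, [(SYS_UPTIME_0, tlv(NULL, b""))])
    print(req.hex(" "))             # the bytes 70 75 62 6c 69 63 ('public') are plainly visible
    print(b"public" in req)         # True: a v1/v2c community is a password sent in the clear
    # Reply constructed here with the uptime from these notes (not captured traffic):
    rsp = build_message("public", GET_RESPONSE, 12345, [(SYS_UPTIME_0, enc_int(56002, TIMETICKS))])
    oid, tag, ticks = parse_message(rsp)["varbinds"][0]
    print(".".join(map(str, oid)), "=", format_timeticks(ticks))
```

Anyone on the path between manager and agent can read the community out of the request exactly as this code does, which is why the later sections restrict community access by source address and move writes to SNMPv3.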
Software in use: net-snmp
snmp (PHP snmp extension source, from the ports build tree): /usr/ports/www/mod_php4/work/php-4.3.4RC1/ext/snmp
http://net-snmp.sourceforge.net/
Configuring the SNMP agent
Parameters
All SNMP devices share the following configurable parameters:
sysLocation: the physical location of the monitored device. It is defined in RFC 1213 (MIB-II).
sysContact: the primary contact person for the device being queried.
sysName: should be set to the fully qualified domain name of the managed device.
Community strings for read-only and read-write access (and the community string used in trap messages).
Trap destinations: where the agent sends its trap messages.
Run the configuration script (the result is shown in Appendix 1, Configuration result (corrected)):
/usr/local/bin/snmpconf -g basic_setup
Or write the configuration by hand:
ee /usr/local/share/snmp/snmpd.conf
and enter the following (configuration tokens are matched case-insensitively):
sysLocation cyr_home
sysContact root@localhost
sysName cyr.idv.tw
rwcommunity private
rocommunity public
authtrapenable 1
trapcommunity trapsRus
trapsink localhost
trap2sink localhost
Stop snmpd:
/usr/local/etc/rc.d/snmpd.sh stop
Start snmpd:
/usr/local/etc/rc.d/snmpd.sh start
How to set up access control in snmpd.conf
The simplest method is to use directives such as:
rocommunity public (for SNMPv1/2c)
rwcommunity private
or
rouser user1 (for SNMPv3)
rwuser user2
public, private, user1 and user2 can be replaced by any names you choose.
For finer-grained control there are four further configuration keywords:
'com2sec', 'group', 'view', and 'access'
Explained as follows:
access: specifies which group may access the MIB tree from a given position, and through which views. It takes 8 parameters, most of which are normally left at their defaults; syntax:
access {group} "" any noauth exact {read-tree} {write-tree} {notify-tree}
The items in braces must be defined elsewhere in the file.
view: gives a name to a position (subtree) in the MIB tree; syntax:
view {name} included/excluded {subtree} {mask}
A view name is used only inside the configuration file.
group: maps a security name, together with its security model (v1, v2c or usm), to a group name, which is the name the access lines refer to; syntax:
group {name} {v1|v2c|usm} {securityName}
com2sec: maps a traditional community string, qualified by the source address of the request, to a security name; syntax:
com2sec {securityName} {source} {community}
Creating SNMPv3 users (/usr/local/share/snmp/snmpd.conf):
Add the following line to the snmpd.conf file:
createUser {myUser} MD5 {myPassword} DES
then (re)start the snmpd agent (see the stop and start commands above).
This creates the new user: the agent removes the createUser line and replaces it with a usmUser entry that holds derived keys rather than the password. Note that the agent only rewrites its persistent configuration file (/var/net-snmp/snmpd.conf by default), so a createUser line left in the main snmpd.conf keeps the password in clear text there. MD5 and DES are the legacy algorithms; use SHA and AES where both agent and manager support them, and remember that a USM passphrase must be at least 8 characters long.
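A check on the access-control lines covered in the three sections above (the community and trap settings, the simple rocommunity/rwcommunity and rouser/rwuser directives, and the SNMPv3 createUser line). This is an added example, not net-snmp code: it reads an snmpd.conf text and flags vendor-default community names, communities without a source restriction, SNMPv3 users at noauth, legacy MD5/DES, and misspelled tokens, which snmpd only logs as an unknown token and then ignores, so the access you meant to configure never takes effect. The two sample configurations are constructed here, modelled on the hand-written snmpd.conf above; the community names and the 192.0.2.10 management-station address are placeholders.

```python
"""Audit snmpd.conf access-control lines for common weaknesses (added example, not net-snmp code).

Understands only the tokens used in these notes. snmpd matches tokens case-insensitively,
and a token it does not know is merely logged as "Unknown token" and skipped.
"""

KNOWN_TOKENS = {"rocommunity", "rwcommunity", "rouser", "rwuser", "com2sec", "group",
                "view", "access", "createuser", "trapcommunity", "trapsink", "trap2sink",
                "informsink", "authtrapenable", "syslocation", "syscontact", "sysname",
                "sysservices", "proc", "disk", "load", "file"}
DEFAULT_COMMUNITIES = {"public", "private"}   # what every vendor ships and every scanner tries


def audit_snmpd_conf(text):
    """Return findings as (line_number, severity, message); [] means nothing was flagged."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        token, *args = line.split()
        tok, name = token.lower(), (args[0] if args else "?")
        if tok not in KNOWN_TOKENS:
            findings.append((no, "HIGH", f"unknown token {token!r}: snmpd ignores this line"))
        elif tok in ("rocommunity", "rwcommunity", "com2sec"):
            # rocommunity COMMUNITY [SOURCE [OID]]        com2sec NAME SOURCE COMMUNITY
            if tok == "com2sec":
                source, community = (args + ["", ""])[1:3]
            else:
                community, source = name, (args[1] if len(args) > 1 else "default")
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((no, "HIGH", f"{token} uses vendor default community {community!r}"))
            if source in ("default", "0.0.0.0/0"):
                sev = "HIGH" if tok == "rwcommunity" else "MEDIUM"
                findings.append((no, sev, f"{token} {community!r} accepts requests from any source"))
        elif tok in ("rouser", "rwuser"):
            # rouser USER [noauth|auth|priv] [OID]; net-snmp's default minimum level is auth
            if len(args) > 1 and args[1] == "noauth":
                findings.append((no, "HIGH", f"{token} {name!r} allows unauthenticated SNMPv3"))
        elif tok == "createuser":
            # createUser NAME [AUTHPROTO AUTHPASS [PRIVPROTO [PRIVPASS]]]
            findings.append((no, "INFO", "createUser here leaves the passphrase in clear text; "
                             "put it in the persistent snmpd.conf, which the agent rewrites"))
            if len(args) < 3:
                findings.append((no, "HIGH", f"user {name!r} has no authentication"))
            else:
                if args[1].upper() == "MD5":
                    findings.append((no, "MEDIUM", f"user {name!r}: MD5 is legacy, prefer SHA"))
                if len(args[2].strip('"')) < 8:
                    findings.append((no, "HIGH", f"user {name!r}: USM passphrases need 8+ chars"))
                if len(args) < 4:
                    findings.append((no, "MEDIUM", f"user {name!r}: no privacy, payload in clear"))
                elif args[3].upper() == "DES":
                    findings.append((no, "MEDIUM", f"user {name!r}: DES is legacy, prefer AES"))
    return findings


# Constructed sample modelled on the hand-written snmpd.conf in these notes, misspellings kept.
WEAK_CONF = """\
sysLocation cyr_home
sysContact root@localhost
sysName cyr.idv.tw
rwcomminity private
rocomminity public
rocommunity public
authtrapenable 1
trapcomminity trapsRus
trapsink localhost
createUser myUser MD5 myPassword DES
rwuser myUser noauth
"""

# Constructed hardened counterpart: non-default names, v2c read-only access only from the
# management station (192.0.2.10 is a documentation address), writes only over SNMPv3 with
# auth and privacy. No createUser line: it belongs in the persistent snmpd.conf instead.
HARDENED_CONF = """\
sysLocation cyr_home
sysContact root@localhost
sysName cyr.idv.tw
rocommunity r0-nms-2024 192.0.2.10/32
rwuser cyr priv
authtrapenable 1
trapcommunity tr4p-nms-2024
trap2sink 192.0.2.10
"""

if __name__ == "__main__":
    for no, sev, msg in audit_snmpd_conf(WEAK_CONF):
        print(f"line {no:2d} {sev:6s} {msg}")
    print("hardened:", audit_snmpd_conf(HARDENED_CONF) or "no findings")
```

Run it against the real file with `audit_snmpd_conf(open("/usr/local/share/snmp/snmpd.conf").read())`; the unknown-token check alone would have caught the three misspelled community tokens in the hand-written configuration above.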
Programs provided by net-snmp
BIN
snmpbulkwalk
snmpget
snmpgetnext
snmpnetstat
snmpset
snmpstatus
snmptest
snmptranslate
snmptrap
snmpwalk
SBIN
snmpd
snmptrapd
Command examples:
snmpwalk -v1 -c public localhost ucdavis
snmpwalk -v1 -c public localhost system
snmpwalk -v1 -c public pin0513.idv.tw. system
snmpget -m ALL -v1 -c public localhost sysUpTime.0
snmpget -v1 -c public myhost system.sysUpTime.0
snmpget -v 2c -c public localhost sysUpTime.0
snmpget -v1 -c public pin0513.idv.tw. system.sysUpTime.0
SNMPv2-MIB::sysUpTime.0 = Timeticks: (56002) 0:09:20.02
Note that snmpget needs the instance suffix .0 for a scalar such as sysUpTime; without it the agent answers that no such instance exists.
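The commands above are usually driven from scripts, so the following added example (not part of these notes or of net-snmp) parses the output format shown into typed values, including the untyped error line snmpget prints when a scalar is requested without its .0 instance. The sample output is constructed here in net-snmp's default output format; the sysUpTime line is the one from these notes and the other values are placeholders.

```python
"""Parse snmpget/snmpwalk output into typed Python values (added example, not net-snmp code)."""
import re

# "<MIB>::<object>.<instance> = <TYPE>: <value>"; agent error replies carry no "<TYPE>: " part
LINE_RE = re.compile(r"^(?P<name>\S+) = (?:(?P<type>[A-Za-z0-9-]+): )?(?P<value>.*)$")
INT_TYPES = {"INTEGER", "Counter32", "Counter64", "Gauge32", "Unsigned32"}


def parse_line(line):
    """Return (name, type, value); type is 'error' for agent errors, None if not a varbind line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name, typ, value = m.group("name"), m.group("type"), m.group("value").strip()
    if typ is None:
        return name, "error", value          # e.g. No Such Instance currently exists at this OID
    if typ in INT_TYPES:
        return name, typ, int(re.search(r"-?\d+", value).group())   # also handles enums: up(1)
    if typ == "Timeticks":
        return name, typ, int(re.match(r"\((\d+)\)", value).group(1))  # hundredths of a second
    if typ == "Hex-STRING":
        return name, typ, bytes.fromhex(value)
    if typ == "STRING":
        return name, typ, value.strip('"')
    return name, typ, value                   # OID, IpAddress, ...: kept as printed


def parse_output(text):
    """Split output into {name: (type, value)} and {name: error_text}."""
    values, errors = {}, {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        name, typ, value = rec
        if typ == "error":
            errors[name] = value
        else:
            values[name] = (typ, value)
    return values, errors


def uptime_seconds(values):
    """sysUpTime.0 in whole seconds, or None when the walk did not return it."""
    rec = values.get("SNMPv2-MIB::sysUpTime.0")
    return None if rec is None else rec[1] // 100


# Constructed sample in net-snmp's default output format; only the sysUpTime line is from the notes.
SAMPLE = """\
SNMPv2-MIB::sysDescr.0 = STRING: FreeBSD cyr.idv.tw
SNMPv2-MIB::sysUpTime.0 = Timeticks: (56002) 0:09:20.02
SNMPv2-MIB::sysContact.0 = STRING: root@localhost
SNMPv2-MIB::sysName.0 = STRING: cyr.idv.tw
SNMPv2-MIB::sysLocation.0 = STRING: cyr_home
SNMPv2-MIB::sysServices.0 = INTEGER: 79
IF-MIB::ifAdminStatus.1 = INTEGER: up(1)
IF-MIB::ifPhysAddress.2 = Hex-STRING: 00 0C 29 AB CD EF
SNMPv2-MIB::sysUpTime = No Such Instance currently exists at this OID
"""

if __name__ == "__main__":
    values, errors = parse_output(SAMPLE)
    for name, (typ, value) in values.items():
        print(f"{name:32s} {typ:11s} {value!r}")
    print("uptime seconds:", uptime_seconds(values))
    print("errors:", errors)   # the query without .0 shows up here, not as a value
```

Feed it the real output with `parse_output(subprocess.run([...], capture_output=True, text=True).stdout)`; keeping errors separate from values stops a missing-instance reply from being mistaken for a zero or empty reading.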
Explanation of the MIB-II groups:
system        1.3.6.1.2.1.1   objects about the operation of the system, such as its name and uptime
interfaces    1.3.6.1.2.1.2   tracks each interface on the managed entity
at            1.3.6.1.2.1.3   address translation; deprecated
ip            1.3.6.1.2.1.4   IP statistics and tables
icmp          1.3.6.1.2.1.5   ICMP statistics
tcp           1.3.6.1.2.1.6   state of TCP connections and related statistics
udp           1.3.6.1.2.1.7   UDP statistics
egp           1.3.6.1.2.1.8   various EGP statistics
transmission  1.3.6.1.2.1.10  no objects defined directly in MIB-II; media-specific transmission MIBs are registered beneath it
snmp          1.3.6.1.2.1.11  measures the performance of the SNMP implementation on the managed entity
Appendix 1: Configuration result (corrected)
###########################################################################
#
# snmpd.conf
#
# - created by the snmpconf configuration program
#
###########################################################################
# SECTION: System Information Setup
#
# This section defines some of the information reported in
# the "system" mib group in the mibII tree.
# syslocation: The [typically physical] location of the system.
# Note that setting this value here means that when trying to
# perform an snmp SET operation to the sysLocation.0 variable will make
# the agent return the "notWritable" error code. IE, including
# this token in the snmpd.conf file will disable write access to
# the variable.
# arguments: location_string
syslocation nyust_mis
# syscontact: The contact information for the administrator
# Note that setting this value here means that when trying to
# perform an snmp SET operation to the sysContact.0 variable will make
# the agent return the "notWritable" error code. IE, including
# this token in the snmpd.conf file will disable write access to
# the variable.
# arguments: contact_string
syscontact root@localhost
# sysservices: The proper value for the sysServices object.
# arguments: sysservices_number
sysservices 79
###########################################################################
# SECTION: Access Control Setup
#
# This section defines who is allowed to talk to your running
# snmp agent.
# rwuser: a SNMPv3 read-write user
# arguments: user [noauth|auth|priv] [restriction_oid]
rwuser cyr
rwuser pin
# rouser: a SNMPv3 read-only user
# arguments: user [noauth|auth|priv] [restriction_oid]
rouser public
# rocommunity: a SNMPv1/SNMPv2c read-only access community name
# arguments: community [default|hostname|network/bits] [oid]
# NOTE: 0.0.0.0/32 is the single address 0.0.0.0, not "any host"; to allow only the
# management station, give its address or network/bits here instead.
rocommunity public 0.0.0.0/32
# rwcommunity: a SNMPv1/SNMPv2c read-write access community name
# arguments: community [default|hostname|network/bits] [oid]
# NOTE: no source restriction, so anyone who knows this community can write from any
# address; add network/bits here or use an SNMPv3 rwuser instead.
rwcommunity cyr
###########################################################################
# SECTION: Trap Destinations
#
# Here we define who the agent will send traps to.
# trapsink: A SNMPv1 trap receiver
# arguments: host [community] [portnum]
trapsink pin0513.idv.tw.
# trap2sink: A SNMPv2c trap receiver
# arguments: host [community] [portnum]
trap2sink pin0513.idv.tw.
# informsink: A SNMPv2c inform (acknowledged trap) receiver
# arguments: host [community] [portnum]
informsink pin0513.idv.tw.
# trapcommunity: Default trap sink community to use
# arguments: community-string
trapcommunity traps
# authtrapenable: Should we send traps when authentication failures occur
# arguments: 1 | 2 (1 = yes, 2 = no)
authtrapenable 1
###########################################################################
# SECTION: Monitor Various Aspects of the Running Host
#
# The following check up on various aspects of a host.
# proc: Check for processes that should be running.
# proc NAME [MAX=0] [MIN=0]
#
# NAME: the name of the process to check for. It must match
# exactly (ie, http will not find httpd processes).
# MAX: the maximum number allowed to be running. Defaults to 0.
# MIN: the minimum number to be running. Defaults to 0.
#
# The results are reported in the prTable section of the UCD-SNMP-MIB tree
# Special Case: When the min and max numbers are both 0, it assumes
# you want a max of infinity and a min of 1.
# proc
# disk: Check for disk space usage of a partition.
# The agent can check the amount of available disk space, and make
# sure it is above a set limit.
#
# disk PATH [MIN=100000]
#
# PATH: mount path to the disk in question.
# MIN: Disks with space below this value will have the Mib's errorFlag set.
# Can be a raw byte value or a percentage followed by the %
# symbol. Default value = 100000.
#
# The results are reported in the dskTable section of the UCD-SNMP-MIB tree
# disk
# load: Check for unreasonable load average values.
# Watch the load average levels on the machine.
#
# load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0]
#
# 1MAX: If the 1 minute load average is above this limit at query
# time, the errorFlag will be set.
# 5MAX: Similar, but for 5 min average.
# 15MAX: Similar, but for 15 min average.
#
# The results are reported in the laTable section of the UCD-SNMP-MIB tree
load 12.0 12.0 12.0
# file: Check on the size of a file.
# Display a files size statistics.
# If it grows to be too large, report an error about it.
#
# file /path/to/file [maxsize_in_bytes]
#
# if maxsize is not specified, assume only size reporting is needed.
#
# The results are reported in the fileTable section of the UCD-SNMP-MIB tree
# file