SNMP
Posted on 2008-01-26 21:01

SNMP configuration on Cisco router
===========
Enable SNMP

! Method one
snmp-server group ispsnmp v1
snmp-server user jianglei ispsnmp v1
snmp-server group isprouter v2c
snmp-server user johnny isprouter v2c
! Method Two
snmp-server community snmpserver RO 1
Basically, we use the default view, which gives us permission to walk the full Cisco MIB tree. We can also define our own view to restrict what the SNMP NMS can access.

groupname: ispsnmp                          security model:v1
readview : v1default                        writeview:
notifyview:
row status: active
groupname: isprouter                        security model:v2c
readview : v1default                        writeview:
notifyview:
row status: active
groupname: snmpserver                       security model:v1
readview : v1default                        writeview:
notifyview:
row status: active      access-list: 1
groupname: snmpserver                       security model:v2c
readview : v1default                        writeview:
notifyview:
row status: active      access-list: 1
isp#sh snmp view
*ilmi system - included permanent active
*ilmi atmForumUni - included permanent active
v1default iso - included permanent active
v1default internet.6.3.15 - excluded volatile active
v1default internet.6.3.16 - excluded volatile active
v1default internet.6.3.18 - excluded volatile active
v1default ciscoMgmt.394 - excluded volatile active
v1default ciscoMgmt.395 - excluded volatile active
v1default ciscoMgmt.399 - excluded volatile active
v1default ciscoMgmt.400 - excluded volatile active
isp#
snmp-server view Orionro system included
snmp-server group ispsnmp v1 read Orionro
!
snmp-server community snmpserver view Orionro RO 1
isp#sh snmp view
*ilmi system - included permanent active
*ilmi atmForumUni - included permanent active
Orionro system - included nonvolatile active
v1default iso - included permanent active
v1default internet.6.3.15 - excluded volatile active
v1default internet.6.3.16 - excluded volatile active
v1default internet.6.3.18 - excluded volatile active
v1default ciscoMgmt.394 - excluded volatile active
v1default ciscoMgmt.395 - excluded volatile active
v1default ciscoMgmt.399 - excluded volatile active
v1default ciscoMgmt.400 - excluded volatile active
groupname: snmpserver                       security model:v1
readview : Orionro                          writeview:
notifyview:
row status: active      access-list: 1

SNMP Interface Index

[Quote]
Most engineers do not understand that the internal SNMP
interface numbers assigned by the router are not stable. That is, the SNMP
interface numbers are prone to change after router reboot, especially if you add
or remove logical interfaces (i.e., subinterfaces) or physical modules.
This issue has plagued many administrators and software vendors
for years. The problem is that most network performance software packages poll
for interface data by using the unique interface number assigned by the router.
However, if these numbers change after a router reboots, then the performance
data becomes meaningless, since there is no guarantee that you are still polling
the same interface. Most high-end SNMP performance software companies have built
"fixes" to circumvent this exact issue.
isp(config)#snmp-server ifindex persist
isp#sh snmp mib ifmib ifindex
FastEthernet0/0: Ifindex = 1
Null0: Ifindex = 6
Serial1/0: Ifindex = 2
Serial1/1: Ifindex = 3
Serial1/2: Ifindex = 4
Serial1/3: Ifindex = 5

SNMP Traps and Informs
snmp-server enable traps
snmp-server host 192.168.145.128 version 2c admintraps
An SNMP host must be specified before the router can send traps. We also need to specify the community string sent with the traps (in this scenario, it's admintraps).
[Quote]
The host-addr argument is the name or IP address of the
NMS server that will receive the traps. You can define whether the router will
send SNMP traps or informs to this host by specifying either the traps or
informs keyword. If neither is specified, the default is to send traps.
Also, you can specify which version of SNMP traps the router will send by
including either version 1 or version 2c. If neither version is
specified, the router will default to Version 1. Note that informs don't exist
in SNMP Version 1, so you must specify Version 2c (or version 3) if you want to
enable this feature.
The community string argument specifies the community
string that the router will send within the SNMP trap or inform. This doesn't
need to match either the read-only or read-write community strings on the
router.
You can change the default SNMP trap port from 162 (the
default) to another value with the optional udp-port keyword. This
keyword must be followed by the alternative UDP port number that you want to
use.
Finally, if the trap-type keyword is present, it allows
you to configure the types of traps that the router will send to this server.
There is a list of valid trap types in Table 17-4. The command can accept
one or more types. However, if no trap types are included, the router will
default to sending every enabled trap type.
There are two important things to note about this command.
First, you must enable trap-types via the global command before you can specify
them for a particular host. Second, this command will allow you to send
different sets of traps to different servers. This can sometimes be useful if
you have multiple NMS servers that handle different management functions.
The configuration for SNMP informs
is almost the same as SNMP traps. The main difference is that you can't enable
individual inform types by using the global snmp-server enable informs command. The global
inform command lacks the granularity of the same trap-based command. However,
you can still enable specific inform types on the host-level command. This can
mean more typing if there are several inform recipients. But there is no loss of
functionality.

Enabling SNMPv3

snmp-server engineID local 1234
snmp-server group v3snmp v3 auth access 2
snmp-server user secureuser v3snmp v3 auth md5 authpassword [priv des56 encrypassword]
snmp-server host 11.11.11.11 traps version 3 auth secureuser
Basically, this is the same as SNMPv2c/v1. You just need to create a v3 group and user, and specify which authentication and encryption to use.
The SNMP engine ID is a unique string used to identify the device for administration purposes. You do not need to specify an engine ID for the device; a default string is generated using a Cisco enterprise number (1.3.6.1.4.1.9) and the MAC address of the first interface on the device. If you wish to specify your own ID and it contains trailing zeros, you do not need to specify the entire 24-character engine ID. Specify only a portion of the engine ID up to the point at which only zeros remain in the value. This portion must be 10 hexadecimal characters or more. For example, to configure an engine ID of 123400000000000000000000, you can specify snmp-server engineID local 1234000000.
A remote engine ID is required when an SNMPv3 inform is configured. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. Informs are acknowledged traps. The agent sends an inform to the manager. When the manager receives the inform, it sends a response to the agent. Thus, the agent knows that the inform reached its destination.


This article is from the ChinaUnix blog. To view the original, go to: http://blog.chinaunix.net/u1/42903/showart_471971.html
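
The group listings earlier in the post show which groups still read through v1default and which are tied to an access list. As an added example (not part of the original post), this parses output in that layout and flags groups that still expose the full tree or have no ACL; the function names, finding labels and sample text are constructed for illustration.

```python
import re

# Constructed sample in the layout of the group listing above: two groups still
# on the default view, one community group restricted to view Orionro + ACL 1.
SAMPLE = """\
groupname: ispsnmp                          security model:v1
readview : v1default                        writeview:
notifyview:
row status: active
groupname: isprouter                        security model:v2c
readview : v1default                        writeview:
notifyview:
row status: active
groupname: snmpserver                       security model:v1
readview : Orionro                          writeview:
notifyview:
row status: active      access-list: 1
"""

# [ \t]* rather than \s*: an empty "writeview:" must not swallow the next line.
FIELD = re.compile(
    r"(groupname|security model|readview|writeview|notifyview|row status|access-list)"
    r"[ \t]*:[ \t]*(\S*)"
)

def parse_groups(text):
    """Return one dict per 'groupname:' record, keyed by the field labels."""
    groups = []
    for key, value in FIELD.findall(text):
        if key == "groupname":
            groups.append({"groupname": value})
        elif groups:
            groups[-1][key] = value
    return groups

def audit(groups):
    """Return (group/model, finding) pairs for settings worth tightening."""
    findings = []
    for g in groups:
        name = f'{g["groupname"]}/{g.get("security model", "?")}'
        if g.get("readview") == "v1default":  # iso subtree minus a few exclusions
            findings.append((name, "FULL_TREE_READ"))
        if g.get("writeview"):
            findings.append((name, "WRITE_VIEW"))
        if not g.get("access-list"):
            findings.append((name, "NO_ACL"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_groups(SAMPLE)):
        print(f"{name}: {finding}")
```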
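
The engine ID paragraphs at the end of the post say the remote engine ID is used to compute the security digest. As an added example (not from the original post or from Cisco), this carries out the password-to-key and key-localization steps of RFC 3414 to show that one password yields a different key for every engine ID. The function names are illustrative, the 24-hex-character width follows the text above, and the second engine ID is a constructed value.

```python
import hashlib

def expand_engine_id(short_hex, width=24):
    """Restore the trailing zeros that may be omitted when typing the engine ID."""
    if len(short_hex) > width:
        raise ValueError("engine ID longer than %d hex characters" % width)
    return bytes.fromhex(short_hex.ljust(width, "0"))  # ValueError on non-hex input

def password_to_key(password, hash_name="md5"):
    """RFC 3414 A.2: hash 1,048,576 bytes made by repeating the password."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()

def localize_key(ku, engine_id, hash_name="md5"):
    """Bind the user key Ku to one engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def localized_keys(password, engine_ids, hash_name="md5"):
    """Map each (possibly shortened) engine ID to its localized key in hex."""
    ku = password_to_key(password, hash_name)
    return {
        eid: localize_key(ku, expand_engine_id(eid), hash_name).hex()
        for eid in engine_ids
    }

if __name__ == "__main__":
    # "authpassword" and 1234000000 are the post's sample values; 8000000903
    # is a constructed engine ID standing in for a remote inform receiver.
    # md5 matches the post's "auth md5"; "sha1" is accepted as well.
    for eid, key in localized_keys(b"authpassword", ["1234000000", "8000000903"]).items():
        print(eid, key)
```

A key localized with the router's own engine ID does not match the one the inform receiver derives from its engine ID, which is why the receiver's engine ID has to be configured for informs.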