Brocade Product Training Introducing SNMP Web-based Training Brocade Education Services Page 1-1
Objectives Describe SNMP basics: terminology and concepts Describe the need for SNMP Describe the advantages of SNMP Describe SNMP versions Identify the key components of SNMP: SNMP Entities (Management stations/agents) and SNMP MIBs Describe SNMP Management Information Base (MIB) 2 Page 1-2
SNMP Overview Simple Network Management Protocol (SNMP) is an asynchronous request/response protocol that uses operations to manage networks, examples: GET, GET-NEXT, SET, TRAP SNMP exchanges use User Data Protocol UDP/IP (part of the TCP/IP stack), a very simple, unacknowledged, connectionless protocol A management station runs a management application that can monitor and control network elements via an agent SNMPv3 calls management stations and agents, SNMP entities An agent is a network device such as a Fibre Channel switch, hub or a bridge that is responsible for executing operations requested by the management station 3 Simple Network management Protocol (SNMP) is an asynchronous request/response protocol that uses four main operations to manage networks: 1. GET Managing station request to read the value of a managed object (a device/setting/reading within a group of related managed objects) 2. GET-NEXT - Managing station request to read the value of the next managed object in a MIB tree 3. SET Managing station request to change the value of a managed object. 4. TRAP Managed system (agent) notification to managing station that an unusual event occurred. More on this to come! Sample SNMP applications that run on manager stations include but are not limited to: HP OpenView; CA Unicenter; Tivoli ; Cabletron Spectrum; Compaq Network Management Software; Adventnet; MG-SOFT Each SNMPv3 entity (manager station or agent) consists of an SNMP engine and one or more SNMP applications. These will be discussed in further detail in this module. Page 1-3
SNMP Overview (cont.) The need for SNMP SAN Managers need to keep equipment up and running Networks need to be monitored One workstation running SNMP management software can: Monitor management information from thousands of devices in IP Network and/or SAN Can be used to monitor FRUs, performance, and error statistics Special monitoring can be done separately MRTG Cricket 4 Network management is all about keeping the network up and running, monitoring and controlling network devices remotely using conventional network technology. Local management and remote management are two ways of managing a device. Enterprise management software, like HP OpenView, Tivoli, and CA Unicenter, monitor thousands of devices in an enterprise. Many of these packages have add on components that are tailored to manager Brocade SANs. There are also commercial and freely available packages that can be run separately by the SAN Administrator so that they can get alerts, trend performance and capture details of errors of switches separately from the large network management stations. Page 1-4
SNMP Overview (cont.) Advantages of using SNMP Standardized protocol Universal acceptance Portable Implemented entirely in software Independent of operating systems Independent of hardware platforms SNMP is lightweight Widely deployed 5 SNMP is a standardized Protocol: SNMP is the standard network management protocol for TCP/IP networks. Internet Protocols are open, nonproprietary standards developed through voluntary efforts by the Internet community, so is the SNMP that is actively maintained and all future enhancements to SNMP are based on existing protocol standards. Universal Acceptance: All major vendors support SNMP. All SNMP-managed devices use the same type of management interface and to support a common set of network management information. Portability: SNMP is implemented entirely in software and is independent of operating system and programming language. The functional design of SNMP is also portable and it defines a core set of operations that must function identically on all devices that support SNMP. SNMP is Lightweight: SNMP facilitates the ability to manage a device without impacting the operation of the device or its performance. SNMP management may be added to a network device with very little increase in workload and demand on system resources. Widely Deployed: SNMP is one of the most popular protocols in the protocol suite that every vendor is aware of. This popularity serves as one dominant factor for its wide deployment by the vendors. Page 1-5
SNMP Overview (cont.) Brocade supported SNMP versions Pre-Fabric OS v4.4 implements SNMPv1/v2c Uses SNMPv2c Structure of Management Information (SMI) framework but not SNMPv2c protocol operations like getbulk Utilizes both SNMPv1 and SNMPv2c community administration Fabric OS v4.4 adds SNMPv3 Formalizes descriptions of concepts used in earlier SNMP versions Adds security enhancements and thus also adds secure remote configuration capabilities 6 SNMPv2c: This is the revised protocol, which includes improvements to SNMPv1 in the areas of protocol packet types, transport mappings, MIB structure elements but using the existing SNMPv1 administration structure ("community based" and hence SNMPv2c). SMI stands for Structure of Management Information. Page 1-6
SNMP Versions SNMP Version 1 (SNMPv1) provides the basic SNMP network management framework: Defines the MIB-II standard Describes Protocol Data Units (PDUs): getrequest, getnext, getresponse, setresponse, and trap SNMP Version 2c (SNMPv2c) adds: Expanded data types (64-bit counters) 1 A get bulk PDU (improved efficiency) An inform PDU (better event notification) SNMPv1 and SNMPv2c use community names (strings) to authenticate 2 Community names are clear text strings designed to establish trust between SNMP management stations and agents Sometimes community names are referred to as passwords Community names must be the same on communicating management stations and agents Communities can be read-only (RO), read-write (RW), or trap capable 7 The IETF (Internet Engineering Task Force) is the body that defines standard Internet operating protocols. Every device that supports SNMP must also support MIB-II. MIB-II is defined as iso.org.dod.internet.mgmt.1, or 1.3.6.1.2.1. MIB-II keeps track interface information and statistics (examples include: number of octet sent, errors stats on octets sent, IP routing information, User Data Protocol/UDP statistics and so on). MIB-II also includes a list of objects about system operation, such as the system uptime, system contact, and system name. Footnote 1: Most counters represent a 32-bit number and have a minimum value of 0 and a maximum value of 2 32-1 (4,294,967,295). SNMPv2 introduces 64-bit counters that have a maximum value of 2 64-1 (18,446,744,073,709,551,615). These larger counters give us a longer time to cycle through statistics before the counters are rolled back. Footnote 2: SNMPv1 and SNMPv2 use the notion of communities to establish trust between managers and agents. Page 1-7
SNMP Versions (cont.) SNMPv3 SNMP Version 3 (SNMPv3) adds support for strong authentication and private (secure) communication between SNMP entities (management stations and agents) Supports all the operations defined by versions 1 and 2c Defines user-names, similar to SNMPv1/v2c community names Re-defines and modularizes some of SNMPv1/SNMPv2c concepts Each SNMP entity consists of an SNMP engine and one or more SNMP applications The engine is tasked with sending/receiving, authenticating and encrypting/decrypting messages 1 The engines tasks provide services for SNMP applications 2 that run on the entity Examples of these applications: command generator, command responder, notification (trap) receiver, notification sender 8 SNMPv3 adds several new textual conventions, better ways of interpreting the datatypes defined in earlier versions. The modularization of SNMP components allows different components to be enhanced without having to propose, qualify, and eventually release a new version of SNMP. Footnote 1: The engine can also control access to managed objects (ACLs) Footnote 2: An additional examples of an application is called proxy forwarded. This is needed when an SNMPv3 entity is used to forward messages to another SNMPv3 entity. Page 1-8
SNMP Versions (cont.) SNMPv3 Engine Tasks The Dispatcher is responsible for sending and receiving SNMP messages It can be used determine the SNMP version of the message It processes messages to/from the Message Processing Subsystem The Message Processing Subsystem extracts data out of received messages and processes outgoing message data It could contain subsystems that process SNMPv1, SNMPv2, and SNMPv3 requests SNMPv1 Message SNMPv2c Message SNMPv3 Message 9 The dispatcher acts as the interface between the world outside an SNMP entity and the world inside the SNMP entity. It sends/receives messages over the network and dispatches SNMP communication called protocol data units to internal applications/message processing subsystem. The message processing subsystem is the packager of data, it puts the data into messages or extracts the data out of messages. Page 1-9
SNMP Versions SNMPv3 Engine Tasks (cont.) The Security Subsystem provides authentication and privacy services The Access Control Subsystem authorizes services SNMPv1/v2c Message SNMPv3 Message Community String? OK User-name Match? Access Control Check Authentication? OK Privacy? OK MD5 or SHA Algorithm Check DES Encrypt and Decrypt 10 The security subsystem can contain more than one security model. In the case of Brocade switches, for example, it contains: SNMP v1/v2c community strings; SNMP v3 user-names, authentication, and privacy; and access control lists. Authentication occurs using either MD5 or SHA algorithm checks. MD5, message-digest algorithm, is an extension of the MD4 algorithm. The MD5 algorithm takes an input a message of arbitrary length and produces an output 128-bit "fingerprint" or "message-digest". It is designed for circumstances where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA. RSA is a public-key encryption technology created by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA was built from the fact that, given that it is pretty easy to multiply two very large prime numbers together to get their product, it is extremely difficult to go the reverse direction: to find the two prime factors of a composite number. This one-way nature of RSA allows an encryption key to be generated and shared with the world, and still not allow a message to be decrypted. SHA is an acronym which stands for Secure Hash Standard. SHA is modeled after MD4. Like MD5, SHA takes a message and produces a message-digest, it s output is 160-bit. The message-digest can then be put into the Digital Signature Algorithm (DSA) to generate or verify the signature for the message. This signing of the message-digest rather than the message is designed to improve the efficiency. The same algorithm must be used at both ends of the communication. DES is a Digital Encryption Standard that uses a secret key to encrypt/decrypt messages. Page 1-10
SNMP Versions (cont.) SNMPv3 SNMPv3 can guarantee identity of sender by authenticating communications Ensure privacy by enabling SNMPv3 to encrypt/ decrypt messages DES Encryption Agent can also use Access Control Lists (ACLs) 11 SNMP v3 enables both authentication and privacy. SNMP v3 enables authentication of communication entities (Who are you?/are you who you say you are?). SNMP v3 can also provide encryption/decryption of communications that pass between entities thus ensuring privacy. In addition, SNMP v3 allows the entities to further protect access by creating Access Control Lists (ACL)/policies. DES is a Digital Encryption Standard that uses a secret key to encrypt/decrypt messages. DES works by giving both sender and receiver a secret key. This secret key is used to encrypt and decrypt messages. Plain text block messages are repeatedly changed into unique ciphertext. This cyphertext is unique because the secret key is used to generate the transformation algorithm. DES has a 64-bit block size and uses a 56-bit key during encryption Page 1-11
SNMP Components Involves communication between Manager and Agent (SNMP entities) Station SNMP Agent MIB This figure further demonstrates the simple in SNMP there are very few components involved Minimum of one Network Management Station (NMS) One or more managed nodes each containing an agent Station and agents/entities use SNMP to exchange management information MIBs get consulted for lookups 12 Within the SNMP model, a manageable network consists of one or more manager systems (or network management stations), and a collection of agent systems (or network elements). SNMPv3 calls both manager and agent systems enties. The manager communicates with an agent using the Simple Network Management Protocol (SNMP). The Brocade SilkWorm agent supports both SNMP version 1 (SNMPv1) and Community-based SNMP version 2 (SNMPv2C). SNMP allows a manager to retrieve management information, such as its identification, from an agent. A manager can change management information on the agent. This operation is termed SNMP-SET. An agent can send information to the manager without being explicitly polled. This operation is termed a trap in SNMPv1 or a notification in SNMPv2C/v3. Traps or notifications would alert the manager to events that occur on the agent system, such as reboot. For the rest of the document, the term trap is used. Page 1-12
SNMP Components (cont.) Network Management Station (NMS) System Entity Responsible for managing SNMP agent/entity Responsible for polling and receiving traps from agents Is able to query agent and Get responses Set variables Receive traps Examples of SNMP management systems applications are: HP OpenView Tivoli Netview CA Unicenter Netcool MRTG 13 A Manager or Management System is a separate entity that manages the agent entity from a remote place. This is typically a computer that is used to run one or more network management system. Consider an Organization having office in different geographical locations. Administration of all the computers present in different localities would be difficult. But, when the System Administrator s computer is installed with a manager entity and all other systems and devices across all the offices are installed with agent entities, management becomes easier. The administrator has to just query the agent entity through its manger entity to know the functioning of the device. A typical Manager Is implemented as a Network Management System entity Would implement full SNMP protocol Is able to query entity agents, get responses, set variables, and acknowledge asynchronous events. Page 1-13
SNMP Components (cont.) Agent Mediator between management entity and an end device in the SAN Resides in a SAN device - in the Brocade world it resides in the switch Makes information available to the SNMP Management Entity Brocade s agent entity does the following: Implements SNMP protocol Stores and retrieves management information defined in supported SNMP MIBs Collects and maintains information about the switches local environment 14 An agent entity is a mediator between the manager entity and an end device in a SAN. The agent entity resides in a SAN device and makes the management information available to the manager entity. It is to be understood that an agent entity is a program that resides in the device or the application and does not constitute a separate entity. A typical agent entity Implements SNMP Protocol Stores and retrieves management information data as defined in the MIB Collects and maintains information about its local environment Can asynchronously signal an event to manager Page 1-14
SNMP Components (cont.) MIBs MIB is an acronym for Management Information Base A MIB is a database of network management information The information is a combination of switch settings, hardware configuration, status and statistical data (information about the agent) Brocade MIBs can be compiled in the management station MIB 15 Management Information Bases (MIBs) are a collection of objects or definitions that define the properties of the managed objects. In order to enable the SNMP manager or management application to operate intelligently on the data available on the device, the manager needs to know the names and types of objects on the managed device. This is made possible by MIB modules, which are specified in MIB files usually provided with managed devices. It should be understood that, MIB itself is only an abstraction of data and is not actually a physical database and not a physically executable object. Page 1-15
SNMP Functional Model Network View Management Station (SNMPv3 Entity) Management Station (SNMPv3 Entity) Agent Entity (Switch) Agent Entities Agent Fibre Channel Fabric 16 There is no limit to the number of management station entities, but the Brocade agent entity can respond to no more than 6 different SNMP community names (SNMPv1/v2c) or 6 different user-names, 3 RW and 3 RO (SNMPv3). SilkWorm SNMP agent entities support: SNMPv1, SNMPv2c, and SNMPv3 manager entities MIB-II system group,interface group and SNMP group Fabric Element MIB Fibre Alliance MIB Vendor Specific MIBs Standard Generic Traps Enterprise Specific Traps Command line utilities to provide access to and command the agent (e.g., agtcfgset, agtcfgshow, snmpconfig, snmpmibcapset, snmpmibcapshow) Page 1-16
SNMP Functional Model (cont.) Request/Response The management station entity can monitor passively and actively When a management station entity queries an agent, it is active Active means it is actively inspecting (get) or altering (set) variables (objects) Manager Station Entity Get, Get Next. Get Bulk, Set Reply Agent Entity This figure further demonstrates the simple in SNMP there are a limited set of active queries In an active query the following commands can be sent, GET, GET NEXT, GET BULK and SET Once the value has been set or obtained a reply is sent back 17 Within the SNMP model, a manageable network consists of one or more manager system entities (or network management stations), and a collection of agent system entities. The manager entity communicates with an agent entity using the Simple Network Management Protocol (SNMP). SNMP allows a manager to retrieve management information, such as its identification, from an agent entity. A manager can change management information on the agent entity. This operation is termed SNMP-SET. An agent entity can send information to the manager without being explicitly polled. This operation is termed a trap in SNMPv1 or a notification in SNMPv2C and SNMPv3. Traps or notifications would alert the manager to events that occur on the agent entity, such as reboot. Page 1-17
SNMP Functional Model (cont.) Trap/Notification In passive monitoring an unusual event on the agent (switch) causes an unsolicited message (trap/notification) to be sent to the management station Manager Station Entity TRAP Agent Entity Traps are unsolicited notifications initiated by the agent entity to alert the management station entity of an extra-ordinary condition Actions for a trap are configurable on the manager station entity Traps come standard with Fabric OS Fabric Watch, an optional licensed product, can also produce additional traps based on user defined thresholds 18 Traps are unsolicited events that are sent from the agent entity to the manager station entity. In the Brocade world, it is sent from the switch to the SNMP monitoring station entities. The purpose of traps are to alert the manager entity when an extra ordinary event takes place. This alert occurs immediately after the event occurs. If it wasn t for SNMP traps, there could be windows of time when an important event took place, like a failed power supply, that would not be known by the network manager station entity until the next polling cycle. Page 1-18
SNMP Functional Model (cont.) MIB Hierarchical Tree Structure iso (1) org (3) dod (6) internet (1) directory (1) mgmt (2) experimental(3) Private(4) mib-2 (1) fibrechannel (42) enterprise (1) system (1) interface (2) fcfe (1) bcsi (1588) sysobjectid (2) sysdescr (1) fcfabric (2) commdev (2) 19 Each branch in the tree has a unique name and identifier. The leaves of the tree represent actual MIB objects. The numbers next to the objects represent the number of subtrees that object is within the current subtree. For example, the fibrechannel object is the 42nd subtree within the subtree of experimental. Therefore the numeric indentifier for the fibrechannel object is 1.3.6.1.3.42. All data referring to managed objects are organized in a hierarchical MIB tree. For the ease of managing the system, each MIB entry node can be represented by numbers; these numbers are commonly set in parentheses behind the node s name, i.e ISO(1). The MIB tree is worldwide maintained by ISO. The MIB tree s root is made up by the node ISO(1). Page 1-19
SNMP Functional Model (cont.) MIB Object IDs iso (1) org (3).1.3.6.1.4.1.1588.2 dod (6) internet (1) directory (1) mgmt (2) experimental(3) Private(4) mib-2 (1) fibrechannel (42) enterprise (1) system (1) interface (2) fcfe (1) bcsi (1588) sysobjectid (2) sysdescr (1) fcfabric (2) commdev (2) 20 This shows an example of the object ID of a particular branch and tree. The object ID is formed by connecting the branch numbers separated by periods. Object Ids are unique in the SNMP world. Brocade s object ID numbers are registered with the Internet Assigned Numbers Authority (IANA). The IANA has list of vendor object ID numbers that can be found at http://www.iana.org/assignments/enterprisenumbers. Page 1-20
SNMP Functional Model (cont.) MIB Object Names iso (1) org (3) Iso.org.dod.internet.private.enterprise dod (6) internet (1) directory (1) mgmt (2) experimental(3) Private(4) mib-2 (1) fibrechannel (42) enterprise (1) system (1) interface (2) fcfe (1) bcsi (1588) sysobjectid (2) sysdescr (1) fcfabric (2) commdev (2) 21 Each associate OID also has an object name. They are formed by linking the textual name of the branch and leaf. Many SNMP management programs allow either the OID or object name to be entered. They two different ways to reference the same MIB object. Page 1-21
SNMP Functional Model (cont.) MIB - Instances MIB Objects can be defined by x.y X is the object ID Y is instance of the object For example 1.3.6.1.4.1.1588.2.1.1.1.6.2.1.12.1 is the object ID of swfcporttxframes 1.3.6.1.4.1.1588.2.1.1.1.6.2.1.12.1 is the instance ID for port 0 You need to add 1 to the port number to get its instance number in SNMP because SNMP number starts at 1; switch port numbering starts at 0 22 The MIB object ID specifies a particular object that can be monitored. The instance number specifies the particular physical object number that is going to be monitored. For example, you may want to monitor the number of transmitted frames and there are 16 ports on the switch. The instance number correctly identifies the physical object that you want to monitor. In this example, you are going to monitor the number of transmitted frames on port 0. Instance numbers always start with 1. When monitoring values of switch ports, you need to add 1 to the port number to get the proper SNMP instance number. Page 1-22
Summary SNMP is a standardized protocol that many managers use to monitor their Fibre Channel SANs SNMP has the following components SNMP Entities: Management Stations and Agents Management Information Bases (MIBs) SNMP versions use different security measures SNNPv1/v2c use community strings (names) SNMPv3 user-names can be configured for both authentication (MD5 or SHA) and privacy (DES encryption/decryption) Brocade enables SNMP ACLs in all Fabric OS versions SNMP communication includes queries (GET, SET ) and traps which are also called notifications SNMP traps are events that are initiated by the agent entity to alert the management station of an extra-ordinary event 23 In this module, we introduced the basic concepts behind SNMP. Page 1-23
End of Introducing SNMP Web-based Training Brocade Education Services 24 Page 1-24