# Network Management Configuration Guide
## LLDP

### Introduction

LLDP (Link Layer Discovery Protocol) is a Layer 2 discovery protocol defined in IEEE 802.1AB. In simple terms, LLDP is a neighbor discovery protocol: a means of transmitting information between two directly connected devices. For example, details such as device configuration and device identification can be advertised using this protocol.

### Basic Concepts

#### LLDP Packet

The LLDP packet structure is shown in the figure below.

- DA: destination MAC, a multicast address whose value corresponds to the meaning shown in the table below.
- SA: source MAC, generally the system MAC.
- LLDP Ethertype: the frame type. By this field the switch determines that the frame is an LLDP frame and hands it to the LLDP module for processing. The value is 0x88CC.
- LLDPDU: LLDP Data Unit, the main body of the LLDP information exchange.
- FCS: frame check sequence.

Table 1: Destination MAC address table

| Destination MAC | Meaning | Description |
|---|---|---|
| 01-80-C2-00-00-0E | Nearest bridge | LLDP packets of the Nearest Bridge type; the packet is restricted to the local network and cannot be forwarded by any bridge or routing device. |
| 01-80-C2-00-00-03 | Nearest non-TPMR bridge | LLDP packets of the Nearest non-TPMR Bridge type; the packet is forwarded only by Two-Port MAC Relays (TPMRs); no other bridge or routing device forwards it. |
| 01-80-C2-00-00-00 | Nearest customer bridge | LLDP packets of the Nearest Customer Bridge type; the packet propagates only between two customer bridges. |

#### LLDPDU Structure

The LLDPDU is the body of the LLDP information exchange and determines which Layer 2 information about the switch can be discovered through LLDP. The LLDPDU structure is shown in the figure below. The basic information unit in the LLDPDU is the TLV:

- T (Type): the type of information.
- L (Length): the length of the information field.
- V (Value): the information itself, i.e. what is actually transmitted.

#### TLV Types

During the LLDP frame exchange the LLDPDU usually contains a number of different TLVs, depending on requirements, through which the device transmits or receives information about itself and its neighbors. The LLDPDU always starts with the Chassis ID TLV, Port ID TLV and Time To Live TLV, and ends with the End of LLDPDU TLV; these four TLVs are mandatory. All others are optional TLVs, and the switch decides whether to include them in the LLDPDU or not.

#### Basic TLV Types

Table 2: Basic TLV types

| TLV type | Description | Mandatory |
|---|---|---|
| Chassis ID | Port MAC address of the sending device | Yes |
| Port ID | Identifies the port on the sender side of the LLDPDU | Yes |
| Time To Live | How long information about this device is retained on neighboring devices | Yes |
| System Name | Name of the switch | No |
| System Description | System description of the switch | No |
| System Capabilities | The main functions of the system and which of them are enabled | No |
| Management Address | The management address together with the corresponding interface number and OID (Object Identifier). The management address is the IP address specified by the user; if the user has not configured one, it is the primary IP address of the VLAN that the interface is allowed in and that has the smallest VLAN ID; if that VLAN has no primary IP address configured, the management address is 127.0.0.1. | No |
| Port Description | Description string of the Ethernet port | No |
| End of LLDPDU | Marks the end of the LLDPDU | Yes |

Note: refer to IEEE 802.1AB-2016 for the specific TLV structures.

#### Organization-Specific TLVs

##### TLVs defined by IEEE 802.1

The TLVs defined by IEEE 802.1 mainly describe information about the VLANs and the ports that send LLDP packets.

Table 3: TLV types defined by IEEE 802.1

| TLV type | Description | Subtype | Supported |
|---|---|---|---|
| Port VLAN TLV | The default VLAN of the port on which the LLDP packet was sent | 01 | Yes |
| Port and Protocol VLAN TLV | The VLAN defined by the port | 02 | Yes |
| VLAN Name TLV | Name of the VLAN where the port is located | 03 | Yes |
| Protocol Identity TLV | Types of protocols supported by the port | 04 | Yes |

Note: see Annex D of IEEE 802.1Q-2018 for the detailed structure of these TLVs, which use OUI 00-80-C2.

##### TLVs defined by IEEE 802.3

The TLVs defined by IEEE 802.3 are mainly used for negotiating port capabilities.

Table 4: TLV types defined by IEEE 802.3

| TLV type | Description | Subtype | Supported |
|---|---|---|---|
| MAC/PHY Configuration/Status TLV | The speed and duplex status of the port, whether the port supports speed auto-negotiation, whether auto-negotiation is enabled, and the current speed and duplex status | 01 | Yes |
| Power Via MDI TLV | Power capability of the port, e.g. whether it supports PoE and whether it is a supplying or a receiving device | 02 | Yes |
| Link Aggregation TLV (deprecated) | Whether the port supports link aggregation and whether link aggregation is enabled | 03 | Yes |
| Maximum Frame Size TLV | The maximum frame length supported by the port, taken as the port's maximum transmission unit (MTU) | 04 | Yes |

Note: see Clause 79 of IEEE 802.3-2018 for the detailed structure of these TLVs, which use OUI 00-12-0F.

##### LLDP-MED TLVs

LLDP-MED TLVs are used in the field of VoIP (Voice over Internet Protocol). They exchange basic configuration, address, network policy and management information of voice devices, among other things, so that voice devices from different manufacturers can interoperate.

Table 5: Media Endpoint Discovery (MED) related TLVs

| TLV type | Description | Subtype | Supported |
|---|---|---|---|
| LLDP-MED Capabilities TLV | The type of the current device and the LLDP-MED TLV types that can be encapsulated in the LLDPDU | 1 | Yes |
| Network Policy TLV | VLAN ID, Layer 2 priority and DSCP value for the voice VLAN | 2 | Yes |
| Location Identification TLV | Location identification information for use by other devices in location-based applications | 3 | Yes |
| Extended Power Via MDI TLV | Information on the extended power supply capacity of the current equipment | 4 | Yes |
| Inventory TLV | Manufacturer information of the device | 5 to 11 | No |

Note: see ANSI/TIA-1057 for details of the structure of these TLVs, which use OUI 00-12-BB.

### LLDP Default Configuration

The default configuration of LLDP is shown in the table below.

Table 6: LLDP default configuration

| Parameter | Default value |
|---|---|
| LLDP function | Enabled |
| LLDP operating mode | Rx and Tx |
| LLDP packet sending interval | 30 seconds |
| LLDP aging time | 120 seconds |
| LLDP advertises the management IP address | Enabled |
| LLDP capabilities advertisement | Enabled |

### Disable LLDP

Table 7: Disable LLDP

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Disable LLDP | `lldp disable` | |

### LLDP Configuration

Table 8: LLDP configuration

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Configure the Port ID subtype in LLDP messages | `lldp port id subtype { local \| ifname \| macaddress }` | |
| Configure the interval for sending LLDP messages | `lldp message transmission interval <interval-time>` | interval-time: time interval, range 5-32768 |
| Configure the hold time of LLDP | `lldp message transmission hold <hold-time>` | hold-time: hold multiplier, range 2-10. TTL of LLDP messages = interval × hold |
| Disable LLDP advertisement of the management port (MAC) address | `no lldp management address advertisements enable` | |
| Disable LLDP capabilities advertisement | `no lldp capabilities advertisements enable` | |

### Display and Maintenance

Table 9: LLDP display and maintenance

| Purpose | Commands | Description |
|---|---|---|
| Show LLDP neighbors | `show lldp neighbor { summary \| interface <interface-name> }` | Specify the interface to view neighbor details |
| Show LLDP local configuration | `show lldp local { summary \| interface <interface-name> }` | Specify the interface to view local details |

### Typical Configuration Example

```
# Check the LLDP neighbor table
sonic# show lldp neighbor summary
Capability codes: (R) Router, (B) Bridge, (O) Other
LocalPort  RemoteDevice  RemotePortID  Capability  RemotePortDescr
--------------------------------------------------------------------
0/48       spine-228     C1            BR          Ethernet0
0/60       sonic-227     C6            BR          Ethernet68
0/72       sonic-102     C7            BR          0/72
--------------------------------------------------------------------
Total entries displayed: 3

# Check LLDP neighbor details for interface 0/48
sonic# show lldp neighbor interface 0/48
--------------------------------------------------------------------
LLDP neighbors:
--------------------------------------------------------------------
Interface:    0/48, via: LLDP, RID: 1, Time: 1 day, 07:13:23
  Chassis:
    ChassisID:    mac 18:17:25:37:65:40
    SysName:      spine-228
    SysDescr:     Debian GNU/Linux 9 (stretch) Linux 4.9.0-14-2-amd64 #1 SMP Debian 4.9.246-2 (2020-12-17) x86_64
    MgmtIP:       10.250.0.228
    MgmtIface:    2
    Capability:   Bridge, on
    Capability:   Router, on
    Capability:   Wlan, off
    Capability:   Station, off
  Port:
    PortID:       local C1
    PortDescr:    0/0
    TTL:          120
--------------------------------------------------------------------
```

## SNMP

### Introduction

SNMP (Simple Network Management Protocol) is a standard protocol for network management widely used in TCP/IP networks. SNMP provides a method of managing devices from a central computer (the network management workstation) running network management software. SNMP has the following features:

- Simplicity: SNMP uses a polling mechanism to provide a basic set of features for small, fast, low-cost environments, and it is supported by most devices because SNMP is carried in UDP packets.
- Robustness: the goal of SNMP is to ensure that management information is delivered between any two points, so that administrators can retrieve information from any node on the network for troubleshooting.

SNMP is currently available in three versions: v1, v2c and v3. v2c is basically the same as v1 and can be seen as an enhanced version
of v1 with some new operations, while v3 has undergone major changes to provide authentication and encryption security mechanisms, as well as user- and view-based access control, for enhanced security.

### Basic Concepts

#### SNMP Management Model

SNMP is an application-layer protocol specifically designed for network management. There are two roles in SNMP: the network management system and the managed network device. An SNMP system consists of the NMS (Network Management System), the agent, management objects and the MIB (Management Information Base). The NMS acts as the management center for the entire network and manages the switches. Each managed device contains an agent, a MIB and multiple management objects residing on the switch. The NMS interacts with the agent running on the managed device, and the agent carries out the NMS commands by manipulating the MIB on the switch. The SNMP management model is shown in the figure below; its main elements are as follows.

- NMS: plays the role of manager in the network. It is a system that uses SNMP to manage and monitor network devices and runs on the NMS server. It can send requests to the agent on the switch to query or modify the values of one or more parameters, and it can receive unsolicited trap packets from the agent in order to be informed of the current status of the managed device.
- Agent: an agent process in the managed device that maintains information and data about the managed device and responds to requests from the NMS, reporting management data to the NMS that sent the request. The agent receives the request from the NMS, carries out the corresponding instruction through the MIB table, and then responds to the NMS with the result. In the event of a fault or other event, the switch proactively sends a message to the NMS via the agent, reporting the change in the switch's status.
- Management object: a managed object. Each device may contain multiple managed objects, which may be a piece of hardware in the switch or a collection of parameters configured on hardware or software (e.g. routing protocols).
- MIB: a database that specifies the variables maintained by the management objects (i.e. the information that can be queried and set by the agent). The MIB defines a series of properties of each management object: its name, state, access rights, data type, etc. By querying the MIB, the agent obtains information about the current state of the switch.

#### SNMP Packet Structure

SNMPv1 and SNMPv2c packets consist mainly of Version, Community Name and SNMP PDU. The packets for each type of SNMP operation are encapsulated in the SNMP PDU, as shown in the figure below.

- Version: indicates the SNMP version. The field value is 0 for an SNMPv1 packet and 1 for SNMPv2c.
- Community Name: used for authentication between the SNMP agent and the NMS, in the form of a user-defined string. Community names include "read" and "write": an SNMP query operation is authenticated with the "read" community name, and an SNMP set operation with the "write" community name.

SNMPv3 packets consist mainly of Version, MsgID, MaxSize, Flags, SecurityModel, SecurityParameters, Context EngineID, Context Name and SNMP PDU, as shown in the figure below. The SNMP PDU format of SNMPv3 packets is the same as in SNMPv2c. SNMPv3 packets can use the authentication and encryption mechanisms; encryption covers the Context EngineID, Context Name and SNMP PDU.

- Version: indicates the SNMP version. For an SNMPv3 packet the field value is 3.
- MsgID: the sequence number of the request packet.
- MaxSize: the maximum number of bytes the packet sender can hold and receive.
- Flags: packet identification bits, occupying one byte, with three flag bits: reportableFlag, privFlag and authFlag.
  - reportableFlag=1: the recipient of the SNMPv3 packet must send a Report PDU to the sender if it can generate one; reportableFlag=0: the recipient does not send a Report PDU. Report is used only when the SNMP PDU cannot be decrypted (e.g. decryption failure due to a wrong key).
  - privFlag=1: the SNMPv3 packet is encrypted; privFlag=0: it is not encrypted.
  - authFlag=1: the SNMPv3 packet is authenticated; authFlag=0: it is not authenticated.
  - Any combination is possible except privFlag=1 with authFlag=0. Therefore, when configuring the SNMPv3 security level, note that if the user group is at the privacy level, the user and the alert (trap) host must also be at the privacy level; if the user group is at the authentication level, the user and the alert host can be at either the privacy or the authentication level.
- SecurityModel: the security model used for the packet; the sender and the receiver must use the same security model.
- SecurityParameters: information about the SNMP entity engine, user name, authentication parameters, encryption parameters and other security information.
- Context EngineID: the unique identifier of the SNMP entity, which together with the PDU type determines which application the PDU is delivered to.
- Context Name: identifies the collection of management information accessible by an SNMP entity.

#### Working Principle

SNMPv1 and SNMPv2c work in the same way. SNMPv3 works in the same way as SNMPv1/SNMPv2c, the only difference being that SNMPv3 adds authentication and encryption processing.

##### SNMP Query

An SNMP query means that the NMS sends a query request to the SNMP agent on its own initiative. The SNMP agent receives the query request, carries out the corresponding command through the MIB table and returns the result to the NMS. The query process is basically the same for all versions; the only difference is that SNMPv3 adds authentication and encryption processing. There are three SNMP query operations: Get, GetNext and GetBulk. SNMPv1 does not support the GetBulk operation.

- Get: the NMS uses this operation to obtain one or more parameter values from the SNMP agent.
- GetNext: the NMS uses this operation to obtain, for one or more parameters, the next parameter value from the SNMP agent.
- GetBulk: based on GetNext; equivalent to performing several GetNext operations in succession. The number of GetNext operations the managed device performs during a single GetBulk exchange can be set on the NMS.

##### SNMP Set

An SNMP set means that the NMS actively sends a request to the SNMP agent to perform a set operation on the switch. After receiving the set request, the SNMP agent carries out the corresponding command through the MIB table and sends the result back to the NMS. There is only one set operation, Set, which the NMS uses to set the value of one or more parameters in the SNMP agent. As with the query operation, SNMPv3 adds authentication and encryption processing; the rest of the process does not differ between versions.

##### SNMP Response

An SNMP response means that the SNMP agent receives a request from the NMS, completes the corresponding query or modification operation through the MIB and then sends the information back to the NMS. There is only one response operation, Response, which can return one or more parameter values. It is issued by the agent in response to the four operations GetRequest, GetNextRequest, SetRequest and GetBulkRequest.

##### SNMP Traps

SNMP traps are alarms or events generated by the SNMP agent and actively reported to the NMS, so that the network administrator is kept informed of the current operating status of the switch. The SNMP agent has two ways of sending them: Trap and Inform. Inform is not supported in SNMPv1. The difference between Trap and Inform is that after the SNMP agent sends an alert or event to the NMS via Inform, the NMS must reply with an Inform Response as acknowledgement.

### SNMP Configuration

Table 10: Overview of SNMP configuration tasks

| Configuration task | Description |
|---|---|
| Configure SNMP community | Optional |
| Configure SNMP user | Optional |
| Configure SNMP agent trap | Optional |
| Configure SNMP agent source | Optional |

#### Configure SNMP Community

Note: this configuration applies only to SNMPv1 and SNMPv2c.

Table 11: Configure the SNMP community

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Add SNMP community | `snmp agent community <name>` | |

#### Configure SNMP User

Note: this configuration applies only to SNMPv3.

Table 12: Configure the SNMP user

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Add SNMP user | `snmp agent user <name> [ authentication mode <authen-protocol> <authkey> [ privacy mode <privacy-protocol> <privkey> ] ]` | authen-protocol: authentication method, MD5 or SHA. authkey: authentication password. privacy-protocol: encryption method, DES or AES. privkey: encryption password. |

#### Configure SNMP Agent Trap

Table 13: Configure the SNMP agent trap

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Add SNMP agent trap | `snmp agent trap target { v1 \| v2c \| v3 } <A.B.C.D> [ udp port <portnum> ] [ vrf <vrfname> ] [ community <community-name> \| user <user-name> ]` | A.B.C.D: IP address of the trap destination. udp port: default 162, range 0-65535. |

Note: only one SNMP agent trap can be configured each for v1, v2c and v3; if more than one is configured, the earlier configuration is overwritten.

#### Configure SNMP Agent Source

Table 14: Configure the SNMP agent source

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Add SNMP agent source | `snmp agent source <A.B.C.D> [ udp port <portnum> ] [ vrf <vrfname> ]` | A.B.C.D: source IP address of the agent. udp port: default 162, range 0-65535. |

### Display and Maintenance

Table 15: SNMP display and maintenance

| Purpose | Commands | Description |
|---|---|---|
| Show community configuration | `show snmp agent community` | |
| Show SNMPv3 users | `show snmp agent user` | |
| Show trap server configuration | `show snmp agent trap target` | |
| Show the agent's source address and port configuration | `show snmp agent source` | |

### Typical Configuration Example

#### Configure the SNMP Agent Source

```
# Configure the SNMP agent source
sonic# config terminal
sonic(config)# snmp agent source 10.10.10.2 udp port 165
sonic(config)# snmp agent source 10.20.10.3

# Data lookup from another device (the source IP must be reachable by ping)
root@asterfusion:/# snmpwalk -v 1 -c public 10.10.10.2:165 1.3.6.1.2.1.25.2.2.0
iso.3.6.1.2.1.25.2.2.0 = INTEGER: 8048596
root@asterfusion:/# snmpwalk -v 1 -c public 10.20.10.3 1.3.6.1.2.1.25.2.2.0
iso.3.6.1.2.1.25.2.2.0 = INTEGER: 8048596
```
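The LLDP packet and LLDPDU structure described in the LLDP section above, worked through as an added example that is not part of this guide or of the switch software: it builds a constructed LLDP frame with the three mandatory TLVs, one optional System Name TLV and the End of LLDPDU TLV, parses it back, checks the destination MAC against Table 1, enforces the Chassis ID / Port ID / Time To Live ordering, and computes the advertised TTL as interval × hold from Table 8. The MAC address, port name and system name are constructed sample values, the subtype choices (MAC address for Chassis ID, interface name for Port ID) are this example's own, and the 65535 cap on the TTL is the 16-bit field limit from IEEE 802.1AB, not something the guide states.

```python
"""Added example (not from the guide): build and parse an LLDP frame."""
import struct

LLDP_ETHERTYPE = 0x88CC

# Destination MAC addresses from Table 1 of the guide.
LLDP_DEST_MACS = {
    bytes.fromhex("0180c200000e"): "Nearest bridge",
    bytes.fromhex("0180c2000003"): "Nearest non-TPMR bridge",
    bytes.fromhex("0180c2000000"): "Nearest customer bridge",
}

# Basic TLV type codes (IEEE 802.1AB); 127 is the organization-specific TLV.
TLV_NAMES = {0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time To Live",
             4: "Port Description", 5: "System Name", 6: "System Description",
             7: "System Capabilities", 8: "Management Address",
             127: "Organization Specific"}


def lldp_ttl(interval, hold):
    """TTL carried in the Time To Live TLV: interval x hold (Table 8).
    Ranges are the ones in Table 8; the 65535 cap is the 16-bit field limit
    from IEEE 802.1AB (assumption, not stated by the guide)."""
    if not 5 <= interval <= 32768 or not 2 <= hold <= 10:
        raise ValueError("interval must be 5-32768 and hold 2-10")
    return min(65535, interval * hold)


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value bytes."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp_frame(src_mac, chassis_mac, port_name, ttl, sys_name,
                     dst=bytes.fromhex("0180c200000e")):
    """Constructed sample frame: DA, SA, Ethertype 0x88CC, then an LLDPDU with
    the three mandatory TLVs, one optional TLV and the End TLV.
    Chassis ID subtype 4 = MAC address, Port ID subtype 5 = interface name."""
    lldpdu = (tlv(1, b"\x04" + chassis_mac)
              + tlv(2, b"\x05" + port_name)
              + tlv(3, struct.pack("!H", ttl))
              + tlv(5, sys_name)
              + tlv(0, b""))
    return dst + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


def parse_lldp_frame(frame):
    """Parse an Ethernet frame carrying an LLDPDU, rejecting anything that is
    not a well-formed LLDP frame with the mandatory TLVs in the right order."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame (ethertype 0x%04x)" % ethertype)
    if dst not in LLDP_DEST_MACS:
        raise ValueError("unexpected destination MAC %s" % dst.hex(":"))

    tlvs, offset = [], 14
    while True:  # walk TLVs until the End of LLDPDU TLV
        if offset + 2 > len(frame):
            raise ValueError("LLDPDU truncated before End of LLDPDU TLV")
        header = struct.unpack("!H", frame[offset:offset + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        value = frame[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated %s TLV" % TLV_NAMES.get(tlv_type, tlv_type))
        tlvs.append((tlv_type, value))
        offset += 2 + length
        if tlv_type == 0:
            break

    # Mandatory order: Chassis ID, Port ID, Time To Live ... End of LLDPDU.
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("mandatory TLVs missing or out of order")
    chassis, port, ttl = tlvs[0][1], tlvs[1][1], tlvs[2][1]
    if len(chassis) < 2 or len(port) < 2 or len(ttl) != 2:
        raise ValueError("malformed mandatory TLV")

    info = {
        "dest_type": LLDP_DEST_MACS[dst],
        "src_mac": src.hex(":"),
        # subtype 4 is a MAC address; other subtypes are shown as text
        "chassis_id": chassis[1:].hex(":") if chassis[0] == 4
                      else chassis[1:].decode("ascii", "replace"),
        "port_id": port[1:].decode("ascii", "replace"),
        "ttl": struct.unpack("!H", ttl)[0],
        "tlv_types": [TLV_NAMES.get(t, "Reserved/%d" % t) for t, _ in tlvs],
    }
    for tlv_type, value in tlvs[3:]:  # optional TLVs
        if tlv_type == 5:
            info["system_name"] = value.decode("ascii", "replace")
    return info


if __name__ == "__main__":
    mac = bytes.fromhex("181725376540")  # constructed sample MAC
    frame = build_lldp_frame(mac, mac, b"Ethernet0", lldp_ttl(30, 4), b"spine-228")
    print(parse_lldp_frame(frame))
```

With the Table 6 defaults (30 s interval, hold 4) the computed TTL is 120, which matches the 120 s aging time and the TTL shown in the neighbor detail output above; a neighbor that stops sending is aged out of the table after that interval.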
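The SNMPv1/v2c and SNMPv3 packet structures described in the SNMP Packet Structure section above, as an added example that is not part of this guide or of the switch software: a minimal BER encoder builds a constructed SNMPv2c GetRequest for the OID used in the configuration example (1.3.6.1.2.1.25.2.2.0) and a constructed SNMPv3 message header, and a decoder reads back the Version field (0, 1 or 3), the community string, the PDU type and OIDs, and for v3 the MsgID, MaxSize, Flags and SecurityModel fields, rejecting the privFlag=1 / authFlag=0 combination the guide rules out. It also checks the group/user/alert-host security-level rule from the Flags description. The community string, request ID and sizes are sample values; the SNMPv3 SecurityParameters and scoped PDU are left as empty placeholders, since the example covers only the header.

```python
"""Added example (not from the guide): encode and decode SNMP message headers."""

# PDU tags (context-specific, constructed) used in the SNMP PDU field.
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA6: "InformRequest",
             0xA7: "Trap"}
# Security levels in increasing strength, for the group/user/host rule.
LEVEL_RANK = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


# --- minimal BER encoding, enough to build sample messages ---------------
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_int(v):  # two's-complement INTEGER
    body = v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True)
    return b"\x02" + ber_len(len(body)) + body

def ber_str(b):
    return b"\x04" + ber_len(len(b)) + b

def ber_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:  # base-128, high bit set on all but the last byte
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        body.extend(chunk)
    return b"\x06" + ber_len(len(body)) + bytes(body)

def ber_seq(tag, *parts):
    payload = b"".join(parts)
    return bytes([tag]) + ber_len(len(payload)) + payload

def build_v2c_get(community, request_id, oid):
    """Constructed SNMPv2c GetRequest: Version=1, Community, GetRequest PDU."""
    varbind = ber_seq(0x30, ber_oid(oid), b"\x05\x00")  # value is NULL in a request
    pdu = ber_seq(0xA0, ber_int(request_id), ber_int(0), ber_int(0), ber_seq(0x30, varbind))
    return ber_seq(0x30, ber_int(1), ber_str(community), pdu)

def build_v3_header(msg_id, max_size, flags, security_model=3):
    """Constructed SNMPv3 message: Version=3 plus MsgID, MaxSize, Flags and
    SecurityModel; SecurityParameters and the scoped PDU are empty placeholders."""
    global_data = ber_seq(0x30, ber_int(msg_id), ber_int(max_size),
                          ber_str(bytes([flags])), ber_int(security_model))
    return ber_seq(0x30, ber_int(3), global_data, ber_str(b""), ber_seq(0x30))


# --- decoding -------------------------------------------------------------
def read_tlv(buf, off):
    """Return (tag, value, next_offset) for the BER element at buf[off]."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("BER element runs past end of buffer")
    return tag, buf[off:off + length], off + length

def decode_int(b):
    return int.from_bytes(b, "big", signed=True)

def decode_oid(b):
    parts, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def decode_flags(byte):
    """Flags byte: bit 2 reportableFlag, bit 1 privFlag, bit 0 authFlag."""
    reportable, priv, auth = bool(byte & 4), bool(byte & 2), bool(byte & 1)
    if priv and not auth:  # the one combination the guide rules out
        raise ValueError("invalid Flags: privFlag=1 with authFlag=0")
    level = "authPriv" if priv else ("authNoPriv" if auth else "noAuthNoPriv")
    return {"reportable": reportable, "priv": priv, "auth": auth, "level": level}

def v3_levels_consistent(group_level, user_level, host_level):
    """Rule from the Flags description: the user and the alert (trap) host must
    be at least as strong as the user group's security level."""
    return (LEVEL_RANK[user_level] >= LEVEL_RANK[group_level]
            and LEVEL_RANK[host_level] >= LEVEL_RANK[group_level])

def parse_snmp_message(buf):
    tag, body, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    _, ver, off = read_tlv(body, 0)
    version = decode_int(ver)
    if version in (0, 1):  # SNMPv1 / SNMPv2c: community string travels in clear text
        _, community, off = read_tlv(body, off)
        pdu_tag, pdu, _ = read_tlv(body, off)
        _, rid, p = read_tlv(pdu, 0)
        _, _status, p = read_tlv(pdu, p)
        _, _index, p = read_tlv(pdu, p)
        _, vbl, _ = read_tlv(pdu, p)
        oids, q = [], 0
        while q < len(vbl):
            _, vb, q = read_tlv(vbl, q)
            oids.append(decode_oid(read_tlv(vb, 0)[1]))
        return {"version": "v1" if version == 0 else "v2c", "community": community.decode(),
                "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)), "request_id": decode_int(rid),
                "oids": oids}
    if version == 3:
        _, gd, _ = read_tlv(body, off)
        _, mid, g = read_tlv(gd, 0)
        _, msz, g = read_tlv(gd, g)
        _, fl, g = read_tlv(gd, g)
        _, sm, _ = read_tlv(gd, g)
        return {"version": "v3", "msg_id": decode_int(mid), "max_size": decode_int(msz),
                "flags": decode_flags(fl[0]), "security_model": decode_int(sm)}
    raise ValueError("unknown SNMP version %d" % version)
```

Running `parse_snmp_message(build_v2c_get(b"public", 42, "1.3.6.1.2.1.25.2.2.0"))` shows why the guide's `snmpwalk -v 1 -c public` example is readable by anyone on the path: the version and community fields sit unencrypted at the front of the datagram. The same function applied to a v3 header reports the security level that the Flags byte selects, which is what the user and alert-host configuration in Table 12 and Table 13 has to agree on.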
