Configuration Guide
Network Management Configuration Guide
## LLDP

### Introduction

LLDP (Link Layer Discovery Protocol) is a Layer 2 discovery protocol defined in IEEE 802.1AB. In simple terms, LLDP is a neighbor discovery protocol: a means of transmitting information between two directly connected devices. For example, details such as device configuration and device identification can be advertised using this protocol.

### Basic Concepts

#### LLDP Packet

The LLDP packet structure is shown in the figure below (figure not preserved on this page). Its fields are:

- DA: destination MAC, a multicast address whose value corresponds to the meaning shown in Table 1.
- SA: source MAC, generally the system MAC.
- LLDP Ethertype: the frame type. By this field the switch determines that the frame is an LLDP frame and hands it to the LLDP module for processing. The value is 0x88CC.
- LLDPDU: LLDP Data Unit, the main body of the LLDP information exchange.
- FCS: frame check sequence.

Table 1: Destination MAC address table (table contents not preserved)

#### LLDPDU Structure

The LLDPDU is the body of the LLDP information exchange and determines which Layer 2 information about the switch can be discovered through LLDP. The LLDPDU structure is shown in the figure below (figure not preserved on this page). The basic information unit in the LLDPDU is the TLV:

- T (Type): the type of information.
- L (Length): the length of the value.
- V (Value): the value, i.e. what is actually transmitted.

#### TLV Type

During an LLDP frame exchange, the LLDPDU usually contains a number of different TLVs depending on requirements, through which the switch transmits or receives information about itself and its neighboring devices. The LLDPDU always starts with the Chassis ID TLV, Port ID TLV and Time To Live TLV, and ends with the End of LLDPDU TLV; these four TLVs are mandatory. The others are optional TLVs, and the switch defines whether or not to include them in the LLDPDU.

Basic TLV types

Table 2: Basic TLV types (table contents not preserved)

Note: please refer to IEEE 802.1AB-2016 for the specific TLV structure.

#### Organization-Specific TLV

TLVs defined by IEEE 802.1

The TLVs defined by IEEE 802.1 are mainly used to describe information such as VLANs and the ports that send LLDP packets.

Table 3: TLV types as defined by IEEE 802.1 (table contents not preserved)

Note: see Appendix D of IEEE 802.1Q-2018 for the detailed structure of this type of TLV, which corresponds to the OUI 00-80-C2.

TLVs defined by IEEE 802.3

The TLVs defined by IEEE 802.3 are mainly used for negotiation of port capabilities and similar purposes.

Table 4: TLV types as defined by IEEE 802.3 (table contents not preserved)

Note: see Chapter 79 of IEEE 802.3-2018 for the detailed structure of this type of TLV, which corresponds to the OUI 00-12-0F.

LLDP-MED TLV

LLDP-MED TLVs are used in the field of VoIP (Voice over Internet Protocol). This type of TLV can be used to exchange basic configuration, address, network policy and management information of voice devices, among other things, to enable interoperability between voice devices from different manufacturers.

Table 5: Media Endpoint Discovery (MED) related TLVs (table contents not preserved)

Note: see ANSI/TIA-1057 for details of the structure of this type of TLV, which corresponds to the OUI 00-12-BB.

### LLDP Default Configuration

The default configuration of LLDP is shown in the table below.

Table 6: LLDP default configuration (table contents not preserved)

### Disable LLDP

Table 7: Disable LLDP (table contents not preserved)

### LLDP Configuration

Table 8: LLDP configuration (table contents not preserved)

### Display and Maintenance

Table 9: LLDP display and maintenance (table contents not preserved)

### Typical Configuration Example

```
# Check the LLDP neighbor table
sonic# show lldp neighbor summary
Capability codes: (R) Router, (B) Bridge, (O) Other
LocalPort   RemoteDevice   RemotePortID   Capability   RemotePortDescr
0/48        spine-228      C1             BR           Ethernet0
0/60        sonic-227      C6             BR           Ethernet68
0/72        sonic-102      C7             BR           0/72

Total entries displayed: 3

# Check LLDP neighbor details for interface 0/48
sonic# show lldp neighbor interface 0/48
LLDP neighbors:
Interface: 0/48, via: LLDP, RID: 1, Time: 1 day, 07:13:23
  Chassis:
    ChassisID:  mac 18:17:25:37:65:40
    SysName:    spine-228
    SysDescr:   Debian GNU/Linux 9 (stretch) Linux 4.9.0-14-2-amd64 #1 SMP Debian 4.9.246-2 (2020-12-17) x86_64
    MgmtIP:     10.250.0.228
    MgmtIface:  2
    Capability: Bridge, on
    Capability: Router, on
    Capability: Wlan, off
    Capability: Station, off
  Port:
    PortID:     local C1
    PortDescr:  0/0
    TTL:        120
```
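The frame layout and mandatory TLV order described in the LLDP section, as an added example (not code from this guide or from SONiC): a small Python parser that checks the EtherType, splits the LLDPDU into TLVs and enforces the Chassis ID / Port ID / TTL ... End ordering. It assumes, from IEEE 802.1AB rather than from the page, the nearest-bridge destination MAC 01:80:c2:00:00:0e and the subtype and type codes noted in the comments; the sample frame is constructed from the neighbor values in the show output.

```python
import struct

# Page facts: LLDP EtherType 0x88CC; the LLDPDU must start with Chassis ID, Port ID
# and TTL and end with End of LLDPDU. Assumptions not stated on the page (IEEE
# 802.1AB): nearest-bridge destination MAC 01:80:c2:00:00:0e, Chassis ID subtype 4
# = MAC address, Port ID subtype 7 = locally assigned, System Name TLV type 5.
LLDP_ETHERTYPE = 0x88CC
LLDP_NEAREST_BRIDGE = bytes.fromhex("0180c200000e")
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYS_NAME = 0, 1, 2, 3, 5


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length in a 16-bit header, then the value."""
    if tlv_type > 127 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_tlvs(lldpdu: bytes) -> list:
    """Split an LLDPDU into (type, value) pairs, stopping at End of LLDPDU."""
    tlvs, off = [], 0
    while off + 2 <= len(lldpdu):
        header = struct.unpack("!H", lldpdu[off:off + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        value = lldpdu[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length runs past the end of the LLDPDU")
        tlvs.append((tlv_type, value))
        off += 2 + length
        if tlv_type == TLV_END:
            break
    return tlvs


def parse_lldp_frame(frame: bytes) -> dict:
    """Check the Ethernet header and mandatory TLV order, then extract neighbor data."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    da, sa = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame: ethertype 0x%04x" % ethertype)
    tlvs = parse_tlvs(frame[14:])
    types = [t for t, _ in tlvs]
    if types[:3] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL] or types[-1:] != [TLV_END]:
        raise ValueError("mandatory TLVs missing or out of order: %r" % types)
    info = {"da": da.hex(":"), "sa": sa.hex(":"), "tlv_types": types}
    # Chassis ID and Port ID carry a one-byte subtype before the value.
    chassis_subtype, chassis_val = tlvs[0][1][0], tlvs[0][1][1:]
    info["chassis_id"] = chassis_val.hex(":") if chassis_subtype == 4 else chassis_val.decode("ascii", "replace")
    info["port_id"] = tlvs[1][1][1:].decode("ascii", "replace")
    info["ttl"] = struct.unpack("!H", tlvs[2][1])[0]
    for tlv_type, value in tlvs[3:]:
        if tlv_type == TLV_SYS_NAME:
            info["system_name"] = value.decode("ascii", "replace")
    return info


# Constructed sample frame using the neighbor values from the show output above
# (chassis MAC 18:17:25:37:65:40, port C1, TTL 120, system name spine-228).
NEIGHBOR_MAC = bytes.fromhex("181725376540")
SAMPLE_FRAME = (
    LLDP_NEAREST_BRIDGE + NEIGHBOR_MAC + struct.pack("!H", LLDP_ETHERTYPE)
    + tlv(TLV_CHASSIS_ID, b"\x04" + NEIGHBOR_MAC)
    + tlv(TLV_PORT_ID, b"\x07C1")
    + tlv(TLV_TTL, struct.pack("!H", 120))
    + tlv(TLV_SYS_NAME, b"spine-228")
    + tlv(TLV_END, b"")
)
```

Running `parse_lldp_frame` over frames captured on an access port is a quick way to verify that a neighbor advertises only the TLVs you expect.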
## SNMP

### Introduction

SNMP (Simple Network Management Protocol) is a standard protocol for network management, widely used in TCP/IP networks. SNMP provides a method of managing devices through a central computer (i.e. a network management workstation) running network management software. SNMP has the following features:

- Simplicity: SNMP uses a polling mechanism to provide the most basic set of features for small, fast, low-cost environments, and is supported by most devices, as SNMP is carried in UDP packets.
- Robustness: the goal of SNMP is to ensure that management information can be delivered between any two points, so that administrators can retrieve information from any node on the network for troubleshooting.

SNMP is currently available in three versions: v1, v2c and v3. v1 and v2c are basically the same; v2c can be seen as an enhanced version of v1 with some new operations, while v3 has undergone major changes to provide authentication and encryption security mechanisms, as well as user- and view-based access control, for enhanced security.

### Basic Concepts

#### SNMP Management Model

SNMP is an application-layer protocol specifically designed for network management. There are two roles in SNMP: the network management system, and the network device being managed. The SNMP system consists of the NMS (Network Management System), the agent, the management objects and the MIB (Management Information Base). The NMS acts as the network management center for the entire network and manages the switches. Each managed device contains an agent, a MIB and multiple management objects residing on the switch. The NMS interacts with the agent running on the managed device, and the agent carries out the NMS commands by manipulating the MIB on the switch.

The SNMP management model is shown in the figure below (figure not preserved on this page). The main elements of the model are as follows:

- NMS: plays the role of manager in the network. It is a system that uses SNMP to manage and monitor network devices, running on an NMS server, which can send requests to the agent on the switch to query or modify the values of one or more specific parameters. The NMS can also receive unsolicited trap packets from the agent on the switch in order to be informed of the current status of the managed device.
- Agent: the agent process in the managed device. It maintains information and data about the managed device and responds to requests from the NMS, reporting management data to the NMS that sent the request. The agent receives the request from the NMS, carries out the corresponding instruction through the MIB table, and then responds to the NMS with the result of the operation. In the event of a fault or other event, the switch sends a proactive message to the NMS via the agent, reporting the switch's current status change.
- Management object: a managed object. Each device may contain multiple managed objects, which may be a piece of hardware in the switch or a collection of parameters configured on hardware or software (e.g. routing protocols).
- MIB: a database that specifies the variables maintained by the management objects (i.e. information that can be queried and set by the agent). The MIB defines a series of properties of each management object: the name of the object, its state, its access rights, its data type, and so on. By querying the MIB, the agent can obtain information about the current state of the switch.

#### SNMP Packet Structure

SNMPv1 and SNMPv2c packets consist mainly of Version, Community Name and SNMP PDU. The packet for each type of SNMP operation is encapsulated in the SNMP PDU, as shown in the figure below (figure not preserved on this page).

- Version: indicates the SNMP version. The field value is 0 for an SNMPv1 packet and 1 for SNMPv2c.
- Community Name: used for authentication between the SNMP agent and the NMS, in the form of a user-defined string. Community names include "read" and "write": when performing an SNMP query operation, the "read" community name is used for authentication; when performing an SNMP set operation, the "write" community name is used.

SNMPv3 packets mainly consist of Version, MsgID, MaxSize, Flags, SecurityModel, SecurityParameters, Context EngineID, Context Name and SNMP PDU, as shown in the figure below (figure not preserved on this page). The SNMP PDU format of SNMPv3 packets is the same as that of SNMPv2c. SNMPv3 packets can use the authentication and privacy mechanisms; with privacy enabled, the Context EngineID, Context Name and SNMP PDU are encrypted.

- Version: indicates the SNMP version. For an SNMPv3 packet the field value is 3.
- MsgID: the sequence number of the request packet.
- MaxSize: the maximum message size, in bytes, that the sender of the packet can hold and receive.
- Flags: packet identification bits, occupying one byte, with three flag bits: reportableFlag, privFlag and authFlag.
  - reportableFlag=1: the recipient of the SNMPv3 packet must send a Report PDU to the sender if it can generate one; reportableFlag=0: the recipient does not send a Report PDU. Report is only used when the SNMP PDU cannot be decrypted (e.g. decryption failure due to a wrong key).
  - privFlag=1: the SNMPv3 packet is encrypted; privFlag=0: it is not encrypted.
  - authFlag=1: the SNMPv3 packet is authenticated; authFlag=0: it is not authenticated.
  - Any combination is possible except privFlag=1 with authFlag=0. So when configuring the SNMPv3 security level, note that if the user group is at the privacy level, the user and the alert host must also be at the privacy level; if the user group is at the authentication level, the user and the alert host can be at either the privacy or the authentication level.
- SecurityModel: the security model used for the packet; the sender and the receiver must use the same security model.
- SecurityParameters: includes information about the SNMP entity engine, the user name, authentication parameters, encryption parameters and other security information.
- Context EngineID: the SNMP unique identifier which, together with the PDU type, determines which application the packet should be delivered to.
- Context Name: identifies the collection of management information accessible to an SNMP entity.

#### Working Principle

SNMPv1 and SNMPv2c work in the same way. SNMPv3 is implemented in the same way as SNMPv1/SNMPv2c, the only difference being that SNMPv3 adds authentication and encryption processing.

SNMP Query

An SNMP query means that the NMS sends a query request to the SNMP agent on its own initiative. The SNMP agent receives the query request, carries out the corresponding command through the MIB table and returns the result to the NMS. The query process is basically the same for all versions; the only difference is that SNMPv3 adds authentication and encryption processing. There are three SNMP query operations: Get, GetNext and GetBulk. SNMPv1 does not support the GetBulk operation.

- Get: the NMS uses this operation to obtain one or more parameter values from the SNMP agent.
- GetNext: the NMS uses this operation to obtain, for one or more parameters, the next parameter value from the SNMP agent.
- GetBulk: built on GetNext, this is equivalent to performing multiple GetNext operations in succession. The number of GetNext steps the managed device performs during a single GetBulk exchange can be set on the NMS.

SNMP Set

An SNMP set means that the NMS actively sends a request to the SNMP agent to perform a set operation on the switch. After receiving the set request, the SNMP agent carries out the corresponding command through the MIB table and sends the result back to the NMS. There is only one set operation, Set, which the NMS uses to set the value of one or more parameters in the SNMP agent. As with the query operation, SNMPv3 adds authentication and encryption processing, and the rest of the process does not differ between versions.

SNMP Response

An SNMP response means that the SNMP agent receives the request from the NMS, carries out the corresponding query or modification through the MIB, and then sends the information back to the NMS. There is only one response operation, Response, which can return one or more parameter values. This operation is issued by the agent in reply to the four operations GetRequest, GetNextRequest, SetRequest and GetBulkRequest.

SNMP Traps

SNMP traps are alarms or events generated by the SNMP agent and actively reported to the NMS, so that the network administrator is kept informed of the current operating status of the switch. The SNMP agent has two ways of sending traps: Trap and Inform. Inform is not supported in SNMPv1. The difference between Trap and Inform is that after the SNMP agent sends an alert or event to the NMS via Inform, the NMS must reply with an Inform Response as acknowledgement.

### SNMP Configuration

Table 10: Overview of SNMP configuration tasks (table contents not preserved)

#### Configure SNMP Community

Note: this configuration is only for SNMPv1 and SNMPv2c.

Table 11: Configure the SNMP community (table contents not preserved)

#### Configure SNMP User

Note: this configuration is only for SNMPv3.

Table 12: Configure the SNMP user (table contents not preserved)

#### Configure SNMP Agent Trap

Table 13: Configure the SNMP agent trap (table contents not preserved)

Note: v1, v2 and v3 can each be configured with only one SNMP agent trap; if more than one is configured, the original configuration is overwritten.

#### Configure SNMP Agent Source

Table 14: Configure the SNMP agent source (table contents not preserved)

### Display and Maintenance

Table 15: SNMP display and maintenance (table contents not preserved)

### Typical Configuration Example

Configure the SNMP agent source:

```
# Configure the SNMP agent source
sonic# config terminal
sonic(config)# snmp agent source 10.10.10.2 udp-port 165
sonic(config)# snmp agent source 10.20.10.3

# Data lookup from another device (the source IP must be reachable by ping)
root@asterfusion:/# snmpwalk -v 1 -c public 10.10.10.2:165 1.3.6.1.2.1.25.2.2.0
iso.3.6.1.2.1.25.2.2.0 = INTEGER: 8048596
root@asterfusion:/# snmpwalk -v 1 -c public 10.20.10.3 1.3.6.1.2.1.25.2.2.0
iso.3.6.1.2.1.25.2.2.0 = INTEGER: 8048596
```
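The SNMPv1/v2c message layout (Version, Community Name, SNMP PDU) and the SNMPv3 flags rule from the packet structure section, as an added example (not code from this guide or from SONiC): a minimal hand-rolled BER encoder and decoder that builds the GetRequest the snmpwalk example above sends and reads the version and community back out of it. The OID is the one used in that example; the community "public" and request id are constructed sample values, and the msgFlags bit positions (authFlag 0x01, privFlag 0x02, reportableFlag 0x04) are taken from RFC 3412, not from the page.

```python
def ber(tag: int, payload: bytes) -> bytes:
    """Tag-Length-Value with a short or two-byte long-form length."""
    n = len(payload)
    if n < 0x80: length = bytes([n])
    elif n < 0x100: length = bytes([0x81, n])
    else: length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload

def ber_int(value: int) -> bytes:
    """ASN.1 INTEGER in minimal two's-complement form (one extra bit for the sign)."""
    size = (value.bit_length() + 8) // 8
    return ber(0x02, value.to_bytes(size, "big", signed=True))

def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return ber(0x06, bytes(body))

def build_get_request(version: int, community: str, oid: str, request_id: int) -> bytes:
    """Version field: 0 = SNMPv1, 1 = SNMPv2c, as given on the page."""
    varbind = ber(0x30, ber_oid(oid) + ber(0x05, b""))            # OID + NULL value
    pdu = ber(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)  # GetRequest PDU
              + ber(0x30, varbind))
    return ber(0x30, ber_int(version) + ber(0x04, community.encode()) + pdu)

def read_tlv(buf: bytes, off: int):
    """Return (tag, value, next_offset) for the element starting at off."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                     # long form: next (length & 0x7F) bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def decode_header(msg: bytes):
    """Return (version, community, pdu_tag). Both fields are plaintext on the wire,
    so anyone who can capture v1/v2c management traffic can read the community;
    the v3 auth/priv flags described on the page are what closes that gap."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, off = read_tlv(body, 0)
    _, community, off = read_tlv(body, off)
    pdu_tag, _, _ = read_tlv(body, off)
    return int.from_bytes(version, "big", signed=True), community.decode(), pdu_tag

def v3_security_level(flags: int) -> str:
    """Interpret the SNMPv3 msgFlags byte and enforce the page's rule that
    privFlag=1 with authFlag=0 is not a valid combination."""
    auth, priv = bool(flags & 0x01), bool(flags & 0x02)
    if priv and not auth:
        raise ValueError("privFlag=1 with authFlag=0 is not allowed")
    return "authPriv" if priv else "authNoPriv" if auth else "noAuthNoPriv"
```

Feeding captured management-plane datagrams to `decode_header` is a simple way to audit which devices are still being polled with v1/v2c instead of v3.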
