Sun SNMP Management Agent for Sun Fire and Netra Systems

This chapter provides a brief introduction to the essential features of the Simple Network Management Protocol (SNMP). This chapter addresses the issues that are of particular relevance to the Sun Fire and Netra systems.

The chapter contains the following sections:

• SNMP Versions
• SNMP Managers and Agents
• SNMP Management Information Base

---

SNMP Versions

SNMP is an open internet standard for managing networked devices (systems). It is defined, in common with other internet standards, by a number of Requests for Comments (RFCs) published by the Internet Engineering Task Force (IETF).

There are three versions of SNMP that define approved standards:

• SNMPv1
• SNMPv2 (also known, and referred to in this document, as SNMPv2c)
• SNMPv3

SNMPv1 was first defined in 1988. SNMPv2 was introduced in 1993 and attempted to address some of the shortcomings of SNMPv1 by adding further protocol operations and data types and providing security. Limitations in the security model led to what is now accepted as the SNMPv2c standard, which dropped the new security-based features. Experimental versions, known as SNMPv2usec and SNMPv2*, also appeared at this time, but these have not been widely adopted and remain experimental.

SNMPv3, introduced in 1999, defines the SNMP management framework supporting pluggable components, including security.

For further information about these standards, refer to the following RFCs at the IETF website (http://www.ietf.org/rfc.html):

• SNMPv1: RFC1155, RFC1157, RFC1212, RFC1215
• SNMPv2: RFC2578, RFC2579, RFC2580, RFC3416
• SNMPv3: RFC3410, RFC3411, RFC3412, RFC3413, RFC3414, RFC3415
• Coexistence between standards: RFC2576

---

SNMP Managers and Agents

SNMP is a network protocol that allows devices to be managed remotely by a network management station (NMS), also commonly called a manager.

To be managed, a device must have an SNMP agent associated with it. The purpose of the agent is to:

• Receive requests for data representing the state of the device from the manager, and provide an appropriate response
• Accept data from the manager to enable control of the device state
• Generate SNMP traps, which are unsolicited messages sent to one or more selected mangers to signal significant events relating to the device

---

SNMP Management Information Base

To manage and monitor a device, its characteristics must be represented using a format known to both the agent and the manager. These characteristics can represent physical properties such as fan speeds, or services such as routing tables. The data structure defining these characteristics is known as a management information base (MIB). This data model is typically organized into tables, but can also include simple values. An example of the former is a routing table, and an example of the latter is a timestamp indicating the time at which the agent was started.

The MIB is a definition for a virtual data store accessible via SNMP. The content is accessible from the manager using get and set operations as follows:

• In response to a get operation, the agent provides data, either maintained locally or directly from the managed device.
• In response to a set operation, the agent typically performs some action affecting the state of either itself or the managed device.

To enable an NMS to manage a device via its agent, the MIB corresponding to the data presented by the agent must be loaded into the manager. The mechanism for doing this varies depending on the implementation of the network management software. This gives the manager the information required to address and interpret correctly the data model presented by the agent.

To address the content of this virtual data store, the MIB is defined in terms of object identifiers (OIDs). An OID consists of an hierarchically arranged sequence of integers that defines a unique name space. Each assigned integer has an associated text name. For example, the OID 1.3.6.1 corresponds to the OID name iso.org.dod.internet and 1.3.6.1.4 corresponds to the OID name iso.org.dod.internet.private.

The numeric form is used within SNMP protocol transactions, whereas the text form is used in user interfaces to aid readability. Objects represented by such OIDs are commonly referred to by the last component of their name as a shorthand form. To avoid confusion arising from this convention, it is normal to apply a MIB-specific prefix, such as sunPlat, to all object names defined therein, thereby making all such identifiers globally unique.

MIB Tables

Much of the data content defined by MIBs is in tabular form, and organized as entries consisting of a sequence of objects, each with its own OIDs. For example, a table of fan characteristics could consist of a number of rows, one per fan, with each row containing columns corresponding to the current speed, the expected speed, and the minimum acceptable speed.

The addressing of the rows within the table can be as follows:

• Simple, single-dimensional index (a row number within the table, for
  example `6')
• More complex, multidimensional, instance specifier such as an IP address and port number (for instance, 127.0.0.1, 1234)

Each table definition within the MIB has an INDEX clause that defines which instance specifiers to use to select a given entry. In either case, the objects used to define the index to the required row must themselves be defined within the MIB. Thus, a table with a simple, single-dimensional index typically has an index column that is referenced by the table's INDEX clause. A specific data item within a table is then addressed by specifying the OID giving its columnar prefix.

For example, myFanTable.myFanEntry.myCurrentFanSpeed) with a suffix instance specifier (for instance 127.0.0.1.1234 from the previous example) gives myFanTable.myFanEntry.myCurrentFanSpeed.127.0.0.1.1234.

The SMI defining the MIB syntax provides an important capability for extending tables to add additional entries, effectively by adding extra columns to the table. This is achieved by defining a table with an INDEX clause that is a duplicate of the INDEX clause of the table being extended.

It is also possible to define MIB tables that are indexed not by objects contained within them, but by objects imported from other tables, potentially defined in other MIBs. This construct, effectively, enables columns to be added to an existing table.

Access Control

All addressable objects defined in the MIB have associated maximum access rights, for instance, read-only or read-write. These determine the maximum access the agent can support, and can be used by the manager to restrict the operations it will permit the operator to attempt. The agent is able to apply lower access rights as required, that is, it is able to refuse writes to objects that are considered read-write. This refusal can be on the basis of:

• How applicable the operation is to the object being addressed (for example, where an object defined by the MIB represents a state machine for which only certain transactions are legal)
• Security restrictions that limit certain operations to restricted sets of managers

The mechanism used to communicate security access rights in SMMPv1 is that of community strings. These are simply text strings such as private and public that are passed with each SNMP data request. As SNMPv1 and SNMPv2 requests are not encrypted, this should not be considered secure. The mechanism used to define which community strings the agent should respond to, and from which manager, depends on the implementation of the agent, but is typically based on access control lists (ACLs), which are files describing applicable access permissions.

For a description of how to configure ACLs, refer to Chapter 3.

Sun SNMP Management Agent for Sun Fire and Netra Systems

817-2559-16

Copyright © 2006, Sun Microsystems, Inc. All Rights Reserved.