Section 6.1. Parameter Settings


6.1. Parameter Settings

All SNMP devices share the following common configurable parameters:

  • sysLocation

  • sysContact

  • sysName

  • Read-write and read-only access community strings (and frequently, a trap community string)

  • Trap destination

sysLocation is the physical location for the device being monitored. Its definition in RFC 1213 is:

 sysLocation OBJECT-TYPE     SYNTAX  DisplayString (SIZE (0..255))     ACCESS  read-write     STATUS  mandatory     DESCRIPTION         "The physical location of this node (e.g., 'telephone closet,          3rd floor')."     ::= { system 6 } 

As you can see, its SYNTAX is DisplayString, which means it can be an ASCII string of characters; its size is declared to be, at most, 255 characters. This particular object is useful for determining where a device is located. This kind of practical information is essential in a large network, particularly if it's spread over a wide area. If you have a misbehaving switch, it's very convenient to be able to look up the switch's physical location. Unfortunately, sysLocation frequently isn't set when the device is installed and even more often isn't changed when the device is moved. Unreliable information is worse than no information, so use some discipline and keep your devices up-to-date.

RFC 1213's definition of sysContact is similar to that of sysLocation:

 sysContact OBJECT-TYPE     SYNTAX  DisplayString (SIZE (0..255))     ACCESS  read-write      STATUS  mandatory     DESCRIPTION         "The textual identification of the contact person for this managed          node, together with information on how to contact this person."     ::= { system 4 } 

sysContact is a DisplayString. It's fairly obvious what it's used for: it identifies the primary contact for the device in question. It is important to set this object with an appropriate value, as it can help your operations staff determine who needs to be contacted in the event of some catastrophic failure. You can also use it to make sure you're notified, if you're responsible for a given device, when someone needs to take your device down for maintenance or repairs. As with sysLocation, make sure to keep this information up-to-date as your staff changes. It's not uncommon to find devices for which the sysContact is someone who left the company several years ago.

sysNames hould be set to the fully qualified domain name (FQDN) for the managed device. In other words, it's the hostname associated with the managed device's IP address. The RFC 1213 definition follows:

 sysName OBJECT-TYPE     SYNTAX  DisplayString (SIZE (0..255))     ACCESS  read-write     STATUS  mandatory     DESCRIPTION         "An administratively-assigned name for this managed node. By          convention, this is the node's fully-qualified domain name."     ::= { system 5 } 

The read-only and read-write parameters are the community strings for read-only and read-write access. Notice that sysLocation, sysContact, and sysName all have ACCESS values of read-write. With the appropriate read-write community string, anyone can change the definition of these objects and many more objects of significantly greater importance. Ultimately, it's not a huge problem if somebody maliciously makes your router lie about its locationyou probably already know that it isn't located in Antarctica. But someone who can do this can also fiddle with your routing tables and do other kinds of much more serious damage. Someone who has only the read-only community string can certainly find out more information about your network than you would like to reveal to an outsider. Setting the community strings is extremely important to maintaining a secure environment. Most devices are shipped with default community strings that are well known. Don't assume that you can put off setting your community strings until later.

The trap destination parameters specify the addresses to which traps are sent. There's nothing really magical heresince traps are asynchronous notifications generated by your devices, the agent needs to know who should receive notification. Many devices support authentication-failure traps , which are generated if someone attempts to access them using incorrect community strings. This feature is extremely useful, as it allows you to detect attempts to break into your devices. Many devices also support the ability to include a community string with traps; you can configure the NMS to respond only to traps that contain the proper community string.

Many devices have additional twists on the access and trap parameters. For example, Cisco devices allow you to create different community strings for different parts of the MIByou can use this to allow people to set some variables, but not others. Many vendors allow you to place restrictions on the hosts that are allowed to make SNMP requests. That is, the device will respond only to requests from certain IP addresses, regardless of the community string.

The range of configuration options you're likely to run into is limited only by the imagination of the vendors, so it's obviously impossible for us to describe everything you might encounter. "Agent Configuration Walkthroughs," later in this chapter, will give you an idea of how some agents implement the standard configuration parameters, and a little insight into what other features might be available.




Essential SNMP
Essential SNMP, Second Edition
ISBN: 0596008406
EAN: 2147483647
Year: 2003
Pages: 165

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net