《網(wǎng)絡(luò)管理》第三版PPT課件
網(wǎng)絡(luò)管理第三版PPT課件,網(wǎng)絡(luò)管理,網(wǎng)絡(luò),管理,第三,PPT,課件
SNMP Network Management Model
Network Management Tutorial (網絡管理教程), Guo Jun (郭軍)

NETWORK MANAGEMENT: STANDARDS
- ISO: OSI, CMIP/CMIS
- ITU-T SG IV: TMN
- Internet: Internet Engineering Task Force (IETF), SNMP

CHARACTERISTICS
- CMIP
  - Management should be powerful
  - Object-oriented approach
  - Management information must be exchanged in a reliable fashion
- TMN
  - The actual protocols are those of OSI
- SNMP
  - Management should be simple
  - Variable-oriented approach
  - Management information exchanges may be unreliable

Development history
- Early years: ICMP (Internet Control Message Protocol)
  - ICMP provides a means for transferring messages from routers and other hosts to a host
  - ICMP has two useful message pairs: echo / echo reply, and timestamp / timestamp reply
  - The PING program is built on them
- Simple Gateway Monitoring Protocol (SGMP), issued in Nov. 1987
- Three promising approaches emerged
  - High-level Entity Management System (HEMS)
  - Simple Network Management Protocol (SNMP): an enhanced version of SGMP
  - CMIP over TCP/IP (CMOT)
- The IAB's development strategy in 1988
  - SNMP: short-term solution
  - CMOT: long-range solution
  - Both SNMP and CMOT were to use the same database of MOs (managed objects)
- It proved impractical to keep SNMP and CMOT compatible at the object level
- Finally, the IAB allowed SNMP and CMOT to develop independently

The progress of SNMP
- Remote monitoring (RMON): the capability of monitoring a whole network, extending the SNMP MIB
- SNMPv2: extensions to security, the SMI and the protocol operations
- SNMPv3: unified architecture; user-based security and view-based access control

WHY DID SNMP SUCCEED?
- Standards can be obtained for free
- Standards are available from FTP and WWW servers in electronic form
- Rapid development of standards
- Prototypes must demonstrate the need for, and the feasibility of, standards

SNMP Architecture
- OSI system management architecture
- SNMP architecture: an asymmetrical two-tier organization model
  - SNMP management station
  - SNMP agent
[Figure: SNMP architecture, asymmetrical two-tier organization model]

Key elements
- Management station
  - Typically a stand-alone device
  - Serves as the interface for the human manager
- Management agent
  - Platforms equipped with SNMP, such as hosts, bridges, routers and hubs
- MIB (Management Information Base)
  - The set of MOs shared by the manager and the agent
  - Standard MIB classes are defined by international organizations
  - MIB instances are realized in each agent
- Network management protocol
  - SNMP, between manager and agent, over UDP
  - Get, Set and Trap
[Figures: GET, GET-NEXT, SET and TRAP exchanges between station and agent]

Trap-directed polling
- Two methods to get information: polling-only and interrupt-based
- Polling-only
  - A management station may be responsible for a large number of agents
  - An agent may maintain a large number of MOs
  - It becomes impractical for the station to regularly poll all agents for all of their readable objects
- Recommended strategy: trap-directed polling
  - At infrequent intervals, the station polls the agents for some key information
  - Then the station refrains from polling
  - Agents are responsible for notifying the station of any unusual event; on receiving such a trap, the station polls that agent for the details

Proxies
- Three-tier organization model, as in TMN
[Figure: three-tier organization model with a proxy]

RMON
- The manager accesses MOs through an RMON probe
- The RMON probe preprocesses the raw data
[Figure: RMON probe placement; labels RMON, TMN, LLA]

SNMP Management Information Model
- SMI: Structure of Management Information
  - Provides a general framework for a MIB definition
  - Identifies the data types used in the MIB
  - Identifies how MOs are named
  - Encourages simplicity and extensibility
- The MIB can store only simple data types: scalars, and two-dimensional arrays of scalars (tables)

OBJECT NAMING: MIBs
- Registration tree: iso(1) org(3) dod(6) internet(1)
- Object identifier of the Internet MIB subtree: 1.3.6.1
- DESCRIPTOR: a mnemonic name for an object, beginning with a lowercase letter; for example internet, mgmt
- Four nodes under internet: directory(1), mgmt(2), experimental(3), private(4)
- mib-1 and mib-2 are registered at the same node under mgmt, { mgmt 1 }

Defining a managed object: identifier, syntax, encoding scheme

Identifier of a managed object
- Two forms of object identifier: DESCRIPTOR and OBJECT IDENTIFIER
- OBJECT IDENTIFIER: a basic ASN.1 data type dedicated to identifying objects; a dotted sequence of integers derived from the object tree
  - Example: internet OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) 1 }
- DESCRIPTOR: a name that describes the object node, assigned in ASN.1
  - Example: mgmt OBJECT IDENTIFIER ::= { internet 2 }

Defining a managed object: the SMI as specified in RFC 1155

    RFC1155-SMI DEFINITIONS ::= BEGIN

    EXPORTS -- EVERYTHING
        internet, directory, mgmt, experimental, private, enterprises,
        OBJECT-TYPE, ObjectName, ObjectSyntax, SimpleSyntax, ApplicationSyntax,
        NetworkAddress, IpAddress, Counter, Gauge, TimeTicks, Opaque;

    -- the path to the root
    internet      OBJECT IDENTIFIER ::= { iso org(3) dod(6) 1 }
    directory     OBJECT IDENTIFIER ::= { internet 1 }
    mgmt          OBJECT IDENTIFIER ::= { internet 2 }
    experimental  OBJECT IDENTIFIER ::= { internet 3 }
    private       OBJECT IDENTIFIER ::= { internet 4 }
    enterprises   OBJECT IDENTIFIER ::= { private 1 }

    -- definition of object types
    OBJECT-TYPE MACRO ::=
    BEGIN
        TYPE NOTATION ::= "SYNTAX" type (TYPE ObjectSyntax)
                          "ACCESS" Access
                          "STATUS" Status
        VALUE NOTATION ::= value (VALUE ObjectName)
        Access ::= "read-only" | "read-write" | "write-only" | "not-accessible"
        Status ::= "mandatory" | "optional" | "obsolete"
    END

    -- names of objects in the MIB
    ObjectName ::= OBJECT IDENTIFIER

    -- syntax of objects in the MIB
    ObjectSyntax ::= CHOICE {
        simple            SimpleSyntax,
        application-wide  ApplicationSyntax
    }
    SimpleSyntax ::= CHOICE {
        number  INTEGER,
        string  OCTET STRING,
        object  OBJECT IDENTIFIER,
        empty   NULL
    }
    ApplicationSyntax ::= CHOICE {
        address    NetworkAddress,
        counter    Counter,
        gauge      Gauge,
        ticks      TimeTicks,
        arbitrary  Opaque
    }

    -- application-wide types
    NetworkAddress ::= CHOICE { internet IpAddress }
    IpAddress ::= [APPLICATION 0] IMPLICIT OCTET STRING (SIZE (4))
    Counter   ::= [APPLICATION 1] IMPLICIT INTEGER (0..4294967295)
    Gauge     ::= [APPLICATION 2] IMPLICIT INTEGER (0..4294967295)
    TimeTicks ::= [APPLICATION 3] IMPLICIT INTEGER (0..4294967295)
    Opaque    ::= [APPLICATION 4] IMPLICIT OCTET STRING

    END

SMI data types

Data type | Description
INTEGER | Integer; several variants by sign, length and range
OCTET STRING | Variable-length 8-bit binary or text information
OBJECT IDENTIFIER | Sequence of integers giving the position of the managed object in the MIB
NULL | Null value, a placeholder
IpAddress | Dotted-decimal IP address (4 octets)
Counter | Non-negative integer that can only be incremented; wraps around to 0 after reaching its maximum
Gauge | Non-negative integer that can increase or decrease; latches at its maximum until reset
TimeTicks | Non-negative integer used as a timer in hundredths of a second
Opaque | Data passed as an OCTET STRING for transmission
SEQUENCE | Used to construct list (record) structures
SEQUENCE OF | Used to construct table structures

ASN.1 macro definitions
- The role of macros in ASN.1: a macro defines the notation for a new type and for its values
- Macro template:

    <name> MACRO ::=
    BEGIN
        TYPE NOTATION  ::= <notation for the new type>
        VALUE NOTATION ::= <notation for values of the new type>
    END

Managed object class definition: the extended OBJECT-TYPE macro (RFC 1212)

    IMPORTS ObjectName, ObjectSyntax FROM RFC-1155-SMI;

    OBJECT-TYPE MACRO ::=
    BEGIN
        TYPE NOTATION ::= "SYNTAX" type (TYPE ObjectSyntax)
                          "ACCESS" Access
                          "STATUS" Status
                          DescrPart
                          ReferPart
                          IndexPart
                          DefValPart
        VALUE NOTATION ::= value (VALUE ObjectName)

        Access ::= "read-only" | "read-write" | "write-only" | "not-accessible"
        Status ::= "mandatory" | "optional" | "obsolete" | "deprecated"

        DescrPart  ::= "DESCRIPTION" value (description DisplayString) | empty
        ReferPart  ::= "REFERENCE" value (reference DisplayString) | empty
        IndexPart  ::= "INDEX" "{" IndexTypes "}" | empty
        IndexTypes ::= IndexType | IndexTypes "," IndexType
        IndexType  ::= value (indexobject ObjectName) | type (indextype)
        DefValPart ::= "DEFVAL" "{" value (defvalue ObjectSyntax) "}" | empty

        DisplayString ::= OCTET STRING (SIZE (0..255))
    END

Example of an object type definition: icmpInMsgs

    icmpInMsgs OBJECT-TYPE
        SYNTAX  Counter
        ACCESS  read-only
        STATUS  mandatory
        ::= { icmp 1 }

- This defines a managed object under the icmp node, with descriptor icmpInMsgs
- The OBJECT IDENTIFIER of icmp is 1.3.6.1.2.1.5
- The OBJECT IDENTIFIER of icmpInMsgs is therefore 1.3.6.1.2.1.5.1

Example of an object type definition: sysDescr

    sysDescr OBJECT-TYPE
        SYNTAX  DisplayString (SIZE (0..255))
        ACCESS  read-only
        STATUS  mandatory
        DESCRIPTION
            "A textual description of the entity. This value should include
            the full name and version identification of the system's hardware
            type, software operating system, and networking software. It is
            mandatory that this contain only printable ASCII characters."
        ::= { system 1 }

Encoding Structure
- The ASN.1 syntax that carries the management information is encoded using the Basic Encoding Rules (BER)
- SNMP adopts a specific encoding structure: TLV, Type (identifier), Length and Value
[Figure: BER basic encoding method]
[Figure: the Identifier field in BER; tag numbers below 31 fit in a single identifier octet]

Tag class, bits 8 and 7 of the identifier octet

Class | Bit 8 | Bit 7
Universal | 0 | 0
Application | 0 | 1
Context-specific | 1 | 0
Private | 1 | 1

Tags of the SNMP data types

Data type | Tag | Identifier octet
INTEGER | UNIVERSAL 2 | 02
OCTET STRING | UNIVERSAL 4 | 04
NULL | UNIVERSAL 5 | 05
OBJECT IDENTIFIER | UNIVERSAL 6 | 06
SEQUENCE | UNIVERSAL 16 | 30 (bit 6, constructed, is set)
SEQUENCE OF | UNIVERSAL 16 | 30 (bit 6, constructed, is set)
IpAddress | APPLICATION 0 | 40
Counter | APPLICATION 1 | 41
Gauge | APPLICATION 2 | 42
TimeTicks | APPLICATION 3 | 43
Opaque | APPLICATION 4 | 44

- For example, the encoding of the OCTET STRING 0A1BH is 04 02 0A 1B (identifier 00000100, length 00000010, value 00001010 00011011)
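The registration tree and the OBJECT-TYPE definitions above (descriptor versus OBJECT IDENTIFIER, `{ parent n }` assignments, the icmpInMsgs and sysDescr examples) are what a MIB compiler resolves into numeric OIDs. The following Python is an added example written for this page, not code from the textbook or from any SNMP toolkit. Its sample definitions are constructed from the RFC 1155 / RFC 1213 fragments shown above (only enough of the tree to reach sysDescr, ifType and icmpInMsgs, not a full MIB module), and the function names resolve, access_of and describe are this example's own.

```python
import re
from typing import Dict, Tuple

OID = Tuple[int, ...]

# Constructed sample in the RFC 1155 / RFC 1212 style of the slides above.
# It is deliberately partial: just the registration path to three object types.
SAMPLE_DEFINITIONS = """
internet      OBJECT IDENTIFIER ::= { iso org(3) dod(6) 1 }
directory     OBJECT IDENTIFIER ::= { internet 1 }
mgmt          OBJECT IDENTIFIER ::= { internet 2 }
experimental  OBJECT IDENTIFIER ::= { internet 3 }
private       OBJECT IDENTIFIER ::= { internet 4 }
enterprises   OBJECT IDENTIFIER ::= { private 1 }
mib-2         OBJECT IDENTIFIER ::= { mgmt 1 }
system        OBJECT IDENTIFIER ::= { mib-2 1 }
interfaces    OBJECT IDENTIFIER ::= { mib-2 2 }
icmp          OBJECT IDENTIFIER ::= { mib-2 5 }

sysDescr OBJECT-TYPE
    SYNTAX  DisplayString (SIZE (0..255))
    ACCESS  read-only
    STATUS  mandatory
    ::= { system 1 }

ifTable OBJECT-TYPE
    SYNTAX  SEQUENCE OF IfEntry
    ACCESS  not-accessible
    STATUS  mandatory
    ::= { interfaces 2 }

ifEntry OBJECT-TYPE
    SYNTAX  IfEntry
    ACCESS  not-accessible
    STATUS  mandatory
    ::= { ifTable 1 }

ifType OBJECT-TYPE
    SYNTAX  INTEGER
    ACCESS  read-only
    STATUS  mandatory
    ::= { ifEntry 3 }

icmpInMsgs OBJECT-TYPE
    SYNTAX  Counter
    ACCESS  read-only
    STATUS  mandatory
    ::= { icmp 1 }
"""

# name, kind, everything up to '::=', then the { parent n } path
_DEF_RE = re.compile(
    r"(?P<name>[A-Za-z][\w-]*)\s+(?P<kind>OBJECT IDENTIFIER|OBJECT-TYPE)"
    r"(?P<body>.*?)::=\s*\{(?P<path>[^}]*)\}",
    re.S,
)
_ARC_RE = re.compile(r"([A-Za-z][\w-]*)\((\d+)\)")   # label(n), e.g. org(3)
_ACCESS_RE = re.compile(r"ACCESS\s+(\S+)")


def resolve(text: str, roots: Dict[str, OID] = None) -> Dict[str, OID]:
    """Map every descriptor in `text` to its numeric OID.

    A definition may name a parent that is defined later, so iterate to a
    fixpoint; a parent that never resolves (a typo, or a missing IMPORT)
    raises instead of silently producing a wrong tree.
    """
    names: Dict[str, OID] = dict(roots or {"iso": (1,)})
    pending = [(m.group("name"), m.group("path").split())
               for m in _DEF_RE.finditer(text)]
    while pending:
        progress = False
        for name, tokens in list(pending):
            arcs: OID = ()
            ok = True
            for tok in tokens:
                m = _ARC_RE.fullmatch(tok)
                if m:                       # label(n): extend and register the label too
                    arcs = arcs + (int(m.group(2)),)
                    names.setdefault(m.group(1), arcs)
                elif tok.isdigit():
                    arcs = arcs + (int(tok),)
                elif tok in names:          # bare label: must already be known
                    arcs = names[tok]
                else:
                    ok = False
                    break
            if ok and arcs:
                names[name] = arcs
                pending.remove((name, tokens))
                progress = True
        if not progress:
            raise ValueError(f"unresolvable parents: {[n for n, _ in pending]}")
    return names


def access_of(text: str) -> Dict[str, str]:
    """ACCESS clause of each OBJECT-TYPE (tables and rows are not-accessible)."""
    out = {}
    for m in _DEF_RE.finditer(text):
        if m.group("kind") == "OBJECT-TYPE":
            a = _ACCESS_RE.search(m.group("body"))
            out[m.group("name")] = a.group(1) if a else "unknown"
    return out


def dotted(oid: OID) -> str:
    return ".".join(map(str, oid))


def describe(names: Dict[str, OID], oid_text: str) -> str:
    """Name an instance OID by its longest known type prefix:
    1.3.6.1.2.1.2.2.1.3.2 -> 'ifType.2' (column ifType, row with INDEX 2)."""
    oid = tuple(int(x) for x in oid_text.split("."))
    known = [n for n, o in names.items() if oid[:len(o)] == o]
    if not known:
        return oid_text
    best = max(known, key=lambda n: len(names[n]))
    rest = oid[len(names[best]):]
    return best + ("." + dotted(rest) if rest else "")
```

Running resolve on a real MIB-II module works the same way, provided the module's IMPORTS are supplied as roots; the fixpoint loop is what tolerates forward references such as ifEntry being defined before ifTable.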
- For example, the encoding of the OBJECT IDENTIFIER internet { 1 3 6 1 }: the first two arcs are packed into one octet (40 × 1 + 3 = 43 = 2BH), so the TLV is 06 03 2B 06 01 (binary 00000110 00000011 00101011 00000110 00000001)

MIB-II
- OID (object identifier) of mib-2: 1.3.6.1.2.1

Group | OID | Description
system | mib-2 1 | General information about the system
interfaces | mib-2 2 | Information about each interface from the system to a subnet
at (address translation) | mib-2 3 | Internet-to-subnet address mapping
ip | mib-2 4 | Implementation and operation of IP in the system
icmp | mib-2 5 | Implementation and operation of ICMP in the system
tcp | mib-2 6 | Implementation and operation of TCP in the system
udp | mib-2 7 | Implementation and operation of UDP in the system
egp | mib-2 8 | Implementation and operation of EGP in the system
cmot | mib-2 9 | Reserved for the CMOT protocol
transmission (dot3) | mib-2 10 | Reserved for transmission-medium information
snmp | mib-2 11 | Implementation and operation of SNMP in the system

System Group

Object | OID | Syntax | Access
sysDescr | system 1 | DisplayString (SIZE (0..255)) | RO
sysObjectID | system 2 | OBJECT IDENTIFIER | RO
sysUpTime | system 3 | TimeTicks | RO
sysContact | system 4 | DisplayString (SIZE (0..255)) | RW
sysName | system 5 | DisplayString (SIZE (0..255)) | RW
sysLocation | system 6 | DisplayString (SIZE (0..255)) | RW
sysServices | system 7 | INTEGER (0..127) | RO

Interfaces Group

Object | OID | Syntax | Access
ifNumber | interfaces 1 | INTEGER | RO
ifTable | interfaces 2 | SEQUENCE OF IfEntry | NA
ifEntry | ifTable 1 | SEQUENCE | NA
ifIndex | ifEntry 1 | INTEGER | RO
ifDescr | ifEntry 2 | DisplayString (SIZE (0..255)) | RO
ifType | ifEntry 3 | INTEGER | RO
ifMtu | ifEntry 4 | INTEGER | RO
ifSpeed | ifEntry 5 | Gauge | RO
ifPhysAddress | ifEntry 6 | PhysAddress | RO
ifAdminStatus | ifEntry 7 | INTEGER | RW
ifOperStatus | ifEntry 8 | INTEGER | RO
ifLastChange | ifEntry 9 | TimeTicks | RO
ifInOctets | ifEntry 10 | Counter | RO
ifInUcastPkts | ifEntry 11 | Counter | RO
ifInNUcastPkts | ifEntry 12 | Counter | RO
ifInDiscards | ifEntry 13 | Counter | RO
ifInErrors | ifEntry 14 | Counter | RO
ifInUnknownProtos | ifEntry 15 | Counter | RO
ifOutOctets | ifEntry 16 | Counter | RO
ifOutUcastPkts | ifEntry 17 | Counter | RO
ifOutNUcastPkts | ifEntry 18 | Counter | RO
ifOutDiscards | ifEntry 19 | Counter | RO
ifOutErrors | ifEntry 20 | Counter | RO
ifOutQLen | ifEntry 21 | Gauge | RO
ifSpecific | ifEntry 22 | OBJECT IDENTIFIER | RO

Address Translation Group

Object | OID | Syntax | Access
atTable | at 1 | SEQUENCE OF AtEntry | NA
atEntry | atTable 1 | SEQUENCE | NA
atIfIndex | atEntry 1 | INTEGER | RW
atPhysAddress | atEntry 2 | PhysAddress | RW
atNetAddress | atEntry 3 | NetworkAddress | RW

IP Group

Object | OID | Syntax | Access
ipForwarding | ip 1 | INTEGER | RW
ipDefaultTTL | ip 2 | INTEGER | RW
ipInReceives | ip 3 | Counter | RO
ipInHdrErrors | ip 4 | Counter | RO
ipInAddrErrors | ip 5 | Counter | RO
ipForwDatagrams | ip 6 | Counter | RO
ipInUnknownProtos | ip 7 | Counter | RO
ipInDiscards | ip 8 | Counter | RO
ipInDelivers | ip 9 | Counter | RO
ipOutRequests | ip 10 | Counter | RO
ipOutDiscards | ip 11 | Counter | RO
ipOutNoRoutes | ip 12 | Counter | RO
ipReasmTimeout | ip 13 | INTEGER | RO
ipReasmReqds | ip 14 | Counter | RO
ipReasmOKs | ip 15 | Counter | RO
ipReasmFails | ip 16 | Counter | RO
ipFragOKs | ip 17 | Counter | RO
ipFragFails | ip 18 | Counter | RO
ipFragCreates | ip 19 | Counter | RO
ipAddrTable | ip 20 | SEQUENCE OF IpAddrEntry | NA
ipRouteTable | ip 21 | SEQUENCE OF IpRouteEntry | NA
ipNetToMediaTable | ip 22 | SEQUENCE OF IpNetToMediaEntry | NA
ipRoutingDiscards | ip 23 | Counter | RO

ICMP Group

Object | OID | Syntax | Access
icmpInMsgs | icmp 1 | Counter | RO
icmpInErrors | icmp 2 | Counter | RO
icmpInDestUnreachs | icmp 3 | Counter | RO
icmpInTimeExcds | icmp 4 | Counter | RO
icmpInParmProbs | icmp 5 | Counter | RO
icmpInSrcQuenchs | icmp 6 | Counter | RO
icmpInRedirects | icmp 7 | Counter | RO
icmpInEchos | icmp 8 | Counter | RO
icmpInEchoReps | icmp 9 | Counter | RO
icmpInTimestamps | icmp 10 | Counter | RO
icmpInTimestampReps | icmp 11 | Counter | RO
icmpInAddrMasks | icmp 12 | Counter | RO
icmpInAddrMaskReps | icmp 13 | Counter | RO
icmpOutMsgs | icmp 14 | Counter | RO
icmpOutErrors | icmp 15 | Counter | RO
icmpOutDestUnreachs | icmp 16 | Counter | RO
icmpOutTimeExcds | icmp 17 | Counter | RO
icmpOutParmProbs | icmp 18 | Counter | RO
icmpOutSrcQuenchs | icmp 19 | Counter | RO
icmpOutRedirects | icmp 20 | Counter | RO
icmpOutEchos | icmp 21 | Counter | RO
icmpOutEchoReps | icmp 22 | Counter | RO
icmpOutTimestamps | icmp 23 | Counter | RO
icmpOutTimestampReps | icmp 24 | Counter | RO
icmpOutAddrMasks | icmp 25 | Counter | RO
icmpOutAddrMaskReps | icmp 26 | Counter | RO

TCP Group

Object | OID | Syntax | Access
tcpRtoAlgorithm | tcp 1 | INTEGER | RO
tcpRtoMin | tcp 2 | INTEGER | RO
tcpRtoMax | tcp 3 | INTEGER | RO
tcpMaxConn | tcp 4 | INTEGER | RO
tcpActiveOpens | tcp 5 | Counter | RO
tcpPassiveOpens | tcp 6 | Counter | RO
tcpAttemptFails | tcp 7 | Counter | RO
tcpEstabResets | tcp 8 | Counter | RO
tcpCurrEstab | tcp 9 | Gauge | RO
tcpInSegs | tcp 10 | Counter | RO
tcpOutSegs | tcp 11 | Counter | RO
tcpRetransSegs | tcp 12 | Counter | RO
tcpConnTable | tcp 13 | SEQUENCE OF TcpConnEntry | NA
tcpInErrs | tcp 14 | Counter | RO
tcpOutRsts | tcp 15 | Counter | RO

UDP Group

Object | OID | Syntax | Access
udpInDatagrams | udp 1 | Counter | RO
udpNoPorts | udp 2 | Counter | RO
udpInErrors | udp 3 | Counter | RO
udpOutDatagrams | udp 4 | Counter | RO
udpTable | udp 5 | SEQUENCE OF UdpEntry | NA
udpEntry | udpTable 1 | SEQUENCE | NA
udpLocalAddress | udpEntry 1 | IpAddress | RO
udpLocalPort | udpEntry 2 | INTEGER | RO

EGP Group

Object | OID | Syntax | Access
egpInMsgs | egp 1 | Counter | RO
egpInErrors | egp 2 | Counter | RO
egpOutMsgs | egp 3 | Counter | RO
egpOutErrors | egp 4 | Counter | RO
egpNeighTable | egp 5 | SEQUENCE OF EgpNeighEntry | NA
egpAs | egp 6 | INTEGER | RO

SNMP Communication Model
- Service functions
  - SNMP, station to agent: get-request, get-next-request and set-request
  - SNMP, agent to station: get-response and trap
  - OSI communication model: CMIP/CMIS
- Access control
- Instance identification
- SNMP message

Access Control
- Distributed applications: one station to many agents; one agent to many stations
- Access control comprises
  - Authentication service
  - Access policy
  - Proxy service

Community and Security
- A community defines the authentication, access control and proxy service relationship between an agent and a set of stations
- Community
  - A local concept at the agent
  - A unique name used by the stations within the community when requesting operations
  - One agent may have many communities

Authentication scheme
- The community names are contained in the messages sent to the agent by the stations
- The community names play the role of passwords
- The community name is used to start an authentication procedure; encryption and decryption procedures could also be involved
- Caveat: what RFC 1157 actually specifies is a "trivial" authentication service in which the community name is the whole check. It travels in cleartext in every UDP datagram, so anyone who can sniff the path, or guess a default such as "public" or "private", obtains the full access policy of that community. Real authentication and privacy only arrive with the user-based security model of SNMPv3.

Access policy
- By defining a community, an agent limits access to its MIB to a selected set of stations
- By using more than one community, the agent can provide different categories of MIB access to different stations
- Two aspects of access control
  - SNMP MIB view: a subset of the objects within a MIB
  - SNMP access mode: READ-ONLY or READ-WRITE
- SNMP community profile: the combination of a MIB view and an access mode; a community profile is associated with each community
- The combination of a community and a community profile is referred to as an access policy

Proxy service
- For each device that the proxy system represents, it maintains an access policy
- Thus the proxy knows which MIB objects can be used to manage the proxied system, and their access mode

Instance Identification
- Every object in a MIB has a unique object identifier, defined by the position of the object in the tree-structured MIB
- But the object identifiers identify object types rather than object instances
- An access is always directed at a specific instance of an object
- Columnar objects: objects that appear in tables
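The access policy described above (community name as the only credential, a MIB view plus an access mode per community, noSuchName for anything outside the view) and the instance-identifier rules (scalar type OID followed by .0, columnar type OID followed by the INDEX value) can be exercised with a small simulated agent. The Python below is an added example written for this page, not the textbook's code or that of any real agent. The instance store, the two community profiles ("public" read-only on the system group, "private" read-write on all of mib-2) and the Agent class are constructed for illustration. Get-next relies on Python's tuple ordering, which is exactly the lexicographical ordering of OIDs, so the same store also shows how a get-next walk halts at the edge of a MIB view.

```python
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]
# (error-status, error-index, varbinds); None means the datagram was silently dropped
Response = Optional[Tuple[str, int, List[Tuple[str, object]]]]


def parse_oid(text: str) -> OID:
    return tuple(int(x) for x in text.split("."))


def dotted(oid: OID) -> str:
    return ".".join(map(str, oid))


def in_subtree(oid: OID, root: OID) -> bool:
    return oid[:len(root)] == root


# Constructed instance store. Scalars end in .0; columnar instances end in the
# ifIndex of their row (ifEntry = 1.3.6.1.2.1.2.2.1, so ifType.2 = ...2.2.1.3.2).
MIB_2 = parse_oid("1.3.6.1.2.1")
SYSTEM = MIB_2 + (1,)
IF_ENTRY = MIB_2 + (2, 2, 1)


class Agent:
    def __init__(self) -> None:
        self.store: Dict[OID, object] = {
            SYSTEM + (1, 0): b"Example router",                      # sysDescr.0
            SYSTEM + (3, 0): 123456,                                 # sysUpTime.0
            SYSTEM + (5, 0): b"edge-1",                              # sysName.0
            IF_ENTRY + (1, 1): 1, IF_ENTRY + (1, 2): 2,              # ifIndex.{1,2}
            IF_ENTRY + (2, 1): b"eth0", IF_ENTRY + (2, 2): b"eth1",  # ifDescr.{1,2}
            IF_ENTRY + (3, 1): 6, IF_ENTRY + (3, 2): 6,              # ifType.{1,2}
            IF_ENTRY + (7, 1): 1, IF_ENTRY + (7, 2): 1,              # ifAdminStatus.{1,2}
        }
        # Type OIDs whose ACCESS clause is read-write: sysName and ifAdminStatus.
        self.writable = {SYSTEM + (5,), IF_ENTRY + (7,)}
        # Access policy: community -> community profile (MIB view root, access mode).
        # The names are assumed for the example; they are also the vendor defaults
        # that scanners try first, which is why they must not survive deployment.
        self.communities: Dict[str, Tuple[OID, str]] = {
            "public": (SYSTEM, "READ-ONLY"),
            "private": (MIB_2, "READ-WRITE"),
        }
        self.auth_failures = 0

    def _auth(self, community: str) -> Optional[Tuple[OID, str]]:
        """Trivial RFC 1157 authentication: the cleartext community name is the key."""
        profile = self.communities.get(community)
        if profile is None:
            self.auth_failures += 1   # a real agent may also emit an authenticationFailure trap
        return profile

    def get(self, community: str, oids: List[str]) -> Response:
        profile = self._auth(community)
        if profile is None:
            return None
        view, _ = profile
        out: List[Tuple[str, object]] = []
        for i, text in enumerate(oids, 1):          # error-index is 1-based
            oid = parse_oid(text)
            if not in_subtree(oid, view) or oid not in self.store:
                return ("noSuchName", i, [])         # atomic: no partial results
            out.append((text, self.store[oid]))
        return ("noError", 0, out)

    def get_next(self, community: str, oids: List[str]) -> Response:
        profile = self._auth(community)
        if profile is None:
            return None
        view, _ = profile
        out: List[Tuple[str, object]] = []
        for i, text in enumerate(oids, 1):
            oid = parse_oid(text)
            # Tuple comparison is lexicographical and treats a prefix as smaller,
            # so a type OID with no instance suffix yields its first instance.
            nxt = min((o for o in self.store if o > oid and in_subtree(o, view)), default=None)
            if nxt is None:
                return ("noSuchName", i, [])
            out.append((dotted(nxt), self.store[nxt]))
        return ("noError", 0, out)

    def set(self, community: str, bindings: List[Tuple[str, object]]) -> Response:
        profile = self._auth(community)
        if profile is None:
            return None
        view, mode = profile
        for i, (text, value) in enumerate(bindings, 1):   # validate everything first
            oid = parse_oid(text)
            if (mode != "READ-WRITE" or not in_subtree(oid, view) or oid not in self.store
                    or not any(in_subtree(oid, w) for w in self.writable)):
                return ("noSuchName", i, [])   # RFC 1157: not settable in this view
            if type(value) is not type(self.store[oid]):
                return ("badValue", i, [])
        for text, value in bindings:                       # then apply atomically
            self.store[parse_oid(text)] = value
        return ("noError", 0, list(bindings))

    def walk(self, community: str, root: str) -> List[Tuple[str, object]]:
        """Repeated get-next from `root` until the view ends or the subtree is left."""
        rows, cur = [], root
        while True:
            resp = self.get_next(community, [cur])
            if resp is None or resp[0] != "noError":
                break
            oid, value = resp[2][0]
            if not in_subtree(parse_oid(oid), parse_oid(root)):
                break
            rows.append((oid, value))
            cur = oid
        return rows
```

Note what the READ-ONLY community never learns: a get for ifType.2 with "public" returns noSuchName, the same answer it would get for an object that does not exist, so the view boundary is not advertised. The "private" community, however, can flip ifAdminStatus to down(2) with a single set; guarding that community string is the only thing standing between a sniffed datagram and a downed interface.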
絡(luò)絡(luò) 管管 理理 教教 程程 郭 軍78Interface Group 網(wǎng)網(wǎng) 絡(luò)絡(luò) 管管 理理 教教 程程 郭 軍79Interface Group(continued)ObjectOIDSyntaxAccessifNumberinterfaces1INTEGERROifTableinterfaces2SEQUENCEOFifEntryNAifEntryifTable1SEQUENCENAifIndexifEntry1INTEGERROifDescrifEntry2DisplayString(SIZE(0.255)ROifTypeifEntry3INTEGERROifMtuifEntry4INERGERROifSpeedifEntry5GaugeROifPhysAddressifEntry6PhysAddressROifAdminStatusifEntry7INTEGERRWifOperStatusifEntry8INTEGERROifLastChangeifEntry9TimeTicksROifInOctetsifEntry10CounterRO網(wǎng)網(wǎng) 絡(luò)絡(luò) 管管 理理 教教 程程 郭 軍80Interface Group(continued)ifInUcastPktsifEntry11CounterROifInNUcastPktsifEntry12CounterROifInDiscardsifEntry13CounterROifInErrorsifEntry14CounterROifInUnkownProtosifEntry15CounterROifOutOctetsifEntry16CounterROifOutUcastPktsifEntry17CounterROifOutNUcastPktsifEntry18CounterROifOutDiscardsifEntry19CounterROifOutErrorsifEntry20CounterROifOutQLenifEntry21GaugeROifSpecificifEntry22OBJECTIDENTIFIERROifIndexifDescrifType1*2*3*4*5*1.3.6.1.2.1.2.2.1.11.3.6.1.2.1.2.2.1.21.3.6.1.2.1.2.2.1.3ifTable構(gòu)成的表格ifEntry1.3.6.1.2.1.2.2.1網(wǎng)網(wǎng) 絡(luò)絡(luò) 管管 理理 教教 程程 郭 軍82lRandom-accessA special columnar object in a table:INDEXSNMP adds the INDEX value to the identifier of a columnar object to identify itlFor example,ifTable contains a columnar object,ifType,and its identifier islFor the second interface type,the identifier is 1.3.6.1.2.1.2.2.1.31.3.6.1.2.1.2.2.1.3.2網(wǎng)網(wǎng) 絡(luò)絡(luò) 管管 理理 教教 程程 郭 軍83lConceptual Table and Row Objectshave no identifier,their ACCESS characteristic is not-accessible。lScalar ObjectsA scalar object has only one instanceIts identifier is object type identifier+0 網(wǎng)網(wǎng) 絡(luò)絡(luò) 管管 理理 教教 程程 郭 軍84lSerial-access(Lexicographical Ordering)An object identifier is a sequence of integers,can be considered as the numbers of chapters,sections and sebsections of a bookOne can determine the order of two identifiers by the lexicographical order(A:1.2.1,B:1.1.2.1)Get-next-request accesses 
objects according to the lexicographical order網(wǎng)網(wǎng) 絡(luò)絡(luò) 管管 理理 教教 程程 郭 軍85SNMP FormatslInformation is exchanged between a Station and an Agent in the form of an SNMP message網(wǎng)網(wǎng) 絡(luò)絡(luò) 管管 理理 教教 程程 郭 軍86GetRequest-PDU,GetNextRequest-PDU and SetRequest-PDU Response PDUTrap PDUVariable bindings網(wǎng)網(wǎng) 絡(luò)絡(luò) 管管 理理 教教 程程 郭 軍87lTransmission of an SNMP MessageThe PDU is constructed,using the ASN.1 structure defined in RFC1157This PDU is then passed to an authentication service,together with the source and destination transport addresses and a community nameThe protocol entity then constructs a message,consisting of a version field,the community name,and the result from step 2This new ASN.1 object is then encoded using the BER and passed to the transport service網(wǎng)網(wǎng) 絡(luò)絡(luò) 管管 理理 教教 程程 郭 軍88lReceipt of an SNMP Message The message is checked syntacticallyThe version number is verifiedpasses the user name,the PDU portion of the message,and the transport addresses to an authentication serviceThe protocol entity does a basic syntax-check of the PDUUsing the named community,the appropriate SNMP access polity is selected and the PDU is processed accordingly網(wǎng)網(wǎng) 絡(luò)絡(luò) 管管 理理 教教 程程 郭 軍89GetRequest PDU lIs issued by an SNMP entity on behalf of a station applicationlThe receiving SNMP entity responds to it with a GetResponse PDU containing the same request-idlThe GetRequest operation is atomiclErrors:noSuchName,tooBig and genErr網(wǎng)網(wǎng) 絡(luò)絡(luò) 管管 理理 教教 程程 郭 軍90GetNextRequest PDU lIs almost identical to the GetRequest PDU,the same PDU exchange pattern and the same formatlThe only difference:In the GetNextRequest PDU,for each variable,the respondent is to return the value of the object instance that is nextlA useful function:allowing the station to discover the structure of a MIB view dynamically網(wǎng)網(wǎng) 絡(luò)絡(luò) 管管 理理 教教 程程 郭 軍91SetRequest PDU lIs issued by an SNMP entity on behalf of 
a station application lThe variablebindings list includes both object instance identifiers and the values to be assigned lThe receiving SNMP entity responds to it with a GetResponse PDU containing the same request-idlThe SetRequest operation is atomiclErros:noSuchName,tooBig,genErr and badValue網(wǎng)網(wǎng) 絡(luò)絡(luò) 管管 理理 教教 程程 郭 軍92Trap PDU lIs issued by an SNMP entity on behalf of an agent applicationlIs used to provide the station with an asynchronous notification of some significant eventlIts format is quite different from that of the other PDUs網(wǎng)網(wǎng) 絡(luò)絡(luò) 管管 理理 教教 程程 郭 軍93The SNMP Group in MIB-IIObjectOIDSyntaxAccesssnmpInPktssnmp1CounterROsnmp