SNMP is a management protocol that allows an SNMP client application to retrieve device configuration and status information and to configure the device (get and set). You can manage the switch via SNMP from a network management station running an application such as PCM+. For more information on PCM+, see the HP website at: www.hp.com/networking.
From the Products menu, select Network Management. Then click on PCM+ Network Management under the HP Network Management bar.
To implement SNMP management, the switch must have an IP address configured either manually or dynamically (using DHCP or Bootp). If multiple VLANs are configured, each VLAN interface should have its own IP address. For DHCP use with multiple VLANs, see section "The Primary VLAN" in the "Static Virtual LANs (VLANs)" chapter of the Advanced Traffic Management Guide for your switch.
SNMP management features on the switch include:
- Security via configuration of SNMP communities (SNMPv3 communities)
- Standard MIBs, such as the Bridge MIB (RFC 1493), Ethernet MAU MIB (RFC 1515), and others.
The switch SNMP agent also uses certain variables that are included in an HP proprietary MIB (management information base) file. If you are using HP OpenView, you can ensure that it is using the latest version of the MIB file by downloading the file to the OpenView database. To do so, go to the HP Networking website at: www.hp.com/networking.
SNMP access requires an IP address and subnet mask configured on the switch. If you are using DHCP/Bootp to configure the switch, ensure that the DHCP/Bootp process provides the IP address.
Once an IP address is configured, the main steps for configuring SNMPv1 and v2c access management features are:
- Configure the appropriate SNMP communities. (See SNMPv3 communities.)
In some networks, authorized IP manager addresses are not used. In this case, all management stations using the correct community name may access the switch with the View and Access levels that have been set for that community. If you want to restrict access to one or more specific nodes, you can use the switch's IP Authorized Manager feature. (See the Access Security Guide for your switch.)
SNMPv3 access requires an IP address and subnet mask configured on the switch. (See "IP Configuration" on page 8-2.) If you are using DHCP/Bootp to configure the switch, ensure that the DHCP/Bootp process provides the IP address. (See "DHCP/Bootp Operation".)
Once you have configured an IP address, the main steps for configuring SNMPv3 access management features are the following:
- Enable SNMPv3 for operation on the switch (see Enabling SNMPv3).
- Configure the appropriate SNMP users (see SNMPv3 users).
- Configure the appropriate SNMP communities (see SNMPv3 communities).
- Configure the appropriate trap receivers (see SNMP notifications).
In some networks, authorized IP manager addresses are not used. In this case, all management stations using the correct User and community name may access the switch with the View and Access levels that have been set for that community. If you want to restrict access to one or more specific nodes, you can use the IP Authorized Manager feature for the switch. (See the Access Security Guide for your switch.)
SNMP version 3 (SNMPv3) adds some new commands to the CLI for configuring SNMPv3 functions. To enable SNMPv3 operation on the switch, use the snmpv3 enable command. An initial user entry will be generated with MD5 authentication and DES privacy.
You may (optionally) restrict access to only SNMPv3 agents by using the snmpv3 only command. To restrict write-access to only SNMPv3 agents, use the snmpv3 restricted-access command.
CAUTION: Restricting access to only version 3 messages will make the community named “public” inaccessible to network management applications (such as autodiscovery, traffic monitoring, SNMP trap generation, and threshold setting) from operating in the switch.
The snmpv3 enable command allows the switch to:
- Receive SNMPv3 messages.
- Configure initial users.
- Restrict non-version 3 messages to "read only" (optional).
Example:
NOTE: To create new users, most SNMPv3 management software requires an initial user record to clone. The initial user record can be downgraded and provided with fewer features, but not upgraded by adding new features. For this reason, HP recommends that when you enable SNMPv3, you also create a second user with SHA authentication and DES privacy.
To use SNMPv3 on the switch, you must configure the users that will be assigned to different groups:
- Configure users in the User Table with the snmpv3 user command. To view the list of configured users, enter the show snmpv3 user command (see Adding users).
- Assign users to Security Groups based on their security model with the snmpv3 group command (see Assigning users to groups (CLI)).
CAUTION: If you add an SNMPv3 user without authentication, privacy, or both, to a group that requires either feature, the user will not be able to access the switch. Ensure that you add a user with the appropriate security level to an existing security group.
To configure an SNMPv3 user, you must first add the user name to the list of known users with the snmpv3 user command, as shown in Adding SNMPv3 users and displaying SNMPv3 configuration.
Syntax:
Adds or deletes a user entry for SNMPv3. Authorization and privacy are optional, but to use privacy, you must use authorization. When you delete a user, only the user_name is required.
[ auth <md5 | sha> <auth_pass> ]
With authorization, you can set either MD5 or SHA authentication. The authentication password <auth_pass> must be 6 to 32 characters and is mandatory when you configure authentication.
To display the management stations configured to access the switch with SNMPv3 and view the authentication and privacy protocols that each station uses, enter the show snmpv3 user command.
Syntax:
Display of the management stations configured on VLAN 1 displays information about the management stations configured on VLAN 1 to access the switch.
Display of the management stations configured on VLAN 1
HP Switch# configure terminal
HP Switch(config)# vlan 1
HP Switch(vlan-1)# show snmpv3 user

 Status and Counters - SNMPv3 Global Configuration Information

  User Name       Auth. Protocol   Privacy Protocol
  -----------     --------------   -----------------
  initial         MD5              CFB AES-128
  NetworkAdmin    MD5              CBC-DES
Next you must set the group access level for the user by assigning the user to a group. This is done with the snmpv3 group command, as shown in Example of assigning users to groups. For more details on the MIBs access for a given group, see Group access levels.
Syntax:
Assigns or removes a user to a security group for access rights to the switch. To delete an entry, all of the following three parameters must be included in the command:
group <group_name>
Identifies the group that has the privileges that will be assigned to the user. For more details, see Group access levels.
user <user_name>
Identifies the user to be added to the access group. This must match the user name added with the snmpv3 user command.
sec-model <ver1 | ver2c | ver3>
Defines which security model to use for the added user. An SNMPv3 access group should use only the ver3 security model.
The switch supports eight predefined group access levels, shown in Table 6-3. There are four levels for use by version 3 users and four are used for access by version 2c or version 1 management applications.
Predefined group access levels
Group name | Group access type | Group read view | Group write view
---|---|---|---
managerpriv | Ver3 Must have Authentication and Privacy | ManagerReadView | ManagerWriteView
managerauth | Ver3 Must have Authentication | ManagerReadView | ManagerWriteView
operatorauth | Ver3 Must have Authentication | OperatorReadView | DiscoveryView
operatornoauth | Ver3 No Authentication | OperatorReadView | DiscoveryView
commanagerrw | Ver2c or Ver1 | ManagerReadView | ManagerWriteView
commanagerr | Ver2c or Ver1 | ManagerReadView | DiscoveryView
comoperatorrw | Ver2c or Ver1 | OperatorReadView | OperatorReadView
comoperatorr | Ver2c or Ver1 | OperatorReadView | DiscoveryView
Each view allows you to view or modify a different set of MIBs:
NOTE: All access groups and views are predefined on the switch. There is no method to modify or add groups or views to those that are predefined on the switch.
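The lockout condition in the CAUTION above and the requirements in the predefined group table can be checked before a change is applied. The following Python is an added example, not HP code: it parses output in the layout of the show snmpv3 user display and tests group assignments against the predefined groups. The sample rows, the assignment list, the "None" column value for a missing protocol, and the policy of flagging MD5 and DES are assumptions of the example.

```python
import re

# Predefined SNMPv3 groups from the page's table: name -> (needs_auth, needs_priv).
V3_GROUPS = {
    "managerpriv": (True, True),
    "managerauth": (True, False),
    "operatorauth": (True, False),
    "operatornoauth": (False, False),
}
# Predefined groups the table lists for Ver2c or Ver1 access.
COMMUNITY_GROUPS = {"commanagerrw", "commanagerr", "comoperatorrw", "comoperatorr"}

# Constructed sample in the layout of the page's "show snmpv3 user" display.
# Assumption: a user without authentication or privacy shows "None" (or an
# empty column); the page does not show such a row.
SHOW_SNMPV3_USER = """\
 Status and Counters - SNMPv3 Global Configuration Information

  User Name       Auth. Protocol   Privacy Protocol
  -----------     --------------   -----------------
  initial         MD5              CFB AES-128
  NetworkAdmin    MD5              CBC-DES
  monitor         SHA              None
  legacy          None             None
"""

# Constructed group assignments: (user, group, sec-model).
ASSIGNMENTS = [
    ("initial", "managerpriv", "ver3"),
    ("NetworkAdmin", "managerpriv", "ver3"),
    ("monitor", "managerpriv", "ver3"),    # group needs privacy, user has none
    ("legacy", "operatornoauth", "ver3"),  # access without authentication
    ("monitor", "commanagerrw", "ver3"),   # v1/v2c group used with ver3
]


def parse_users(text):
    """Return {user: (auth, priv)} from 'show snmpv3 user' style output."""
    users, in_table = {}, False
    for line in text.splitlines():
        if re.match(r"\s*-{3,}", line):    # dashed rule under the column header
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        # Columns are separated by two or more spaces ("CFB AES-128" has one).
        cols = re.split(r"\s{2,}", line.strip())
        cols += ["None"] * (3 - len(cols))
        name, auth, priv = cols[:3]
        users[name] = (None if auth == "None" else auth,
                       None if priv == "None" else priv)
    return users


def audit_v3(users, assignments):
    """Return a list of (user, finding) tuples."""
    findings = []
    for user, group, model in assignments:
        if user not in users:
            findings.append((user, "NOT_IN_USER_TABLE"))
            continue
        auth, priv = users[user]
        if group in COMMUNITY_GROUPS:
            if model == "ver3":
                findings.append((user, "SEC_MODEL_MISMATCH"))
            continue
        if group not in V3_GROUPS:
            # Groups are predefined on the switch and cannot be added.
            findings.append((user, "UNKNOWN_GROUP"))
            continue
        if model != "ver3":
            findings.append((user, "SEC_MODEL_MISMATCH"))
        needs_auth, needs_priv = V3_GROUPS[group]
        if (needs_auth and not auth) or (needs_priv and not priv):
            findings.append((user, "LOCKED_OUT"))
        if not needs_auth:
            findings.append((user, "NO_AUTH_GROUP"))
    # Example policy (not from the page): flag MD5 and DES as weak choices.
    for user, (auth, priv) in users.items():
        if auth == "MD5":
            findings.append((user, "WEAK_AUTH_MD5"))
        if priv and priv.upper().endswith("DES"):
            findings.append((user, "WEAK_PRIV_DES"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_v3(parse_users(SHOW_SNMPV3_USER), ASSIGNMENTS):
        print(f"{user:14} {finding}")
```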
SNMP communities are supported by the switch to allow management applications that use version 2c or version 1 to access the switch. The communities are mapped to Group Access Levels that are used for version 2c or version 1 support. This mapping happens automatically based on the community's access privileges, but special mappings can be added with the snmpv3 community command (see Mapping SNMPv3 communities (CLI)).
SNMP communities are supported by the switch to allow management applications that use version 2c or version 1 to access the switch. For more details, see SNMPv3 communities.
Syntax:
Maps or removes a mapping of a community name to a group access level. To remove a mapping you need to specify only the index_name parameter.
index <index_name>
An index number or title for the mapping. The values of 1 to 5 are reserved and cannot be mapped.
name <community_name>
The community name that is being mapped to a group access level.
sec-name <security_name>
The group level to which the community is being mapped.
tag <tag_value>
This is used to specify which target address may have access by way of this index reference.
Example:
Assigning a community to a group access level shows the assigning of the Operator community on MgrStation1 to the CommunityOperatorReadWrite group. Any other Operator has an access level of CommunityOperatorReadOnly.
Use SNMP communities to restrict access to the switch by SNMP management stations by adding, editing, or deleting SNMP communities. You can configure up to five SNMP communities, each with either an operator-level or a manager-level view and either restricted or unrestricted write access.
Using SNMP requires that the switch have an IP address and subnet mask compatible with your network.
This command lists the data for currently configured SNMP community names (along with trap receivers and the setting for authentication traps—see SNMP notifications).
Syntax:
Example:
Lists the data for all communities in a switch; that is, both the default "public" community name and another community named "blue-team."
To list the data for only one community, such as the "public" community, use the above command with the community name included. For example:
HP Switch# show snmp-server public
The snmp-server command enables you to add SNMP communities with either default or specific access attributes, and to delete specific communities.
Syntax:
Configures a new community name.
The no form uses only the <community-name> variable and deletes the named community from the switch.
[ operator | manager ]
Optionally assigns an access level.
At the operator level, the community can access all MIB objects except the CONFIG MIB.
At the manager level, the community can access all MIB objects.
[ restricted | unrestricted ]
Optionally assigns MIB access type.
Assigning the restricted type allows the community to read MIB variables, but not to set them.
Assigning the unrestricted type allows the community to read and set MIB variables.
Example:
To add the following communities:
Community | Access Level | Type of Access
---|---|---
red-team | manager (Access to all MIB objects.) | unrestricted (read/write)
blue-team | operator (Access to all MIB objects except the CONFIG MIB.) | restricted (read-only)
HP Switch(config)# snmp-server community red-team manager unrestricted
HP Switch(config)# snmp-server community blue-team operator restricted
To eliminate a previously configured community named "gold-team":
HP Switch(config)# no snmp-server community gold-team
This section describes how to configure a switch to send network security and link-change notifications to configured trap receivers.
By default, the following notifications are enabled on a switch:
- Determine the versions of SNMP notifications that you want to use in your network.
If you want to use SNMPv1 and SNMPv2c traps, you must also configure a trap receiver. See the following sections and follow the required configuration procedures:
If you want to use SNMPv3 notifications (including traps), you must also configure an SNMPv3 management station. Follow the required configuration procedure in Configuring SNMPv3 notifications (CLI).
- To reconfigure any of the SNMP notifications that are enabled by default to be sent to a management station (trap receiver), see Enabling Link-Change Traps (CLI).
- (Optional) See the following sections to configure optional SNMP notification features and verify the current configuration:
The switches support the following functionality from earlier SNMP versions (SNMPv1 and SNMPv2c):
- Trap receivers: A trap receiver is a management station to which the switch sends SNMP traps and (optionally) event log messages sent from the switch. From the CLI you can configure up to ten SNMP trap receivers to receive SNMP traps from the switch.
- Fixed or "Well-Known" Traps: A switch automatically sends fixed traps (such as "coldStart", "warmStart", "linkDown", and "linkUp") to trap receivers using the public community name. These traps cannot be redirected to other communities. If you change or delete the default public community name, these traps are not sent.
- Thresholds: A switch automatically sends all messages created when a system threshold is reached to the network management station that configured the threshold, regardless of the trap receiver configuration.
Use the snmp-server host command to configure a trap receiver that can receive SNMPv1 and SNMPv2c traps, and (optionally) Event Log messages. When you configure a trap receiver, you specify its community membership, management station IP address, and (optionally) the type of Event Log messages to be sent.
If you specify a community name that does not exist—that is, has not yet been configured on the switch—the switch still accepts the trap receiver assignment. However, no traps are sent to that trap receiver until the community to which it belongs has been configured on the switch.
For information about configuring SNMP trap receivers, see SNMP trap receivers.
Syntax:
Configures a destination network management station to receive SNMPv1/v2c traps and (optionally) Event Log messages sent as traps from the switch, using the specified community name and destination IPv4 or IPv6 address. You can specify up to ten trap receivers (network management stations). (The default community name is public.)
[ <none | all | not-info | critical | debug> ]
(Optional) Configures the security level of the Event Log messages you want to send as traps to a trap receiver (see Table 6-2).
The type of Event Log message that you specify applies only to Event Log messages, not to threshold traps.
For each configured event level, the switch continues to send threshold traps to all network management stations that have the appropriate threshold level configured.
If you do not specify an event level, the switch uses the default value (none) and sends no Event Log messages as traps.
[<inform>]
(Optional) Configures the switch to send SNMPv2 inform requests when certain events occur. For more information, see Enabling SNMPv2c informs (CLI).
Security levels for Event Log messages sent as traps
Example:
To configure a trap receiver in a community named "red-team" with an IP address of 10.28.227.130 to receive only "critical" event log messages, you can enter the following command:
HP Switch(config)# snmp-server host 10.28.227.130 red-team critical
On a switch enabled for SNMPv2c, you can use the snmp-server host inform command (Enabling SNMPv2c informs (CLI)) to send inform requests when certain events occur. When an SNMP Manager receives an inform request, it can send an SNMP response back to the sending agent on the switch to let the agent know that the inform request reached its destination.
If the sending agent on the switch does not receive an SNMP response back from the SNMP Manager within the timeout period, the inform request may be resent, based on the retry count value.
When you enable SNMPv2c inform requests to be sent, you must specify the IP address and community name of the management station that will receive the inform notification.
For information about enabling SNMPv2c informs, see SNMPv2c informs.
Syntax:
[no] snmp-server host <ipv4-addr | ipv6-addr> <community name> inform [ retries <count> ] [ timeout <interval> ]
Enables (or disables) the inform option for SNMPv2c on the switch and allows you to configure options for sending SNMP inform requests.
|
|
NOTE: The |
|
|
To verify the configuration of SNMPv2c informs, enter the show snmp-server command, as shown in Display of SNMPv2c inform configuration (note indication of inform Notify Type in bold below):
Display of SNMPv2c inform configuration
HP Switch(config)# show snmp-server

 SNMP Communities

  Community Name   MIB View Write Access
  ---------------- -------- ------------
  public           Manager  Unrestricted

 Trap Receivers

  Link-Change Traps Enabled on Ports [All] : All
  ...
  Address               Community       Events Sent Notify Type Retry Timeout
  --------------------- --------------- ----------- ----------- ----- --------
  15.28.333.456         guest           All         inform      3     15

 Excluded MIBs

 Snmp Response Pdu Source-IP Information
  Selection Policy   : Default rfc1517

 Trap Pdu Source-IP Information
  Selection Policy   : Configured IP
  Ip Address         : 10.10.10.10
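Two rules stated earlier on this page (a trap receiver whose community is not configured receives nothing, and fixed traps depend on the public community) can be checked against this display together with the write access of each community. The following Python is an added example, not HP code; the sample output is constructed in the layout of the show snmp-server display, and the finding names are the example's own.

```python
# Constructed sample in the layout of the page's "show snmp-server" display.
SHOW_SNMP_SERVER = """\
 SNMP Communities

  Community Name   MIB View Write Access
  ---------------- -------- ------------
  public           Manager  Unrestricted
  blue-team        Operator Restricted

 Trap Receivers

  Link-Change Traps Enabled on Ports [All] : All

  Address               Community       Events Sent Notify Type Retry Timeout
  --------------------- --------------- ----------- ----------- ----- --------
  10.28.227.130         red-team        Critical    trap        3     15
  10.28.227.131         blue-team       All         inform      3     15

 Excluded MIBs
"""


def parse_show_snmp_server(text):
    """Return (communities, receivers) parsed from the two tables."""
    communities, receivers = {}, []
    section, in_rows = None, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Community Name"):
            section, in_rows = "comm", False
        elif s.startswith("Address"):
            section, in_rows = "recv", False
        elif s.startswith("---"):
            in_rows = section is not None   # rows follow the dashed rule
        elif not s:
            section, in_rows = None, False  # a blank line ends the table
        elif in_rows:
            f = s.split()
            if section == "comm" and len(f) == 3:
                communities[f[0]] = {"view": f[1], "write": f[2]}
            elif section == "recv" and len(f) >= 4:
                receivers.append({"address": f[0], "community": f[1],
                                  "events": f[2], "type": f[3]})
    return communities, receivers


def audit_communities(communities, receivers):
    """Return a list of (subject, finding) tuples."""
    findings = []
    for name, c in communities.items():
        if c["write"] == "Unrestricted":
            # SNMPv1/v2c community names travel unencrypted, so a writable
            # community is a cleartext credential for set operations.
            code = ("DEFAULT_COMMUNITY_WRITABLE" if name == "public"
                    else "COMMUNITY_WRITABLE")
            findings.append((name, code))
    if "public" not in communities:
        # Page: fixed traps use the public community and cannot be redirected.
        findings.append(("public", "FIXED_TRAPS_NOT_SENT"))
    for r in receivers:
        if r["community"] not in communities:
            # Page: the switch accepts the receiver but sends it no traps
            # until its community is configured.
            findings.append((r["address"], "RECEIVER_COMMUNITY_NOT_CONFIGURED"))
    return findings


if __name__ == "__main__":
    comms, recvs = parse_show_snmp_server(SHOW_SNMP_SERVER)
    for subject, finding in audit_communities(comms, recvs):
        print(f"{subject:16} {finding}")
```

The parser expects each receiver on one line; an address that the switch wraps across two lines needs to be joined before parsing.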
The SNMPv3 notification process allows messages that are passed via SNMP between the switch and a network management station to be authenticated and encrypted.
1. Enable SNMPv3 operation on the switch by entering the snmpv3 enable command (See "SNMP Version 3 Commands" on page N-7).
2. Configure SNMPv3 users by entering the snmpv3 user command (see SNMPv3 users). Each SNMPv3 user configuration is entered in the User Table.
3. Assign SNMPv3 users to security groups according to their level of access privilege by entering the snmpv3 group command (see Assigning users to groups (CLI)).
4. Define the name of an SNMPv3 notification configuration by entering the snmpv3 notify command.
Syntax:
Associates the name of an SNMPv3 notification configuration with a tag name used (internally) in SNMPv3 commands. To delete a notification-to-tag mapping, enter no snmpv3 notify notify_name.
5. Configure the target address of the SNMPv3 management station to which SNMPv3 informs and traps are sent by entering the snmpv3 targetaddress command.
Syntax:
Configures the IPv4 or IPv6 address, name, and configuration filename of the SNMPv3 management station to which notification messages are sent.
params <parms_name>
Name of the SNMPv3 station's parameters file.
The parameters filename configured with params params_name must match the params params_name value entered with the snmpv3 params command in Step 6.
taglist <tag_name> [ tag_name ] …
Specifies the SNMPv3 notifications (identified by one or more tag_name values) to be sent to the IP address of the SNMPv3 management station.
You can enter more than one tag_name value. Each tag_name value must be already associated with the name of an SNMPv3 notification configuration entered with the snmpv3 notify command in Step 4.
Use a blank space to separate tag_name values.
You can enter up to 103 characters in tag_name entries following the taglist keyword.
[ filter <none | debug | all | not-info | critical> ]
(Optional) Configures the type of messages sent to a management station.
(Default: none.)
[ udp-port <port> ]
(Optional) Specifies the UDP port to use.
(Default: 162.)
[ port-mask <mask> ]
(Optional) Specifies a range of UDP ports. (Default: 0.)
[ addr-mask <mask> ]
(Optional) Specifies a range of IP addresses as destinations for notification messages.
(Default: 0.)
[ retries <value> ]
(Optional) Number of times a notification is retransmitted if no response is received. Range: 1-255.
(Default: 3.)
[ timeout <value> ]
(Optional) Time (in millisecond increments) allowed to receive a response from the target before notification packets are retransmitted. Range: 0-2147483647.
[Default: 1500 (15 seconds).]
[ max-msg-size <size> ]
(Optional) Maximum number of bytes supported in a notification message to the specified target. (Default: 1472)
6. Create a configuration record for the target address with the snmpv3 params command.
Syntax:
Applies the configuration parameters and IP address of an SNMPv3 management station (from the params params_name value configured with the snmpv3 targetaddress command in Step 5) to a specified SNMPv3 user (from the user user_name value configured with the snmpv3 user command in Step 2).
If you enter the snmpv3 params user command, you must also configure a security model (sec-model) and message processing algorithm (msg-processing).
sec-model <ver1 | ver2c | ver3>
Configures the security model used for SNMPv3 notification messages sent to the management station configured with the snmpv3 targetaddress command in Step 5.
If you configure the security model as ver3, you must also configure the message processing value as ver3.
msg-processing <ver1 | ver2c | ver3> [ noaut | auth | priv ]
Configures the algorithm used to process messages sent to the SNMPv3 target address.
If you configure the message processing value as ver3 and the security model as ver3, you must also configure a security services level (noauth, auth, or priv).
Example:
An example of how to configure SNMPv3 notification is shown here:
By default, a switch is enabled to send the SNMP notifications listed in Supported Notifications when a network security event (for example, authentication failure) occurs. However, before security notifications can be sent, you must first configure one or more trap receivers or SNMPv3 management stations as described in:
You can manage the default configuration of the switch to disable and re-enable notifications to be sent for the following types of security events:
For more information, see Network security notifications.
Syntax:
[no] snmp-server enable traps [ snmp-auth | password-change-mgr | login-failure-mgr | port-security | auth-server-fail | dhcp-snooping | arp-protect | running-config-change ]
Enables or disables sending one of the security notification types listed below to configured trap receivers. (Unless otherwise stated, all of the following notifications are enabled in the default configuration.)
The notification sends a trap:
To determine the specific cause of a security event, check the Event Log in the console interface to see why a trap was sent. For more information, see "Using the Event Log for Troubleshooting Switch Problems".
Enter the show snmp-server traps command, as shown in Display of configured network security notifications. Note that command output is a subset of the information displayed with the show snmp-server command in Display of SNMP notification configuration.
Display of configured network security notifications
HP Switch(config)# show snmp-server traps

 Trap Receivers

  Link-Change Traps Enabled on Ports [All] : A1-A24

  Traps Category                 Current Status
  ------------------------------ --------------------------
  SNMP Authentication          : Extended
  Password change              : Enabled
  Login failures               : Enabled
  Port-Security                : Enabled
  Authorization Server Contact : Enabled
  DHCP Snooping                : Enabled
  Dynamic ARP Protection       : Enabled
  Dynamic IP Lockdown          : Enabled

  Address                Community  Events Sent Notify Type Retry Timeout
  ---------------------- ---------- ----------- ----------- ----- -------
  15.255.5.225           public     All         trap        3     15
  2001:0db8:0000:0001
  :0000:0000:0000:0121   user_1     All         trap        3     15

 Excluded MIBs
By default, a switch is enabled to send a trap when the link state on a port changes from up to down (linkDown) or down to up (linkUp). To reconfigure the switch to send link-change traps to configured trap receivers, enter the snmp-server enable traps link-change command.
Syntax:
The switch uses an interface IP address as the source IP address in IP headers when sending SNMP notifications (traps and informs) or responses to SNMP requests.
For multi-netted interfaces, the source IP address is the IP address of the outbound interface of the SNMP reply, which may differ from the destination IP address in the IP header of the received request. For security reasons, it may be desirable to send an SNMP reply with the IP address of the destination interface (or a specified IP address) on which the corresponding SNMP request was received.
To configure the switch to use the source IP address on which an SNMP request was received in SNMP notification/traps and replies, enter the snmp-server response-source and snmp-server trap-source commands.
For more information, see Source IP address for SNMP notifications.
Syntax:
Specifies the source IP address of the SNMP response PDU. The default SNMP response PDU uses the IP address of the active interface from which the SNMP response was sent as the source IP address.
The no form of the command resets the switch to the default behavior (compliant with rfc-1517).
(Default: Interface IP address)
dst-ip-of-request
Destination IP address of the SNMP request PDU that is used as the source IP address in an SNMP response PDU.
[ ipv4-addr | ipv6-addr ]
User-defined interface IP address that is used as the source IP address in an SNMP response PDU. Both IPv4 and IPv6 addresses are supported.
loopback <0-7>
IP address configured for the specified loopback interface that is used as the source IP address in an SNMP response PDU. If multiple loopback IP addresses are configured, the lowest alphanumeric address is used.
To use the IP address of the destination interface on which an SNMP request was received as the source IP address in the IP header of SNMP traps and replies, enter the following command:
HP Switch(config)# snmp-server response-source dst-ip-of-request
Syntax:
Specifies the source IP address to be used for a trap PDU. To configure the switch to use a specified source IP address in generated trap PDUs, enter the snmp-server trap-source command.
The no form of the command resets the switch to the default behavior (compliant with rfc-1517).
(Default: Use the interface IP address in generated trap PDUs)
ipv4-addr
User-defined interface IPv4 address that is used as the source IP address in generated traps. IPv6 addresses are not supported.
loopback <0-7>
IP address configured for the specified loopback interface that is used as the source IP address in a generated trap PDU. If multiple loopback IP addresses are configured, the lowest alphanumeric address is used.
|
|
NOTE: When you use the
|
|
|
Enter the show snmp-server command to display the SNMP policy configuration, as shown in Display of source IP address configuration.
Display of source IP address configuration
HP Switch(config)# show snmp-server

 SNMP Communities

  Community Name   MIB View Write Access
  ---------------- -------- ------------
  public           Manager  Unrestricted

 Trap Receivers

  Link-Change Traps Enabled on Ports [All] : All
  ...

 Excluded MIBs

 Snmp Response Pdu Source-IP Information
  Selection Policy   : dstIpOfRequest

 Trap Pdu Source-IP Information
  Selection Policy   : Configured IP
Syntax:
Displays the currently configured notification settings for versions SNMPv1 and SNMPv2c traps, including SNMP communities, trap receivers, link-change traps, and network security notifications.
Example:
In the following example, the show snmp-server command output shows that the switch has been configured to send SNMP traps and notifications to management stations that belong to the "public," "red-team," and "blue-team" communities.
The MAC Address Count feature provides a way to notify the switch management system when the number of MAC addresses learned on a switch port exceeds the permitted configurable number.
To enable the mac-count-notify option, enter this command in global config context.
Syntax:
Sends a trap when the number of MAC addresses learned on the specified ports exceeds the configured <learned-count> value.
To configure the mac-count-notify option on a port or ports, enter this command. When the configured number of MAC addresses is exceeded (the learned-count), a trap is sent.
Syntax:
Configures mac-count-notify traps on the specified ports (or all) for the entire switch.
The [no] form of the command disables mac-count-notify traps.
[<learned-count>]: The number of MAC addresses learned before sending a trap. Values range between 1-128.
Use the show mac-count-notify traps [<port-list>] command to display information about the configured value for sending a trap, the current count, and if a trap has been sent.
Information displayed for the show mac-count-notify traps command
HP Switch (config)# show mac-count-notify traps

 Mac-count-notify Enabled: Yes

  Port   Count for        Count    Trap Sent
         sending Trap
  ------ --------------- ------- ------------
  1
  2
  3
  4
  5      50              0       No
  6      50              2       No
  7      50              0       No
  8
  9
  ...
The interface context can be used to configure the value for sending a trap.
Configuring mac-count-notify traps from the interface context
HP Switch (config)# interface 5
HP Switch (eth-5)# mac-count-notify traps 35
The show snmp-server traps command displays whether the MAC Address Count feature is enabled or disabled.
Information about SNMP traps, including MAC address count being Enabled/Disabled
HP Switch(config)# show snmp-server traps

 Trap Receivers

  Link-Change Traps Enabled on Ports [All] : All

  Traps Category                 Current Status
  ____________________________   __________________
  SNMP Authentication          : Extended
  Password change              : Enabled
  Login failures               : Enabled
  Port-Security                : Enabled
  Authorization Server Contact : Enabled
  DHCP-Snooping                : Enabled
  Dynamic ARP Protection       : Enabled
  Dynamic IP Lockdown          : Enabled
  MAC address table changes    : Disabled
  MAC Address Count            : Enabled

  Address          Community   Events  Type   Retry  Timeout
  ---------------- ----------- ------- ------ ------ -------
  15.146.194.77    public      None    trap   3      15
  15.255.134.252   public      None    trap   3      15
  16.181.49.167    public      None    trap   3      15
  16.181.51.14     public      None    trap   3      15

 Excluded MIBs
The switch supports RMON (remote monitoring) on all connected network segments. This allows for troubleshooting and optimizing your network.
The following RMON groups are supported:
The RMON agent automatically runs in the switch. Use the RMON management station on your network to enable or disable specific RMON traps and events. Note that you can access the Ethernet statistics, Alarm, and Event groups from the HP Switch Manager network management software. For more information on PCM+, see the HP Networking web site at www.hp.com/networking.
From the Products menu, select Network Management. Then click on PCM+ Network Management under the HP Network Management bar.
sFlow can also be configured via the CLI for up to three distinct sFlow instances: once enabled, an sFlow receiver/destination can be independently configured for full flow-sampling and counter-polling. CLI-configured sFlow instances may be saved to the startup configuration to persist across a switch reboot.
The following sFlow commands allow you to configure sFlow instances via the CLI. For more information, see Advanced management: RMON.
Syntax:
Enables an sFlow receiver/destination. The receiver-instance number must be a 1, 2, or 3.
By default, the udp destination port number is 6343.
To disable an sFlow receiver/destination, enter no sflow receiver-instance.
Syntax:
Once an sFlow receiver/destination has been enabled, this command enables flow sampling for that instance. The receiver-instance number is 1, 2, or 3, and the sampling rate is the allowable non-zero skipcount for the specified port or ports.
To disable flow-sampling for the specified port-list, repeat the above command with a sampling rate of 0.
Syntax:
Once an sFlow receiver/destination has been enabled, this command enables counter polling for that instance. The receiver-instance number is 1, 2, or 3, and the polling interval may be set to an allowable non-zero value to enable polling on the specified port or ports.
To disable counter-polling for the specified port-list, repeat the above command with a polling interval of 0.
The following sFlow commands allow you to display sFlow configuration and status via the CLI. Viewing sFlow destination information is an example of sflow agent information.
Syntax:
Displays sFlow agent information. The agent address is normally the IP address of the first VLAN configured.
The show sflow agent command displays read-only switch agent information. The version information shows the sFlow version, MIB support, and software versions; the agent address is typically the IP address of the first VLAN configured on the switch.
Viewing sflow agent information
HP Switch# show sflow agent

 Version         1.3;HP;XX.11.40
 Agent Address   10.0.10.228
Syntax:
Displays information about the management station to which the sFlow sampling-polling data is sent.
The show sflow instance destination command includes information about the management-station's destination address, receiver port, and owner, as shown in Viewing sFlow destination information.
Viewing sFlow destination information
HP Switch# show sflow 2 destination

 Destination Instance       2
 sflow                      Enabled
 Datagrams Sent             221
 Destination Address        10.0.10.41
 Receiver Port              6343
 Owner                      Administrator, CLI-owned, Instance 2
 Timeout (seconds)          99995530
 Max Datagram Size          1400
 Datagram Version Support   5
- Destination Address remains blank unless it has been configured.
- Datagrams Sent shows the number of datagrams sent by the switch agent to the management station since the switch agent was last enabled.
- Timeout displays the number of seconds remaining before the switch agent will automatically disable sFlow (this is set by the management station and decrements with time).
- Max Datagram Size shows the currently set value (typically a default value, but this can also be set by the management station).
Syntax:
Displays status information about sFlow sampling and polling.
The show sflow instance sampling-polling [port-list] command displays information about sFlow sampling and polling on the switch, as shown in Example of viewing sFlow sampling and polling information. You can specify a list or range of ports for which to view sampling information.
NOTE: The sampling and polling instances (noted in parentheses) coupled to a specific receiver instance are assigned dynamically, and so the instance numbers may not always match. The key thing to note is whether sampling or polling is enabled on a port, and the sampling rates or polling intervals for the receiver instance configured on each port.