Wannan labarin an keɓe shi ne ga fasalulluka na saka idanu kayan aikin cibiyar sadarwa ta amfani da ka'idar SNMPv3. Za mu yi magana game da SNMPv3, zan raba gwaninta na ƙirƙirar cikakkun samfura a cikin Zabbix, kuma zan nuna abin da za a iya samu lokacin shirya faɗakarwar rarraba a cikin babban hanyar sadarwa. Yarjejeniyar SNMP ita ce babba yayin sa ido kan kayan aikin cibiyar sadarwa, kuma Zabbix yana da kyau don saka idanu da adadin abubuwa da taƙaita manyan ƙididdiga masu shigowa.
'Yan kalmomi game da SNMPv3
Bari mu fara da manufar SNMPv3 yarjejeniya da fasalulluka na amfani da ita. Ayyukan SNMP suna sa ido kan na'urorin cibiyar sadarwa da gudanarwa ta asali ta hanyar aika masu sauƙi umarni (misali, kunnawa da kashe mu'amalar hanyar sadarwa, ko sake kunna na'urar).
Babban bambanci tsakanin ka'idar SNMPv3 da sigoginsa na baya shine ayyukan tsaro na yau da kullun [1-3], wato:
- Tabbatarwa, wanda ke ƙayyade cewa an karɓi buƙatar daga tushe amintacce;
- boye-boye (Encryption), don hana bayyana bayanan da aka watsa lokacin da wasu mutane suka kama su;
- mutunci, wato, garantin cewa ba a takura wa fakitin yayin watsawa ba.
SNMPv3 yana nuna amfani da tsarin tsaro wanda aka saita dabarun tabbatarwa ga mai amfani da kuma rukunin da yake ciki (a cikin sigogin SNMP da suka gabata, buƙatun sabar zuwa abin sa ido idan aka kwatanta da “al’umma” kawai, rubutu. kirtani mai “Password” ana watsa shi cikin bayyanannen rubutu (rubutun bayyanannu)).
SNMPv3 yana gabatar da manufar matakan tsaro - matakan tsaro masu karɓuwa waɗanda ke ƙayyade ƙayyadaddun kayan aiki da halayen wakilin SNMP na abin saka idanu. Haɗin samfurin tsaro da matakin tsaro yana ƙayyade wane tsarin tsaro ake amfani dashi lokacin sarrafa fakitin SNMP [4].
Teburin ya bayyana haɗuwa da samfura da matakan tsaro na SNMPv3 (Na yanke shawarar barin ginshiƙan farko na uku kamar yadda suke cikin asali):
Dangane da haka, za mu yi amfani da SNMPv3 a cikin yanayin tantancewa ta amfani da ɓoyewa.
Ana saita SNMPv3
Kula da kayan aikin cibiyar sadarwa yana buƙatar tsari iri ɗaya na ƙa'idar SNMPv3 akan uwar garken sa ido da abin da ake kulawa.
Bari mu fara da kafa na'urar cibiyar sadarwar Cisco, mafi ƙarancin tsarin da ake buƙata shine kamar haka (don daidaitawa muna amfani da CLI, na sauƙaƙe sunaye da kalmomin shiga don guje wa rudani):
snmp-server group snmpv3group v3 priv read snmpv3name
snmp-server user snmpv3user snmpv3group v3 auth md5 md5v3v3v3 priv des des56v3v3v3
snmp-server view snmpv3name iso includedRukunin uwar garken snmp na farko - yana bayyana rukunin masu amfani da SNMPv3 (snmpv3group), yanayin karantawa (karantawa), da kuma damar shiga rukunin snmpv3group don duba wasu rassan bishiyar MIB na abin saka idanu (snmpv3name sannan a cikin Configuration ya ƙayyade waɗanne rassan bishiyar MIB ƙungiyar za ta iya shiga snmpv3group za su sami damar shiga).
Layi na biyu snmp-server mai amfani - yana bayyana mai amfani snmpv3user, membansa a cikin rukunin snmpv3group, da kuma amfani da ingantaccen md5 (kalmar sirri don md5 shine md5v3v3v3) da encryption des (kalmar sirri don des shine des56v3v3v3). Tabbas, yana da kyau a yi amfani da aes maimakon des; Ina ba shi a nan a matsayin misali. Hakanan, lokacin ayyana mai amfani, zaku iya ƙara lissafin shiga (ACL) wanda ke daidaita adiresoshin IP na sabar sa ido waɗanda ke da haƙƙin sa ido kan wannan na'urar - wannan kuma shine mafi kyawun aiki, amma ba zan wahalar da misalinmu ba.
Layi na uku na snmp-server view yana bayyana sunan code wanda ke bayyana rassan itacen snmpv3name MIB domin su iya tambayar su ta snmpv3group user group. ISO, maimakon tsananin ayyana reshe guda ɗaya, yana bawa ƙungiyar masu amfani da snmpv3 damar shiga duk abubuwan da ke cikin bishiyar MIB na abin sa ido.
Saitin irin wannan don kayan aikin Huawei (kuma a cikin CLI) yayi kama da wannan:
snmp-agent mib-view included snmpv3name iso
snmp-agent group v3 snmpv3group privacy read-view snmpv3name
snmp-agent usm-user v3 snmpv3user group snmpv3group
snmp-agent usm-user v3 snmpv3user authentication-mode md5
md5v3v3v3
snmp-agent usm-user v3 snmpv3user privacy-mode des56
des56v3v3v3Bayan kafa na'urorin cibiyar sadarwa, kuna buƙatar bincika samun dama daga uwar garken sa ido ta hanyar ka'idar SNMPv3, Zan yi amfani da snmpwalk:
snmpwalk -v 3 -u snmpv3user -l authPriv -A md5v3v3v3 -a md5 -x des -X des56v3v3v3 10.10.10.252
Ƙarin kayan aikin gani don neman takamaiman abubuwan OID ta amfani da fayilolin MIB shine snmpget:
Yanzu bari mu ci gaba don saita nau'ikan bayanai na yau da kullun don SNMPv3, a cikin samfurin Zabbix. Don sauƙi da 'yancin kai na MIB, Ina amfani da OIDs na dijital:
Ina amfani da macros na al'ada a cikin mahimman filayen saboda za su kasance iri ɗaya ga duk abubuwan bayanai a cikin samfuri. Kuna iya saita su a cikin samfuri, idan duk na'urorin cibiyar sadarwar da ke cikin hanyar sadarwar ku suna da sigogi iri ɗaya na SNMPv3, ko a cikin kullin cibiyar sadarwa, idan sigogin SNMPv3 na abubuwan sa ido daban-daban sun bambanta:
Lura cewa tsarin sa ido kawai yana da sunan mai amfani da kalmomin shiga don tantancewa da ɓoyewa. Ƙungiya mai amfani da iyakar abubuwan MIB waɗanda aka ba da izinin shiga an ƙayyade akan abin sa ido.
Yanzu bari mu matsa zuwa cika samfurin.
Samfurin zabe na Zabbix
Ƙa'ida mai sauƙi lokacin ƙirƙirar kowane samfuri na bincike shine a sanya su dalla-dalla yadda zai yiwu:
Ina mai da hankali sosai ga kaya don sauƙaƙe aiki tare da babban hanyar sadarwa. Ƙari akan wannan kadan daga baya, amma a yanzu - yana haifar da:
Don sauƙin ganin abubuwan da ke haifar da faɗakarwa, tsarin macros {HOST.CONN} ana haɗa su a cikin sunayensu ta yadda ba sunayen na'urori kawai ba, har da adiresoshin IP suna nunawa akan dashboard a cikin sashin faɗakarwa, kodayake wannan ya fi dacewa fiye da larura. . Don sanin ko babu na'urar, ban da buƙatun echo na yau da kullun, Ina amfani da rajistan shiga don rashin samuwar mai watsa shiri ta amfani da ka'idar SNMP, lokacin da abu ke samun damar ta ICMP amma baya amsa buƙatun SNMP - wannan yanayin yana yiwuwa, alal misali. , lokacin da aka kwafi adiresoshin IP akan na'urori daban-daban, saboda ba daidai ba da aka saita ta Firewalls, ko kuskuren saitunan SNMP akan abubuwan sa ido. Idan kun yi amfani da duba wadatar masauki ta hanyar ICMP kawai, a lokacin binciken abubuwan da suka faru a kan hanyar sadarwar, ƙila ba za a sami bayanan sa ido ba, don haka dole ne a kula da karɓar su.
Bari mu ci gaba zuwa gano hanyoyin sadarwa na cibiyar sadarwa - don kayan aikin cibiyar sadarwa wannan shine mafi mahimmancin aikin sa ido. Tunda ana iya samun ɗaruruwan mu’amala a kan na’urar sadarwa, ya zama dole a tace waɗanda ba su da amfani don kada a rikitar da abin gani ko kuma rikitar da bayanan.
Ina amfani da daidaitaccen aikin gano SNMP, tare da ƙarin sigogi masu iya ganowa, don ƙarin sassauƙan tacewa:
discovery[{#IFDESCR},1.3.6.1.2.1.2.2.1.2,{#IFALIAS},1.3.6.1.2.1.31.1.1.1.18,{#IFADMINSTATUS},1.3.6.1.2.1.2.2.1.7]
Tare da wannan binciken, zaku iya tace mu'amalar hanyar sadarwa ta nau'ikan su, kwatancen al'ada, da matsayin tashar tashar gudanarwa. Tace da kalamai na yau da kullun don tacewa a cikin akwati na suna kama da haka:
Idan an gano, za a keɓance mahaɗan masu zuwa:
- nakasassu da hannu (adminstatus<>1), godiya ga IFADMINSTATUS;
- ba tare da bayanin rubutu ba, godiya ga IFALIAS;
- samun alamar * a cikin bayanin rubutu, godiya ga IFALIAS;
- wanda sabis ne ko fasaha, godiya ga IFDESCR (a cikin yanayina, a cikin maganganu na yau da kullun IFALIAS da IFDESCR ana duba su ta hanyar laƙabi ɗaya na yau da kullun).
Samfurin tattara bayanai ta amfani da ka'idar SNMPv3 ya kusan shirya. Ba za mu ƙara yin daki-daki ba kan samfuran abubuwan abubuwan bayanai don mu'amalar hanyar sadarwa; bari mu matsa zuwa sakamakon.
Sakamakon saka idanu
Don farawa da, ɗauki lissafin ƙaramin cibiyar sadarwa:
Idan kun shirya samfuri don kowane jerin na'urorin cibiyar sadarwa, zaku iya samun sauƙi-da-bincike shimfidar bayanan taƙaitaccen bayani akan software na yanzu, lambobin serial, da sanarwar mai tsaftacewa yana zuwa uwar garken (saboda ƙarancin Uptime). Wani yanki na jerin samfura na yana ƙasa:
Kuma yanzu - babban kwamiti na saka idanu, tare da abubuwan da aka rarraba ta matsakaicin matakin:
Godiya ga haɗin kai ga samfura don kowane samfurin na'ura a cikin hanyar sadarwa, yana yiwuwa a tabbatar da cewa, a cikin tsarin tsarin sa ido ɗaya, za a shirya kayan aiki don tsinkaya kurakurai da haɗari (idan akwai na'urori masu auna firikwensin da ma'auni masu dacewa). Zabbix ya dace sosai don sa ido kan hanyar sadarwa, uwar garken, da kayan aikin sabis, kuma aikin kiyaye kayan aikin cibiyar sadarwa yana nuna iyawar sa.
Jerin hanyoyin da aka yi amfani da su:1. Hucaby D. CCNP Roting da Sauyawa SWITCH 300-115 Jagoran Takaddun Shaida. Cisco Press, 2014. pp. 325-329.
2. RFC 3410.
3. RFC 3415.
4. Jagoran Kanfigareshan SNMP, Cisco IOS XE Sakin 3SE. Babi: SNMP Siffar 3.
source: www.habr.com