Monitoring network equipment via SNMPv3 in Zabbix

This article covers the specifics of monitoring network equipment using the SNMPv3 protocol. We will talk about SNMPv3, I will share my experience of creating full-featured templates in Zabbix, and I will show what can be achieved when organizing distributed alerting in a large network. SNMP is the main protocol for monitoring network equipment, and Zabbix is good at monitoring a large number of objects and summarizing large volumes of incoming metrics.

A few words about SNMPv3

Let's start with the purpose of the SNMPv3 protocol and the specifics of its use. The tasks of SNMP are monitoring network devices and basic management by sending simple commands to them (for example, enabling and disabling network interfaces, or rebooting the device).

The main difference between SNMPv3 and its earlier versions is the classic security functions [1-3], namely:

  • authentication, which determines that the request was received from a trusted source;
  • encryption, which prevents disclosure of the transmitted data if it is intercepted by third parties;
  • integrity, that is, a guarantee that the packet was not tampered with in transit.

SNMPv3 implies the use of a security model in which the authentication strategy is set for a given user and the group the user belongs to (in earlier versions of SNMP, a request from the server to the monitored object was checked only against the "community", a text string with a "password" transmitted in clear text (plain text)).

SNMPv3 introduces the concept of security levels: the acceptable security levels that determine the equipment configuration and the behavior of the SNMP agent of the monitored object. The combination of security model and security level determines which security mechanism is used when an SNMP packet is processed [4].

The table describes the combinations of SNMPv3 security models and levels (I decided to leave the first three columns as in the original):

Accordingly, we will use SNMPv3 in authentication mode with encryption.

Configuring SNMPv3

Monitoring network equipment requires the same SNMPv3 configuration on both the monitoring server and the monitored object.

Let's start with configuring a Cisco network device. Its minimum required configuration is as follows (we configure it in the CLI; I simplified the names and passwords to avoid confusion):

snmp-server group snmpv3group v3 priv read snmpv3name 
snmp-server user snmpv3user snmpv3group v3 auth md5 md5v3v3v3 priv des des56v3v3v3
snmp-server view snmpv3name iso included

The first line, snmp-server group, defines the SNMPv3 user group (snmpv3group), the read mode (read), and the right of the snmpv3group group to view certain branches of the MIB tree of the monitored object (snmpv3name, which later in the configuration specifies which branches of the MIB tree the snmpv3group group will be able to access).

The second line, snmp-server user, defines the user snmpv3user, the user's membership in the snmpv3group group, and the use of md5 authentication (the md5 password is md5v3v3v3) and des encryption (the des password is des56v3v3v3). Of course, it is better to use aes instead of des; I give it here only as an example. Also, when defining the user, you can add an access list (ACL) that controls the IP addresses of the monitoring servers allowed to monitor this device. This is also best practice, but I will not complicate our example.

The third line, snmp-server view, defines a code name that specifies the branches of the MIB tree, snmpv3name, that the snmpv3group user group may query. Specifying iso, instead of strictly defining a single branch, allows the snmpv3group user group to access all objects in the MIB tree of the monitored object.
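The caveats above (aes rather than des, an ACL on the user, a view narrower than iso) can be checked mechanically. The following added example, which is not part of the original article or of any Cisco tooling, audits the three Cisco lines and a constructed hardened user line. The function name, the md5 finding, the placeholder passwords and ACL number 10 are assumptions of this example.

```python
import re

# Constructed sample input: the three Cisco lines from the article.
SAMPLE_CONFIG = """\
snmp-server group snmpv3group v3 priv read snmpv3name
snmp-server user snmpv3user snmpv3group v3 auth md5 md5v3v3v3 priv des des56v3v3v3
snmp-server view snmpv3name iso included
"""
# Constructed hardened user line: placeholder passwords, ACL 10 is an assumption.
HARDENED_USER = ("snmp-server user snmpv3user snmpv3group v3 "
                 "auth sha <auth-password> priv aes 128 <priv-password> access 10")

USER_RE = re.compile(r"^snmp-server user (\S+) \S+ v3\b(.*)$")
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b")
VIEW_RE = re.compile(r"^snmp-server view (\S+) (\S+) included$")


def audit_snmpv3(config):
    """Return (subject, finding) pairs; passwords are never copied into output."""
    findings = []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := USER_RE.match(line):
            subject, opts = f"user {m.group(1)}", m.group(2)
            auth = re.search(r" auth (md5|sha) \S+", opts)
            priv = re.search(r" priv (des|3des|aes \d+) \S+", opts)
            if not auth:
                findings.append((subject, "no authentication"))
            elif auth.group(1) == "md5":  # added check, beyond the article's notes
                findings.append((subject, "auth md5: prefer sha"))
            if not priv:
                findings.append((subject, "no encryption"))
            elif priv.group(1) == "des":
                findings.append((subject, "priv des: prefer aes"))
            if not re.search(r" access \S+$", opts):
                findings.append((subject, "no ACL limiting monitoring servers"))
        elif m := GROUP_RE.match(line):
            if m.group(2) != "priv":
                findings.append((f"group {m.group(1)}", "priv not required"))
        elif m := VIEW_RE.match(line):
            if m.group(2) == "iso":
                findings.append((f"view {m.group(1)}", "whole MIB tree readable"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_snmpv3(SAMPLE_CONFIG + HARDENED_USER):
        print(f"{subject}: {finding}")
```
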

The equivalent configuration for Huawei equipment (also in the CLI) looks like this:

snmp-agent mib-view included snmpv3name iso
snmp-agent group v3 snmpv3group privacy read-view snmpv3name
snmp-agent usm-user v3 snmpv3user group snmpv3group
snmp-agent usm-user v3 snmpv3user authentication-mode md5 
            md5v3v3v3
snmp-agent usm-user v3 snmpv3user privacy-mode des56
            des56v3v3v3

After configuring the network devices, you need to check access from the monitoring server via SNMPv3. I will use snmpwalk:

snmpwalk -v 3 -u snmpv3user -l authPriv -A md5v3v3v3 -a md5 -x des -X des56v3v3v3 10.10.10.252

A more visual tool for requesting specific OID objects using MIB files is snmpget:

Now let's move on to configuring a typical SNMPv3 data item within a Zabbix template. For simplicity and independence from MIB files, I use numeric OIDs:

I use custom macros in the key fields because they will be the same for all data items in the template. You can set them within the template, if all network devices in your network have the same SNMPv3 parameters, or within the network node, if the SNMPv3 parameters of different monitored objects differ:

Please note that the monitoring system holds only the user name and the passwords for authentication and encryption. The user group and the scope of MIB objects to which access is allowed are defined on the monitored object.
Now let's move on to filling in the template.

Zabbix polling template

A simple rule when creating any polling templates is to make them as detailed as possible:

I pay a lot of attention to inventory to make it easier to work with a large network. More on that later, but for now, the triggers:

To make the triggers easier to read, the system macros {HOST.CONN} are included in their names, so that not only device names but also IP addresses are shown on the dashboard in the alerts section, although this is more a matter of convenience than necessity. To determine whether a device is unavailable, in addition to the usual echo request, I use a check for host unavailability via the SNMP protocol, for the case when the object is reachable via ICMP but does not respond to SNMP requests. This situation can occur, for example, when IP addresses are duplicated on different devices, because of incorrectly configured firewalls, or because of incorrect SNMP settings on the monitored objects. If you check host availability only via ICMP, then at the time of investigating incidents on the network the monitoring data may turn out to be missing, so its receipt must be monitored.

Let's move on to discovering network interfaces. For network equipment this is the most important monitoring function. Since there can be hundreds of interfaces on a network device, it is necessary to filter out the unnecessary ones so as not to clutter the view or the database.

I use the standard SNMP discovery function, with a larger number of discoverable parameters, for more flexible filtering:

discovery[{#IFDESCR},1.3.6.1.2.1.2.2.1.2,{#IFALIAS},1.3.6.1.2.1.31.1.1.1.18,{#IFADMINSTATUS},1.3.6.1.2.1.2.2.1.7]

With this discovery, you can filter network interfaces by their types, custom descriptions, and administrative port states. The filters and regular expressions for filtering in my case look like this:

On discovery, the following interfaces will be excluded:

  • manually disabled (adminstatus<>1), thanks to IFADMINSTATUS;
  • without a text description, thanks to IFALIAS;
  • with the * symbol in the text description, thanks to IFALIAS;
  • service or technical ones, thanks to IFDESCR (in my case, in the regular expressions IFALIAS and IFDESCR are checked by a single common regular expression).
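The exclusion rules listed above, applied to constructed discovery rows, as an added example that is not part of the original article or of Zabbix itself. The service-interface pattern, the function names and the sample rows are assumptions, since the article's own regular expressions are not reproduced on the page.

```python
import re

# Assumption: names treated as service/technical interfaces. The article's own
# regular expression is not reproduced on the page.
SERVICE_IFDESCR = re.compile(r"^(Null|Loopback|InLoopBack|Vlan|NVI)\d*", re.IGNORECASE)

# Constructed discovery rows in the shape Zabbix SNMP discovery produces.
ROWS = [
    {"{#SNMPINDEX}": "1", "{#IFDESCR}": "GigabitEthernet0/1",
     "{#IFALIAS}": "uplink to core-sw1", "{#IFADMINSTATUS}": "1"},
    {"{#SNMPINDEX}": "2", "{#IFDESCR}": "GigabitEthernet0/2",
     "{#IFALIAS}": "spare port", "{#IFADMINSTATUS}": "2"},
    {"{#SNMPINDEX}": "3", "{#IFDESCR}": "GigabitEthernet0/3",
     "{#IFALIAS}": "", "{#IFADMINSTATUS}": "1"},
    {"{#SNMPINDEX}": "4", "{#IFDESCR}": "GigabitEthernet0/4",
     "{#IFALIAS}": "* test bench", "{#IFADMINSTATUS}": "1"},
    {"{#SNMPINDEX}": "5", "{#IFDESCR}": "Null0",
     "{#IFALIAS}": "blackhole", "{#IFADMINSTATUS}": "1"},
]


def exclusion_reason(row):
    """Return why a row is dropped, or None if item prototypes are created."""
    if row["{#IFADMINSTATUS}"] != "1":
        return "administratively disabled"
    alias = row["{#IFALIAS}"].strip()
    if not alias:
        return "no text description"
    if "*" in alias:
        return "marked with * in description"
    if SERVICE_IFDESCR.match(row["{#IFDESCR}"]):
        return "service/technical interface"
    return None


def filter_discovery(rows):
    """Split rows into monitored descriptions and {index: reason} for dropped ones."""
    kept, dropped = [], {}
    for row in rows:
        reason = exclusion_reason(row)
        if reason is None:
            kept.append(row["{#IFDESCR}"])
        else:
            dropped[row["{#SNMPINDEX}"]] = reason
    return kept, dropped


if __name__ == "__main__":
    print(filter_discovery(ROWS))
```
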

The template for collecting data via the SNMPv3 protocol is almost ready. We will not dwell on the details of the data item prototypes for network interfaces; let's move on to the results.

Monitoring results

First, the inventory of a small network:

If you prepare templates for each series of network devices, you can achieve an easy-to-analyze layout of summary data on current software, serial numbers, and a notification that the cleaner has come into the server room (because of low uptime). An excerpt of my template list is below:

And now, the main monitoring panel, with triggers distributed by severity level:

Thanks to the integrated approach of having templates for each device model in the network, it is possible to ensure that, within a single monitoring system, a tool for predicting faults and accidents is organized (if the appropriate sensors and metrics are available). Zabbix is well suited for monitoring network, server, and service infrastructures, and the task of maintaining network equipment clearly demonstrates its capabilities.

List of sources used:
1. Hucaby D. CCNP Routing and Switching SWITCH 300-115 Official Cert Guide. Cisco Press, 2014. pp. 325-329.
2. RFC 3410. tools.ietf.org/html/rfc3410
3. RFC 3415. tools.ietf.org/html/rfc3415
4. SNMP Configuration Guide, Cisco IOS XE Release 3SE. Chapter: SNMP Version 3. www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/xe-3se/3850/snmp-xe-3se-3850-book/nm-snmp-snmpv3.html

Source: www.habr.com
