Systems and Network Management
Perl Net::SNMP, and more on VACM and USM — Solutions

Nick Urbanik nicku(at)vtc.edu.hk ver. 1.1

1 Aims

The main aims of the activities today are:

• To understand how to write a Perl program to retrieve simple values from an SNMP agent, using:
  ◦ a community security model
  ◦ the USM security model
• To understand VACM and SNMP access control more fully through discussion

2 Questions about VACM for Discussion

RFC 3415 describes the view obtained when using a family mask as a family of view subtrees.

1. Why do the authors of the standard use the term family of view subtrees?

   A view using a family mask, such as that given in the next question, is equivalent to a set of subtrees, one for each element in the row, i.e., one for each column in the row. They all have a similar format, so they can be expressed with one structure represented by one subtree and a family mask. In the example shown in question 2, there are 22 columns in the table, so that the family of view subtrees represents 22 subtrees, each containing one element, i.e., one MIB variable.

2. Illustrate your answer to question 1 by creating a view without using a family mask equivalent to that given by the following Net-SNMP view statement:

       view view1 included IF-MIB::ifIndex.4 ff.a0

   The equivalent view is:

       view view1 included IF-MIB::ifIndex.4
       view view1 included IF-MIB::ifDescr.4
       view view1 included IF-MIB::ifType.4
       view view1 included IF-MIB::ifMtu.4
       view view1 included IF-MIB::ifSpeed.4
       view view1 included IF-MIB::ifPhysAddress.4
       view view1 included IF-MIB::ifAdminStatus.4
       view view1 included IF-MIB::ifOperStatus.4
       view view1 included IF-MIB::ifLastChange.4
       view view1 included IF-MIB::ifInOctets.4
       view view1 included IF-MIB::ifInUcastPkts.4
       view view1 included IF-MIB::ifInNUcastPkts.4
       view view1 included IF-MIB::ifInDiscards.4
       view view1 included IF-MIB::ifInErrors.4
       view view1 included IF-MIB::ifInUnknownProtos.4
       view view1 included IF-MIB::ifOutOctets.4
       view view1 included IF-MIB::ifOutUcastPkts.4
       view view1 included IF-MIB::ifOutNUcastPkts.4
       view view1 included IF-MIB::ifOutDiscards.4
       view view1 included IF-MIB::ifOutErrors.4
       view view1 included IF-MIB::ifOutQLen.4
       view view1 included IF-MIB::ifSpecific.4

   Here is a command line that will print this answer:

       $ for ((i=1; i <= 22; ++i)); do \
             snmptranslate .1.3.6.1.2.1.2.2.1.$i.4 | sed 's/^/view view1 included /'; done

3 Procedure

Refer to the lecture notes about Net::SNMP while doing this activity. Refer also to the manual for Net::SNMP, which contains many examples.

1. Configure CPAN (you only need do this once):

   (a) $ sudo perl -MCPAN -e shell

   (b) The shell will begin its interactive configuration process. Accept all defaults by pressing Enter, except for the following:

       • When prompted “CPAN build and cache directory?” enter: /var/cache/cpan
         Do not accept the default in your home directory; it will not work, since the root user has no right to write to your NFS mounted home directory.
       • When asked to choose a Policy on building prerequisites, choose “follow”:

             Policy on building prerequisites (follow, ask or ignore)? [ask] follow

         Some Perl modules depend on others. When installing a module that depends on others, a selection of “ask” here means the CPAN shell will prompt you and require you to press Enter to install the prerequisite module. The selection “follow” means, “Don’t ask me; just go ahead, download and install any modules that are needed to install this one”.
       • For “Your http proxy?” enter http://hqproxy.vtc.edu.hk:8080/
       • When asked to pick a nearby continent, enter 5 to select (5) North America.
       • When asked to “Select your country”, enter 3 to select (3) United States.
       • When asked “Select as many URLs as you like”, I suggest just entering the first few numbers (corresponding to the first few URLs); I put “1 2 3 4 5 6 7”. The numbers are just separated by spaces.

2. Install Net::SNMP using CPAN, as described in the notes, with:

       cpan> install Net::SNMP Net::SNMP::Interfaces Net::SNMP::HostInfo

3. Write a program to read outgoing network traffic from your loopback network interface, and print it as a single number of bytes.

       #! /usr/bin/perl
       use strict;
       use Net::SNMP;

       # Command-line arguments, in order: hostname, community, port.
       my ($session, $error) = Net::SNMP->session(
           -hostname  => shift || 'localhost',
           -community => shift || 'public',
           -port      => shift || 161
       );

       if (!defined($session)) {
           printf("ERROR: %s.\n", $error);
           exit 1;
       }

       # ifOutOctets column of ifTable; instance 1 is the loopback interface here.
       my $ifOutOctets       = '.1.3.6.1.2.1.2.2.1.16';
       my $loopback_instance = '.1';
       my $loopback_if_out   = $ifOutOctets . $loopback_instance;
       my $sysUpTime         = '1.3.6.1.2.1.1.3.0';

       my $result = $session->get_request(
           -varbindlist => [ $loopback_if_out ]
       );

       if (!defined($result)) {
           printf("ERROR: %s.\n", $session->error);
           $session->close;
           exit 1;
       }

       printf("bytes output from loopback interface for host '%s' is %s\n",
              $session->hostname, $result->{$loopback_if_out}
       );

       $session->close;
       exit 0;

4. Verify that the number given matches that read using /sbin/ifconfig, and making an SNMP query using snmpget.

   We can compare the output with /sbin/ifconfig or with /sbin/ip -s link show lo. Here we run them one after the other to try to get readings that are made close together:

       $ ip -s link ls lo;./snmpget-loopback-bytes
       1: lo: mtu 16436 qdisc noqueue
           link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
           RX: bytes  packets  errors  dropped overrun mcast
           2024216    19758    0       0       0       0
           TX: bytes  packets  errors  dropped carrier collsns
           2024216    19758    0       0       0       0
       bytes output from loopback interface for host 'localhost' is 2024287

   Okay, let’s do it again with ifconfig:

       $ ifconfig lo;./snmpget-loopback-bytes
       lo        Link encap:Local Loopback
                 inet addr:127.0.0.1  Mask:255.0.0.0
                 inet6 addr: ::1/128 Scope:Host
                 UP LOOPBACK RUNNING  MTU:16436  Metric:1
                 RX packets:20581 errors:0 dropped:0 overruns:0 frame:0
                 TX packets:20581 errors:0 dropped:0 overruns:0 carrier:0
                 collisions:0 txqueuelen:0
                 RX bytes:2094493 (1.9 Mb)  TX bytes:2094493 (1.9 Mb)
       bytes output from loopback interface for host 'localhost' is 2094564

   They match closely enough. A more accurate measurement would calculate the rate of network traffic, and use accurate time measurements to compare the results.

5. Ensure that your agent is properly configured with at least one USM account, as required by the SNMPv3 tutorial.

   This is all covered in detail in the solutions to the tutorial. Make sure you read it, and try it out yourself.

6. Write a second program to read outgoing network traffic on the loopback network interface using USM. Again, verify that the output of your program is consistent with other ways of obtaining the same information.
   Note that this program assumes that the USM user usera was created exactly as I showed in the solution to the SNMPv3 tutorial.

       #! /usr/bin/perl
       use strict;
       use Net::SNMP;

       # Command-line arguments, in order: authentication password, hostname, user name.
       my ($session, $error) = Net::SNMP->session(
           -authpassword => shift || 'my_password1',
           -hostname     => shift || 'localhost',
           -username     => shift || 'usera',
           -version      => 'snmpv3',
       );

       if (!defined($session)) {
           printf("ERROR: %s.\n", $error);
           exit 1;
       }

       # ifOutOctets column of ifTable; instance 1 is the loopback interface here.
       my $ifOutOctets       = '.1.3.6.1.2.1.2.2.1.16';
       my $loopback_instance = '.1';
       my $loopback_if_out   = $ifOutOctets . $loopback_instance;
       my $sysUpTime         = '1.3.6.1.2.1.1.3.0';

       my $result = $session->get_request(
           -varbindlist => [ $loopback_if_out ]
       );

       if (!defined($result)) {
           printf("ERROR: %s.\n", $session->error);
           $session->close;
           exit 1;
       }

       printf("bytes output from loopback interface for host '%s' is %s\n",
              $session->hostname, $result->{$loopback_if_out}
       );

       $session->close;
       exit 0;

   We can check it in the same way as before:

       $ ip -s link ls lo;./snmpget-loopback-bytes-usm
       1: lo: mtu 16436 qdisc noqueue
           link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
           RX: bytes  packets  errors  dropped overrun mcast
           2098022    20629    0       0       0       0
           TX: bytes  packets  errors  dropped carrier collsns
           2098022    20629    0       0       0       0
       bytes output from loopback interface for host 'localhost' is 2098667
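The family mask from question 2 of the VACM discussion can be checked mechanically, which is useful for confirming that a view exposes only the intended row before it is deployed. The following Perl program is an added example, not part of the original solutions: the helper names mask_bits and in_family and the list of test OIDs are constructed for illustration, and the matching rule is the one RFC 3415 gives for a view tree family mask.

```perl
#!/usr/bin/perl
# Added example: RFC 3415 family-mask matching for a Net-SNMP "view" line.
use strict;
use warnings;

# Turn a mask written as hex octets separated by '.' or ':' (e.g. 'ff.a0')
# into a list of bits, most significant bit of the first octet first.
sub mask_bits {
    my ($mask) = @_;
    return map { split //, sprintf('%08b', hex($_)) } split /[.:]/, $mask;
}

# True if $oid belongs to the family defined by $subtree and $mask.
# A mask bit of 1 means "this sub-identifier must match exactly";
# 0 is a wildcard. A mask shorter than the subtree is extended with 1s.
sub in_family {
    my ($oid, $subtree, $mask) = @_;
    my @oid  = grep { length } split /\./, $oid;
    my @sub  = grep { length } split /\./, $subtree;
    my @bits = mask_bits($mask);
    return 0 if @oid < @sub;    # too short to lie inside the subtree
    for my $i (0 .. $#sub) {
        my $bit = $i < @bits ? $bits[$i] : 1;
        return 0 if $bit && $oid[$i] != $sub[$i];
    }
    return 1;
}

# IF-MIB::ifIndex.4 in numeric form: ifEntry column 1, instance 4.
my $subtree = '.1.3.6.1.2.1.2.2.1.1.4';
my $mask    = 'ff.a0';    # bit 10 (the column number) is the only wildcard

# Constructed test OIDs: [ numeric OID, description ].
my @checks = (
    [ '.1.3.6.1.2.1.2.2.1.1.4',  'ifIndex.4' ],
    [ '.1.3.6.1.2.1.2.2.1.16.4', 'ifOutOctets.4' ],
    [ '.1.3.6.1.2.1.2.2.1.16.1', 'ifOutOctets.1 (loopback)' ],
    [ '.1.3.6.1.2.1.1.3.0',      'sysUpTime.0' ],
);
for my $c (@checks) {
    printf "%-26s %s\n", $c->[1],
        in_family($c->[0], $subtree, $mask) ? 'included' : 'not in view';
}
```

Only the two instance-4 OIDs are reported as included, so a user restricted to view1 could not read the loopback counter that the programs in section 3 fetch.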